Permissions to list a group's packages via the REST API differ from viewing packages in the UI (GraphQL)


Summary

When a user lists group packages via the REST API, they get a 403 if they have the guest permission on the group, even though there are projects in the group where they have the owner role.

However, when the user goes to the group's package registry page (https://gitlab.com/groups/<group_name>/-/packages), they are able to view packages from projects where they have owner access, and also packages of public projects.

Steps to reproduce

  1. On the top-level group, add a user with the guest role.
  2. In some projects where packages are published, assign this user the owner role.
  3. In the GitLab UI, view the top-level group's package registry (https://gitlab.com/groups/<group_name>/-/packages) as the guest user. The user is able to see packages from projects where they are assigned the owner role (or any role of reporter and above).
  4. Create a personal access token for the guest user with the read_api or api scope.
  5. Make an API call to list the group's packages. You will get an HTTP 403 status code.
curl --header "PRIVATE-TOKEN: <ACCESS_TOKEN>" "https://gitlab.com/api/v4/groups/<GROUP_ID>/packages?exclude_subgroups=false"
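The following script, added here as an example and not part of the issue or of GitLab's own code, reproduces the comparison the steps above describe from the REST side: it records the status of GET /groups/:id/packages and then builds, from the documented GET /groups/:id/projects and GET /projects/:id/packages endpoints, the set of packages the same token can actually read project by project. The difference is the set the group endpoint should have returned. The group id 42, project id 7 and package records in SAMPLE are constructed so the script runs offline; set GITLAB_TOKEN and GITLAB_GROUP_ID to run it against gitlab.com.

```python
"""Compare GitLab's group-level package listing with the per-project listings.

Added example (not from the issue). Endpoints used are documented GitLab REST calls:
  GET /groups/:id/packages, GET /groups/:id/projects, GET /projects/:id/packages.
Only the first page (per_page=100) of each listing is inspected; large groups would
need pagination via the Link / X-Next-Page headers.
"""
import json
import os
import urllib.error
import urllib.request

API = "https://gitlab.com/api/v4"


def live_get(token):
    """Return get(path) -> (status, body) that calls the real API with a PRIVATE-TOKEN header."""
    def get(path):
        req = urllib.request.Request(API + path, headers={"PRIVATE-TOKEN": token})
        try:
            with urllib.request.urlopen(req) as resp:
                return resp.status, json.loads(resp.read().decode())
        except urllib.error.HTTPError as err:
            return err.code, None  # 403 is exactly the case the issue reports
    return get


def pkg_key(pkg):
    """Package id is globally unique; name/version are kept for readable output."""
    return (pkg["id"], pkg["name"], pkg["version"])


def compare_group_packages(group_id, get):
    """get(path) -> (status, body). Returns what the group endpoint answered versus the
    union of packages readable through each project the token can see."""
    group_status, group_body = get(
        f"/groups/{group_id}/packages?exclude_subgroups=false&per_page=100")
    via_group = {pkg_key(p) for p in (group_body or [])}

    # Every project under the group (subgroups included) visible to this token:
    # membership projects and public ones alike. Projects where the user may not
    # read the registry answer non-200 on the packages call and are skipped.
    _, projects = get(f"/groups/{group_id}/projects?include_subgroups=true&per_page=100")
    via_projects = set()
    for proj in projects or []:
        status, pkgs = get(f"/projects/{proj['id']}/packages?per_page=100")
        if status == 200:
            via_projects |= {pkg_key(p) for p in pkgs}

    return {
        "group_status": group_status,
        "via_group": via_group,
        "via_projects": via_projects,
        "missing_from_group_api": via_projects - via_group,
    }


# Constructed offline responses modelling the report: group 42 answers 403 to the
# guest, while project 7 (where the same user is Owner) exposes two packages.
SAMPLE = {
    "/groups/42/packages": (403, None),
    "/groups/42/projects": (200, [{"id": 7, "path_with_namespace": "example-group/example-project"}]),
    "/projects/7/packages": (200, [
        {"id": 101, "name": "libfoo", "version": "1.0.0", "package_type": "generic"},
        {"id": 102, "name": "libfoo", "version": "1.1.0", "package_type": "generic"},
    ]),
}


def fake_get(path):
    """Offline stand-in for live_get(): match on the path without the query string."""
    return SAMPLE.get(path.split("?", 1)[0], (404, None))


if __name__ == "__main__":
    token = os.environ.get("GITLAB_TOKEN")
    group = os.environ.get("GITLAB_GROUP_ID", "42")
    result = compare_group_packages(group, live_get(token) if token else fake_get)
    print(f"GET /groups/{group}/packages -> HTTP {result['group_status']}")
    for key in sorted(result["missing_from_group_api"]):
        print("readable per project but absent from the group listing:", key)
```

A non-empty missing_from_group_api with group_status 403 is the behaviour the issue describes; once the REST endpoint matches the UI, the group listing should return 200 and the difference should be empty for any token that is Reporter or above on at least one project.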

What is the current bug behavior?

The REST API does not list the packages that the user should be able to see under the top-level group.

What is the expected correct behavior?

The user should be able to see packages from projects where they have the reporter or a higher role, and packages from public projects.

Output of checks

This bug happens on GitLab.com
