Relax access level checks for the Maven group level endpoint
Everyone can contribute. Help move this issue forward while earning points, leveling up and collecting rewards.
I've named this issue just like the NuGet version of this issue which were solved last year as it is the exact same issue. You should relax the access checking to something sensible this time for maven, since having an enterprise setup you often run into the issue of having Minimal access on the top level group but reporter or above on the some of the subgroups.
The issue arises when we need to have a setup like:
- group a
- sub group b
- sub group c
and you have artifacts in sub group b and c and want to collect artifacts from both you should be able to use group a. It is however not possible in many of our setups as you have minimal access at this group, while the current situation apparently require you to have something higher, even though you have at least reporter on both sub group b and c.
This have been tested by:
$ curl -H "Authorization: Bearer $token" 'https://gitlab.com/api/v4/groups/GROUP_A_ID/packages'
{"message":"403 Forbidden"}while on a subgroup it does not return a forbidden.
The issue here is resolved by either:
- elevating the access level (not gonna happen in our case)
- Using subgroups as entrypoint
Solution 2 is an OK workaround, however it will generate quite a lot of redundant requests for packages (failed lookup for packages) which can be avoided if this issue is resolved.