
Make "allow anyone to pull" work with group-level PyPI endpoints


🔭 Context

In Feature specific permissions for the Package R... (#329253 - closed), it was suggested to have a way to expose a public package registry in a non-public (private or internal) project.

We quickly discovered challenges for endpoints above the group-level. Thus, we decided to scope that issue to project-level endpoints only (see #329253 (comment 1120283554)).

🔥 Problem

The problem is twofold here:

  • Users might want to be able to pull packages from a public package registry (in a non-public project) at the group-level endpoint.
  • Some formats don't have project-level endpoints, for example Composer. As such, the Allow anyone to pull toggle will not work for Composer packages.

🚒 Solution

At the group level, we have finders to collect all the projects or packages that a user can access. This part uses the user's access level.

In short, we have a SQL query that says: within this group, collect all the public projects + all the projects where the user has reporter access.

We will need to update that to: within this group, collect all the public projects + all the projects where the user has reporter access + all the projects that have a public package registry.
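As an added illustration (not GitLab's own finder code or schema), the following models the current and the proposed project selection with an in-memory SQLite database. The tables, columns, project names and the `allow_anyone_to_pull` flag are constructed assumptions; only the numeric reporter level (20) mirrors GitLab's access levels.

```python
import sqlite3

REPORTER = 20  # matches GitLab's Gitlab::Access::REPORTER; other names below are constructed

# Constructed schema and sample data (not GitLab's real tables).
# project 1: public; 2: private, user 42 is reporter; 3: private, user 42 is guest,
# registry not public; 4: private with "Allow anyone to pull" enabled; 6: same, other group.
SCHEMA_AND_SAMPLE = """
CREATE TABLE projects (id INTEGER PRIMARY KEY, group_id INTEGER, name TEXT, visibility TEXT);
CREATE TABLE project_members (project_id INTEGER, user_id INTEGER, access_level INTEGER);
CREATE TABLE project_package_settings (project_id INTEGER PRIMARY KEY, allow_anyone_to_pull INTEGER);
INSERT INTO projects VALUES
  (1, 10, 'public-proj', 'public'),
  (2, 10, 'private-reporter', 'private'),
  (3, 10, 'private-guest', 'private'),
  (4, 10, 'private-public-registry', 'private'),
  (6, 11, 'other-group-public-registry', 'private');
INSERT INTO project_members VALUES (2, 42, 20), (3, 42, 10);
INSERT INTO project_package_settings VALUES (3, 0), (4, 1), (6, 1);
"""

# Current behaviour: public projects + projects where the user is at least reporter.
CURRENT_FINDER = """
SELECT p.id FROM projects p
WHERE p.group_id = :group_id
  AND (p.visibility = 'public'
       OR EXISTS (SELECT 1 FROM project_members m
                  WHERE m.project_id = p.id AND m.user_id = :user_id
                    AND m.access_level >= :reporter))
ORDER BY p.id
"""

# Proposed behaviour: the same, plus projects whose package registry is public.
PROPOSED_FINDER = CURRENT_FINDER.replace(
    "AND m.access_level >= :reporter))",
    "AND m.access_level >= :reporter)\n"
    "       OR EXISTS (SELECT 1 FROM project_package_settings s\n"
    "                  WHERE s.project_id = p.id AND s.allow_anyone_to_pull = 1))",
)

def accessible_project_ids(query, group_id, user_id):
    """Project ids the finder returns; user_id=None models an anonymous pull."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA_AND_SAMPLE)
    params = {"group_id": group_id, "user_id": user_id, "reporter": REPORTER}
    ids = [row[0] for row in conn.execute(query, params)]
    conn.close()
    return ids
```

Running both queries for user 42 and for an anonymous caller shows that only project 4 is added by the proposal: the guest-only project 3 and the other group's project 6 stay hidden.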

⚠️ This change directly affects the performance of the group-level endpoints. As such, make sure that an analysis of all group endpoints is done.

Edited by 🤖 GitLab Bot 🤖