Group non-direct members shouldn't be allowed to read virtual registry
Context
In Maven Virtual Registry: Permissions policy (!157793 - merged), we added a new group-level policy for the virtual registry feature. This policy is the gate that every request must pass through to be authorized.
In the policy, the read_virtual_registry permission is granted to any authenticated user if the group is public. However, relying on the read_group permission might be too permissive.
What we want is:
- Either the user is a direct member of the group (in this case, the user has at least the guest access level), or
- the user is a direct member of one of the included subgroups/projects.
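The difference between the two rules, as an added plain-Ruby sketch (not GitLab's policy code): `Node`, `Member`, `GUEST`, `permissive_read?` and `intended_read?` are hypothetical names, the data is constructed, and "included" is assumed to mean subgroups/projects at any depth.

```ruby
# Added illustration; names are hypothetical and do not mirror GitLab's classes.
Member = Struct.new(:user, :access_level)
GUEST = 10 # constructed stand-in for the lowest (guest) access level

# A group, subgroup or project with its direct members and nested children.
class Node
  attr_reader :name, :is_public, :members, :children

  def initialize(name, is_public: false, members: [], children: [])
    @name = name
    @is_public = is_public
    @members = members
    @children = children
  end

  # Direct membership only: visibility and inheritance do not count.
  def direct_member?(user)
    members.any? { |m| m.user == user && m.access_level >= GUEST }
  end

  # Every subgroup/project below this node, at any depth (assumption).
  def descendants
    children.flat_map { |c| [c] + c.descendants }
  end
end

# Simplified stand-in for the current rule: an authenticated user passes
# whenever the group is public, member or not.
def permissive_read?(user, group)
  return false if user.nil?
  group.is_public || group.direct_member?(user)
end

# Rule requested above: direct member of the group itself, or of one of
# the subgroups/projects it contains.
def intended_read?(user, group)
  return false if user.nil?
  ([group] + group.descendants).any? { |n| n.direct_member?(user) }
end

# Constructed sample: public top-level group -> subgroup -> project.
def sample_group
  project = Node.new("project", members: [Member.new("carol", GUEST)])
  subgroup = Node.new("subgroup", children: [project])
  Node.new("top", is_public: true,
           members: [Member.new("alice", GUEST)], children: [subgroup])
end
```

In the sample, `dave` is authenticated but has no membership anywhere in the hierarchy: the permissive rule lets him read the registry of the public group, the intended rule does not.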