Separate user permissions from the package finder
What does this MR do and why?
This MR changes the Maven package finder to return packages without looking at the user's permissions. The permission check on the project happens later, inside the API: https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/api/maven_packages.rb#L172
It mainly affects two cases:

- Duplicate packages published to two different projects, where the user doesn't have access to the most recent one.
  - Before: the user gets the previously published version of the package that they have access to (200 OK).
  - After: the user gets no package (403 Forbidden), as they don't have enough permission to read the most recent package.
- The request forward feature.
  - Before: the package exists but the user doesn't have permission to read it. The finder returns no packages and the request is forwarded to Maven Central (when the feature is enabled).
  - After: the user's request is not forwarded to Maven Central, since the package exists but the user doesn't have permission to read it.

This is a breaking change and is introduced behind a feature flag.
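The two behaviour changes above, modelled with plain Ruby objects as an added illustration (this is not GitLab's finder or API code). The `Package` struct, the `readable` project list and the `:forward_to_maven_central` outcome are assumptions standing in for the real models, the `read_package` permission check and the forwarding logic.

```ruby
# Added illustration of the MR's behaviour change; not GitLab code.
# A package lives in a project; created_at orders "most recent".
Package = Struct.new(:project, :name, :version, :created_at)

# Old finder: only packages in projects the user can read are considered.
def find_with_permission_check(packages, readable, name, version)
  packages
    .select { |p| p.name == name && p.version == version && readable.include?(p.project) }
    .max_by(&:created_at)
end

# New finder (behind the feature flag): most recent match, user ignored.
def find_without_permission_check(packages, name, version)
  packages
    .select { |p| p.name == name && p.version == version }
    .max_by(&:created_at)
end

# API layer: permission check happens here, after the finder ran.
# With no package found, the request is forwarded to Maven Central when
# the forward feature is enabled, otherwise it is a 404.
def api_response(package, readable, forward: false)
  return { status: forward ? :forward_to_maven_central : 404, project: nil } if package.nil?

  status = readable.include?(package.project) ? 200 : 403
  { status: status, project: package.project }
end

# Constructed scenario matching the MR's local validation steps:
# the same name/version is published to p1 (older) and p2 (newer).
# `readable` lists the projects the user may read packages from.
def simulate(flag_enabled:, readable:, forward: false)
  packages = [
    Package.new(:p1, 'com/example/app', '1.1-SNAPSHOT', 1),
    Package.new(:p2, 'com/example/app', '1.1-SNAPSHOT', 2)
  ]
  pkg = if flag_enabled
          find_without_permission_check(packages, 'com/example/app', '1.1-SNAPSHOT')
        else
          find_with_permission_check(packages, readable, 'com/example/app', '1.1-SNAPSHOT')
        end
  api_response(pkg, readable, forward: forward)
end
```

With `readable: [:p1]` the flag flips the outcome from 200 (older package in p1) to 403 (newest package in p2); with `readable: []` and forwarding enabled it flips from a forward to Maven Central to 403.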
Screenshots or screen recordings
No UI changes
How to set up and validate locally
Execute the following commands in the Rails console:

- Enable the feature flag

```ruby
Feature.enable(:maven_remove_permissions_check_from_finder)
```

- Create a new group with two projects

```ruby
g = FactoryBot.create(:group, :private)
p1 = FactoryBot.create(:project, group: g)
p2 = FactoryBot.create(:project, group: g)
```

- Create a new user with a token

```ruby
u = FactoryBot.create(:user)
pat = FactoryBot.create(:personal_access_token, user: u, scopes: ["api", "read_registry"])

# check the token - we need it for the curl request later
pat.token
```

- Add the user to the group and the projects

```ruby
g.add_guest(u)
p1.add_reporter(u)
p2.add_guest(u)
```

- Create two Maven packages

```ruby
# stub file upload
def fixture_file_upload(*args, **kwargs)
  Rack::Test::UploadedFile.new(*args, **kwargs)
end

package1 = FactoryBot.create(:maven_package, project: p1)
package2 = FactoryBot.create(:maven_package, project: p2, name: package1.name, version: package1.version)

# Note down the package's name - we need it for the curl request later
package1.name
```
- Create a new curl request

With this MR:

```shell
curl --header "PRIVATE-TOKEN: <PAT token>" "http://gdk.test:3000/api/v4/groups/<group ID>/-/packages/maven/<package's name>/1.1-SNAPSHOT/maven-metadata.xml"
```

The result should be `403 Forbidden`.

Additionally, we can check that no packages were downloaded:

```ruby
package1.reload.last_downloaded_at
# => nil
package2.reload.last_downloaded_at
# => nil
```

With master, or with the feature flag disabled:

```shell
curl --header "PRIVATE-TOKEN: <PAT token>" "http://gdk.test:3000/api/v4/groups/<group ID>/-/packages/maven/<package's name>/1.1-SNAPSHOT/maven-metadata.xml"
```

The result is `200 OK`, and the package's `last_downloaded_at` should return a timestamp:

```ruby
package1.reload.last_downloaded_at
```
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Related to #393933 (closed)