Grant Auditor users :read_package ability on the group-level

Context

According to the docs, Auditor users have read-only access to all groups, projects, and other resources.

There's an inconsistency between the documentation and current behavior: auditors cannot read packages from private groups they are not members of, even though they can read the group itself and its container images:

# GDK rails console, on master (before this MR).
# Assumes User.last is an auditor with no membership in Group.last,
# and that Group.last is a private group.
u = User.last
u.auditor?
=> true

g = Group.last
policy = GroupPolicy.new(u, g)

policy.can?(:read_group)
=> true
policy.can?(:read_package)
=> false          # inconsistent with the documented read-only access
policy.can?(:read_container_image)
=> true

What does this MR do?

Fixes this inconsistency and grants auditor users the read_package ability at the group level. At the project level, auditors already have the read_package ability.

The exact changes introduced in this MR:

  • Modify the EE::Packages::Policies::GroupPolicy module to grant auditors the read_package ability. The auditor role is an Enterprise Edition feature, so the permission is added to the EE module.
  • Add related specs to the group and project policies.
  • Add specs to the PyPI registry endpoints that use the read_package ability in authorizing the request on the group & project levels. The endpoints are:
    • GET /api/v4/groups/:id/-/packages/pypi/files/:sha256/*file_identifier
    • GET /api/v4/projects/:id/packages/pypi/files/:sha256/*file_identifier
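To make the policy change concrete, here is an added illustration (not GitLab's code and not the DeclarativePolicy engine itself) that models the "rule(condition).enable(ability)" pattern with a tiny stand-in DSL. The class names MiniPolicy, GroupPolicyBefore and GroupPolicyAfter, the ability list and the sample users and groups are all constructed for this example. It shows the auditor on a private group gaining read_package after the extra rule, while write abilities such as create_package stay denied, which is the least-privilege check a reviewer would want to see alongside the new read rule.

```ruby
# Added example: a minimal stand-in for a declarative policy DSL.
# It is NOT GitLab's DeclarativePolicy; it only models "rule(cond) enables abilities".

# Constructed sample models.
User = Struct.new(:name, :auditor, :member_of, keyword_init: true) do
  def auditor?
    auditor
  end

  def member_of?(group)
    member_of.include?(group.name)
  end
end

Group = Struct.new(:name, :visibility, keyword_init: true) do
  def private?
    visibility == :private
  end
end

# Conditions are named lambdas over (user, subject); rules pair a condition
# name with the abilities it enables. Subclasses inherit both, so an "EE"
# policy can layer extra rules on top of a base policy.
class MiniPolicy
  @conditions = {}
  @rules = []

  class << self
    attr_reader :conditions, :rules

    def inherited(sub)
      super
      sub.instance_variable_set(:@conditions, conditions.dup)
      sub.instance_variable_set(:@rules, rules.dup)
    end

    def condition(name, &blk)
      @conditions[name] = blk
    end

    def rule(cond, *abilities)
      @rules << [cond, abilities]
    end
  end

  def initialize(user, subject)
    @user = user
    @subject = subject
  end

  # An ability is granted if any rule enabling it has a true condition.
  def can?(ability)
    self.class.rules.any? do |cond, abilities|
      abilities.include?(ability) &&
        self.class.conditions.fetch(cond).call(@user, @subject)
    end
  end
end

# Base policy (the "before" state): a private group is readable by members,
# and auditors get read_group and read_container_image but NOT read_package.
class GroupPolicyBefore < MiniPolicy
  condition(:public_group) { |_u, g| !g.private? }
  condition(:group_member) { |u, g| u.member_of?(g) }
  condition(:auditor)      { |u, _g| u.auditor? }

  rule :public_group, :read_group, :read_package, :read_container_image
  rule :group_member, :read_group, :read_package, :read_container_image, :create_package
  rule :auditor,      :read_group, :read_container_image # read_package missing
end

# The "after" state: one extra read-only rule for auditors, nothing else.
class GroupPolicyAfter < GroupPolicyBefore
  rule :auditor, :read_package
end

ABILITIES = %i[read_group read_package read_container_image create_package].freeze

# Returns a hash of ability => granted? for the given policy class.
def abilities_for(policy_class, user, group)
  policy = policy_class.new(user, group)
  ABILITIES.to_h { |a| [a, policy.can?(a)] }
end

# Constructed fixtures: an auditor with no memberships and a private group.
AUDITOR  = User.new(name: 'auditor',  auditor: true,  member_of: [])
OUTSIDER = User.new(name: 'outsider', auditor: false, member_of: [])
MEMBER   = User.new(name: 'member',   auditor: false, member_of: ['secret-group'])
GROUP    = Group.new(name: 'secret-group', visibility: :private)

if __FILE__ == $PROGRAM_NAME
  puts "before: #{abilities_for(GroupPolicyBefore, AUDITOR, GROUP)}"
  puts "after:  #{abilities_for(GroupPolicyAfter, AUDITOR, GROUP)}"
end
```

Running the file prints the auditor's abilities before and after the extra rule; the point to verify in review is that only read_package flips to true, while create_package remains false for the auditor and non-member outsiders still get nothing on the private group.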

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.


How to set up and validate locally

In your GDK rails console:

# Freshly created auditor: no group memberships, so only the auditor rule applies.
auditor = FactoryBot.create(:auditor)

# Pick any private group; the auditor is not a member of it.
g = Group.all.detect(&:private?)
policy = Packages::Policies::GroupPolicy.new(auditor, g.packages_policy_subject)

policy.can?(:read_package)
=> true

# Repeating the same steps on master returns false.

Related to #382259 (closed)

Edited by Moaz Khalifa
