
Allow guest+ users to pull packages from private projects

What does this MR do and why?

This MR lowers the minimum role required to access the package registry and pull packages from reporter to guest.

Users with guest access or higher will be able to view the package registry UI of a private project, download the package files, and pull (install) the packages using package managers.

This is considered a breaking change, and is therefore implemented behind a feature flag.

References

Please include cross links to any resources that are relevant to this MR. This will give reviewers and future readers helpful context to give an efficient review of the changes introduced.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

No.

How to set up and validate locally

  1. Enable the feature flag

    Feature.enable(:allow_guest_plus_roles_to_pull_packages)
  2. Prepare a private project and add a user to that project with guest access.

  3. Create a PAT for the user with guest access.

  4. Publish an npm package to the private project (see the docs).

Now initialize an empty npm package and set up authentication using the PAT of the guest user to pull a package from the private project (see the docs).

Using master

npm install @fruits/banana

Should fail with 403 Forbidden

Using this MR

npm install @fruits/banana

Package installed

UI

As the guest user, visit the private project and open the Package registry. With the feature flag enabled, the registry page should be accessible.
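The validation steps above leave the npm authentication setup implicit. The script below is an added example, not code from this MR or from GitLab, that writes the two `.npmrc` lines GitLab's project-level npm registry expects (a scoped registry mapping and an `_authToken` for that registry URL), then runs the same `npm install @fruits/banana` and classifies the result as `forbidden` (the expected outcome on master for a guest, reported by npm as `E403`), `installed` (the expected outcome with this MR and the flag enabled) or `error`. The host `gitlab.example.com`, project ID `1234`, the `@fruits` scope and the placeholder token are assumptions; replace them with your local values. The PAT created in step 3 needs the `read_api` scope for pulls.

```shell
#!/bin/sh
# Added example (not part of the MR): configure npm to pull from a GitLab
# project-level npm registry with a guest user's PAT and attempt the install.
# Assumed values, overridable via the environment:
set -eu

GITLAB_HOST="${GITLAB_HOST:-gitlab.example.com}"   # assumption
PROJECT_ID="${PROJECT_ID:-1234}"                   # assumption: the private project
SCOPE="${SCOPE:-@fruits}"                          # scope of the published package
NPM_TOKEN="${NPM_TOKEN:-glpat-REPLACE_ME}"         # guest user's PAT (placeholder)

# Emit the .npmrc lines for GitLab's project-level npm endpoint:
#   @scope:registry=https://HOST/api/v4/projects/ID/packages/npm/
#   //HOST/api/v4/projects/ID/packages/npm/:_authToken=TOKEN
npmrc_lines() {
  registry="//${GITLAB_HOST}/api/v4/projects/${PROJECT_ID}/packages/npm/"
  printf '%s:registry=https:%s\n' "$SCOPE" "$registry"
  printf '%s:_authToken=%s\n' "$registry" "$NPM_TOKEN"
}

# Write .npmrc into the root of the empty npm package.
write_npmrc() {
  dir="$1"
  npmrc_lines > "$dir/.npmrc"
  chmod 600 "$dir/.npmrc"   # the file contains a PAT; keep it private
}

# Run the install and map the outcome to a one-word verdict.
# npm surfaces an HTTP 403 from the registry as an E403 error.
try_pull() {
  dir="$1"
  pkg="$2"
  if out=$(cd "$dir" && npm install "$pkg" 2>&1); then
    echo "installed"                       # expected with this MR + flag enabled
  elif printf '%s' "$out" | grep -q 'E403'; then
    echo "forbidden"                       # expected on master for a guest user
  else
    echo "error"                           # network, auth format, missing package, ...
  fi
}

# Usage: sh pull_check.sh run
if [ "${1:-}" = "run" ]; then
  work=$(mktemp -d)
  ( cd "$work" && npm init -y >/dev/null )
  write_npmrc "$work"
  try_pull "$work" "${SCOPE}/banana"
fi
```

Run it once against master and once against this MR with `Feature.enable(:allow_guest_plus_roles_to_pull_packages)` applied; the verdict should change from `forbidden` to `installed` for the same guest PAT, while a token of a user with no project membership should still produce `forbidden`.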

Related to #336622

Edited by Dzmitry (Dima) Meshcharakou
