Don't separate user permissions from maven packages finder

Dzmitry (Dima) Meshcharakourequested to merge
393933-maven-package-registry-group-level-endpoint-separate-user-permissions-from-finder-revert into master

What does this MR do and why?

In Separate user permissions from the package finder (!135494 - merged) we have implemented the changes to separate user permission from the Maven group packages finder. The changes were implemented with the feature flag.

However, during the feature flag rollout on gitlab.com it was discovered, that it implies the changes to the behaviour for current workflows for some customers, making the rollout hard #393933 (comment 1895035772).

Recently we got notified about the long lived feature flag and decided to remove the code #393933 (comment 2736320555). This's what the current MR does. It basically reverts the changes implemented in Separate user permissions from the package finder (!135494 - merged) plus a few additional spots in the tests that are related and were added in the meantime.

References

Screenshots or screen recordings

No.

How to set up and validate locally

  1. Create a new group with two projects

    g = FactoryBot.create(:group, :private)
p1 = FactoryBot.create(:project, group: g)
p2 = FactoryBot.create(:project, group: g)

  2. Create a new user with a token

    u = FactoryBot.create(:user)

pat = FactoryBot.create(:personal_access_token, user: u, scopes: ["api", "read_registry"])


 # check the token - we need it for the curl request later pat.token

  1. Add an user to the group and the projects

    g.add_guest(u)
p1.add_reporter(u)
p2.add_guest(u)

  2. Create two maven packages

    # stub file upload
def fixture_file_upload(*args, **kwargs)
  Rack::Test::UploadedFile.new(*args, **kwargs)
end

package1 = FactoryBot.create(:maven_package, project: p1)
package2 = FactoryBot.create(:maven_package, project: p2, name: package1.name, version: package1.version)

# Note down the package's name - we need it for the curl request later
package1.name

  3. Create a new curl request

    $ curl --header "PRIVATE-TOKEN: <PAT token>" "http://gdk.test:3000/api/v4/groups/<group ID>/-/packages/maven/<packages's name>/1.1-SNAPSHOT/maven-metadata.xml"

    The result is 200 OK

    And the package's last_downloaded_at should return a timestamp

    package1.reload.last_downloaded_at

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #393933

Edited by Dzmitry (Dima) Meshcharakou

Merge request reports