Allow reading group-level package endpoint when user has projects
What does this MR do and why?
Describe in detail what your merge request does and why.
This MR adds read_package
and read_package_settings
permissions to users who have projects in group or its subgroups.
These permissions allows usage of the group-level package endpoints (e.g. NuGet). Until now the user could see the packages on group page (only from projects he is a member of), but group-level endpoints returned 403 Forbidden.
Screenshots or screen recordings
These are strongly recommended to assist reviewers and reduce the time to merge your change.
How to set up and validate locally
Numbered steps to set up and validate the change are strongly suggested.
- Create a group with 2 projects
- For each project upload a package
- For one of the projects add a user as a developer
- Go to group and check if you see the package
- Try using group-level package endpoint (e.g.
/api/v4/groups/<group id>/-/packages/nuget/query
)- without changes you will get
403 Forbidden
- with changes you should see the package for the project the user is member of
- without changes you will get
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
-
I have evaluated the MR acceptance checklist for this MR.