Skip to content

Blocked: Adapt Packages API to consider the package registry access level

Jonas Wälter requested to merge siemens/gitlab:read_package/packages-API-projects into master

What does this MR do and why?

This MR is a step of #329253 (closed) (see implementation plan):

  • In !82808 (merged), we added a new Package Registry visiblity setting in the project settings to allow access to the package registry for everyone even in private projects - behind the package_registry_access_level feature flag.
  • In !90963 (merged) and !97001 (merged), we modified the package policies to consider the new setting - behind the read_package_policy_rule feature flag and cleaned up in !96767 (merged).

Now, we need to modify the APIs of all package types to the changes: This MR adapts the Packages API (project-level). The group-level endpoints will be modified in a follow-up MR.

Why do we need to modify the API if considering the new setting has already been implemented in the policies?

Currently, it checks in a first step if there's access to the project (:read_project permission). If not, the request is aborted prematurely. The :read_package permission is checked only in a second step. But with the new project settings, it's possible that there's NO access to the project itself (:read_project permission), but there's access to the package registry (:read_package permission). So we must not check for the :read_project permission first.

🛠 with at Siemens

/cc @bufferoverflow

How to set up and validate locally

  1. Enable the feature flag:

    Feature.enable(:package_registry_access_level)

  2. Try to get the package list, package or package files of a private project as anonymous (see docs): 404 Project Not Found

GET /projects/:id/packages
GET /projects/:id/packages/:package_id
GET /projects/:id/packages/:package_id/package_files

  1. Change the package_registry_access_level of the private project to allow access for everyone:

    project = Project.find(2)
project.project_feature.update!(package_registry_access_level: ProjectFeature::PUBLIC)

  2. Try to get the package list, package or package files of a private project as anonymous (see docs): 200 OK

GET /projects/:id/packages
GET /projects/:id/packages/:package_id
GET /projects/:id/packages/:package_id/package_files

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Jonas Wälter

Merge request reports