# Remove the `repository` check when authorizing package registry requests with a deploy token
### Summary

You can use the Package Registry to publish and install packages in a variety of formats. You can authenticate with personal access, project access, job or deploy tokens.

### Problem

* Deploy tokens get access to packages through a [special condition](https://gitlab.com/gitlab-org/gitlab/-/blob/e7fe50276dbbe581a607b9c2989fd2822718056a/app/policies/project_policy.rb#L69) in the project policy.
  * This works as expected.
* Now we have a [negative rule](https://gitlab.com/gitlab-org/gitlab/-/blob/e7fe50276dbbe581a607b9c2989fd2822718056a/app/policies/project_policy.rb#L317) that basically says: if one of the below is true, all `packages` permissions are removed:
  * The `packages` feature is disabled
  * The `repository` feature is disabled
* The ~bug lies in the check of the `repository` feature. This check is mainly done by [verifying](https://gitlab.com/gitlab-org/gitlab/-/blob/e7fe50276dbbe581a607b9c2989fd2822718056a/app/policies/project_policy.rb#L166) whether the user has access to the project feature.
* Let's break down how this "has the current user access to this project feature" [function](https://gitlab.com/gitlab-org/gitlab/-/blob/e7fe50276dbbe581a607b9c2989fd2822718056a/app/policies/project_policy.rb#L721) works:
  1. If the feature is currently `DISABLED`, well, we return `false`.
  2. If the feature is currently `PRIVATE`, we check that the current user has the proper minimum access level for the feature.
  3. In all other cases (including when the feature is `ENABLED`), we return `true`.
* The problem is that when (2.) is evaluated against a DeployToken object, the ~backend thinks that it has no [access level at all](https://gitlab.com/gitlab-org/gitlab/-/blob/e7fe50276dbbe581a607b9c2989fd2822718056a/app/policies/project_policy.rb#L708).
  * This case will reject the user from getting the `package` permissions.

Now, here is the interesting part:

* If I create a project with `public` visibility and then make it `private`, the `repository` feature is set to `PRIVATE`.
  * We will end up in (2.) above and thus, we will hit the ~bug.
* If I create a project with a `private` visibility, the `repository` feature is set to `ENABLED`.
  * We will end up in (3.) and the `package` permissions will be granted.

### Proposal

Remove the code that checks the `repository` feature when checking `package` permissions.

#### Related issues

- Deploy token epic: https://gitlab.com/groups/gitlab-org/-/epics/6192
- Feature specific permissions change (this will decouple the repository permissions from the container registry, package registry and LFS): https://gitlab.com/gitlab-org/gitlab/-/issues/329253

/cc @bufferoverflow @fh1ch @dlouzan @wwwjon @max-wittig :tools: with :heart: at Siemens
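To make the walkthrough above concrete, here is a constructed Ruby model of the feature-access function, the negative rule, and the proposed fix. It is an added example, not GitLab's policy code; the constant values, the `Member`/`DeployToken` structs and the function names are assumptions chosen for illustration.

```ruby
# Toy model of the policy logic described above (constructed for this issue,
# not GitLab's code). Feature levels and access levels are illustrative values.
DISABLED = 0
PRIVATE  = 10
ENABLED  = 20
GUEST    = 10

# A project member has an access level; a deploy token has none at all.
Member      = Struct.new(:access_level)
DeployToken = Struct.new(:read_package_registry)

# The "has the current user access to this project feature" check:
#   1. DISABLED -> false
#   2. PRIVATE  -> the caller needs at least the feature's minimum access level
#   3. anything else (e.g. ENABLED) -> true
def feature_available?(feature_level, actor, min_access = GUEST)
  case feature_level
  when DISABLED then false
  when PRIVATE
    level = actor.respond_to?(:access_level) ? actor.access_level : nil
    !level.nil? && level >= min_access   # a DeployToken never passes this branch
  else
    true
  end
end

# The "special condition": a deploy token gets packages access when its
# read_package_registry scope is set; a member gets it through membership.
def base_packages_grant?(actor)
  actor.is_a?(DeployToken) ? actor.read_package_registry : !actor.access_level.nil?
end

# Current behaviour: the negative rule strips packages permissions when
# either the packages or the repository feature check fails.
def can_read_package_current?(project, actor)
  base_packages_grant?(actor) &&
    feature_available?(project[:packages], actor) &&
    feature_available?(project[:repository], actor)
end

# Proposed behaviour: only the packages feature gates packages permissions.
def can_read_package_proposed?(project, actor)
  base_packages_grant?(actor) && feature_available?(project[:packages], actor)
end

# The two project shapes from the issue.
PUBLIC_THEN_PRIVATE = { packages: ENABLED, repository: PRIVATE }
CREATED_PRIVATE     = { packages: ENABLED, repository: ENABLED }
```

With a deploy token that has `read_package_registry`, `can_read_package_current?` returns `false` for the public-then-private project but `true` for the project created private, while `can_read_package_proposed?` returns `true` for both and still returns `false` once the `packages` feature itself is `DISABLED`.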