Make "allow anyone to pull" work with group-level NuGet endpoints
🔭 Context
Feature specific permissions for the Package R... (#329253 - closed) it was suggested to have a way to have a public package registry in a non public (private or internal) projects.
We quickly discovered challenges for endpoints above the group-level. Thus, we decided to scope that issue to project-level endpoints only (see #329253 (comment 1120283554)).
🔥 Problem
The problem is twofold here:
- User might want to be able to pull packages from a public package registry (in a non-public project) at the group-level endpoint.
- Some formats don't have project-level endpoints, for example Composer. As such, the
Allow anyone to pull
toggle will not work for Composer packages.
🚒 Solution
At the group level, we have finders to collect all the project or packages that a user can access. This part use the user access level.
In short, we have a sql query that says: within this group, collect all the public projects + all the projects where the user has reporter
access.
We will need to update that to: within this group, collect all the public projects + all the projects where the user has reporter
access + all the projects that have a public package registry.