Adapt Ruby gems API to consider package registry access level
What does this MR do and why?
Solves #385259 (closed)
This MR is a step of #329253 (closed) (see implementation plan):
- In !82808 (merged), we added a new Package Registry visiblity setting in the project settings to allow access to the package registry for everyone even in private projects - behind the
package_registry_access_level
feature flag. - In !90963 (merged) and !97001 (merged), we modified the package policies to consider the new setting - behind the
read_package_policy_rule
feature flag and cleaned up in !96767 (merged).
Now, we need to modify the APIs of all package types to the changes: This MR adapts the Ruby gems API.
Why do we need to modify the API if considering the new setting has already been implemented in the policies?
Currently, it checks in a first step if there's access to the project (:read_project
permission). If not, the request is aborted prematurely. The :read_package
permission is checked only in a second step.
But with the new project settings, it's possible that there's NO access to the project itself (:read_project
permission), but there's access to the package registry (:read_package
permission).
So we must not check for the :read_project
permission first.
/cc @bufferoverflow
How to set up and validate locally
-
Enable the feature flags:
Feature.enable(:read_package_policy_rule) Feature.enable(:rubygem_packages)
-
Try to download a gem file or fetch dependencies of a private project as anonymous (see docs):
➡ 404 Project Not Found
GET projects/:id/packages/rubygems/gems/:file_name
GET projects/:id/packages/rubygems/api/v1/dependencies
-
Change the
package_registry_access_level
of the private project to allow access for everyone:project = Project.find(2) project.project_feature.update!(package_registry_access_level: ProjectFeature::PUBLIC)
-
Try to download a gem file or fetch dependencies of a private project as anonymous (see docs):
➡ 200 OK
GET projects/:id/packages/rubygems/gems/:file_name
GET projects/:id/packages/rubygems/api/v1/dependencies
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
-
I have evaluated the MR acceptance checklist for this MR.