## :telescope: Context https://gitlab.com/gitlab-org/gitlab/-/issues/329253+ it was suggested to have a way to have a public package registry in a non public (private or internal) projects. We quickly discovered challenges for endpoints above the group-level. Thus, we decided to scope that issue to project-level endpoints only (see https://gitlab.com/gitlab-org/gitlab/-/issues/329253#note_1120283554). ## :fire: Problem The problem is twofold here: * User might want to be able to pull packages from a public package registry (in a non-public project) at the group-level endpoint. * Some formats don't have project-level endpoints, for example Composer. As such, the `Allow anyone to pull` toggle will not work for Composer packages. ## :fire_engine: Solution At the group level, we have finders to collect all the project or packages that a user can access. This [part](https://gitlab.com/gitlab-org/gitlab/-/blob/42321b18b946c64d2f6f788c38844499a5ae9141/app/finders/concerns/packages/finder_helper.rb#L35-36) use the user access level. In short, we have a sql query that says: within this group, collect all the public projects + all the projects where the user has `reporter` access. We will need to update that to: within this group, collect all the public projects + all the projects where the user has `reporter` access + all the projects that have a public package registry. :warning: This part is pretty impactful on the performance of the group level endpoints. As such, make sure that an analysis of all group endpoints is done.