fix(packages): allow read access for private packages

Changes permission check from write to read access for viewing private packages. Organization members with read permissions can now view private packages, not just those with write access.
2026-01-24 14:37:19 -05:00
parent 1a8a6639b4
commit baaa8803a9
2 changed files with 4 additions and 4 deletions
--- a/routers/web/user/package.go
+++ b/routers/web/user/package.go
@@ -63,7 +63,7 @@ func canViewPrivatePackages(ctx gocontext.Context, owner, viewer *user_model.Use
 		return true
 	}

-	// For organizations, check if viewer has write access to packages
+	// For organizations, check if viewer has read access to packages (is a member)
 	if owner.IsOrganization() {
 		org := org_model.OrgFromUser(owner)
 		teams, err := org_model.GetUserOrgTeams(ctx, org.ID, viewer.ID)
@@ -71,7 +71,7 @@ func canViewPrivatePackages(ctx gocontext.Context, owner, viewer *user_model.Use
 			return false
 		}
 		for _, t := range teams {
-			if t.UnitAccessMode(ctx, unit.TypePackages) >= perm.AccessModeWrite {
+			if t.UnitAccessMode(ctx, unit.TypePackages) >= perm.AccessModeRead {
 				return true
 			}
 		}
--- a/services/context/package.go
+++ b/services/context/package.go
@@ -126,8 +126,8 @@ func packageAssignment(ctx *packageAssignmentCtx, errCb func(int, any)) *Package
 			return pkg
 		}

-		// Check if package is private and user doesn't have write access
-		if pkg.Descriptor.Package.IsPrivate && pkg.AccessMode < perm.AccessModeWrite {
+		// Check if package is private and user doesn't have read access
+		if pkg.Descriptor.Package.IsPrivate && pkg.AccessMode < perm.AccessModeRead {
 			errCb(http.StatusNotFound, errors.New("package is private"))
 			return pkg
 		}