Add latest changes from gitlab-org/gitlab@master

2 files changed, 20 insertions, 2 deletions

diff --git a/app/finders/packages/group_or_project_package_finder.rb b/app/finders/packages/group_or_project_package_finder.rb
index fb8bcfc7d42..5b5f70bf459 100644
--- a/app/finders/packages/group_or_project_package_finder.rb
+++ b/app/finders/packages/group_or_project_package_finder.rb
@@ -26,9 +26,9 @@ module Packages
 
     def base
       if project?
-        packages_for_project(@project_or_group)
+        project_packages
       elsif group?
-        packages_visible_to_user(@current_user, within_group: @project_or_group)
+        group_packages
       else
         ::Packages::Package.none
       end
@@ -41,5 +41,13 @@ module Packages
     def group?
       @project_or_group.is_a?(::Group)
     end
+
+    def project_packages
+      packages_for_project(@project_or_group)
+    end
+
+    def group_packages
+      packages_visible_to_user(@current_user, within_group: @project_or_group)
+    end
   end
 end
diff --git a/app/finders/packages/pypi/package_finder.rb b/app/finders/packages/pypi/package_finder.rb
index 574e9770363..3a37e404b79 100644
--- a/app/finders/packages/pypi/package_finder.rb
+++ b/app/finders/packages/pypi/package_finder.rb
@@ -12,6 +12,16 @@ module Packages
       def packages
         base.pypi.has_version
       end
+
+      def group_packages
+        # PyPI finds packages without checking permissions.
+        # The package download endpoint uses obfuscation to secure the file
+        # instead of authentication. This is behavior the PyPI package
+        # manager defines and is not something GitLab controls.
+        ::Packages::Package.for_projects(
+          @project_or_group.all_projects.select(:id)
+        ).installable
+      end
     end
   end
 end