Diffstat (limited to 'lib/api/helpers')
-rw-r--r--lib/api/helpers/groups_helpers.rb2
-rw-r--r--lib/api/helpers/open_api.rb19
-rw-r--r--lib/api/helpers/packages/basic_auth_helpers.rb22
-rw-r--r--lib/api/helpers/packages/dependency_proxy_helpers.rb18
-rw-r--r--lib/api/helpers/personal_access_tokens_helpers.rb13
-rw-r--r--lib/api/helpers/projects_helpers.rb6
6 files changed, 60 insertions, 20 deletions
diff --git a/lib/api/helpers/groups_helpers.rb b/lib/api/helpers/groups_helpers.rb
index e9af50b80be..74c8b582fde 100644
--- a/lib/api/helpers/groups_helpers.rb
+++ b/lib/api/helpers/groups_helpers.rb
@@ -11,7 +11,7 @@ module API
optional :visibility, type: String,
values: Gitlab::VisibilityLevel.string_values,
desc: 'The visibility of the group'
- optional :avatar, type: ::API::Validations::Types::WorkhorseFile, desc: 'Avatar image for the group'
+ optional :avatar, type: ::API::Validations::Types::WorkhorseFile, desc: 'Avatar image for the group', documentation: { type: 'file' }
optional :share_with_group_lock, type: Boolean, desc: 'Prevent sharing a project with another group within this group'
optional :require_two_factor_authentication, type: Boolean, desc: 'Require all users in this group to setup Two-factor authentication'
optional :two_factor_grace_period, type: Integer, desc: 'Time before Two-factor authentication is enforced'
diff --git a/lib/api/helpers/open_api.rb b/lib/api/helpers/open_api.rb
new file mode 100644
index 00000000000..11602244b57
--- /dev/null
+++ b/lib/api/helpers/open_api.rb
@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module API
+ module Helpers
+ module OpenApi
+ extend ActiveSupport::Concern
+
+ class_methods do
+ def add_open_api_documentation!
+ return if Rails.env.production?
+
+ open_api_config = YAML.load_file(Rails.root.join('config/open_api.yml'))['metadata'].deep_symbolize_keys
+
+ add_swagger_documentation(open_api_config)
+ end
+ end
+ end
+ end
+end
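Review bot: In `add_open_api_documentation!`, `YAML.load_file(...)['metadata'].deep_symbolize_keys` fails with a NoMethodError on nil when `config/open_api.yml` has no `metadata` key, which hides the real cause. `.fetch('metadata')` would raise a KeyError naming the missing key instead. The file is repository-controlled, so the loader choice is low risk, but `YAML.safe_load_file` (where the bundled Psych provides it) would make the plain-data intent explicit. The early return on `Rails.env.production?` also deserves a one-line comment stating why documentation is not registered there.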
diff --git a/lib/api/helpers/packages/basic_auth_helpers.rb b/lib/api/helpers/packages/basic_auth_helpers.rb
index ebedb3b7563..a62bb1d4991 100644
--- a/lib/api/helpers/packages/basic_auth_helpers.rb
+++ b/lib/api/helpers/packages/basic_auth_helpers.rb
@@ -14,15 +14,27 @@ module API
include Constants
include Gitlab::Utils::StrongMemoize
- def authorized_user_project
- @authorized_user_project ||= authorized_project_find!
+ def authorized_user_project(action: :read_project)
+ strong_memoize("authorized_user_project_#{action}") do
+ authorized_project_find!(action: action)
+ end
end
- def authorized_project_find!
+ def authorized_project_find!(action: :read_project)
project = find_project(params[:id])
- unless project && can?(current_user, :read_project, project)
- return unauthorized_or! { not_found! }
+ return unauthorized_or! { not_found! } unless project
+
+ case action
+ when :read_package
+ unless can?(current_user, :read_package, project&.packages_policy_subject)
+ # guest users can have :read_project but not :read_package
+ return forbidden! if can?(current_user, :read_project, project)
+
+ return unauthorized_or! { not_found! }
+ end
+ else
+ return unauthorized_or! { not_found! } unless can?(current_user, action, project)
end
project
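Review bot: The `else` branch of `authorized_project_find!` forwards `action` straight into `can?`, so the check is only as strong as the symbol each caller passes. An unknown ability presumably evaluates to false and fails closed, but nothing here says so. I would document the contract above the method, e.g. `# action must be a project ability chosen by the endpoint, never derived from request params`. On the `:read_package` line, the safe navigation in `project&.packages_policy_subject` is redundant after the `return ... unless project` guard and suggests `project` could still be nil; `project.packages_policy_subject` is clearer. The method's closing `end` lies outside the hunk.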
diff --git a/lib/api/helpers/packages/dependency_proxy_helpers.rb b/lib/api/helpers/packages/dependency_proxy_helpers.rb
index a09499e00d7..dc81e5e1b51 100644
--- a/lib/api/helpers/packages/dependency_proxy_helpers.rb
+++ b/lib/api/helpers/packages/dependency_proxy_helpers.rb
@@ -16,8 +16,8 @@ module API
maven: 'maven_package_requests_forwarding'
}.freeze
- def redirect_registry_request(forward_to_registry, package_type, options)
- if forward_to_registry && redirect_registry_request_available?(package_type) && maven_forwarding_ff_enabled?(package_type, options[:target])
+ def redirect_registry_request(forward_to_registry: false, package_type: nil, target: nil, **options)
+ if forward_to_registry && redirect_registry_request_available?(package_type, target) && maven_forwarding_ff_enabled?(package_type, target)
::Gitlab::Tracking.event(self.options[:for].name, "#{package_type}_request_forward")
redirect(registry_url(package_type, options))
else
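Review bot: `package_type: nil` in the new `redirect_registry_request` signature makes a mandatory argument look optional. With `forward_to_registry: true` and no `package_type`, the lookup in `redirect_registry_request_available?` raises `ArgumentError` only on the forwarding path. Declaring it as a required keyword, `def redirect_registry_request(package_type:, forward_to_registry: false, target: nil, **options)`, surfaces the omission on every call. The `else` branch continues outside the hunk.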
@@ -40,15 +40,19 @@ module API
end
end
- def redirect_registry_request_available?(package_type)
+ def redirect_registry_request_available?(package_type, target)
application_setting_name = APPLICATION_SETTING_NAMES[package_type]
raise ArgumentError, "Can't find application setting for package_type #{package_type}" unless application_setting_name
- ::Gitlab::CurrentSettings
- .current_application_settings
- .attributes
- .fetch(application_setting_name, false)
+ if target.present? && Feature.enabled?(:cascade_package_forwarding_settings, target)
+ target.public_send(application_setting_name) # rubocop:disable GitlabSecurity/PublicSend
+ else
+ ::Gitlab::CurrentSettings
+ .current_application_settings
+ .attributes
+ .fetch(application_setting_name, false)
+ end
end
private
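Review bot: The `# rubocop:disable GitlabSecurity/PublicSend` on `target.public_send(application_setting_name)` carries no justification. The call is bounded because `application_setting_name` comes from the frozen `APPLICATION_SETTING_NAMES` map and a miss raises just above. That reasoning belongs next to the disable: `# Safe: the method name comes from the frozen APPLICATION_SETTING_NAMES allowlist, not from the request`. The two branches also differ in what they return: the settings branch falls back to `false`, while the `target` branch returns whatever the method yields and assumes `target` responds to it. Whether that can be nil depends on code outside this hunk.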
diff --git a/lib/api/helpers/personal_access_tokens_helpers.rb b/lib/api/helpers/personal_access_tokens_helpers.rb
index db28daa5396..4fd72d89f4c 100644
--- a/lib/api/helpers/personal_access_tokens_helpers.rb
+++ b/lib/api/helpers/personal_access_tokens_helpers.rb
@@ -4,11 +4,14 @@ module API
module Helpers
module PersonalAccessTokensHelpers
def finder_params(current_user)
- if current_user.can_admin_all_resources?
- { user: user(params[:user_id]) }
- else
- { user: current_user, impersonation: false }
- end
+ user_param =
+ if current_user.can_admin_all_resources?
+ { user: user(params[:user_id]) }
+ else
+ { user: current_user, impersonation: false }
+ end
+
+ declared(params, include_missing: false).merge(user_param)
end
def user(user_id)
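Review bot: In `finder_params`, the non-admin scoping now depends on `user_param` winning the `merge` over whatever `declared(params, include_missing: false)` returns. That holds if `declared` yields an indifferent-access hash; with plain string keys, a declared `user` or `impersonation` entry would survive next to the symbol keys, so please confirm which it is for this API. Declared filters such as `user_id` are also handed to the finder for non-admins; if the finder reads that key (not visible here), it should be dropped first, e.g. `declared(params, include_missing: false).except(:user_id).merge(user_param)`. A comment like `# user_param is merged last so request params can never widen the user scope` would record the intent.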
diff --git a/lib/api/helpers/projects_helpers.rb b/lib/api/helpers/projects_helpers.rb
index 7ca3f55b5a2..9839828a5b4 100644
--- a/lib/api/helpers/projects_helpers.rb
+++ b/lib/api/helpers/projects_helpers.rb
@@ -36,6 +36,7 @@ module API
optional :analytics_access_level, type: String, values: %w(disabled private enabled), desc: 'Analytics access level. One of `disabled`, `private` or `enabled`'
optional :container_registry_access_level, type: String, values: %w(disabled private enabled), desc: 'Controls visibility of the container registry. One of `disabled`, `private` or `enabled`. `private` will make the container registry accessible only to project members (reporter role and above). `enabled` will make the container registry accessible to everyone who has access to the project. `disabled` will disable the container registry'
optional :security_and_compliance_access_level, type: String, values: %w(disabled private enabled), desc: 'Security and compliance access level. One of `disabled`, `private` or `enabled`'
+ optional :releases_access_level, type: String, values: %w(disabled private enabled), desc: 'Releases access level. One of `disabled`, `private` or `enabled`'
optional :emails_disabled, type: Boolean, desc: 'Disable email notifications'
optional :show_default_award_emojis, type: Boolean, desc: 'Show default award emojis'
@@ -58,7 +59,7 @@ module API
optional :only_allow_merge_if_all_discussions_are_resolved, type: Boolean, desc: 'Only allow to merge if all threads are resolved'
optional :tag_list, type: Array[String], coerce_with: ::API::Validations::Types::CommaSeparatedToArray.coerce, desc: 'Deprecated: Use :topics instead'
optional :topics, type: Array[String], coerce_with: ::API::Validations::Types::CommaSeparatedToArray.coerce, desc: 'The list of topics for a project'
- optional :avatar, type: ::API::Validations::Types::WorkhorseFile, desc: 'Avatar image for project'
+ optional :avatar, type: ::API::Validations::Types::WorkhorseFile, desc: 'Avatar image for project', documentation: { type: 'file' }
optional :printing_merge_request_link_enabled, type: Boolean, desc: 'Show link to create/view merge request when pushing from the command line'
optional :merge_method, type: String, values: %w(ff rebase_merge merge), desc: 'The merge method used when merging merge requests'
optional :suggestion_commit_message, type: String, desc: 'The commit message used to apply merge request suggestions'
@@ -72,7 +73,7 @@ module API
optional :repository_storage, type: String, desc: 'Which storage shard the repository is on. Available only to admins'
optional :packages_enabled, type: Boolean, desc: 'Enable project packages feature'
optional :squash_option, type: String, values: %w(never always default_on default_off), desc: 'Squash default for project. One of `never`, `always`, `default_on`, or `default_off`.'
- optional :mr_default_target_self, Boolean, desc: 'Merge requests of this forked project targets itself by default'
+ optional :mr_default_target_self, type: Boolean, desc: 'Merge requests of this forked project targets itself by default'
end
params :optional_project_params_ee do
@@ -179,6 +180,7 @@ module API
:keep_latest_artifact,
:mr_default_target_self,
:enforce_auth_checks_on_uploads,
+ :releases_access_level,
# TODO: remove in API v5, replaced by *_access_level
:issues_enabled,