Alpine package registry: Can't authenticate as user on team with package read access

[mintyhippoxyz]

Description

Hello, I reached out on Discord last week and was told this sounds like a bug.

I've been setting up a private Alpine package registry. As the Gitea instance owner/admin everything works great.

The problem comes in when trying to use the registry as another user (same org, different team w/ package read permission). All requests as that user result in a 401 reqPackageAccess. Also noteworthy, as that same user, I have no problems pulling from the container registry. I did for the heck of it try temporarily giving that user's team package write access but that didn't have any effect on the read access.

router: completed GET /api/packages/<org omitted>/alpine/key for <ip omitted>:0, 401 Unauthorized in 25.0ms @ packages/api.go:43(packages.CommonRoutes.func1.reqPackageAccess)
router: completed GET /api/packages/<org omitted>/alpine/v3.19/main/x86_64/APKINDEX.tar.gz for <ip omitted>:0, 401 Unauthorized in 24.0ms @ packages/api.go:43(packages.CommonRoutes.func1.reqPackageAccess)

Happy to provide more logs if there's anything more useful to gather on this.

Gitea Version

1.21.3

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Screenshots

No response

Git Version

2.43.0

Operating System

Alpine Linux 3.19

How are you running Gitea?

Distro package

Database

PostgreSQL

[mintyhippoxyz]

/api/packages/{owner}/alpine
It finally clicked. Its owner not org. Team permissions do not matter here.

My other mistake was overlooking the api token scope for the user with read-only access.
gitea admin user generate-access-token --username rouser --token-name test --scopes read:package

#20596 should address more fine grained permissions.