Private Registry seems to allow unauthenticated access

Hello,

We came across an interesting, although a little concerning, issue: we have a private registry on gitlab.com where we put Python packages.

In attempting to access it from an external machine, we managed to access a .whl file without actually authenticating.

We used a crafted URL based on its SHA reference.

I’d be happy to put together a new issue for this although I might need assistance, selecting the right template for instance.