Make sure to search teams as well when determining the robots which have access to a private repo

data/model/legacy.py

@@ -825,6 +825,34 @@ def get_all_repo_users(namespace_name, repository_name):
                          Repository.name == repository_name)
 
 
+def get_all_repo_users_transitive_via_teams(namespace_name, repository_name):
+  select = User.select().distinct()
+  with_team_member = select.join(TeamMember)
+  with_team = with_team_member.join(Team)
+  with_perm = with_team.join(RepositoryPermission)
+  with_repo = with_perm.join(Repository)
+  return with_repo.where(Repository.namespace == namespace_name,
+                          Repository.name == repository_name)
+
+
+def get_all_repo_users_transitive(namespace_name, repository_name):
+  # Load the users found via teams and directly via permissions.
+  via_teams = get_all_repo_users_transitive_via_teams(namespace_name, repository_name)
+  directly = [perm.user for perm in get_all_repo_users(namespace_name, repository_name)]
+
+  # Filter duplicates.
+  user_set = set()
+
+  def check_add(u):
+    if u.username in user_set:
+      return False
+
+    user_set.add(u.username)
+    return True
+
+  return [user for user in list(directly) + list(via_teams) if check_add(user)]
+
+
 def get_repository_for_resource(resource_key):
   try:
     return (Repository

endpoints/api/trigger.py

@@ -350,8 +350,8 @@ class BuildTriggerAnalyze(RepositoryParamResource):
           (robot_namespace, shortname) = parse_robot_username(user.username)
           return AdministerOrganizationPermission(robot_namespace).can()
       
-        repo_perms = model.get_all_repo_users(base_namespace, base_repository)
-        read_robots = [robot_view(perm.user) for perm in repo_perms if is_valid_robot(perm.user)]
+        repo_users = list(model.get_all_repo_users_transitive(base_namespace, base_repository))
+        read_robots = [robot_view(user) for user in repo_users if is_valid_robot(user)]
 
       return {
         'namespace': base_namespace,