Break out repo kind checking into its own decorator

We then use that decorator both in the API and in the permissions check decorator

endpoints/appr/registry.py

@@ -15,6 +15,7 @@ from auth.process import process_auth
 from auth.auth_context import get_authenticated_user
 from auth.permissions import CreateRepositoryPermission, ModifyRepositoryPermission
 from endpoints.appr import appr_bp, require_app_repo_read, require_app_repo_write
+from endpoints.appr.decorators import disallow_for_image_repository
 from endpoints.appr.cnr_backend import Package, Channel, Blob
 from endpoints.decorators import anon_allowed, anon_protect
 
@@ -109,6 +110,8 @@ def delete_package(namespace, package_name, release, media_type):
   methods=['GET'],
   strict_slashes=False
 )
+@process_auth
+@require_app_repo_read
 def show_package(namespace, package_name, release, media_type):
   reponame = repo_name(namespace, package_name)
   result = cnr_registry.show_package(reponame, release,
@@ -163,6 +166,7 @@ def pull(namespace, package_name, release, media_type):
 
 @appr_bp.route("/api/v1/packages/<string:namespace>/<string:package_name>", methods=['POST'],
                strict_slashes=False)
+@disallow_for_image_repository()
 @process_auth
 @anon_protect
 def push(namespace, package_name):