Make sure to filter starred repos to those visible to the user

Fixes #1793
Joseph Schorr 2016-08-31 14:07:05 -04:00
parent b4939a3cd0
commit 1b7b3ea41d
2 changed files with 31 additions and 7 deletions


@ -20,7 +20,7 @@ from endpoints.api.billing import lookup_allowed_private_repos, get_namespace_pl
from endpoints.api.subscribe import check_repository_usage
from auth.permissions import (ModifyRepositoryPermission, AdministerRepositoryPermission,
CreateRepositoryPermission)
CreateRepositoryPermission, ReadRepositoryPermission)
from auth.auth_context import get_authenticated_user
from auth import scopes
from util.names import REPOSITORY_NAME_REGEX
@ -158,8 +158,12 @@ class RepositoryList(ApiResource):
# No repositories should be returned, as there is no user.
abort(400)
# Return the full list of repos starred by the current user.
repos = list(model.repository.get_user_starred_repositories(user))
# Return the full list of repos starred by the current user that are still visible to them.
def can_view_repo(repo):
return ReadRepositoryPermission(repo.namespace_user.username, repo.name).can()
unfiltered_repos = model.repository.get_user_starred_repositories(user)
repos = [repo for repo in unfiltered_repos if can_view_repo(repo)]
elif parsed_args['namespace']:
# Repositories filtered by namespace do not need pagination (their results are fairly small),
# so we just do the lookup directly.
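Review bot: `can_view_repo` in the starred branch of `RepositoryList` decides visibility from `ReadRepositoryPermission(...).can()` alone, so whether a starred public repository on which the user holds no explicit role survives the filter depends on how that permission class treats public repositories, which is not visible here. If it reflects only granted roles, the helper should also accept public repositories, and a one-line comment such as `# Stars outlive access changes, so re-check read access before listing.` would record why the filter exists. The check also lives only in this endpoint branch, so any other caller of `get_user_starred_repositories` would still receive the unfiltered list; applying the visibility filter in the model query would close that gap and avoid evaluating a permission per repository. The enclosing method starts and ends outside the hunk.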