Protect the search and repository list endpoints appropriately. Add more differentiating data to some need types. Remove the notification about password change from the user admin page. Select the dependent models for the visible repo list.

auth/permissions.py

@@ -15,10 +15,13 @@ logger = logging.getLogger(__name__)
 
 _ResourceNeed = namedtuple('resource', ['type', 'namespace', 'name', 'role'])
 _RepositoryNeed = partial(_ResourceNeed, 'repository')
-_OrganizationNeed = namedtuple('organization', ['orgname', 'role'])
-_OrganizationRepoNeed = namedtuple('organization', ['orgname', 'role'])
-_TeamNeed = namedtuple('orgteam', ['orgname', 'teamname', 'role'])
-_UserNeed = namedtuple('user', ['username', 'role'])
+_NamespaceWideNeed = namedtuple('namespacewide', ['type', 'namespace', 'role'])
+_OrganizationNeed = partial(_NamespaceWideNeed, 'organization')
+_OrganizationRepoNeed = partial(_NamespaceWideNeed, 'organizationrepo')
+_TeamTypeNeed = namedtuple('teamwideneed', ['type', 'orgname', 'teamname', 'role'])
+_TeamNeed = partial(_TeamTypeNeed, 'orgteam')
+_UserTypeNeed = namedtuple('userspecificneed', ['type', 'username', 'role'])
+_UserNeed = partial(_UserTypeNeed, 'user')
 
 
 REPO_ROLES = [None, 'read', 'write', 'admin']
@@ -87,8 +90,8 @@ class QuayDeferredPermissionUser(Identity):
 
       # Add the user specific permissions, only for non-oauth permission      
       user_grant = _UserNeed(user_object.username, self._user_role_for_scopes('admin'))
-      self.provides.add(user_grant)
       logger.debug('User permission: {0}'.format(user_grant))
+      self.provides.add(user_grant)
 
       # Every user is the admin of their own 'org'
       user_namespace = _OrganizationNeed(user_object.username, self._team_role_for_scopes('admin'))
@@ -97,22 +100,22 @@ class QuayDeferredPermissionUser(Identity):
 
       # Org repo roles can differ for scopes
       user_repos = _OrganizationRepoNeed(user_object.username, self._repo_role_for_scopes('admin'))
-      logger.debug('User namespace permission: {0}'.format(user_repos))
+      logger.debug('User namespace repo permission: {0}'.format(user_repos))
       self.provides.add(user_repos)
 
       # Add repository permissions
       for perm in model.get_all_user_permissions(user_object):
-        grant = _RepositoryNeed(perm.repository.namespace, perm.repository.name,
-                                self._repo_role_for_scopes(perm.role.name))
-        logger.debug('User added permission: {0}'.format(grant))
-        self.provides.add(grant)
+        repo_grant = _RepositoryNeed(perm.repository.namespace, perm.repository.name,
+                                     self._repo_role_for_scopes(perm.role.name))
+        logger.debug('User added permission: {0}'.format(repo_grant))
+        self.provides.add(repo_grant)
 
       # Add namespace permissions derived
       for team in model.get_org_wide_permissions(user_object):
-        grant = _OrganizationNeed(team.organization.username,
-                                  self._team_role_for_scopes(team.role.name))
-        logger.debug('Organization team added permission: {0}'.format(grant))
-        self.provides.add(grant)
+        team_org_grant = _OrganizationNeed(team.organization.username,
+                                           self._team_role_for_scopes(team.role.name))
+        logger.debug('Organization team added permission: {0}'.format(team_org_grant))
+        self.provides.add(team_org_grant)
 
 
         team_repo_role = TEAM_REPO_ROLES[team.role.name]