Protect the search and repository list endpoints appropriately. Add more differentiating data to some need types. Remove the notification about password change from the user admin page. Select the dependent models for the visible repo list.

2014-03-25 17:26:45 -04:00 · 2014-03-25 17:26:45 -04:00 · 41cfadac23
commit 41cfadac23
parent afb3a67b7b
7 changed files with 53 additions and 44 deletions
--- a/endpoints/api/repository.py
+++ b/endpoints/api/repository.py
@ -9,7 +9,7 @@ from endpoints.api import (truthy_bool, format_date, nickname, log_action, valid
                           RepositoryParamResource, resource, query_param, parse_args, ApiResource,
                           request_error, require_scope, Unauthorized, NotFound, InvalidRequest)
 from auth.permissions import (ModifyRepositoryPermission, AdministerRepositoryPermission,
-                              CreateRepositoryPermission)
+                              CreateRepositoryPermission, ReadRepositoryPermission)
 from auth.auth_context import get_authenticated_user
 from auth import scopes

@ -132,7 +132,8 @@ class RepositoryList(ApiResource):
                                                include_public=args['public'], sort=args['sort'],
                                                namespace=args['namespace'])

-    response['repositories'] = [repo_view(repo) for repo in repo_query]
+    response['repositories'] = [repo_view(repo) for repo in repo_query
+                                if ReadRepositoryPermission(repo.namespace, repo.name).can()]

    return response