Protect the search and repository list endpoints appropriately. Add more differentiating data to some need types. Remove the notification about password change from the user admin page. Select the dependent models for the visible repo list.

endpoints/api/user.py

@@ -14,7 +14,8 @@ from endpoints.api.subscribe import subscribe
 from endpoints.common import common_login
 from data import model
 from data.plans import get_plan
-from auth.permissions import AdministerOrganizationPermission, CreateRepositoryPermission
+from auth.permissions import (AdministerOrganizationPermission, CreateRepositoryPermission,
+                              UserAdminPermission)
 from auth.auth_context import get_authenticated_user
 from auth import scopes
 from util.gravatar import compute_hash
@@ -46,20 +47,26 @@ def user_view(user):
 
   logins = model.list_federated_logins(user)
 
-  return {
+  user_response = {
     'verified': user.verified,
     'anonymous': False,
     'username': user.username,
     'email': user.email,
     'gravatar': compute_hash(user.email),
-    'askForPassword': user.password_hash is None,
-    'organizations': [org_view(o) for o in organizations],
-    'logins': [login_view(login) for login in logins],
-    'can_create_repo': True,
-    'invoice_email': user.invoice_email,
-    'preferred_namespace': not (user.stripe_id is None)
   }
 
+  user_admin = UserAdminPermission(user.username)
+  if user_admin.can():
+    user_response.update({
+      'organizations': [org_view(o) for o in organizations],
+      'logins': [login_view(login) for login in logins],
+      'can_create_repo': True,
+      'invoice_email': user.invoice_email,
+      'preferred_namespace': not (user.stripe_id is None),
+    })
+
+  return user_response
+
 
 def notification_view(notification):
   return {
@@ -119,7 +126,7 @@ class User(ApiResource):
     },
   }
 
-  @require_scope(scopes.READ_USER)
+  @require_user_read
   @nickname('getLoggedInUser')
   def get(self):
     """ Get user information for the authenticated user. """