Fix permissions on accessing archived logs

endpoints/web.py

@@ -343,14 +343,20 @@ def sitemap():
 
 @web.route('/buildlogs/<build_uuid>', methods=['GET'])
 @route_show_if(features.BUILD_SUPPORT)
-@require_session_login
+@process_auth_or_cookie
 def buildlogs(build_uuid):
   found_build = model.build.get_repository_build(build_uuid)
   if not found_build:
     abort(403)
 
   repo = found_build.repository
-  if not ModifyRepositoryPermission(repo.namespace_user.username, repo.name).can():
+  has_permission = ModifyRepositoryPermission(repo.namespace_user.username, repo.name).can()
+  if features.READER_BUILD_LOGS and not has_permission:
+    if (ReadRepositoryPermission(repo.namespace_user.username, repo.name).can() or
+        model.repository.repository_is_public(repo.namespace_user.username, repo.name)):
+      has_permission = True
+
+  if not has_permission:
     abort(403)
 
   # If the logs have been archived, just return a URL of the completed archive
@@ -368,7 +374,7 @@ def buildlogs(build_uuid):
 
 @web.route('/logarchive/<file_id>', methods=['GET'])
 @route_show_if(features.BUILD_SUPPORT)
-@require_session_login
+@process_auth_or_cookie
 def logarchive(file_id):
   JSON_MIMETYPE = 'application/json'
   try:
@@ -378,7 +384,13 @@ def logarchive(file_id):
     abort(403)
 
   repo = found_build.repository
-  if not ModifyRepositoryPermission(repo.namespace_user.username, repo.name).can():
+  has_permission = ModifyRepositoryPermission(repo.namespace_user.username, repo.name).can()
+  if features.READER_BUILD_LOGS and not has_permission:
+    if (ReadRepositoryPermission(repo.namespace_user.username, repo.name).can() or
+        model.repository.repository_is_public(repo.namespace_user.username, repo.name)):
+      has_permission = True
+
+  if not has_permission:
     abort(403)
 
   try: