Prevent CNR methods from auth-ing on non-app repos

endpoints/appr/decorators.py

@@ -2,6 +2,8 @@ import logging
 
 from functools import wraps
 
+from flask import abort
+
 from data import model
 
 
@@ -24,6 +26,11 @@ def require_repo_permission(permission_class, scopes=None, allow_public=False,
     def wrapped(*args, **kwargs):
       namespace_name, repo_name = get_reponame_method(*args, **kwargs)
 
+      image_repo = model.repository.get_repository(namespace_name, repo_name, kind_filter='image')
+      if image_repo is not None:
+        logger.debug('Tried to invoked a CNR method on an image repository')
+        abort(501)
+
       logger.debug('Checking permission %s for repo: %s/%s', permission_class,
                    namespace_name, repo_name)
       permission = permission_class(namespace_name, repo_name)

endpoints/appr/test/test_decorators.py

@@ -0,0 +1,19 @@
+import pytest
+
+from werkzeug.exceptions import NotImplemented as NIE
+
+from data import model
+from endpoints.test.fixtures import app, appconfig, database_uri, init_db_path, sqlitedb_file
+from endpoints.appr import require_app_repo_read
+
+def test_require_app_repo_read(app):
+  called = [False]
+
+  # Ensure that trying to read an *image* repository fails.
+  @require_app_repo_read
+  def empty(**kwargs):
+    called[0] = True
+
+  with pytest.raises(NIE):
+    empty(namespace='devtable', package_name='simple')
+    assert not called[0]