Add scopes to many org admin methods and remove the internal_only on ones we can now expose

endpoints/api/billing.py

@@ -4,10 +4,11 @@ from flask import request
 from app import billing
 from endpoints.api import (resource, nickname, ApiResource, validate_json_request, log_action,
                            related_user_resource, internal_only, Unauthorized, NotFound,
-                           require_user_admin, show_if, hide_if, path_param)
+                           require_user_admin, show_if, hide_if, path_param, require_scope)
 from endpoints.api.subscribe import subscribe, subscription_view
 from auth.permissions import AdministerOrganizationPermission
 from auth.auth_context import get_authenticated_user
+from auth import scopes
 from data import model
 from data.billing import PLANS
 
@@ -158,6 +159,7 @@ class OrganizationCard(ApiResource):
     },
   }
 
+  @require_scope(scopes.ORG_ADMIN)
   @nickname('getOrgCard')
   def get(self, orgname):
     """ Get the organization's credit card. """
@@ -270,6 +272,7 @@ class OrganizationPlan(ApiResource):
     },
   }
 
+  @require_scope(scopes.ORG_ADMIN)
   @nickname('updateOrgSubscription')
   @validate_json_request('OrgSubscription')
   def put(self, orgname):
@@ -284,6 +287,7 @@ class OrganizationPlan(ApiResource):
 
     raise Unauthorized()
 
+  @require_scope(scopes.ORG_ADMIN)
   @nickname('getOrgSubscription')
   def get(self, orgname):
     """ Fetch any existing subscription for the org. """
@@ -326,11 +330,11 @@ class UserInvoiceList(ApiResource):
 
 @resource('/v1/organization/<orgname>/invoices')
 @path_param('orgname', 'The name of the organization')
-@internal_only
 @related_user_resource(UserInvoiceList)
 @show_if(features.BILLING)
 class OrgnaizationInvoiceList(ApiResource):
   """ Resource for listing an orgnaization's invoices. """
+  @require_scope(scopes.ORG_ADMIN)
   @nickname('listOrgInvoices')
   def get(self, orgname):
     """ List the invoices for the specified orgnaization. """