Add scopes to many org admin methods and remove the internal_only on ones we can now expose

endpoints/api/organization.py

@@ -5,12 +5,14 @@ from flask import request
 from app import billing as stripe
 from endpoints.api import (resource, nickname, ApiResource, validate_json_request, request_error,
                            related_user_resource, internal_only, Unauthorized, NotFound,
-                           require_user_admin, log_action, show_if, path_param)
+                           require_user_admin, log_action, show_if, path_param,
+                           require_scope)
 from endpoints.api.team import team_view
 from endpoints.api.user import User, PrivateRepositories
 from auth.permissions import (AdministerOrganizationPermission,  OrganizationMemberPermission,
                               CreateRepositoryPermission)
 from auth.auth_context import get_authenticated_user
+from auth import scopes
 from data import model
 from data.billing import get_plan
 from util.gravatar import compute_hash
@@ -98,7 +100,6 @@ class OrganizationList(ApiResource):
 
 @resource('/v1/organization/<orgname>')
 @path_param('orgname', 'The name of the organization')
-@internal_only
 @related_user_resource(User)
 class Organization(ApiResource):
   """ Resource for managing organizations. """
@@ -119,6 +120,8 @@ class Organization(ApiResource):
       },
     },
   }
+
+  @require_scope(scopes.ORG_ADMIN)
   @nickname('getOrganization')
   def get(self, orgname):
     """ Get the details for the specified organization """
@@ -134,6 +137,7 @@ class Organization(ApiResource):
 
     raise Unauthorized()
 
+  @require_scope(scopes.ORG_ADMIN)
   @nickname('changeOrganizationDetails')
   @validate_json_request('UpdateOrg')
   def put(self, orgname):
@@ -170,6 +174,8 @@ class Organization(ApiResource):
 @show_if(features.BILLING)
 class OrgPrivateRepositories(ApiResource):
   """ Custom verb to compute whether additional private repositories are available. """
+
+  @require_scope(scopes.ORG_ADMIN)
   @nickname('getOrganizationPrivateAllowed')
   def get(self, orgname):
     """ Return whether or not this org is allowed to create new private repositories. """
@@ -202,9 +208,10 @@ class OrgPrivateRepositories(ApiResource):
 
 @resource('/v1/organization/<orgname>/members')
 @path_param('orgname', 'The name of the organization')
-@internal_only
 class OrgnaizationMemberList(ApiResource):
   """ Resource for listing the members of an organization. """
+ 
+  @require_scope(scopes.ORG_ADMIN)
   @nickname('getOrganizationMembers')
   def get(self, orgname):
     """ List the members of the specified organization. """
@@ -237,9 +244,10 @@ class OrgnaizationMemberList(ApiResource):
 @resource('/v1/organization/<orgname>/members/<membername>')
 @path_param('orgname', 'The name of the organization')
 @path_param('membername', 'The username of the organization member')
-@internal_only
 class OrganizationMember(ApiResource):
   """ Resource for managing individual organization members. """
+
+  @require_scope(scopes.ORG_ADMIN)
   @nickname('getOrganizationMember')
   def get(self, orgname, membername):
     """ Get information on the specific orgnaization member. """
@@ -273,6 +281,7 @@ class OrganizationMember(ApiResource):
 @path_param('client_id', 'The OAuth client ID')
 class ApplicationInformation(ApiResource):
   """ Resource that returns public information about a registered application. """
+
   @nickname('getApplicationInformation')
   def get(self, client_id):
     """ Get information on the specified application. """
@@ -309,7 +318,6 @@ def app_view(application):
 
 @resource('/v1/organization/<orgname>/applications')
 @path_param('orgname', 'The name of the organization')
-@internal_only
 class OrganizationApplications(ApiResource):
   """ Resource for managing applications defined by an organizations. """
   schemas = {
@@ -345,7 +353,7 @@ class OrganizationApplications(ApiResource):
     },
   }
 
-
+  @require_scope(scopes.ORG_ADMIN)
   @nickname('getOrganizationApplications')
   def get(self, orgname):
     """ List the applications for the specified organization """
@@ -361,6 +369,7 @@ class OrganizationApplications(ApiResource):
 
     raise Unauthorized()
 
+  @require_scope(scopes.ORG_ADMIN)
   @nickname('createOrganizationApplication')
   @validate_json_request('NewApp')
   def post(self, orgname):
@@ -395,7 +404,6 @@ class OrganizationApplications(ApiResource):
 @resource('/v1/organization/<orgname>/applications/<client_id>')
 @path_param('orgname', 'The name of the organization')
 @path_param('client_id', 'The OAuth client ID')
-@internal_only
 class OrganizationApplicationResource(ApiResource):
   """ Resource for managing an application defined by an organizations. """
   schemas = {
@@ -433,6 +441,7 @@ class OrganizationApplicationResource(ApiResource):
     },
   }
 
+  @require_scope(scopes.ORG_ADMIN)
   @nickname('getOrganizationApplication')
   def get(self, orgname, client_id):
     """ Retrieves the application with the specified client_id under the specified organization """
@@ -451,6 +460,7 @@ class OrganizationApplicationResource(ApiResource):
 
     raise Unauthorized()
 
+  @require_scope(scopes.ORG_ADMIN)
   @nickname('updateOrganizationApplication')
   @validate_json_request('UpdateApp')
   def put(self, orgname, client_id):
@@ -484,7 +494,7 @@ class OrganizationApplicationResource(ApiResource):
       return app_view(application)
     raise Unauthorized()
 
-
+  @require_scope(scopes.ORG_ADMIN)
   @nickname('deleteOrganizationApplication')
   def delete(self, orgname, client_id):
     """ Deletes the application under this organization. """