Add a user info scope and thread it through the code. Protect the org modification API.

endpoints/api/__init__.py

@@ -12,9 +12,9 @@ from jsonschema import validate, ValidationError
 
 from data import model
 from util.names import parse_namespace_repository
-from auth.permissions import (ReadRepositoryPermission,
-                              ModifyRepositoryPermission,
-                              AdministerRepositoryPermission)
+from auth.permissions import (ReadRepositoryPermission, ModifyRepositoryPermission,
+                              AdministerRepositoryPermission, UserReadPermission,
+                              UserAdminPermission)
 from auth import scopes
 from auth.auth_context import get_authenticated_user, get_validated_oauth_token
 from auth.auth import process_oauth
@@ -183,6 +183,29 @@ require_repo_write = require_repo_permission(ModifyRepositoryPermission, scopes.
 require_repo_admin = require_repo_permission(AdministerRepositoryPermission, scopes.ADMIN_REPO)
 
 
+def require_user_permission(permission_class, scope=None):
+  def wrapper(func):
+    @add_method_metadata('oauth2_scope', scope)
+    @wraps(func)
+    def wrapped(self, *args, **kwargs):
+      user = get_authenticated_user()
+      if not user:
+        logger.debug('User is anonymous.')
+        raise InvalidToken('Method requires an auth token or user login.')
+
+      logger.debug('Checking permission %s for user', permission_class, user.username)
+      permission = permission_class(user.username)
+      if permission.can():
+        return func(self, *args, **kwargs)
+      raise Unauthorized()
+    return wrapped
+  return wrapper
+
+
+require_user_read = require_user_permission(UserReadPermission, scopes.USER_READ)
+require_user_admin = require_user_permission(UserAdminPermission, None)
+
+
 def require_scope(scope_object):
   def wrapper(func):
     @add_method_metadata('oauth2_scope', scope_object['scope'])