Add a user info scope and thread it through the code. Protect the org modification API.

endpoints/index.py

@@ -6,16 +6,15 @@ from flask import request, make_response, jsonify, session, Blueprint
 from functools import wraps
 from collections import OrderedDict
 
-from data import model, userevent
+from data import model
 from data.queue import webhook_queue
 from app import mixpanel, app
 from auth.auth import process_auth
 from auth.auth_context import get_authenticated_user, get_validated_token
 from util.names import parse_repository_name
 from util.email import send_confirmation_email
-from auth.permissions import (ModifyRepositoryPermission, UserPermission,
-                              ReadRepositoryPermission,
-                              CreateRepositoryPermission)
+from auth.permissions import (ModifyRepositoryPermission, UserAdminPermission,
+                              ReadRepositoryPermission, CreateRepositoryPermission)
 
 from util.http import abort
 
@@ -131,7 +130,7 @@ def get_user():
 @index.route('/users/<username>/', methods=['PUT'])
 @process_auth
 def update_user(username):
-  permission = UserPermission(username)
+  permission = UserAdminPermission(username)
 
   if permission.can():
     update_request = request.get_json()