From 96e15d285d5e02e5aae52a44c7300db921bdfd61 Mon Sep 17 00:00:00 2001
From: Joseph Schorr
Date: Mon, 27 Jan 2014 13:55:40 -0500
Subject: [PATCH 1/2] Public building repositories should allow users to see the build status

---
 endpoints/api.py | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/endpoints/api.py b/endpoints/api.py
index 21054b38b..da37c2508 100644
--- a/endpoints/api.py
+++ b/endpoints/api.py
@@ -1161,12 +1161,13 @@ def get_repo(namespace, repository):
 
 
 @api.route('/repository//build/', methods=['GET'])
-@api_login_required
 @parse_repository_name
 def get_repo_builds(namespace, repository):
-  permission = ModifyRepositoryPermission(namespace, repository)
-  if permission.can():
+  permission = ReadRepositoryPermission(namespace, repository)
+  is_public = model.repository_is_public(namespace, repository)
+  if permission.can() or is_public:
     def build_view(build_obj):
+      # TODO(jake): Filter these logs if the current user can only *read* the repo.
       if build_obj.status_url:
         # Delegate the status to the build node
         node_status = requests.get(build_obj.status_url).json()
@@ -1190,7 +1191,7 @@ def get_repo_builds(namespace, repository):
       'builds': [build_view(build) for build in builds]
     })
 
-  abort(403) # Permissions denied
+  abort(403) # Permission denied
 
 
 @api.route('/repository//build/', methods=['POST'])

From a87e5ba9ae8441e93c879e1f80409679522fda22 Mon Sep 17 00:00:00 2001
From: Joseph Schorr
Date: Mon, 27 Jan 2014 13:58:12 -0500
Subject: [PATCH 2/2] Only send the CSRF token on mutable HTTP methods (where it is needed)

---
 static/js/app.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/static/js/app.js b/static/js/app.js
index f89281beb..387b2a735 100644
--- a/static/js/app.js
+++ b/static/js/app.js
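Review bot: Dropping `@api_login_required` means an anonymous caller on any public repository now drives `requests.get(build_obj.status_url).json()` once per build, with no timeout and no error handling, so a slow or unreachable build node pins the worker for an unauthenticated request and a non-JSON body surfaces as an uncaught exception; bound it with `node_status = requests.get(build_obj.status_url, timeout=5).json()` and wrap that call in a `try/except (requests.RequestException, ValueError)` that falls back to the build's stored status instead of failing the whole listing. The `TODO(jake)` added in build_view concedes that whatever the build node returns, logs included, is now served to anyone who can read a public repo; build output routinely carries values the Dockerfile author did not intend to publish, so either resolve the TODO here or gate the log fields on `ModifyRepositoryPermission(namespace, repository).can()` before this ships rather than after. A smaller point of style: `is_public` is queried even when `permission.can()` already passes, and writing the condition as `if permission.can() or model.repository_is_public(namespace, repository):` avoids the extra lookup. `get_repo_builds` continues outside the hunk and the fields build_view returns are not visible here, so exactly which data leaks is inferred, not observed.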
@@ -2514,7 +2514,7 @@ quayApp.run(['$location', '$rootScope', 'Restangular', 'UserService', 'PlanServi
   function($location, $rootScope, Restangular, UserService, PlanService, $http, $timeout) {
     // Handle session security.
-    Restangular.setDefaultRequestParams({'_csrf_token': window.__token || ''});
+    Restangular.setDefaultRequestParams(['post', 'put', 'remove', 'delete'], {'_csrf_token': window.__token || ''});
 
     // Handle session expiration.
     Restangular.setErrorInterceptor(function(response) {