endpoints: clarify repo access decorators

endpoints/decorators.py

@@ -1,10 +1,19 @@
 """ Various decorators for endpoint and API handlers. """
 
-import features
+import logging
+
+from functools import wraps
+
 from flask import abort
+
+import features
+
 from auth.auth_context import (get_validated_oauth_token, get_authenticated_user,
                                get_validated_token, get_grant_context)
-from functools import wraps
+from data import model # TODO: stop using model directly
+
+
+logger = logging.getLogger(__name__)
 
 
 def anon_allowed(func):
@@ -34,3 +43,31 @@ def check_anon_protection(func):
 
     abort(401)
   return wrapper
+
+def _raise_unauthorized(repository, scopes):
+  raise StandardError("Unauthorized acces to %s", repository)
+
+
+def _get_reponame_kwargs(*args, **kwargs):
+  return [kwargs['namespace_name'], kwargs['repo_name']]
+
+
+def require_repo_permission(permission_class, scopes=None, allow_public=False,
+                            raise_method=_raise_unauthorized,
+                            get_reponame_method=_get_reponame_kwargs):
+  def wrapper(func):
+    @wraps(func)
+    def wrapped(*args, **kwargs):
+      namespace_name, repo_name = get_reponame_method(*args, **kwargs)
+
+      logger.debug('Checking permission %s for repo: %s/%s', permission_class,
+                   namespace_name, repo_name)
+      permission = permission_class(namespace_name, repo_name)
+      if (permission.can() or
+          (allow_public and
+           model.repository.repository_is_public(namespace_name, repo_name))):
+        return func(*args, **kwargs)
+      repository = namespace_name + '/' + repo_name
+      raise_method(repository, scopes)
+    return wrapped
+  return wrapper