Initial changes to move repositories from using a namespace string to referencing a user object. Also stores the user id in the cookie rather than the username, to allow users to be renamed. This commit must not be used unmodified because the database migration is too aggressive for live migration.

auth/permissions.py

@@ -58,8 +58,8 @@ SCOPE_MAX_USER_ROLES.update({
 
 
 class QuayDeferredPermissionUser(Identity):
-  def __init__(self, id, auth_type, scopes):
-    super(QuayDeferredPermissionUser, self).__init__(id, auth_type)
+  def __init__(self, db_id, auth_type, scopes):
+    super(QuayDeferredPermissionUser, self).__init__(db_id, auth_type)
 
     self._permissions_loaded = False
     self._scope_set = scopes
@@ -88,7 +88,7 @@ class QuayDeferredPermissionUser(Identity):
   def can(self, permission):
     if not self._permissions_loaded:
       logger.debug('Loading user permissions after deferring.')
-      user_object = model.get_user(self.id)
+      user_object = model.get_user_by_id(self.id)
 
       # Add the superuser need, if applicable.
       if (user_object.username is not None and
@@ -230,9 +230,9 @@ def on_identity_loaded(sender, identity):
   if isinstance(identity, QuayDeferredPermissionUser):
     logger.debug('Deferring permissions for user: %s', identity.id)
 
-  elif identity.auth_type == 'username':
+  elif identity.auth_type == 'user_db_id':
     logger.debug('Switching username permission to deferred object: %s', identity.id)
-    switch_to_deferred = QuayDeferredPermissionUser(identity.id, 'username', {scopes.DIRECT_LOGIN})
+    switch_to_deferred = QuayDeferredPermissionUser(identity.id, 'user_db_id', {scopes.DIRECT_LOGIN})
     identity_changed.send(app, identity=switch_to_deferred)
 
   elif identity.auth_type == 'token':