Add feature flag to enable team syncing setup when not a superuser

endpoints/api/team.py

@@ -209,6 +209,14 @@ class OrganizationTeam(ApiResource):
     raise Unauthorized()
 
 
+def _syncing_setup_allowed(orgname):
+  """ Returns whether syncing setup is allowed for the current user over the matching org. """
+  if not features.NONSUPERUSER_TEAM_SYNCING_SETUP and not SuperUserPermission().can():
+    return False
+
+  return AdministerOrganizationPermission(orgname).can()
+
+
 @resource('/v1/organization/<orgname>/team/<teamname>/syncing')
 @path_param('orgname', 'The name of the organization')
 @path_param('teamname', 'The name of the team')
@@ -221,8 +229,7 @@ class OrganizationTeamSyncing(ApiResource):
   @verify_not_prod
   @require_fresh_login
   def post(self, orgname, teamname):
-    # User must be both the org admin AND a superuser.
-    if SuperUserPermission().can() and AdministerOrganizationPermission(orgname).can():
+    if _syncing_setup_allowed(orgname):
       try:
         team = model.team.get_organization_team(orgname, teamname)
       except model.InvalidTeamException:
@@ -248,8 +255,7 @@ class OrganizationTeamSyncing(ApiResource):
   @verify_not_prod
   @require_fresh_login
   def delete(self, orgname, teamname):
-    # User must be both the org admin AND a superuser.
-    if SuperUserPermission().can() and AdministerOrganizationPermission(orgname).can():
+    if _syncing_setup_allowed(orgname):
       try:
         team = model.team.get_organization_team(orgname, teamname)
       except model.InvalidTeamException:
@@ -296,7 +302,7 @@ class TeamMemberList(ApiResource):
       }
 
       if features.TEAM_SYNCING and authentication.federated_service:
-        if SuperUserPermission().can() and AdministerOrganizationPermission(orgname).can():
+        if _syncing_setup_allowed(orgname):
           data['can_sync'] = {
             'service': authentication.federated_service,
           }