Add constructors for the QuayDeferredPermissionUser so that we can avoid extraneous DB lookups of the user whenever we already have the object

auth/permissions.py

@@ -66,11 +66,21 @@ def repository_write_grant(namespace, repository):
 
 
 class QuayDeferredPermissionUser(Identity):
-  def __init__(self, uuid, auth_type, scopes):
+  def __init__(self, uuid, auth_type, auth_scopes, user=None):
     super(QuayDeferredPermissionUser, self).__init__(uuid, auth_type)
 
     self._permissions_loaded = False
-    self._scope_set = scopes
+    self._scope_set = auth_scopes
+    self._user_object = user
+
+  @staticmethod
+  def for_id(uuid, auth_scopes=None):
+    return QuayDeferredPermissionUser(uuid, 'user_uuid', auth_scopes or {scopes.DIRECT_LOGIN})
+
+  @staticmethod
+  def for_user(user, auth_scopes=None):
+    return QuayDeferredPermissionUser(user.uuid, 'user_uuid', auth_scopes or {scopes.DIRECT_LOGIN},
+                                      user=user)
 
   def _translate_role_for_scopes(self, cardinality, max_roles, role):
     if self._scope_set is None:
@@ -96,7 +106,7 @@ class QuayDeferredPermissionUser(Identity):
   def can(self, permission):
     if not self._permissions_loaded:
       logger.debug('Loading user permissions after deferring.')
-      user_object = model.get_user_by_uuid(self.id)
+      user_object = self._user_object or model.get_user_by_uuid(self.id)
       if user_object is None:
         return super(QuayDeferredPermissionUser, self).can(permission)
 
@@ -249,7 +259,7 @@ def on_identity_loaded(sender, identity):
 
   elif identity.auth_type == 'user_uuid':
     logger.debug('Switching username permission to deferred object with uuid: %s', identity.id)
-    switch_to_deferred = QuayDeferredPermissionUser(identity.id, 'user_uuid', {scopes.DIRECT_LOGIN})
+    switch_to_deferred = QuayDeferredPermissionUser.for_id(identity.id)
     identity_changed.send(app, identity=switch_to_deferred)
 
   elif identity.auth_type == 'token':