Have the fetch tag dialog show a warning for robot accounts without access

Before this change, we'd show the squash pulling command with the proper credentials, but it then 403s on the end user.

endpoints/api/permission.py

@@ -6,7 +6,8 @@ from flask import request
 
 from app import avatar
 from endpoints.api import (resource, nickname, require_repo_admin, RepositoryParamResource,
-                           log_action, request_error, validate_json_request, path_param)
+                           log_action, request_error, validate_json_request, path_param,
+                           NotFound)
 from data import model
 
 
@@ -96,6 +97,30 @@ class RepositoryUserPermissionList(RepositoryParamResource):
     }
 
 
+@resource('/v1/repository/<repopath:repository>/permissions/user/<username>/transitive')
+@path_param('repository', 'The full path of the repository. e.g. namespace/name')
+@path_param('username', 'The username of the user to which the permissions apply')
+class RepositoryUserTransitivePermission(RepositoryParamResource):
+  """ Resource for retrieving whether a user has access to a repository, either directly
+      or via a team. """
+  @require_repo_admin
+  @nickname('getUserTransitivePermission')
+  def get(self, namespace, repository, username):
+    """ Get the fetch the permission for the specified user. """
+    user = model.get_user(username)
+    if not user:
+      raise NotFound
+
+    repo = model.get_repository(namespace, repository)
+    if not repo:
+      raise NotFound
+
+    permissions = list(model.get_user_repo_permissions(user, repo))
+    return {
+      'permissions': [role_view(permission) for permission in permissions]
+    }
+
+
 @resource('/v1/repository/<repopath:repository>/permissions/user/<username>')
 @path_param('repository', 'The full path of the repository. e.g. namespace/name')
 @path_param('username', 'The username of the user to which the permission applies')