From da0fa2e0d272741f264db9fe18b4da6606ddc09b Mon Sep 17 00:00:00 2001
From: Joseph Schorr
Date: Tue, 6 Feb 2018 11:20:40 -0500
Subject: [PATCH] Make sure to add primary repo permissions under a transaction

Should prevent a repository from being created under a user's namespace without a corresponding admin permission
Fixes https://jira.coreos.com/browse/QUAY-826
---
 data/model/repository.py | 26 ++++++++++++++------------
 1 file changed, 14 insertions(+), 12 deletions(-)
diff --git a/data/model/repository.py b/data/model/repository.py
index ecb120bf7..33a1da6b1 100644
--- a/data/model/repository.py
+++ b/data/model/repository.py
@@ -38,21 +38,23 @@ def create_repository(namespace, name, creating_user, visibility='private', repo
 namespace_user = User.get(username=namespace)
 yesterday = datetime.now() - timedelta(days=1)
- repo = Repository.create(name=name, visibility=Repository.visibility.get_id(visibility),
- namespace_user=namespace_user,
- kind=Repository.kind.get_id(repo_kind),
- description=description)
+ with db_transaction():
+ repo = Repository.create(name=name, visibility=Repository.visibility.get_id(visibility),
+ namespace_user=namespace_user,
+ kind=Repository.kind.get_id(repo_kind),
+ description=description)
- RepositoryActionCount.create(repository=repo, count=0, date=yesterday)
- RepositorySearchScore.create(repository=repo, score=0)
+ RepositoryActionCount.create(repository=repo, count=0, date=yesterday)
+ RepositorySearchScore.create(repository=repo, score=0)
- if creating_user and not creating_user.organization:
- admin = Role.get(name='admin')
- RepositoryPermission.create(user=creating_user, repository=repo, role=admin)
+ # Note: We put the admin create permission under the transaction to ensure it is created.
+ if creating_user and not creating_user.organization:
+ admin = Role.get(name='admin')
+ RepositoryPermission.create(user=creating_user, repository=repo, role=admin)
- if creating_user.username != namespace:
- # Permission prototypes only work for orgs
- permission.apply_default_permissions(repo, creating_user)
+ # Apply default permissions (only occurs for repositories under organizations)
+ if creating_user and not creating_user.organization and creating_user.username != namespace:
+ permission.apply_default_permissions(repo, creating_user)
 return repo
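Review bot: `permission.apply_default_permissions(repo, creating_user)` appears to run after the `with db_transaction():` block has ended, so a failure there would leave a committed repository that has its admin row but none of the organization's default permissions. That is the same kind of partial authorization state this commit removes for the admin row. If it is not deliberate, move the final `if creating_user and not creating_user.organization and creating_user.username != namespace:` block under the `with`. If it is deliberate (for example because the helper manages its own transaction, which is not visible here), the comment above it should say so. The patch changes only `data/model/repository.py`; a test that makes `RepositoryPermission.create` raise and asserts that no `Repository` row remains would pin the fix. The start of `create_repository` lies outside the hunk, and the page has lost the original indentation, so the block nesting here is inferred.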