Change v2 registry auth code to not hit the database when we know we have permissions loaded

Avoids a DB call and, when used in conjunction with blob caching, will avoid a DB *connection*

endpoints/v2/__init__.py

@@ -95,21 +95,26 @@ def _require_repo_permission(permission_class, scopes=None, allow_public=False):
     def wrapped(namespace_name, repo_name, *args, **kwargs):
       logger.debug('Checking permission %s for repo: %s/%s', permission_class, namespace_name,
                    repo_name)
-      repository = namespace_name + '/' + repo_name
-      repo = model.get_repository(namespace_name, repo_name)
-      if repo is None:
-        raise Unauthorized(repository=repository, scopes=scopes)
 
       permission = permission_class(namespace_name, repo_name)
-      if (permission.can() or (allow_public and repo.is_public)):
+      if permission.can():
+        return func(namespace_name, repo_name, *args, **kwargs)
+
+      repository = namespace_name + '/' + repo_name
+      if allow_public:
+        repo = model.get_repository(namespace_name, repo_name)
+        if repo is None or not repo.is_public:
+          raise Unauthorized(repository=repository, scopes=scopes)
+
         if repo.kind != 'image':
           msg = 'This repository is for managing %s resources and not container images.' % repo.kind
           raise Unsupported(detail=msg)
-        return func(namespace_name, repo_name, *args, **kwargs)
+
+        if repo.is_public:
+          return func(namespace_name, repo_name, *args, **kwargs)
+
       raise Unauthorized(repository=repository, scopes=scopes)
-
     return wrapped
-
   return wrapper