Next batch of backend permissions for orgs.

endpoints/api.py

@@ -23,7 +23,8 @@ from util.names import parse_repository_name
 from util.gravatar import compute_hash
 from auth.permissions import (ReadRepositoryPermission,
                               ModifyRepositoryPermission,
-                              AdministerRepositoryPermission)
+                              AdministerRepositoryPermission,
+                              CreateRepositoryPermission)
 from endpoints import registry
 from endpoints.web import common_login
 from util.cache import cache_control
@@ -290,22 +291,25 @@ def get_organization_private_allowed(orgname):
 @api_login_required
 def create_repo_api():
   owner = current_user.db_user()
-
-  # TODO(jake): Verify that the user can create a repo in this namespace.
   json = request.get_json()
-  namespace_name = json['namespace'] if 'namespace' in  json else owner.username
-  repository_name = json['repository']
-  visibility = json['visibility']
 
-  repo = model.create_repository(namespace_name, repository_name, owner,
-                                 visibility)
-  repo.description = json['description']
-  repo.save()
+  permission = CreateRepositoryPermission(json['namespace'])
+  if permission.can():
+    namespace_name = json['namespace'] if 'namespace' in  json else owner.username
+    repository_name = json['repository']
+    visibility = json['visibility']
 
-  return jsonify({
-    'namespace': namespace_name,
-    'name': repository_name
-  })
+    repo = model.create_repository(namespace_name, repository_name, owner,
+                                   visibility)
+    repo.description = json['description']
+    repo.save()
+
+    return jsonify({
+      'namespace': namespace_name,
+      'name': repository_name
+    })
+
+  abort(403)
 
 
 @app.route('/api/find/repository', methods=['GET'])