From dff4207a8998f96880cba209475efdf8b9a0926d Mon Sep 17 00:00:00 2001 From: Joseph Schorr Date: Mon, 7 Aug 2017 15:24:36 -0400 Subject: [PATCH] Add feature flag to enable viewing builds and build logs for public repos --- config.py | 4 ++++ endpoints/api/build.py | 10 ++++++++-- static/directives/build-mini-status.html | 2 +- static/directives/repo-view/repo-panel-info.html | 2 +- static/js/directives/repo-view/repo-panel-info.js | 4 +++- static/js/directives/ui/build-mini-status.js | 2 +- 6 files changed, 18 insertions(+), 6 deletions(-) diff --git a/config.py b/config.py index c4e06d14a..197a1f34e 100644 --- a/config.py +++ b/config.py @@ -269,6 +269,10 @@ class DefaultConfig(ImmutableConfig): # only private repositories can be returned. FEATURE_PUBLIC_CATALOG = False + # Feature Flag: If set to true, build logs may be read by those with read access to the repo, + # rather than only write access or admin access. + FEATURE_READER_BUILD_LOGS = False + # The namespace to use for library repositories. # Note: This must remain 'library' until Docker removes their hard-coded namespace for libraries. # See: https://github.com/docker/docker/blob/master/registry/session.go#L320 diff --git a/endpoints/api/build.py b/endpoints/api/build.py index 7a20c2872..5165761eb 100644 --- a/endpoints/api/build.py +++ b/endpoints/api/build.py @@ -8,6 +8,8 @@ import os from flask import request from urlparse import urlparse +import features + from app import userfiles as user_files, build_logs, log_archive, dockerfile_build_queue from auth.permissions import (ReadRepositoryPermission, ModifyRepositoryPermission, AdministerRepositoryPermission, AdministerOrganizationPermission, @@ -147,7 +149,7 @@ def build_status_view(build_obj): 'error': error, } - if can_write: + if can_write or features.READER_BUILD_LOGS: if build_obj.resource_key is not None: resp['archive_url'] = user_files.get_file_url(build_obj.resource_key, requires_cors=True) elif job_config.get('archive_url', None): 
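Review bot: The comment added above `FEATURE_READER_BUILD_LOGS` in config.py mentions only build logs, but in this same patch the flag also gates `archive_url` in `build_status_view` (endpoints/api/build.py). On a public repository, read access presumably includes users who are not logged in, which the commit subject implies but the comment does not say. I would spell both out, e.g. `# Feature Flag: If set to true, build logs and build archive URLs may be read by anyone with read access to the repo (on public repos this may include anonymous users), rather than only by those with write or admin access.` Operators deciding whether to enable it should also know that build output can contain credentials echoed by build steps.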
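Review bot: In `build_status_view`, `if can_write or features.READER_BUILD_LOGS:` hands `archive_url` to every reader once the flag is on, which is wider than what the flag's name and config comment describe. The archive is the build context rather than the log, and the `job_config.get('archive_url', None)` branch returns a URL stored in the job config, which may carry embedded credentials or signed query parameters (not verifiable from this hunk). Unless the reader-facing UI needs the download link, keep this branch on `if can_write:` and expose only the logs. The `elif` body continues outside the hunk.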
@@ -424,11 +426,15 @@ def get_logs_or_log_url(build): @path_param('build_uuid', 'The UUID of the build') class RepositoryBuildLogs(RepositoryParamResource): """ Resource for loading repository build logs. """ - @require_repo_write + @require_repo_read @nickname('getRepoBuildLogs') @disallow_for_app_repositories def get(self, namespace, repository, build_uuid): """ Return the build logs for the build specified by the build uuid. """ + can_write = ModifyRepositoryPermission(namespace, repository).can() + if not features.READER_BUILD_LOGS and not can_write: + raise Unauthorized() + build = model.build.get_repository_build(build_uuid) if (not build or build.repository.name != repository or build.repository.namespace_user.username != namespace): diff --git a/static/directives/build-mini-status.html b/static/directives/build-mini-status.html index 97b14d5c5..d1dda84cc 100644 --- a/static/directives/build-mini-status.html +++ b/static/directives/build-mini-status.html @@ -1,7 +1,7 @@ + is-only-text="!canView">
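Review bot: In `RepositoryBuildLogs.get`, replacing `@require_repo_write` with `@require_repo_read` leaves the inline `if not features.READER_BUILD_LOGS and not can_write:` check as the only thing that keeps readers out when the flag is off, and nothing at that spot says so. A later refactor that moves or drops those three lines would silently open the logs to all readers. I would add a comment above the check such as `# The decorator only enforces read access; write access is still required here unless FEATURE_READER_BUILD_LOGS is enabled.` and cover both flag states with a test for a read-only user. The check correctly runs before the build lookup, so a reader cannot probe for build UUIDs; the rest of `get` continues outside the hunk.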
diff --git a/static/directives/repo-view/repo-panel-info.html b/static/directives/repo-view/repo-panel-info.html
index 5e2b47d51..390f80d3d 100644
--- a/static/directives/repo-view/repo-panel-info.html
+++ b/static/directives/repo-view/repo-panel-info.html
@@ -40,7 +40,7 @@
+ can-view="repository.can_write || Features.READER_BUILD_LOGS">
diff --git a/static/js/directives/repo-view/repo-panel-info.js b/static/js/directives/repo-view/repo-panel-info.js index 58cb1e038..2a86953e2 100644 --- a/static/js/directives/repo-view/repo-panel-info.js +++ b/static/js/directives/repo-view/repo-panel-info.js @@ -13,7 +13,9 @@ angular.module('quay').directive('repoPanelInfo', function () { 'builds': '=builds', 'isEnabled': '=isEnabled' }, - controller: function($scope, $element, ApiService, Config) { + controller: function($scope, $element, ApiService, Config, Features) { + $scope.Features = Features; + $scope.$watch('repository', function(repository) { if (!$scope.repository) { return; } diff --git a/static/js/directives/ui/build-mini-status.js b/static/js/directives/ui/build-mini-status.js index c48d7ea21..fcd201462 100644 --- a/static/js/directives/ui/build-mini-status.js +++ b/static/js/directives/ui/build-mini-status.js @@ -10,7 +10,7 @@ angular.module('quay').directive('buildMiniStatus', function () { restrict: 'C', scope: { 'build': '=build', - 'isAdmin': '=isAdmin' + 'canView': '=canView' }, controller: function($scope, $element, BuildService) { $scope.isBuilding = function(build) {
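Review bot: In build-mini-status.js the scope binding is renamed from `'isAdmin': '=isAdmin'` to `'canView': '=canView'`, but the diffstat shows only repo-panel-info.html being updated to pass `can-view`. Any other template that still uses this directive with `is-admin` would leave `canView` undefined, so `is-only-text="!canView"` would hide the build link even for writers; worth a search before merging. The binding is display-only, and a short comment on the scope entry such as `// UI hint only; access is enforced by the build logs API` would make clear where the real check lives.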