From: Michael Tremer <michael.tremer@ipfire.org>
Date: Wed, 1 Nov 2023 10:06:12 +0000 (+0000)
Subject: repos: Update API authentication
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=efcae7bf47fc5c92c43d390a3102c9ffcad4922f;p=pbs.git

repos: Update API authentication

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---

diff --git a/src/web/repos.py b/src/web/repos.py
index fb3de897..7f539d42 100644
--- a/src/web/repos.py
+++ b/src/web/repos.py
@@ -26,28 +26,28 @@ from . import base
 from . import ui_modules
 
 class APIv1IndexHandler(base.APIMixin, base.BaseHandler):
-	# Allow users to create builds
+	# Only users can have repositories
 	allow_users = True
+	allow_builders = False
 
-	@tornado.web.authenticated
+	@base.negotiate
 	async def get(self, distro_slug):
-		with self.db.transaction():
-			# Fetch distro
-			distro = self.backend.distros.get_by_slug(distro_slug)
-			if not distro:
-				raise tornado.web.HTTPError(404, "Could not find distro '%s'" % distro_slug)
+		# Fetch distro
+		distro = self.backend.distros.get_by_slug(distro_slug)
+		if not distro:
+			raise tornado.web.HTTPError(404, "Could not find distro '%s'" % distro_slug)
 
-			# Fetch all repositories
-			try:
-				repos = self.current_user.repos[distro]
-			except KeyError:
-				repos = []
+		# Fetch all repositories
+		try:
+			repos = self.current_user.repos[distro]
+		except KeyError:
+			repos = []
 
 		self.finish({
 			"repos" : [repo.to_json() for repo in repos],
 		})
 
-	@tornado.web.authenticated
+	@base.negotiate
 	async def post(self, distro_slug):
 		with self.db.transaction():
 			# Fetch distro
@@ -70,33 +70,42 @@ class APIv1IndexHandler(base.APIMixin, base.BaseHandler):
 
 
 class APIv1ShowHandler(base.APIMixin, base.BaseHandler):
+	# Only users can have repositories
+	allow_users = True
+	allow_builders = False
+
 	def _get_repo(self, distro_slug, repo_slug):
 		# Fetch distro
-		self.distro = self.backend.distros.get_by_slug(distro_slug)
-		if not self.distro:
+		distro = self.backend.distros.get_by_slug(distro_slug)
+		if not distro:
 			raise tornado.web.HTTPError(404, "Could not find distro '%s'" % distro_slug)
 
 		# Fetch repository
-		self.repo = self.current_users.get_repo(self.distro, repo_slug)
-		if not self.repo:
+		repo = self.current_user.get_repo(distro, repo_slug)
+		if not repo:
 			raise tornado.web.HTTPError(404, "Could not find repository '%s" % repo_slug)
 
-	@tornado.web.authenticated
+		return distro, repo
+
+	@base.negotiate
 	async def get(self, distro_slug, name):
 		with self.db.transaction():
-			repo = self._get_repo(distro_slug, name)
+			distro, repo = self._get_repo(distro_slug, name)
 
 		self.finish(repo.to_json())
 
-	@tornado.web.authenticated
+	@base.negotiate
 	async def delete(self, distro_slug, name):
 		with self.db.transaction():
-			repo = self._get_repo(distro_slug, name)
+			distro, repo = self._get_repo(distro_slug, name)
 
 			# XXX check permissions
 
 			# Delete the repository
-			await self.repo.delete(self.current_user)
+			await repo.delete(self.current_user)
+
+		# Send a positive response
+		self.finish({})
 
 
 class BaseHandler(base.BaseHandler):