mirror of https://github.com/quay/quay.git synced 2025-11-17 23:02:34 +03:00

feat(api v1): global readonly superuser support and app token visibility (PROJQUAY-8279) (#4276)

Implements global read-only superuser permissions for v1 endpoints, adjusts superuser write checks, and updates app token listing and detail endpoints; includes comprehensive tests.

---------

Co-authored-by: Claude <noreply@anthropic.com>
Dave O'Connor
2025-10-21 15:00:59 -04:00
committed by GitHub
parent bf24701ef3
commit d83e2c8647
37 changed files with 1150 additions and 242 deletions


@@ -24,6 +24,7 @@ from data.model.user import (
)
from endpoints.api import (
ApiResource,
allow_if_any_superuser,
allow_if_global_readonly_superuser,
allow_if_superuser,
log_action,
@@ -220,7 +221,7 @@ class OrgRobotList(ApiResource):
List the organization's robots.
"""
permission = OrganizationMemberPermission(orgname)
if permission.can() or allow_if_superuser() or allow_if_global_readonly_superuser():
if permission.can() or allow_if_any_superuser():
include_token = (
AdministerOrganizationPermission(orgname).can()
or allow_if_global_readonly_superuser()
@@ -260,7 +261,7 @@ class OrgRobot(ApiResource):
Returns the organization's robot with the specified name.
"""
permission = AdministerOrganizationPermission(orgname)
if permission.can() or allow_if_superuser() or allow_if_global_readonly_superuser():
if permission.can() or allow_if_any_superuser():
robot = model.get_org_robot(robot_shortname, orgname)
return robot.to_dict(include_metadata=True, include_token=True)
@@ -359,7 +360,7 @@ class OrgRobotPermissions(ApiResource):
Returns the list of repository permissions for the org's robot.
"""
permission = AdministerOrganizationPermission(orgname)
if permission.can() or allow_if_superuser() or allow_if_global_readonly_superuser():
if permission.can() or allow_if_any_superuser():
robot = model.get_org_robot(robot_shortname, orgname)
permissions = model.list_robot_permissions(robot.name)
@@ -430,7 +431,7 @@ class OrgRobotFederation(ApiResource):
@require_scope(scopes.ORG_ADMIN)
def get(self, orgname, robot_shortname):
permission = AdministerOrganizationPermission(orgname)
if permission.can() or allow_if_superuser() or allow_if_global_readonly_superuser():
if permission.can() or allow_if_any_superuser():
robot_username = format_robot_username(orgname, robot_shortname)
robot = lookup_robot(robot_username)
return get_robot_federation_config(robot)
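Review bot: In `OrgRobot.get` the new guard `permission.can() or allow_if_any_superuser()` leads straight to `robot.to_dict(include_metadata=True, include_token=True)`, so every caller the helper admits receives the robot's token. The helper's definition is not shown here; if it keeps the disjunction of the line it replaces, a global read-only superuser obtains a credential that may be usable beyond the read-only role. `OrgRobotList` names `allow_if_global_readonly_superuser()` explicitly when computing `include_token`, which suggests this is deliberate, but the merged helper no longer shows that at the call site. If it is intended, I would add a comment such as `# read-only superusers may view robot tokens by design (PROJQUAY-8279)`; if not, compute the flag separately, e.g. `include_token=permission.can() or allow_if_superuser()`. The method bodies continue outside the hunks, so any logging of these reads is not visible from here.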