From ec64325edd0356471c7c3bbb4ddbc1e2f6959904 Mon Sep 17 00:00:00 2001
From: Brandon Caton <bcaton@redhat.com>
Date: Thu, 25 Jul 2024 11:18:34 -0400
Subject: [PATCH] api: adding global readonly user to list repo endpoint
 (PROJQUAY-7446) (#3072)

Adding global readonly user to list repo endpoint.
---
 endpoints/api/repository_models_pre_oci.py |  4 ++--
 test/test_api_usage.py                     | 21 +++++++++++++++++++++
 2 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/endpoints/api/repository_models_pre_oci.py b/endpoints/api/repository_models_pre_oci.py
index 3f2485885e..26bc54905f 100644
--- a/endpoints/api/repository_models_pre_oci.py
+++ b/endpoints/api/repository_models_pre_oci.py
@@ -8,7 +8,7 @@
 from data.database import RepositoryState
 from data.registry_model import registry_model
 from data.registry_model.datatypes import RepositoryReference
-from endpoints.api import allow_if_superuser
+from endpoints.api import allow_if_global_readonly_superuser, allow_if_superuser
 from endpoints.api.repository_models_interface import (
     ApplicationRepository,
     Channel,
@@ -115,7 +115,7 @@ def can_view_repo(repo):
                 limit=REPOS_PER_PAGE + 1,
                 kind_filter=repo_kind,
                 namespace=namespace,
-                is_superuser=allow_if_superuser(),
+                is_superuser=allow_if_superuser() or allow_if_global_readonly_superuser(),
             )
 
             repos, next_page_token = model.modelutil.paginate_query(
diff --git a/test/test_api_usage.py b/test/test_api_usage.py
index b73143c1bf..b0746043fd 100644
--- a/test/test_api_usage.py
+++ b/test/test_api_usage.py
@@ -2328,6 +2328,27 @@ def test_listrepos_org_filtered(self):
         self.login(PUBLIC_USER)
         self.assertRepositoryNotVisible("neworg", "somerepo")
 
+    def test_list_repos_globalreadonlysuperuser(self):
+        repository = model.repository.get_repository("orgwithnosuperuser", "repo")
+        assert repository is not None
+        assert repository.visibility.name == "private"
+        self.login("globalreadonlysuperuser")
+        json = self.getJsonResponse(
+            RepositoryList,
+            params=dict(namespace="orgwithnosuperuser", public=False),
+        )
+
+        assert len(json["repositories"]) == 1
+        assert json["repositories"][0]["name"] == "repo"
+
+        # Make sure a normal user can't see the repository
+        self.login(NO_ACCESS_USER)
+        json = self.getJsonResponse(
+            RepositoryList,
+            params=dict(namespace="orgwithnosuperuser", public=False),
+        )
+        assert len(json["repositories"]) == 0
+
 
 class TestViewPublicRepository(ApiTestCase):
     def test_normalview(self):