rust-lang
diff --git a/‎src/controllers/krate/owners.rs
+7-1 b/‎src/controllers/krate/owners.rs
+7-1
diff --git a/‎src/controllers/krate/publish.rs
+19-1 b/‎src/controllers/krate/publish.rs
+19-1
diff --git a/‎src/controllers/version/yank.rs
+7-1 b/‎src/controllers/version/yank.rs
+7-1
diff --git a/‎src/tests/http-data/routes_crates_versions_yank_unyank_auth_token_user_with_correct_crate_scope.json
+122 b/‎src/tests/http-data/routes_crates_versions_yank_unyank_auth_token_user_with_correct_crate_scope.json
+122
diff --git a/‎src/tests/http-data/routes_crates_versions_yank_unyank_auth_token_user_with_correct_endpoint_scope.json
+122 b/‎src/tests/http-data/routes_crates_versions_yank_unyank_auth_token_user_with_correct_endpoint_scope.json
+122
@@ -2,6 +2,7 @@
 
 use crate::auth::AuthCheck;
 use crate::controllers::prelude::*;
+use crate::models::token::EndpointScope;
 use crate::models::{Crate, Owner, Rights, Team, User};
 use crate::views::EncodableOwner;
 
@@ -80,7 +81,12 @@ fn parse_owners_request(req: &mut dyn RequestExt) -> AppResult<Vec<String>> {
 }
 
 fn modify_owners(req: &mut dyn RequestExt, add: bool) -> EndpointResult {
-    let auth = AuthCheck::default().check(req)?;
+    let crate_name = &req.params()["crate_id"];
+
+    let auth = AuthCheck::default()
+        .with_endpoint_scope(EndpointScope::ChangeOwners)
+        .for_crate(crate_name)
+        .check(req)?;
 
     let logins = parse_owners_request(req)?;
     let app = req.app();
 
@@ -18,6 +18,7 @@ use crate::models::{
 use crate::worker;
 
 use crate::middleware::log_request::add_custom_metadata;
+use crate::models::token::EndpointScope;
 use crate::schema::*;
 use crate::util::errors::{cargo_err, AppResult};
 use crate::util::{read_fill, read_le_u32, CargoVcsInfo, LimitErrorReader, Maximums};
@@ -65,7 +66,24 @@ pub fn publish(req: &mut dyn RequestExt) -> EndpointResult {
     add_custom_metadata("crate_version", new_crate.vers.to_string());
 
     let conn = app.primary_database.get()?;
-    let auth = AuthCheck::default().check(req)?;
+
+    // this query should only be used for the endpoint scope calculation
+    // since a race condition there would only cause `publish-new` instead of
+    // `publish-update` to be used.
+    let existing_crate = Crate::by_name(&new_crate.name)
+        .first::<Crate>(&*conn)
+        .optional()?;
+
+    let endpoint_scope = match existing_crate {
+        Some(_) => EndpointScope::PublishUpdate,
+        None => EndpointScope::PublishNew,
+    };
+
+    let auth = AuthCheck::default()
+        .with_endpoint_scope(endpoint_scope)
+        .for_crate(&new_crate.name)
+        .check(req)?;
+
     let api_token_id = auth.api_token_id();
     let user = auth.user();
 
 
@@ -5,6 +5,7 @@ use swirl::Job;
 
 use super::{extract_crate_name_and_semver, version_and_crate};
 use crate::controllers::cargo_prelude::*;
+use crate::models::token::EndpointScope;
 use crate::models::Rights;
 use crate::models::{insert_version_owner_action, VersionAction};
 use crate::schema::versions;
@@ -32,9 +33,14 @@ pub fn unyank(req: &mut dyn RequestExt) -> EndpointResult {
 fn modify_yank(req: &mut dyn RequestExt, yanked: bool) -> EndpointResult {
     // FIXME: Should reject bad requests before authentication, but can't due to
     // lifetime issues with `req`.
-    let auth = AuthCheck::default().check(req)?;
+
     let (crate_name, semver) = extract_crate_name_and_semver(req)?;
 
+    let auth = AuthCheck::default()
+        .with_endpoint_scope(EndpointScope::Yank)
+        .for_crate(crate_name)
+        .check(req)?;
+
     let conn = req.db_write()?;
     let (version, krate) = version_and_crate(&conn, crate_name, semver)?;
     let api_token_id = auth.api_token_id();
 
@@ -0,0 +1,122 @@
+[
+    {
+        "request": {
+            "uri": "http://alexcrichton-test.s3.amazonaws.com/crates/fyk/fyk-1.0.0.crate",
+            "method": "PUT",
+            "headers": [
+                [
+                    "accept",
+                    "*/*"
+                ],
+                [
+                    "accept-encoding",
+                    "gzip"
+                ],
+                [
+                    "content-length",
+                    "35"
+                ],
+                [
+                    "content-type",
+                    "application/gzip"
+                ]
+            ],
+            "body": "H4sIAAAAAAAA/+3AAQEAAACCIP+vbkhQwKsBLq+17wAEAAA="
+        },
+        "response": {
+            "status": 200,
+            "headers": [],
+            "body": ""
+        }
+    },
+    {
+        "request": {
+            "uri": "http://alexcrichton-test.s3.amazonaws.com/3/f/fyk",
+            "method": "PUT",
+            "headers": [
+                [
+                    "accept",
+                    "*/*"
+                ],
+                [
+                    "accept-encoding",
+                    "gzip"
+                ],
+                [
+                    "content-length",
+                    "157"
+                ],
+                [
+                    "content-type",
+                    "text/plain"
+                ]
+            ],
+            "body": "eyJuYW1lIjoiZnlrIiwidmVycyI6IjEuMC4wIiwiZGVwcyI6W10sImNrc3VtIjoiYWNiNTYwNGIxMjZhYzg5NGMxZWIxMWM0NTc1YmYyMDcyZmVhNjEyMzJhODg4ZTQ1Mzc3MGM3OWQ3ZWQ1NjQxOSIsImZlYXR1cmVzIjp7fSwieWFua2VkIjpmYWxzZSwibGlua3MiOm51bGx9Cg=="
+        },
+        "response": {
+            "status": 200,
+            "headers": [],
+            "body": ""
+        }
+    },
+    {
+        "request": {
+            "uri": "http://alexcrichton-test.s3.amazonaws.com/3/f/fyk",
+            "method": "PUT",
+            "headers": [
+                [
+                    "accept",
+                    "*/*"
+                ],
+                [
+                    "accept-encoding",
+                    "gzip"
+                ],
+                [
+                    "content-length",
+                    "156"
+                ],
+                [
+                    "content-type",
+                    "text/plain"
+                ]
+            ],
+            "body": "eyJuYW1lIjoiZnlrIiwidmVycyI6IjEuMC4wIiwiZGVwcyI6W10sImNrc3VtIjoiYWNiNTYwNGIxMjZhYzg5NGMxZWIxMWM0NTc1YmYyMDcyZmVhNjEyMzJhODg4ZTQ1Mzc3MGM3OWQ3ZWQ1NjQxOSIsImZlYXR1cmVzIjp7fSwieWFua2VkIjp0cnVlLCJsaW5rcyI6bnVsbH0K"
+        },
+        "response": {
+            "status": 200,
+            "headers": [],
+            "body": ""
+        }
+    },
+    {
+        "request": {
+            "uri": "http://alexcrichton-test.s3.amazonaws.com/3/f/fyk",
+            "method": "PUT",
+            "headers": [
+                [
+                    "accept",
+                    "*/*"
+                ],
+                [
+                    "accept-encoding",
+                    "gzip"
+                ],
+                [
+                    "content-length",
+                    "157"
+                ],
+                [
+                    "content-type",
+                    "text/plain"
+                ]
+            ],
+            "body": "eyJuYW1lIjoiZnlrIiwidmVycyI6IjEuMC4wIiwiZGVwcyI6W10sImNrc3VtIjoiYWNiNTYwNGIxMjZhYzg5NGMxZWIxMWM0NTc1YmYyMDcyZmVhNjEyMzJhODg4ZTQ1Mzc3MGM3OWQ3ZWQ1NjQxOSIsImZlYXR1cmVzIjp7fSwieWFua2VkIjpmYWxzZSwibGlua3MiOm51bGx9Cg=="
+        },
+        "response": {
+            "status": 200,
+            "headers": [],
+            "body": ""
+        }
+    }
+]
@@ -0,0 +1,122 @@
+[
+    {
+        "request": {
+            "uri": "http://alexcrichton-test.s3.amazonaws.com/crates/fyk/fyk-1.0.0.crate",
+            "method": "PUT",
+            "headers": [
+                [
+                    "accept",
+                    "*/*"
+                ],
+                [
+                    "accept-encoding",
+                    "gzip"
+                ],
+                [
+                    "content-length",
+                    "35"
+                ],
+                [
+                    "content-type",
+                    "application/gzip"
+                ]
+            ],
+            "body": "H4sIAAAAAAAA/+3AAQEAAACCIP+vbkhQwKsBLq+17wAEAAA="
+        },
+        "response": {
+            "status": 200,
+            "headers": [],
+            "body": ""
+        }
+    },
+    {
+        "request": {
+            "uri": "http://alexcrichton-test.s3.amazonaws.com/3/f/fyk",
+            "method": "PUT",
+            "headers": [
+                [
+                    "accept",
+                    "*/*"
+                ],
+                [
+                    "accept-encoding",
+                    "gzip"
+                ],
+                [
+                    "content-length",
+                    "157"
+                ],
+                [
+                    "content-type",
+                    "text/plain"
+                ]
+            ],
+            "body": "eyJuYW1lIjoiZnlrIiwidmVycyI6IjEuMC4wIiwiZGVwcyI6W10sImNrc3VtIjoiYWNiNTYwNGIxMjZhYzg5NGMxZWIxMWM0NTc1YmYyMDcyZmVhNjEyMzJhODg4ZTQ1Mzc3MGM3OWQ3ZWQ1NjQxOSIsImZlYXR1cmVzIjp7fSwieWFua2VkIjpmYWxzZSwibGlua3MiOm51bGx9Cg=="
+        },
+        "response": {
+            "status": 200,
+            "headers": [],
+            "body": ""
+        }
+    },
+    {
+        "request": {
+            "uri": "http://alexcrichton-test.s3.amazonaws.com/3/f/fyk",
+            "method": "PUT",
+            "headers": [
+                [
+                    "accept",
+                    "*/*"
+                ],
+                [
+                    "accept-encoding",
+                    "gzip"
+                ],
+                [
+                    "content-length",
+                    "156"
+                ],
+                [
+                    "content-type",
+                    "text/plain"
+                ]
+            ],
+            "body": "eyJuYW1lIjoiZnlrIiwidmVycyI6IjEuMC4wIiwiZGVwcyI6W10sImNrc3VtIjoiYWNiNTYwNGIxMjZhYzg5NGMxZWIxMWM0NTc1YmYyMDcyZmVhNjEyMzJhODg4ZTQ1Mzc3MGM3OWQ3ZWQ1NjQxOSIsImZlYXR1cmVzIjp7fSwieWFua2VkIjp0cnVlLCJsaW5rcyI6bnVsbH0K"
+        },
+        "response": {
+            "status": 200,
+            "headers": [],
+            "body": ""
+        }
+    },
+    {
+        "request": {
+            "uri": "http://alexcrichton-test.s3.amazonaws.com/3/f/fyk",
+            "method": "PUT",
+            "headers": [
+                [
+                    "accept",
+                    "*/*"
+                ],
+                [
+                    "accept-encoding",
+                    "gzip"
+                ],
+                [
+                    "content-length",
+                    "157"
+                ],
+                [
+                    "content-type",
+                    "text/plain"
+                ]
+            ],
+            "body": "eyJuYW1lIjoiZnlrIiwidmVycyI6IjEuMC4wIiwiZGVwcyI6W10sImNrc3VtIjoiYWNiNTYwNGIxMjZhYzg5NGMxZWIxMWM0NTc1YmYyMDcyZmVhNjEyMzJhODg4ZTQ1Mzc3MGM3OWQ3ZWQ1NjQxOSIsImZlYXR1cmVzIjp7fSwieWFua2VkIjpmYWxzZSwibGlua3MiOm51bGx9Cg=="
+        },
+        "response": {
+            "status": 200,
+            "headers": [],
+            "body": ""
+        }
+    }
+]