So... at this point, what remains to be done is to detect and return an error when 'private' is true and 'name' does not end in a *. That is, just before api.go's searchStore calls out to findOne, it should check for private and bail with a 400.
So... at this point, what remains to be done is to detect and return an error when 'private' is true and 'name' does not end in a *. That is, just before api.go's searchStore calls out to findOne, it should check for private and bail with a 400.