The proxy registry model currently auto-creates repositories when an image is first pulled (and cached) via pull-thru proxy. If a user is not an org admin, this part of the flow is never reached, since the permission check halts the request before (and righteously so).

Users creating a repository need the "push" action in their jwt token. This is added to the token in the /auth endpoint[1]. This endpoint also handles auto-creation of repositories when necessary[2].

When pulling an image thru a proxy org, the jwt token will contain the "pull" action, causing Quay to deny pulls to a repository that hasn't yet been created (for all users who aren't org admin). 

[1] https://github.com/quay/quay/blob/master/endpoints/v2/v2auth.py#L61
[2] https://github.com/quay/quay/blob/master/endpoints/v2/v2auth.py#L285-L287