Beispiel #1
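    def save_group_permissions(self, **kw):
        """Attach an existing permission to a group.

        Reads the permission name from ``kw['permissions']['text']`` and the
        group from ``kw['group_id']``.  On any validation failure the response
        status is set to 403 and a one-element list with the error text is
        returned.  On success returns a dict with the permission's ``name``
        and ``id``.

        NOTE(review): no authorization check is visible in this body.
        Granting a permission to a group is privilege-sensitive, so confirm
        the handler is guarded outside this view (e.g. by a decorator).
        """
        try:
            permission_name = kw['permissions']['text']
        except (KeyError, TypeError):
            # TypeError covers a 'permissions' value that is not a mapping
            # (e.g. a plain string), which used to escape as an unhandled
            # error instead of the intended validation response.
            log.exception('Permission not submitted correctly')
            response.status = 403
            return ['Permission not submitted correctly']
        try:
            permission = Permission.by_name(permission_name)
        except NoResultFound:
            # Lazy %-args: the logging framework does the formatting.
            log.exception('Invalid permission: %s', permission_name)
            response.status = 403
            return ['Invalid permission value']
        try:
            group_id = kw['group_id']
        except KeyError:
            log.exception('Group id not submitted')
            response.status = 403
            return ['No group id given']
        try:
            group = Group.by_id(group_id)
        except NoResultFound:
            log.exception('Group id %s is not a valid group id', group_id)
            response.status = 403
            return ['Invalid Group Id']

        # The group fetched above is reused; the second identical lookup the
        # original performed here was redundant.
        if permission in group.permissions:
            response.status = 403
            return ['%s already exists in group %s' %
                    (permission.permission_name, group.group_name)]

        group.permissions.append(permission)
        return {'name': permission_name, 'id': permission.permission_id}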
Beispiel #2
    def grant_owner(self, group_id=None, id=None, **kw):
        """Promote a group member to owner and record the change.

        When both ``group_id`` and ``id`` are given the lookup is by id and
        the activity is attributed to 'WEBUI'; otherwise ``kw['group_name']``
        and ``kw['member_name']`` are used and the service is 'XMLRPC'.

        Raises GroupOwnerModificationForbidden for LDAP groups, when the
        current user may not edit the group, or when the target user is not a
        member.  Returns '' after a promotion; falls through (returning None)
        when the member already is an owner.
        """
        by_id = group_id is not None and id is not None
        if by_id:
            group = Group.by_id(group_id)
            user = User.by_id(id)
            service = 'WEBUI'
        else:
            group = Group.by_name(kw['group_name'])
            user = User.by_user_name(kw['member_name'])
            service = 'XMLRPC'

        if group.ldap:
            raise GroupOwnerModificationForbidden('An LDAP group does not have an owner')

        # Authorization gate: the caller must be allowed to edit the group.
        if not group.can_edit(identity.current.user):
            raise GroupOwnerModificationForbidden('You are not an owner of the group %s' % group)

        if user not in group.users:
            raise GroupOwnerModificationForbidden('User is not a group member')

        for membership in group.user_group_assocs:
            if membership.user == user and not membership.is_owner:
                membership.is_owner = True
                group.record_activity(user=identity.current.user, service=service,
                                      field=u'Owner', action='Added',
                                      old=u'', new=user.user_name)
                return ''
Beispiel #3
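    def removeUser(self, group_id=None, id=None, **kw):
        """Remove a member from a group, log the activity and send a notice.

        The current user must pass ``group.can_modify_membership`` and
        ``group.can_remove_member``; otherwise a message is flashed and the
        request is redirected.  When a member whose ``user_id`` equals
        ``int(id)`` is found it is removed, a GroupActivity is appended, a
        membership notification is mailed, and the request is redirected to
        the group's edit page.  When no such member exists a "No user"
        message is flashed before the same redirect.

        NOTE(review): the bare ``redirect(...)`` calls are presumably relied
        on to raise and stop processing -- confirm against the framework.
        NOTE(review): ``int(id)`` is not guarded; a non-numeric ``id`` would
        surface as an unhandled ValueError.
        """
        group = Group.by_id(group_id)

        if not group.can_modify_membership(identity.current.user):
            flash(_(u'You are not an owner of group %s' % group))
            redirect('../groups/mine')

        if not group.can_remove_member(identity.current.user, id):
            flash(_(u'Cannot remove member'))
            redirect('../groups/edit?group_id=%s' % group_id)

        for user in group.users:
            if user.user_id == int(id):
                group.users.remove(user)
                activity = GroupActivity(identity.current.user, u'WEBUI', u'Removed', u'User', user.user_name, u"")
                group.activity.append(activity)
                mail.group_membership_notify(user, group,
                                             agent=identity.current.user,
                                             action='Removed')
                flash(_(u"%s Removed" % user.display_name))
                redirect("../groups/edit?group_id=%s" % group_id)
        # Fix: the original formatted this message with `removed.display_name`,
        # but `removed` was only bound inside the loop on a match, so the
        # not-found path raised a NameError.  The message names the group.
        flash(_(u"No user %s in group %s" % (id, group.display_name)))
        raise redirect("../groups/edit?group_id=%s" % group_id)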
Beispiel #4
    def remove(self, **kw):
        """Delete the group named by ``kw['group_id']`` for the current user.

        Flashes a message and redirects to '../groups/mine' when the group
        cannot be found, the current user may not edit it, it is a protected
        group, or it still has jobs.  Otherwise records deletion of its
        access policy rules, reassigns system pools it owns to the deleting
        user, deletes the group and adds a 'Removed' Activity entry.

        NOTE(review): a missing 'group_id' key raises KeyError, which the
        DatabaseLookupError handler does not catch.
        """
        current_user = identity.current.user
        try:
            group = Group.by_id(kw['group_id'])
        except DatabaseLookupError:
            flash(unicode('Invalid group or already removed'))
            redirect('../groups/mine')

        # Authorization gate: only users who may edit the group can delete it.
        if not group.can_edit(current_user):
            flash(_(u'You are not an owner of group %s' % group))
            redirect('../groups/mine')

        if group.is_protected_group():
            flash(_(u'This group %s is predefined and cannot be deleted' % group))
            redirect('../groups/mine')

        if group.jobs:
            flash(_(u'Cannot delete a group which has associated jobs'))
            redirect('../groups/mine')

        # Log the access policy rules that disappear with the group
        # before the group itself is deleted.
        for policy_rule in group.system_access_policy_rules:
            policy_rule.record_deletion()

        # System pools owned by this group are handed over to the user
        # performing the deletion.
        for owned_pool in SystemPool.query.filter_by(owning_group_id=group.group_id):
            owned_pool.change_owner(user=current_user, service='WEBUI')
        session.delete(group)
        session.add(Activity(current_user, u'WEBUI', u'Removed', u'Group',
                             group.display_name, u""))
        flash(_(u"%s deleted") % group.display_name)
        raise redirect(".")
Beispiel #5
    def revoke_owner(self, group_id=None, id=None, **kw):
        """Revoke a member's ownership of a group.

        With both ``group_id`` and ``id`` the lookup is by id ('WEBUI');
        otherwise ``kw['group_name']`` / ``kw['member_name']`` are used
        ('XMLRPC').  Raises GroupOwnerModificationForbidden for LDAP groups,
        when the current user may not edit the group, when the target is not
        a member, or when the group has exactly one owner and the current
        user is not an admin.  Returns the current user's id as a string.

        NOTE(review): the single-owner guard counts owners but does not test
        whether ``user`` is one of them; confirm revoke_ownership copes with
        a member who is not an owner.
        """
        if group_id is None or id is None:
            group = Group.by_name(kw['group_name'])
            user = User.by_user_name(kw['member_name'])
            service = 'XMLRPC'
        else:
            group = Group.by_id(group_id)
            user = User.by_id(id)
            service = 'WEBUI'

        if group.membership_type == GroupMembershipType.ldap:
            raise GroupOwnerModificationForbidden(
                'An LDAP group does not have an owner')

        # Authorization gate: the caller must be allowed to edit the group.
        if not group.can_edit(identity.current.user):
            raise GroupOwnerModificationForbidden(
                'You are not an owner of group %s' % group)

        if user not in group.users:
            raise GroupOwnerModificationForbidden('User is not a group member')

        # Non-admins may not leave the group without an owner.
        if len(group.owners()) == 1 and not identity.current.user.is_admin():
            raise GroupOwnerModificationForbidden(
                'Cannot remove the only owner')

        group.revoke_ownership(user=user,
                               agent=identity.current.user,
                               service=service)
        # The id of the acting user is returned (described upstream as a
        # hack) so the caller can redirect someone who was logged in as a
        # group owner.
        return str(identity.current.user.user_id)
Beispiel #6
    def save_user(self, **kw):
        """Add the user named in ``kw['user']['text']`` to a group.

        Flashes a message and redirects when the user name is unknown, when
        the current user may not modify the group's membership, or when the
        user already is a member.  On success the user is appended to the
        group, a GroupActivity is recorded and a notification is mailed.

        NOTE(review): the user lookup runs before the ownership check, so a
        caller who is not an owner can still tell from the flash message
        whether a user name exists.
        NOTE(review): ``kw['group_id']`` is interpolated into the redirect
        URL without encoding; it is presumably a plain integer -- confirm.
        """
        submitted_name = kw['user']['text']
        user = User.by_user_name(submitted_name)
        if user is None:
            flash(_(u"Invalid user %s" % submitted_name))
            redirect("./edit?group_id=%s" % kw['group_id'])
        group = Group.by_id(kw['group_id'])

        # Authorization gate for membership changes.
        if not group.can_modify_membership(identity.current.user):
            flash(_(u'You are not an owner of group %s' % group))
            redirect('../groups/mine')

        if user in group.users:
            flash(
                _(u"User %s is already in Group %s" %
                  (user.user_name, group.group_name)))
            redirect("./edit?group_id=%s" % kw['group_id'])
        else:
            group.users.append(user)
            group.activity.append(
                GroupActivity(identity.current.user, u'WEBUI', u'Added',
                              u'User', u"", user.user_name))
            mail.group_membership_notify(user,
                                         group,
                                         agent=identity.current.user,
                                         action='Added')
            flash(_(u"OK"))
            redirect("./edit?group_id=%s" % kw['group_id'])
Beispiel #7
    def revoke_owner(self, group_id=None, id=None, **kw):
        """Clear the owner flag on a member's group association.

        With both ``group_id`` and ``id`` the lookup is by id ('WEBUI');
        otherwise by ``kw['group_name']`` / ``kw['member_name']`` ('XMLRPC').
        Raises GroupOwnerModificationForbidden for LDAP groups, when the
        current user may not edit the group, when the target is not a member,
        or when the group has exactly one owner and the current user is not
        an admin.  Returns the current user's id as a string after a
        revocation; falls through (returning None) when the member was not an
        owner.
        """
        web_request = group_id is not None and id is not None
        if web_request:
            group = Group.by_id(group_id)
            user = User.by_id(id)
            service = 'WEBUI'
        else:
            group = Group.by_name(kw['group_name'])
            user = User.by_user_name(kw['member_name'])
            service = 'XMLRPC'

        if group.ldap:
            raise GroupOwnerModificationForbidden('An LDAP group does not have an owner')

        # Authorization gate: the caller must be allowed to edit the group.
        if not group.can_edit(identity.current.user):
            raise GroupOwnerModificationForbidden('You are not an owner of group %s' % group)

        if user not in group.users:
            raise GroupOwnerModificationForbidden('User is not a group member')

        # Non-admins may not leave the group without an owner.
        if len(group.owners()) == 1 and not identity.current.user.is_admin():
            raise GroupOwnerModificationForbidden('Cannot remove the only owner')

        for membership in group.user_group_assocs:
            if membership.user == user and membership.is_owner:
                membership.is_owner = False
                group.record_activity(user=identity.current.user, service=service,
                                      field=u'Owner', action='Removed',
                                      old=user.user_name, new=u'')
                # The id of the acting user is returned (described upstream
                # as a hack) so the caller can redirect someone who was
                # logged in as a group owner.
                return str(identity.current.user.user_id)
Beispiel #8
    def grant_owner(self, group_id=None, id=None, **kw):
        """Grant group ownership to a member via ``group.grant_ownership``.

        With both ``group_id`` and ``id`` the lookup is by id ('WEBUI');
        otherwise by ``kw['group_name']`` / ``kw['member_name']`` ('XMLRPC').
        Raises GroupOwnerModificationForbidden for LDAP groups, when the
        current user may not edit the group, or when the target user is not a
        member.  Returns '' on success.
        """
        if group_id is None or id is None:
            group = Group.by_name(kw['group_name'])
            user = User.by_user_name(kw['member_name'])
            service = 'XMLRPC'
        else:
            group = Group.by_id(group_id)
            user = User.by_id(id)
            service = 'WEBUI'

        if group.membership_type == GroupMembershipType.ldap:
            raise GroupOwnerModificationForbidden(
                'An LDAP group does not have an owner')

        # Authorization gate: the caller must be allowed to edit the group.
        if not group.can_edit(identity.current.user):
            raise GroupOwnerModificationForbidden(
                'You are not an owner of the group %s' % group)

        # Ownership can only be granted to an existing member.
        if user not in group.users:
            raise GroupOwnerModificationForbidden('User is not a group member')

        group.grant_ownership(user=user,
                              agent=identity.current.user,
                              service=service)
        return ''
Beispiel #9
    def revoke_owner(self, group_id=None, id=None, **kw):
        """Take group ownership away from a member.

        With both ``group_id`` and ``id`` the lookup is by id ('WEBUI');
        otherwise by ``kw['group_name']`` / ``kw['member_name']`` ('XMLRPC').
        Raises GroupOwnerModificationForbidden for LDAP groups, when the
        current user may not edit the group, when the target is not a member,
        or when the group has exactly one owner and the current user is not
        an admin.  Returns the current user's id as a string.

        NOTE(review): the owner-count check and the revocation are separate
        steps; whether concurrent requests could remove the last owner
        depends on transaction handling not visible here.
        """
        looked_up_by_id = group_id is not None and id is not None
        if looked_up_by_id:
            group = Group.by_id(group_id)
            user = User.by_id(id)
            service = 'WEBUI'
        else:
            group = Group.by_name(kw['group_name'])
            user = User.by_user_name(kw['member_name'])
            service = 'XMLRPC'

        if group.membership_type == GroupMembershipType.ldap:
            raise GroupOwnerModificationForbidden('An LDAP group does not have an owner')

        # Authorization gate: the caller must be allowed to edit the group.
        if not group.can_edit(identity.current.user):
            raise GroupOwnerModificationForbidden('You are not an owner of group %s' % group)

        if user not in group.users:
            raise GroupOwnerModificationForbidden('User is not a group member')

        # Non-admins may not leave the group without an owner.
        if len(group.owners()) == 1 and not identity.current.user.is_admin():
            raise GroupOwnerModificationForbidden('Cannot remove the only owner')

        group.revoke_ownership(user=user, agent=identity.current.user, service=service)
        # The id of the acting user is returned (described upstream as a
        # hack) so the caller can redirect someone who was logged in as a
        # group owner.
        return str(identity.current.user.user_id)
Beispiel #10
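    def removeUser(self, group_id=None, id=None, **kw):
        """Remove the member with id ``id`` from the group ``group_id``.

        Two checks on the current user run first
        (``group.can_modify_membership`` and ``group.can_remove_member``);
        either failing flashes a message and redirects.  A matching member is
        removed from ``group.users``, a GroupActivity is appended, a
        notification is mailed and the request is redirected to the edit
        page.  If no member matches, a "No user" message is flashed before
        the same redirect.

        NOTE(review): the bare ``redirect(...)`` calls are presumably relied
        on to raise and end the request -- confirm against the framework.
        NOTE(review): a non-numeric ``id`` makes ``int(id)`` raise an
        unhandled ValueError.
        """
        group = Group.by_id(group_id)

        if not group.can_modify_membership(identity.current.user):
            flash(_(u'You are not an owner of group %s' % group))
            redirect('../groups/mine')

        if not group.can_remove_member(identity.current.user, id):
            flash(_(u'Cannot remove member'))
            redirect('../groups/edit?group_id=%s' % group_id)

        for user in group.users:
            if user.user_id == int(id):
                group.users.remove(user)
                activity = GroupActivity(identity.current.user, u'WEBUI',
                                         u'Removed', u'User',
                                         user.user_name, u"")
                group.activity.append(activity)
                mail.group_membership_notify(user,
                                             group,
                                             agent=identity.current.user,
                                             action='Removed')
                flash(_(u"%s Removed" % user.display_name))
                redirect("../groups/edit?group_id=%s" % group_id)
        # Fix: `removed` was only assigned inside the loop when a member
        # matched, so using it here raised a NameError on the not-found
        # path.  The message is about the group, so use its display name.
        flash(_(u"No user %s in group %s" % (id, group.display_name)))
        raise redirect("../groups/edit?group_id=%s" % group_id)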
Beispiel #11
    def grant_owner(self, group_id=None, id=None, **kw):
        """Set the owner flag on a member's group association.

        With both ``group_id`` and ``id`` the lookup is by id ('WEBUI');
        otherwise by ``kw['group_name']`` / ``kw['member_name']`` ('XMLRPC').
        Raises GroupOwnerModificationForbidden for LDAP groups, when the
        current user may not edit the group, or when the target user is not a
        member.  Returns '' after a promotion; returns None implicitly when
        the member already is an owner.
        """
        if group_id is None or id is None:
            group = Group.by_name(kw['group_name'])
            user = User.by_user_name(kw['member_name'])
            service = 'XMLRPC'
        else:
            group = Group.by_id(group_id)
            user = User.by_id(id)
            service = 'WEBUI'

        if group.ldap:
            raise GroupOwnerModificationForbidden(
                'An LDAP group does not have an owner')

        # Authorization gate: the caller must be allowed to edit the group.
        if not group.can_edit(identity.current.user):
            raise GroupOwnerModificationForbidden(
                'You are not an owner of the group %s' % group)

        if user not in group.users:
            raise GroupOwnerModificationForbidden('User is not a group member')

        for assoc in group.user_group_assocs:
            if not (assoc.user == user):
                continue
            if assoc.is_owner:
                # Already an owner: nothing to change or to record.
                continue
            assoc.is_owner = True
            group.record_activity(user=identity.current.user,
                                  service=service,
                                  field=u'Owner',
                                  action='Added',
                                  old=u'',
                                  new=user.user_name)
            return ''
Beispiel #12
    def get_group_users(self, group_id=None, *args, **kw):
        """Return ``(user_id, display_name)`` pairs for a group's members.

        An unknown ``group_id`` is logged, the response status is set to 403
        and ``['Invalid Group Id']`` is returned instead.

        NOTE(review): no authorization check is visible in this body; confirm
        that any caller may list the members of any group.
        """
        try:
            group = Group.by_id(group_id)
        except DatabaseLookupError:
            log.exception('Group id %s is not a valid group id' % group_id)
            response.status = 403
            return ['Invalid Group Id']

        members = []
        for member in group.users:
            members.append((member.user_id, member.display_name))
        return members
Beispiel #13
    def get_group_users(self, group_id=None, *args, **kw):
        """List a group's members as ``(user_id, display_name)`` tuples.

        When ``Group.by_id`` raises DatabaseLookupError the failure is
        logged, the response status becomes 403 and a one-element error list
        is returned.

        NOTE(review): membership is returned without any visible check on
        who is asking -- verify this is intended.
        """
        try:
            group = Group.by_id(group_id)
        except DatabaseLookupError:
            log.exception('Group id %s is not a valid group id' % group_id)
            response.status = 403
            return ['Invalid Group Id']
        else:
            return [(member.user_id, member.display_name)
                    for member in group.users]
Beispiel #14
    def get_group_systems(self, group_id=None, *args, **kw):
        """Return ``(id, fqdn)`` pairs for the systems in a group.

        An unknown ``group_id`` is logged, the response status is set to 403
        and ``['Invalid Group Id']`` is returned instead.

        NOTE(review): ``group.systems`` is returned as-is; no per-caller
        visibility filter or authorization check is visible in this body.
        Confirm that every caller may see every system in the group.
        """
        try:
            group = Group.by_id(group_id)
        except NoResultFound:
            log.exception('Group id %s is not a valid group id' % group_id)
            response.status = 403
            return ['Invalid Group Id']

        pairs = []
        for member_system in group.systems:
            pairs.append((member_system.id, member_system.fqdn))
        return pairs
Beispiel #15
    def systems(self, group_id=None, *args, **kw):
        """Render the systems listing restricted to one group.

        An unknown ``group_id`` is logged, a message is flashed and the
        request is redirected to '../groups/mine'.  Otherwise the query from
        ``System.all(identity.current.user)`` is narrowed to systems whose
        groups contain this group and handed to ``Root()._systems``.
        """
        try:
            group = Group.by_id(group_id)
        except NoResultFound:
            log.exception('Group id %s is not a valid group id' % group_id)
            flash(_(u'Need a valid group to search on'))
            redirect('../groups/mine')

        # Start from the query scoped to the current user, then narrow it.
        scoped_to_user = System.all(identity.current.user)
        systems = scoped_to_user.filter(System.groups.contains(group))
        title = 'Systems in Group %s' % group.group_name
        # Imported here rather than at module level, as in the original.
        from bkr.server.controllers import Root
        root_controller = Root()
        return root_controller._systems(systems, title, group_id=group_id, **kw)
Beispiel #16
    def get_group_systems(self, group_id=None, *args, **kw):
        """Return ``(id, fqdn)`` pairs for a group's non-removed systems.

        The query starts from ``System.all(identity.current.user)`` and is
        narrowed to systems in the group whose status is not
        ``SystemStatus.removed``.  An unknown ``group_id`` is logged, the
        response status is set to 403 and ``['Invalid Group Id']`` is
        returned.
        """
        try:
            group = Group.by_id(group_id)
        except DatabaseLookupError:
            log.exception('Group id %s is not a valid group id' % group_id)
            response.status = 403
            return ['Invalid Group Id']

        # Scope to the current user first, then restrict to this group and
        # drop systems marked as removed.
        query = System.all(identity.current.user)
        query = query.filter(System.groups.contains(group))
        query = query.filter(System.status != SystemStatus.removed)

        return [(entry.id, entry.fqdn) for entry in query]
Beispiel #17
    def edit(self, group_id, **kw):
        """Build the template context for a group's page.

        Serves both the editable and the read-only view: "Remove" controls
        for systems and permissions are added only when the current user
        passes ``group.can_edit``.  An unknown ``group_id`` is logged, a
        message is flashed and the request is redirected.

        NOTE(review): ``group.root_password`` is placed in the context
        whether or not ``can_edit`` is true; confirm the template shows it
        only to users entitled to see it.
        NOTE(review): the permission "Remove" link is built by string
        interpolation and wrapped in ``XML``; this presumably relies on
        ``permission_id`` being a database-generated integer.
        """
        # Not just for editing, also provides a read-only view
        try:
            group = Group.by_id(group_id)
        except NoResultFound:
            log.exception('Group id %s is not a valid group id' % group_id)
            flash(_(u'Need a valid group to search on'))
            redirect('../groups/mine')

        usergrid = self.show_members(group)

        viewer = identity.current.user
        can_edit = group.can_edit(viewer) if viewer else False

        systems_fields = [('System', lambda system: system.link)]
        if can_edit:
            hidden_inputs = [widgets.HiddenField(name='group_id'),
                             widgets.HiddenField(name='id')]
            system_remove_widget = DeleteLinkWidgetForm(
                action='removeSystem',
                hidden_fields=hidden_inputs,
                action_text=u'Remove')

            def remove_system_cell(system):
                return system_remove_widget.display(
                    dict(group_id=group_id, id=system.id))

            systems_fields.append((' ', remove_system_cell))
        systemgrid = BeakerDataGrid(fields=systems_fields)

        permissions_fields = [('Permission', lambda perm: perm.permission_name)]
        if can_edit:
            def remove_permission_cell(perm):
                return XML(
                    '<a class="btn" href="#" id="remove_permission_%s">'
                    '<i class="icon-remove"/> Remove</a>' % perm.permission_id)

            permissions_fields.append((' ', remove_permission_cell))
        group_permissions_grid = BeakerDataGrid(name='group_permission_grid',
                                                fields=permissions_fields)
        group_permissions = GroupPermissions()

        return {
            'form': self.group_form,
            'system_form': self.group_system_form,
            'user_form': self.group_user_form,
            'group_edit_js': LocalJSLink('bkr', '/static/javascript/group_users_v2.js'),
            'action': './save',
            'system_action': './save_system',
            'user_action': './save_user',
            'options': {},
            'value': group,
            'group_pw': group.root_password,
            'usergrid': usergrid,
            'systemgrid': systemgrid,
            'disabled_fields': [],
            'group_permissions': group_permissions,
            'group_form': self.permissions_form,
            'group_permissions_grid': group_permissions_grid,
        }
Beispiel #18
    def edit(self, group_id=None, group_name=None, **kw):
        """Build the template context for a group's page.

        The group is looked up by ``group_id`` when given, else by
        ``group_name``; with neither, or when the lookup fails, the request
        is redirected to '../groups/mine'.  Serves both the editable and the
        read-only view: the permission "Remove" link is added only when the
        current user passes ``group.can_edit``.

        NOTE(review): ``group.root_password`` is placed in the context
        whether or not ``can_edit`` is true; confirm the template shows it
        only to users entitled to see it.
        NOTE(review): ``group`` stays unbound after a failed lookup, so the
        code presumably relies on ``redirect`` raising.
        """
        # Not just for editing, also provides a read-only view
        if group_id is not None:
            try:
                group = Group.by_id(group_id)
            except DatabaseLookupError:
                log.exception('Group id %s is not a valid group id' % group_id)
                flash(_(u'Need a valid group to search on'))
                redirect('../groups/mine')
        elif group_name is not None:
            try:
                group = Group.by_name(group_name)
            except NoResultFound:
                log.exception('Group name %s is not a valid group name' %
                              group_name)
                flash(_(u'Need a valid group to search on'))
                redirect('../groups/mine')
        else:
            redirect('../groups/mine')

        usergrid = self.show_members(group)

        viewer = identity.current.user
        can_edit = group.can_edit(viewer) if viewer else False

        permissions_fields = [('Permission', lambda perm: perm.permission_name)]
        if can_edit:
            def remove_permission_cell(perm):
                # Interpolates permission_id into markup wrapped in XML();
                # presumably an integer primary key -- confirm.
                return XML(
                    '<a class="btn" href="#" id="remove_permission_%s">'
                    '<i class="fa fa-times"/> Remove</a>' % perm.permission_id)

            permissions_fields.append((' ', remove_permission_cell))
        group_permissions_grid = BeakerDataGrid(name='group_permission_grid',
                                                fields=permissions_fields)
        group_permissions = GroupPermissions()

        return {
            'form': self.group_form,
            'user_form': self.group_user_form,
            'group_edit_js': LocalJSLink('bkr',
                                         '/static/javascript/group_users_v2.js'),
            'action': './save',
            'user_action': './save_user',
            'options': {},
            'value': group,
            'group_pw': group.root_password,
            'usergrid': usergrid,
            'disabled_fields': [],
            'group_permissions': group_permissions,
            'group_form': self.permissions_form,
            'group_permissions_grid': group_permissions_grid,
        }
Beispiel #19
    def systems(self, group_id=None, *args, **kw):
        """Render the systems listing for one group, skipping removed systems.

        An unknown ``group_id`` is logged, a message is flashed and the
        request is redirected to '../groups/mine'.  Otherwise the query from
        ``System.all(identity.current.user)`` is narrowed to this group's
        systems whose status is not ``SystemStatus.removed`` and handed to
        ``Root()._systems``.
        """
        try:
            group = Group.by_id(group_id)
        except DatabaseLookupError:
            log.exception('Group id %s is not a valid group id' % group_id)
            flash(_(u'Need a valid group to search on'))
            redirect('../groups/mine')

        # Scope to the current user first, then restrict to this group and
        # drop systems marked as removed.
        query = System.all(identity.current.user)
        query = query.filter(System.groups.contains(group))
        systems = query.filter(System.status != SystemStatus.removed)
        title = 'Systems in Group %s' % group.group_name
        # Imported here rather than at module level, as in the original.
        from bkr.server.controllers import Root
        root_controller = Root()
        return root_controller._systems(systems, title, group_id=group_id, **kw)
Beispiel #20
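    def save_group_permissions(self, **kw):
        """Add a named permission to a group and return its name and id.

        Expects ``kw['permissions']['text']`` (permission name) and
        ``kw['group_id']``.  Each validation failure sets the response status
        to 403 and returns a one-element list with the error text.  Success
        returns ``{'name': ..., 'id': ...}`` for the permission.

        NOTE(review): nothing in this body verifies that the caller may
        change a group's permissions; confirm the check is applied outside
        this view (e.g. by a decorator).
        """
        try:
            permission_name = kw['permissions']['text']
        except (KeyError, TypeError):
            # A 'permissions' value that is not a mapping raises TypeError
            # on the ['text'] lookup; treat it like a missing key rather
            # than letting it escape as an unhandled error.
            log.exception('Permission not submitted correctly')
            response.status = 403
            return ['Permission not submitted correctly']
        try:
            permission = Permission.by_name(permission_name)
        except NoResultFound:
            # Arguments are passed separately so logging does the formatting.
            log.exception('Invalid permission: %s', permission_name)
            response.status = 403
            return ['Invalid permission value']
        try:
            group_id = kw['group_id']
        except KeyError:
            log.exception('Group id not submitted')
            response.status = 403
            return ['No group id given']
        try:
            group = Group.by_id(group_id)
        except NoResultFound:
            log.exception('Group id %s is not a valid group id', group_id)
            response.status = 403
            return ['Invalid Group Id']

        # `group` from the lookup above is used directly; the original
        # repeated the same Group.by_id call here.
        if permission in group.permissions:
            response.status = 403
            return [
                '%s already exists in group %s' %
                (permission.permission_name, group.group_name)
            ]

        group.permissions.append(permission)
        return {'name': permission_name, 'id': permission.permission_id}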
Beispiel #21
    def edit(self, group_id=None, group_name=None, **kw):
        """Assemble the template context for viewing or editing a group.

        Looks the group up by ``group_id`` if supplied, otherwise by
        ``group_name``.  A failed lookup, or neither argument, redirects to
        '../groups/mine'.  The permission "Remove" link is included only when
        the current user passes ``group.can_edit``.

        NOTE(review): the context always carries ``group.root_password``
        under 'group_pw', independent of ``can_edit``; verify the template
        gates its display.
        NOTE(review): after a failed lookup ``group`` is unbound, so the code
        presumably depends on ``redirect`` raising.
        """
        # Not just for editing, also provides a read-only view
        if group_id is not None:
            try:
                group = Group.by_id(group_id)
            except DatabaseLookupError:
                log.exception('Group id %s is not a valid group id' % group_id)
                flash(_(u'Need a valid group to search on'))
                redirect('../groups/mine')
        elif group_name is not None:
            try:
                group = Group.by_name(group_name)
            except NoResultFound:
                log.exception('Group name %s is not a valid group name' % group_name)
                flash(_(u'Need a valid group to search on'))
                redirect('../groups/mine')
        else:
            redirect('../groups/mine')

        usergrid = self.show_members(group)

        current = identity.current.user
        can_edit = group.can_edit(current) if current else False

        def permission_label(perm):
            return perm.permission_name

        def permission_remove_link(perm):
            # Interpolates permission_id into markup wrapped in XML();
            # presumably an integer primary key -- confirm.
            return XML(
                '<a class="btn" href="#" id="remove_permission_%s">'
                '<i class="fa fa-times"/> Remove</a>' % perm.permission_id)

        permissions_fields = [('Permission', permission_label)]
        if can_edit:
            permissions_fields.append((' ', permission_remove_link))
        group_permissions_grid = BeakerDataGrid(name='group_permission_grid',
                                                fields=permissions_fields)
        group_permissions = GroupPermissions()

        context = {
            'form': self.group_form,
            'user_form': self.group_user_form,
            'group_edit_js': LocalJSLink('bkr', '/static/javascript/group_users_v2.js'),
            'action': './save',
            'user_action': './save_user',
            'options': {},
            'value': group,
            'group_pw': group.root_password,
            'usergrid': usergrid,
            'disabled_fields': [],
            'group_permissions': group_permissions,
            'group_form': self.permissions_form,
            'group_permissions_grid': group_permissions_grid,
        }
        return context
Beispiel #22
def get_group_by_id_or_name():
    """
    Backwards-compatibility endpoint that redirects to /groups/<group_name>.

    The redirect target is built from ``href`` of the group that was looked
    up, not from the raw query string. Raises NotFound404 when neither
    parameter is present.

    :queryparam group_id: Group's id.
    :queryparam group_name: Group's name.
    """
    params = request.args
    if 'group_id' in params:
        # Lookup errors are translated by convert_internal_errors().
        with convert_internal_errors():
            group = Group.by_id(params['group_id'])
    elif 'group_name' in params:
        group = _get_group_by_name(params['group_name'])
    else:
        raise NotFound404
    target = absolute_url(group.href)
    return flask_redirect(target)
Beispiel #23
def get_group_by_id_or_name():
    """
    Legacy lookup kept for old links; answers with a redirect to
    /groups/<group_name>.

    :queryparam group_id: Group's id.
    :queryparam group_name: Group's name.
    """
    args = request.args
    by_id = 'group_id' in args
    if not by_id and 'group_name' not in args:
        # Neither selector was supplied.
        raise NotFound404
    if by_id:
        with convert_internal_errors():
            group = Group.by_id(args['group_id'])
    else:
        group = _get_group_by_name(args['group_name'])
    target = absolute_url(group.href)
    return flask_redirect(target)
Beispiel #24
    def save(self,
             group_id=None,
             display_name=None,
             group_name=None,
             ldap=False,
             root_password=None,
             **kwargs):
        """Apply submitted edits (name, display name, LDAP flag, root password) to a group.

        Every failure path flashes a message and calls ``redirect``.
        NOTE(review): the statements that follow each ``redirect(...)`` call
        only make sense if ``redirect`` never returns (presumably it raises);
        confirm against the framework in use.
        """

        user = identity.current.user

        # Only admins may submit a true LDAP flag.
        if ldap and not user.is_admin():
            flash(_(u'Only admins can create LDAP groups'))
            redirect('mine')

        try:
            group = Group.by_id(group_id)
        except DatabaseLookupError:
            flash(_(u"Group %s does not exist." % group_id))
            redirect('mine')

        # Name-collision check: NoResultFound means the requested name is free.
        try:
            Group.by_name(group_name)
        except NoResultFound:
            pass
        else:
            # A hit is only a conflict when the name differs from this group's current name.
            if group_name != group.group_name:
                flash(
                    _(u'Failed to update group %s: Group name already exists: %s'
                      % (group.group_name, group_name)))
                redirect('mine')

        # Authorization gate for the edit itself.
        # NOTE(review): this runs after the two lookups above, so their
        # flash messages are also produced for callers who cannot edit the
        # group -- confirm that is acceptable.
        if not group.can_edit(user):
            flash(_(u'You are not an owner of group %s' % group))
            redirect('../groups/mine')

        try:
            # The setters receive the acting user and the u'WEBUI' service label.
            group.set_name(user, u'WEBUI', group_name)
            group.set_display_name(user, u'WEBUI', display_name)
            # NOTE(review): assigned unconditionally, so a request that omits
            # ldap writes the default False -- confirm this is intended.
            group.ldap = ldap
            group.set_root_password(user, u'WEBUI', root_password)
        except BeakerException, err:
            # Discard the partial update before reporting the failure.
            session.rollback()
            flash(_(u'Failed to update group %s: %s' %
                    (group.group_name, err)))
            redirect('.')
Beispiel #25
    def remove(self, **kw):
        """Delete the group given by ``kw['group_id']`` and record the removal.

        The caller must pass ``group.can_edit``, and a group that still has
        jobs is refused. One ``Activity`` row is added for the group and one
        ``SystemActivity`` row per system in ``group.systems``.
        """
        my_groups = '../groups/mine'
        group = Group.by_id(kw['group_id'])
        actor = identity.current.user

        # Authorization gate: only callers who can edit the group may delete it.
        if not group.can_edit(actor):
            flash(_(u'You are not an owner of group %s' % group))
            redirect(my_groups)

        if group.jobs:
            flash(_(u'Cannot delete a group which has associated jobs'))
            redirect(my_groups)

        session.delete(group)
        session.add(
            Activity(actor, u'WEBUI', u'Removed', u'Group',
                     group.display_name, u""))
        for member_system in group.systems:
            session.add(
                SystemActivity(actor, u'WEBUI', u'Removed', u'Group',
                               group.display_name, u"",
                               object=member_system))
        flash(_(u"%s deleted") % group.display_name)
        raise redirect(".")
Beispiel #26
 def save_system(self, **kw):
     """Add the system named in ``kw['system']['text']`` to the group ``kw['group_id']``.

     Authorization is decided on the system side only (``system.can_edit``).
     A ``GroupActivity`` and a ``SystemActivity`` entry are appended on success.
     NOTE(review): the code after each ``redirect(...)`` assumes ``redirect``
     does not return (presumably it raises) -- confirm.
     """
     system = System.by_fqdn(kw['system']['text'],identity.current.user)
     # A system owner can add their system to a group, but a group owner
     # *cannot* add an arbitrary system to their group because that would
     # grant them extra privileges over it.
     # NOTE(review): no check on the group side is visible in this handler;
     # confirm that letting a system owner target any group is intended.
     if not system.can_edit(identity.current.user):
         flash(_(u'You do not have permission to edit system %s' % system))
         # kw['group_id'] is interpolated into the redirect URL as submitted.
         redirect('edit?group_id=%s' % kw['group_id'])
     group = Group.by_id(kw['group_id'])
     # Refuse a duplicate membership instead of appending twice.
     if group in system.groups:
         flash( _(u"System '%s' is already in group '%s'" % (system.fqdn, group.group_name)))
         redirect("./edit?group_id=%s" % kw['group_id'])
     group.systems.append(system)
     # Audit trail: one entry on the group, one on the system.
     activity = GroupActivity(identity.current.user, u'WEBUI', u'Added', u'System', u"", system.fqdn)
     sactivity = SystemActivity(identity.current.user, u'WEBUI', u'Added', u'Group', u"", group.display_name)
     group.activity.append(activity)
     system.activity.append(sactivity)
     flash( _(u"OK") )
     redirect("./edit?group_id=%s" % kw.get('group_id'))
Beispiel #27
    def removeSystem(self, group_id=None, id=None, **kw):
        """Remove a system from a group and record the change on both sides.

        The caller needs edit rights on either the group or the system;
        with neither, a message is flashed and the request is redirected.
        """
        group = Group.by_id(group_id)
        actor = identity.current.user
        system = System.by_id(id, actor)

        # Either ownership is sufficient for removal: a group owner may drop
        # a system from the group, and a system owner may withdraw their own
        # system. Adding a system is deliberately stricter than this.
        if not group.can_edit(actor) and not system.can_edit(actor):
            flash(_(u'Not permitted to remove %s from %s') % (system, group))
            redirect('../groups/mine')

        group.systems.remove(system)
        group_entry = GroupActivity(actor, u'WEBUI', u'Removed', u'System',
                                    system.fqdn, u"")
        system_entry = SystemActivity(actor, u'WEBUI', u'Removed', u'Group',
                                      group.display_name, u"")
        group.activity.append(group_entry)
        system.activity.append(system_entry)
        flash( _(u"%s Removed" % system.fqdn))
        raise redirect("./edit?group_id=%s" % group_id)
Beispiel #28
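    def remove_group_permission(self, group_id, permission_id):
        """Detach a permission from a group on behalf of the current user.

        Returns ``['1']`` on success. Returns ``['0']`` when the group or the
        permission cannot be found, or when the permission is not attached to
        the group. A caller for whom ``group.can_edit`` is false gets response
        status 403 and an explanatory message instead.
        """
        try:
            group = Group.by_id(group_id)
        except DatabaseLookupError:
            log.exception('Group id %s is not a valid Group to remove', group_id)
            return ['0']

        actor = identity.current.user
        if not group.can_edit(actor):
            # This branch is not inside an exception handler, so
            # log.exception would attach an empty traceback; an authorization
            # denial is recorded as a warning instead. getattr keeps the
            # denial path from failing if no user is attached to the request
            # (NOTE(review): confirm whether that can happen here).
            log.warning('User %s does not have edit permissions for Group id %s',
                        getattr(actor, 'user_id', None), group_id)
            response.status = 403
            return ['You are not an owner of group %s' % group]

        try:
            permission = Permission.by_id(permission_id)
        except NoResultFound:
            log.exception('Permission id %s is not a valid Permission to remove',
                          permission_id)
            return ['0']

        # Removing a permission the group does not hold would raise instead
        # of returning the documented failure marker.
        if permission not in group.permissions:
            log.warning('Permission id %s is not assigned to Group id %s',
                        permission_id, group_id)
            return ['0']
        group.permissions.remove(permission)
        return ['1']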
Beispiel #29
    def remove(self, **kw):
        """Delete the group given by ``kw['group_id']`` once all guards pass.

        Guards, in order: the group must exist, the caller must pass
        ``group.can_edit``, the group must not be a protected group, and it
        must have no jobs. Access policy rules record their deletion before
        the group is deleted; activity rows are added afterwards.
        """
        my_groups = '../groups/mine'
        try:
            group = Group.by_id(kw['group_id'])
        except DatabaseLookupError:
            flash(unicode('Invalid group or already removed'))
            redirect(my_groups)

        actor = identity.current.user
        # Authorization gate: only callers who can edit the group may delete it.
        if not group.can_edit(actor):
            flash(_(u'You are not an owner of group %s' % group))
            redirect(my_groups)

        if group.is_protected_group():
            flash(_(u'This group %s is predefined and cannot be deleted' % group))
            redirect(my_groups)

        if group.jobs:
            flash(_(u'Cannot delete a group which has associated jobs'))
            redirect(my_groups)

        # The rules disappear together with the group, so their deletion is
        # recorded while they can still be reached through it.
        for policy_rule in group.system_access_policy_rules:
            policy_rule.record_deletion()

        session.delete(group)
        session.add(
            Activity(actor, u'WEBUI', u'Removed', u'Group',
                     group.display_name, u""))
        for member_system in group.systems:
            session.add(
                SystemActivity(actor, u'WEBUI', u'Removed', u'Group',
                               group.display_name, u"",
                               object=member_system))
        flash(_(u"%s deleted") % group.display_name)
        raise redirect(".")
Beispiel #30
    def revoke_owner(self, group_id=None, id=None, **kw):
        """Strip group ownership from a member.

        With both ``group_id`` and ``id`` given, the group and user are looked
        up by id and the change is attributed to 'WEBUI'; otherwise they are
        looked up by ``kw['group_name']`` / ``kw['member_name']`` and the
        change is attributed to 'XMLRPC'.

        Raises GroupOwnerModificationForbidden for LDAP groups, for callers
        who cannot edit the group, for users who are not members, and when
        the group has exactly one owner and the caller is not an admin.
        Returns the acting user's id as a string when an ownership flag was
        cleared; otherwise falls through without an explicit return value.
        """
        addressed_by_id = group_id is not None and id is not None
        if addressed_by_id:
            group = Group.by_id(group_id)
            user = User.by_id(id)
            service = 'WEBUI'
        else:
            group = Group.by_name(kw['group_name'])
            user = User.by_user_name(kw['member_name'])
            service = 'XMLRPC'

        if group.ldap:
            raise GroupOwnerModificationForbidden(
                'An LDAP group does not have an owner')

        actor = identity.current.user
        if not group.can_edit(actor):
            raise GroupOwnerModificationForbidden(
                'You are not an owner of group %s' % group)

        if user not in group.users:
            raise GroupOwnerModificationForbidden('User is not a group member')

        # Last-owner guard: the count covers all owners of the group, and
        # admins are exempt from it.
        if len(group.owners()) == 1 and not actor.is_admin():
            raise GroupOwnerModificationForbidden(
                'Cannot remove the only owner')

        for assoc in group.user_group_assocs:
            if assoc.user == user and assoc.is_owner:
                assoc.is_owner = False
                group.record_activity(user=actor,
                                      service=service,
                                      field=u'Owner',
                                      action='Removed',
                                      old=user.user_name,
                                      new=u'')
                # Workaround: hand back the id of the user who performed the
                # revocation so that a caller who was logged in as a group
                # owner can be redirected appropriately.
                return str(actor.user_id)
Beispiel #31
    def save(self, group_id=None, display_name=None, group_name=None,
        ldap=False, root_password=None, **kwargs):
        """Apply submitted edits (name, display name, LDAP flag, root password) to a group.

        Every failure path flashes a message and calls ``redirect``.
        NOTE(review): the statements that follow each ``redirect(...)`` call
        only make sense if ``redirect`` never returns (presumably it raises);
        confirm against the framework in use.
        """

        user = identity.current.user

        # Only admins may submit a true LDAP flag.
        if ldap and not user.is_admin():
            flash(_(u'Only admins can create LDAP groups'))
            redirect('mine')

        try:
            group = Group.by_id(group_id)
        except DatabaseLookupError:
            flash( _(u"Group %s does not exist." % group_id) )
            redirect('mine')

        # Name-collision check: NoResultFound means the requested name is free.
        try:
            Group.by_name(group_name)
        except NoResultFound:
            pass
        else:
            # A hit is only a conflict when the name differs from this group's current name.
            if group_name != group.group_name:
                flash(_(u'Failed to update group %s: Group name already exists: %s' % 
                        (group.group_name, group_name)))
                redirect('mine')

        # Authorization gate for the edit itself.
        # NOTE(review): this runs after the two lookups above, so their
        # flash messages are also produced for callers who cannot edit the
        # group -- confirm that is acceptable.
        if not group.can_edit(user):
            flash(_(u'You are not an owner of group %s' % group))
            redirect('../groups/mine')

        try:
            # The setters receive the acting user and the u'WEBUI' service label.
            group.set_name(user, u'WEBUI', group_name)
            group.set_display_name(user, u'WEBUI', display_name)
            # NOTE(review): assigned unconditionally, so a request that omits
            # ldap writes the default False -- confirm this is intended.
            group.ldap = ldap
            group.set_root_password(user, u'WEBUI', root_password)
        except BeakerException, err:
            # Discard the partial update before reporting the failure.
            session.rollback()
            flash(_(u'Failed to update group %s: %s' %
                                                    (group.group_name, err)))
            redirect('.')
Beispiel #32
    def grant_owner(self, group_id=None, id=None, **kw):
        """Make an existing group member an owner of the group.

        With both ``group_id`` and ``id`` given, the group and user are looked
        up by id and the change is attributed to 'WEBUI'; otherwise they are
        looked up by ``kw['group_name']`` / ``kw['member_name']`` and the
        change is attributed to 'XMLRPC'.

        Raises GroupOwnerModificationForbidden for LDAP groups, for callers
        who cannot edit the group, and for users who are not group members.
        Returns an empty string on success.
        """
        addressed_by_id = group_id is not None and id is not None
        if addressed_by_id:
            group = Group.by_id(group_id)
            user = User.by_id(id)
            service = 'WEBUI'
        else:
            group = Group.by_name(kw['group_name'])
            user = User.by_user_name(kw['member_name'])
            service = 'XMLRPC'

        if group.membership_type == GroupMembershipType.ldap:
            raise GroupOwnerModificationForbidden(
                'An LDAP group does not have an owner')

        # Authorization gate: the caller must be able to edit the group.
        if not group.can_edit(identity.current.user):
            raise GroupOwnerModificationForbidden(
                'You are not an owner of the group %s' % group)

        # Ownership is only granted to users who are already members.
        if user not in group.users:
            raise GroupOwnerModificationForbidden('User is not a group member')

        group.grant_ownership(user=user,
                              agent=identity.current.user,
                              service=service)
        return ''
Beispiel #33
    def remove(self, **kw):
        """Delete the group given by ``kw['group_id']`` once all guards pass.

        Guards, in order: the group must exist, the caller must pass
        ``group.can_edit``, the group must not be a protected group, and it
        must have no jobs. Before deletion, access policy rules record their
        removal and system pools owned by the group change owner to the
        acting user.
        """
        actor = identity.current.user
        my_groups = '../groups/mine'
        try:
            group = Group.by_id(kw['group_id'])
        except DatabaseLookupError:
            flash(unicode('Invalid group or already removed'))
            redirect(my_groups)

        # Authorization gate: only callers who can edit the group may delete it.
        if not group.can_edit(actor):
            flash(_(u'You are not an owner of group %s' % group))
            redirect(my_groups)

        if group.is_protected_group():
            flash(_(u'This group %s is predefined and cannot be deleted' % group))
            redirect(my_groups)

        if group.jobs:
            flash(_(u'Cannot delete a group which has associated jobs'))
            redirect(my_groups)

        # The rules disappear together with the group, so their deletion is
        # recorded while they can still be reached through it.
        for policy_rule in group.system_access_policy_rules:
            policy_rule.record_deletion()

        # Pools owned by this group lose owning_group and are handed to the
        # user performing the deletion.
        for pool in SystemPool.query.filter_by(owning_group_id=group.group_id):
            pool.change_owner(user=actor, service='WEBUI')

        session.delete(group)
        session.add(
            Activity(actor, u'WEBUI', u'Removed', u'Group',
                     group.display_name, u""))
        flash(_(u"%s deleted") % group.display_name)
        raise redirect(".")
Beispiel #34
    def save_user(self, **kw):
        """Add the user named in ``kw['user']['text']`` to the group ``kw['group_id']``.

        The caller must pass ``group.can_modify_membership``. On success a
        ``GroupActivity`` entry is appended and a membership notification is
        sent through ``mail.group_membership_notify``.
        NOTE(review): the code after each ``redirect(...)`` assumes ``redirect``
        does not return (presumably it raises) -- confirm.
        """
        user = User.by_user_name(kw['user']['text'])
        if user is None:
            # NOTE(review): this lookup and its "Invalid user" message come
            # before the authorization check below, so the answer is given to
            # any caller who reaches this handler -- confirm that is acceptable.
            flash(_(u"Invalid user %s" % kw['user']['text']))
            # kw['group_id'] is interpolated into the redirect URL as submitted.
            redirect("./edit?group_id=%s" % kw['group_id'])
        group = Group.by_id(kw['group_id'])

        # Authorization gate for membership changes.
        if not group.can_modify_membership(identity.current.user):
            flash(_(u'You are not an owner of group %s' % group))
            redirect('../groups/mine')

        if user not in group.users:
            group.users.append(user)
            # Audit entry naming the acting user and the added member.
            activity = GroupActivity(identity.current.user, u'WEBUI', u'Added', u'User', u"", user.user_name)
            group.activity.append(activity)
            mail.group_membership_notify(user, group,
                                         agent=identity.current.user,
                                         action='Added')
            flash( _(u"OK") )
            redirect("./edit?group_id=%s" % kw['group_id'])
        else:
            # Already a member: nothing is changed or logged.
            flash( _(u"User %s is already in Group %s" %(user.user_name, group.group_name)))
            redirect("./edit?group_id=%s" % kw['group_id'])
Beispiel #35
    def removeSystem(self, group_id=None, id=None, **kw):
        """Remove a system from a group and record the change on both sides.

        The caller needs edit rights on either the group or the system;
        with neither, a message is flashed and the request is redirected.
        """
        group = Group.by_id(group_id)
        actor = identity.current.user
        system = System.by_id(id, actor)

        # Either ownership is sufficient for removal: a group owner may drop
        # a system from the group, and a system owner may withdraw their own
        # system. Adding a system is deliberately stricter than this.
        if not group.can_edit(actor) and not system.can_edit(actor):
            flash(_(u'Not permitted to remove %s from %s') % (system, group))
            redirect('../groups/mine')

        group.systems.remove(system)
        group_entry = GroupActivity(actor, u'WEBUI', u'Removed', u'System',
                                    system.fqdn, u"")
        group.activity.append(group_entry)
        system.record_activity(user=actor, service=u'WEBUI',
                               action=u'Removed', field=u'Group',
                               old=group.display_name, new=u"")
        flash(_(u"%s Removed" % system.fqdn))
        raise redirect("./edit?group_id=%s" % group_id)
Beispiel #36
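    def remove_group_permission(self, group_id, permission_id):
        """Detach a permission from a group on behalf of the current user.

        Returns ``['1']`` on success. Returns ``['0']`` when the group or the
        permission cannot be found, or when the permission is not attached to
        the group. A caller for whom ``group.can_edit`` is false gets response
        status 403 and an explanatory message instead.
        """
        try:
            group = Group.by_id(group_id)
        except DatabaseLookupError:
            log.exception('Group id %s is not a valid Group to remove',
                          group_id)
            return ['0']

        actor = identity.current.user
        if not group.can_edit(actor):
            # This branch is not inside an exception handler, so
            # log.exception would attach an empty traceback; an authorization
            # denial is recorded as a warning instead. getattr keeps the
            # denial path from failing if no user is attached to the request
            # (NOTE(review): confirm whether that can happen here).
            log.warning(
                'User %s does not have edit permissions for Group id %s',
                getattr(actor, 'user_id', None), group_id)
            response.status = 403
            return ['You are not an owner of group %s' % group]

        try:
            permission = Permission.by_id(permission_id)
        except NoResultFound:
            log.exception(
                'Permission id %s is not a valid Permission to remove',
                permission_id)
            return ['0']

        # Removing a permission the group does not hold would raise instead
        # of returning the documented failure marker.
        if permission not in group.permissions:
            log.warning('Permission id %s is not assigned to Group id %s',
                        permission_id, group_id)
            return ['0']
        group.permissions.remove(permission)
        return ['1']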
Beispiel #37
 def save_system(self, **kw):
     try:
         with convert_db_lookup_error('No such system: %s' %
                                      kw['system']['text']):
             system = System.by_fqdn(kw['system']['text'],
                                     identity.current.user)
     except DatabaseLookupError, e:
         flash(unicode(e))
         redirect("./edit?group_id=%s" % kw['group_id'])
     # A system owner can add their system to a group, but a group owner
     # *cannot* add an arbitrary system to their group because that would
     # grant them extra privileges over it.
     if not system.can_edit(identity.current.user):
         flash(_(u'You do not have permission to edit system %s' % system))
         redirect('edit?group_id=%s' % kw['group_id'])
     group = Group.by_id(kw['group_id'])
     if group in system.groups:
         flash(
             _(u"System '%s' is already in group '%s'" %
               (system.fqdn, group.group_name)))
         redirect("./edit?group_id=%s" % kw['group_id'])
     group.systems.append(system)
     activity = GroupActivity(identity.current.user, u'WEBUI', u'Added',
                              u'System', u"", system.fqdn)
     group.activity.append(activity)
     system.record_activity(user=identity.current.user,
                            service=u'WEBUI',
                            action=u'Added',
                            field=u'Group',
                            old=u"",
                            new=group.display_name)