def set_anonymous_access(enable=True):
user = User.get_default_user()
user.active = enable
Session().commit()
print '\tanonymous access is now:', enable
if enable != User.get_default_user().active:
raise Exception('Cannot set anonymous access')
def test_add_ips(self):
self.log_user()
default_user_id = User.get_default_user().user_id
response = self.app.put(url('edit_user_ips', id=default_user_id),
params=dict(new_ip='127.0.0.0/24',
_authentication_token=self.authentication_token()))
# sleep more than beaker.cache.sql_cache_short.expire to expire user cache
time.sleep(1.5)
self.app.get(url('admin_permissions_ips'), status=302)
# REMOTE_ADDR must match 127.0.0.0/24
response = self.app.get(url('admin_permissions_ips'),
extra_environ={'REMOTE_ADDR': '127.0.0.1'})
response.mustcontain('127.0.0.0/24')
response.mustcontain('127.0.0.0 - 127.0.0.255')
## delete
default_user_id = User.get_default_user().user_id
del_ip_id = UserIpMap.query().filter(UserIpMap.user_id ==
default_user_id).first().ip_id
response = self.app.post(url('edit_user_ips', id=default_user_id),
params=dict(_method='delete',
del_ip_id=del_ip_id,
_authentication_token=self.authentication_token()),
extra_environ={'REMOTE_ADDR': '127.0.0.1'})
# sleep more than beaker.cache.sql_cache_short.expire to expire user cache
time.sleep(1.5)
response = self.app.get(url('admin_permissions_ips'))
response.mustcontain('All IP addresses are allowed')
response.mustcontain(no=['127.0.0.0/24'])
response.mustcontain(no=['127.0.0.0 - 127.0.0.255'])
def set_anonymous_access(enable=True):
user = User.get_default_user()
user.active = enable
Session().commit()
print '\tanonymous access is now:', enable
if enable != User.get_default_user().active:
raise Exception('Cannot set anonymous access')
def test_add_ips(self):
self.log_user()
default_user_id = User.get_default_user().user_id
response = self.app.put(url('edit_user_ips', id=default_user_id),
params=dict(new_ip='127.0.0.0/24',
_authentication_token=self.authentication_token()))
response = self.app.get(url('admin_permissions_ips'))
response.mustcontain('127.0.0.0/24')
response.mustcontain('127.0.0.0 - 127.0.0.255')
## delete
default_user_id = User.get_default_user().user_id
del_ip_id = UserIpMap.query().filter(UserIpMap.user_id ==
default_user_id).first().ip_id
response = self.app.post(url('edit_user_ips', id=default_user_id),
params=dict(_method='delete',
del_ip_id=del_ip_id,
_authentication_token=self.authentication_token()))
response = self.app.get(url('admin_permissions_ips'))
response.mustcontain('All IP addresses are allowed')
response.mustcontain(no=['127.0.0.0/24'])
response.mustcontain(no=['127.0.0.0 - 127.0.0.255'])
def test_delete_emails_default_user(self):
self.log_user()
user = User.get_default_user()
response = self.app.post(
base.url('edit_user_emails_delete', id=user.user_id),
{'_session_csrf_secret_token': self.session_csrf_secret_token()},
status=404)
def get_allowed_ips(cls, user_id, cache=False, inherit_from_default=False):
_set = set()
if inherit_from_default:
default_ips = UserIpMap.query().filter(UserIpMap.user ==
User.get_default_user(cache=True))
if cache:
default_ips = default_ips.options(FromCache("sql_cache_short",
"get_user_ips_default"))
# populate from default user
for ip in default_ips:
try:
_set.add(ip.ip_addr)
except ObjectDeletedError:
# since we use heavy caching sometimes it happens that we get
# deleted objects here, we just skip them
pass
user_ips = UserIpMap.query().filter(UserIpMap.user_id == user_id)
if cache:
user_ips = user_ips.options(FromCache("sql_cache_short",
"get_user_ips_%s" % user_id))
for ip in user_ips:
try:
_set.add(ip.ip_addr)
except ObjectDeletedError:
# since we use heavy caching sometimes it happens that we get
# deleted objects here, we just skip them
pass
return _set or set(['0.0.0.0/0', '::/0'])
def permission_ips(self):
c.active = 'ips'
c.user = User.get_default_user()
c.user_ip_map = UserIpMap.query() \
.filter(UserIpMap.user == c.user).all()
return render('admin/permissions/permissions.html')
def get_allowed_ips(cls, user_id, cache=False, inherit_from_default=False):
_set = set()
if inherit_from_default:
default_ips = UserIpMap.query().filter(
UserIpMap.user == User.get_default_user(cache=True))
if cache:
default_ips = default_ips.options(
FromCache("sql_cache_short", "get_user_ips_default"))
# populate from default user
for ip in default_ips:
try:
_set.add(ip.ip_addr)
except ObjectDeletedError:
# since we use heavy caching sometimes it happens that we get
# deleted objects here, we just skip them
pass
user_ips = UserIpMap.query().filter(UserIpMap.user_id == user_id)
if cache:
user_ips = user_ips.options(
FromCache("sql_cache_short", "get_user_ips_%s" % user_id))
for ip in user_ips:
try:
_set.add(ip.ip_addr)
except ObjectDeletedError:
# since we use heavy caching sometimes it happens that we get
# deleted objects here, we just skip them
pass
return _set or set(['0.0.0.0/0', '::/0'])
def edit_advanced(self, repo_name):
"""GET /repo_name/settings: Form to edit an existing item"""
# url('edit_repo', repo_name=ID)
c.repo_info = self._load_repo(repo_name)
c.default_user_id = User.get_default_user().user_id
c.in_public_journal = UserFollowing.query()\
.filter(UserFollowing.user_id == c.default_user_id)\
.filter(UserFollowing.follows_repository == c.repo_info).scalar()
_repos = Repository.query().order_by(Repository.repo_name).all()
read_access_repos = RepoList(_repos)
c.repos_list = [(None, _('-- Not a fork --'))]
c.repos_list += [(x.repo_id, x.repo_name)
for x in read_access_repos
if x.repo_id != c.repo_info.repo_id]
defaults = {
'id_fork_of': c.repo_info.fork.repo_id if c.repo_info.fork else ''
}
c.active = 'advanced'
if request.POST:
return redirect(url('repo_edit_advanced'))
return htmlfill.render(
render('admin/repos/repo_edit.html'),
defaults=defaults,
encoding="UTF-8",
force_defaults=False)
def permissions_setup_func(group_name='g0', perm='group.read', recursive='all',
user_id=None):
"""
Resets all permissions to perm attribute
"""
if not user_id:
user_id = test_u1_id
permissions_setup_func(group_name, perm, recursive,
user_id=User.get_default_user().user_id)
repo_group = RepoGroup.get_by_group_name(group_name=group_name)
if not repo_group:
raise Exception('Cannot get group %s' % group_name)
# Start with a baseline that current group can read recursive
perms_updates = [[user_id, 'group.read', 'user']]
RepoGroupModel()._update_permissions(repo_group,
perms_updates=perms_updates,
recursive='all', check_perms=False)
perms_updates = [[user_id, perm, 'user']]
RepoGroupModel()._update_permissions(repo_group,
perms_updates=perms_updates,
recursive=recursive, check_perms=False)
Session().commit()
def test_user_permissions_on_group_with_recursive_repo_mode_for_default_user():
# set permission to g0/g0_1 recursive repos only mode, all children including
# other repos should have this permission now set, inner groups are excluded!
recursive = 'repos'
group = 'g0/g0_1'
perm = 'group.none'
default_user_id = User.get_default_user().user_id
permissions_setup_func(group, perm, recursive=recursive,
user_id=default_user_id)
# change default to get perms for default user
_get_repo_perms = functools.partial(_get_perms, key='repositories',
test_u1_id=default_user_id)
_get_group_perms = functools.partial(_get_perms, key='repositories_groups',
test_u1_id=default_user_id)
repo_items = [x for x in _get_repo_perms(group, recursive)]
items = [x for x in _get_group_perms(group, recursive)]
_check_expected_count(items, repo_items, expected_count(group, True))
for name, perm in repo_items:
yield check_tree_perms, name, perm, group, 'repository.none'
for name, perm in items:
# permission is set with repos only mode, but we also change the permission
# on the group we trigger the apply to children from, thus we need
# to change its permission check
old_perm = 'group.read'
if name == group:
old_perm = perm
yield check_tree_perms, name, perm, group, old_perm
def test_user_permissions_on_group_with_recursive_group_mode_for_default_user():
# set permission to g0/g0_1 with recursive groups only mode, all children including
# other groups should have this permission now set. repositories should
# remain intact as we use groups only mode !
recursive = 'groups'
group = 'g0/g0_1'
default_user_id = User.get_default_user().user_id
permissions_setup_func(group, 'group.write', recursive=recursive,
user_id=default_user_id)
# change default to get perms for default user
_get_repo_perms = functools.partial(_get_perms, key='repositories',
test_u1_id=default_user_id)
_get_group_perms = functools.partial(_get_perms, key='repositories_groups',
test_u1_id=default_user_id)
repo_items = [x for x in _get_repo_perms(group, recursive)]
items = [x for x in _get_group_perms(group, recursive)]
_check_expected_count(items, repo_items, expected_count(group, True))
for name, perm in repo_items:
yield check_tree_perms, name, perm, group, 'repository.read'
for name, perm in items:
yield check_tree_perms, name, perm, group, 'group.write'
def edit_advanced(self, repo_name):
c.repo_info = self._load_repo()
c.default_user_id = User.get_default_user().user_id
c.in_public_journal = UserFollowing.query() \
.filter(UserFollowing.user_id == c.default_user_id) \
.filter(UserFollowing.follows_repository == c.repo_info).scalar()
_repos = Repository.query(sorted=True).all()
read_access_repos = RepoList(_repos, perm_level='read')
c.repos_list = [(None, _('-- Not a fork --'))]
c.repos_list += [(x.repo_id, x.repo_name)
for x in read_access_repos
if x.repo_id != c.repo_info.repo_id]
defaults = {
'id_fork_of': c.repo_info.fork_id if c.repo_info.fork_id else ''
}
c.active = 'advanced'
if request.POST:
raise HTTPFound(location=url('repo_edit_advanced'))
return htmlfill.render(
render('admin/repos/repo_edit.html'),
defaults=defaults,
encoding="UTF-8",
force_defaults=False)
def test_delete_ips(self, auto_clear_ip_permissions):
self.log_user()
default_user_id = User.get_default_user().user_id
## first add
new_ip = '127.0.0.0/24'
with test_context(self.app):
user_model = UserModel()
ip_obj = user_model.add_extra_ip(default_user_id, new_ip)
Session().commit()
## double check that add worked
# IP permissions are cached, need to invalidate this cache explicitly
invalidate_all_caches()
self.app.get(url('admin_permissions_ips'), status=302)
# REMOTE_ADDR must match 127.0.0.0/24
response = self.app.get(url('admin_permissions_ips'),
extra_environ={'REMOTE_ADDR': '127.0.0.1'})
response.mustcontain('127.0.0.0/24')
response.mustcontain('127.0.0.0 - 127.0.0.255')
## now delete
response = self.app.post(url('edit_user_ips_delete', id=default_user_id),
params=dict(del_ip_id=ip_obj.ip_id,
_authentication_token=self.authentication_token()),
extra_environ={'REMOTE_ADDR': '127.0.0.1'})
# IP permissions are cached, need to invalidate this cache explicitly
invalidate_all_caches()
response = self.app.get(url('admin_permissions_ips'))
response.mustcontain('All IP addresses are allowed')
response.mustcontain(no=['127.0.0.0/24'])
response.mustcontain(no=['127.0.0.0 - 127.0.0.255'])
def edit_advanced_journal(self, repo_name):
"""
Sets this repository to be visible in public journal,
in other words asking default user to follow this repo
:param repo_name:
"""
cur_token = request.POST.get('auth_token')
token = get_token()
if cur_token == token:
try:
repo_id = Repository.get_by_repo_name(repo_name).repo_id
user_id = User.get_default_user().user_id
self.scm_model.toggle_following_repo(repo_id, user_id)
h.flash(_('Updated repository visibility in public journal'),
category='success')
Session().commit()
except Exception:
h.flash(_('An error occurred during setting this'
' repository in public journal'),
category='error')
else:
h.flash(_('Token mismatch'), category='error')
return redirect(url('edit_repo_advanced', repo_name=repo_name))
def edit_advanced(self, repo_name):
"""GET /repo_name/settings: Form to edit an existing item"""
# url('edit_repo', repo_name=ID)
c.repo_info = self._load_repo(repo_name)
c.default_user_id = User.get_default_user().user_id
c.in_public_journal = UserFollowing.query()\
.filter(UserFollowing.user_id == c.default_user_id)\
.filter(UserFollowing.follows_repository == c.repo_info).scalar()
_repos = Repository.query().order_by(Repository.repo_name).all()
read_access_repos = RepoList(_repos)
c.repos_list = [(None, _('-- Not a fork --'))]
c.repos_list += [(x.repo_id, x.repo_name) for x in read_access_repos
if x.repo_id != c.repo_info.repo_id]
defaults = {
'id_fork_of': c.repo_info.fork.repo_id if c.repo_info.fork else ''
}
c.active = 'advanced'
if request.POST:
return redirect(url('repo_edit_advanced'))
return htmlfill.render(render('admin/repos/repo_edit.html'),
defaults=defaults,
encoding="UTF-8",
force_defaults=False)
def permission_ips(self):
c.active = 'ips'
c.user = User.get_default_user()
c.user_ip_map = UserIpMap.query() \
.filter(UserIpMap.user == c.user).all()
return render('admin/permissions/permissions.html')
def permissions_setup_func(group_name='g0',
perm='group.read',
recursive='all',
user_id=None):
"""
Resets all permissions to perm attribute
"""
if not user_id:
user_id = test_u1_id
# called by the @with_setup decorator also reset the default user stuff
permissions_setup_func(group_name,
perm,
recursive,
user_id=User.get_default_user().user_id)
repo_group = RepoGroup.get_by_group_name(group_name=group_name)
if not repo_group:
raise Exception('Cannot get group %s' % group_name)
perms_updates = [[user_id, perm, 'user']]
RepoGroupModel()._update_permissions(repo_group,
perms_updates=perms_updates,
recursive=recursive,
check_perms=False)
Session().commit()
def __enter__(self):
anon = User.get_default_user()
self._before = anon.active
anon.active = status
Session().add(anon)
Session().commit()
time.sleep(1.5) # hack: wait for beaker sql_cache_short to expire
def test_user_permissions_on_group_with_recursive_group_mode_for_default_user(
):
# set permission to g0/g0_1 with recursive groups only mode, all children including
# other groups should have this permission now set. repositories should
# remain intact as we use groups only mode !
recursive = 'groups'
group = 'g0/g0_1'
default_user_id = User.get_default_user().user_id
permissions_setup_func(group,
'group.write',
recursive=recursive,
user_id=default_user_id)
# change default to get perms for default user
_get_repo_perms = functools.partial(_get_perms,
key='repositories',
test_u1_id=default_user_id)
_get_group_perms = functools.partial(_get_perms,
key='repositories_groups',
test_u1_id=default_user_id)
repo_items = [x for x in _get_repo_perms(group, recursive)]
items = [x for x in _get_group_perms(group, recursive)]
_check_expected_count(items, repo_items, expected_count(group, True))
for name, perm in repo_items:
yield check_tree_perms, name, perm, group, 'repository.read'
for name, perm in items:
yield check_tree_perms, name, perm, group, 'group.write'
def test_delete_ips(self, auto_clear_ip_permissions):
self.log_user()
default_user_id = User.get_default_user().user_id
## first add
new_ip = '127.0.0.0/24'
with test_context(self.app):
user_model = UserModel()
ip_obj = user_model.add_extra_ip(default_user_id, new_ip)
Session().commit()
## double check that add worked
# IP permissions are cached, need to invalidate this cache explicitly
invalidate_all_caches()
self.app.get(url('admin_permissions_ips'), status=302)
# REMOTE_ADDR must match 127.0.0.0/24
response = self.app.get(url('admin_permissions_ips'),
extra_environ={'REMOTE_ADDR': '127.0.0.1'})
response.mustcontain('127.0.0.0/24')
response.mustcontain('127.0.0.0 - 127.0.0.255')
## now delete
response = self.app.post(
url('edit_user_ips_delete', id=default_user_id),
params=dict(del_ip_id=ip_obj.ip_id,
_authentication_token=self.authentication_token()),
extra_environ={'REMOTE_ADDR': '127.0.0.1'})
# IP permissions are cached, need to invalidate this cache explicitly
invalidate_all_caches()
response = self.app.get(url('admin_permissions_ips'))
response.mustcontain('All IP addresses are allowed')
response.mustcontain(no=['127.0.0.0/24'])
response.mustcontain(no=['127.0.0.0 - 127.0.0.255'])
def test_user_permissions_on_group_with_recursive_repo_mode_for_default_user():
# set permission to g0/g0_1 recursive repos only mode, all children including
# other repos should have this permission now set, inner groups are excluded!
recursive = 'repos'
group = u'g0/g0_1'
perm = 'group.none'
default_user_id = User.get_default_user().user_id
permissions_setup_func(group, perm, recursive=recursive,
user_id=default_user_id)
# change default to get perms for default user
_get_repo_perms = functools.partial(_get_perms, key='repositories',
test_u1_id=default_user_id)
_get_group_perms = functools.partial(_get_perms, key='repositories_groups',
test_u1_id=default_user_id)
repo_items = [x for x in _get_repo_perms(group, recursive)]
items = [x for x in _get_group_perms(group, recursive)]
_check_expected_count(items, repo_items, expected_count(group, True))
for name, perm in repo_items:
check_tree_perms(name, perm, group, 'repository.none')
for name, perm in items:
# permission is set with repos only mode, but we also change the permission
# on the group we trigger the apply to children from, thus we need
# to change its permission check
old_perm = 'group.read'
if name == group:
old_perm = perm
check_tree_perms(name, perm, group, old_perm)
def permissions_setup_func(group_name=u'g0', perm='group.read', recursive='all',
user_id=None):
"""
Resets all permissions to perm attribute
"""
if not user_id:
user_id = test_u1_id
permissions_setup_func(group_name, perm, recursive,
user_id=User.get_default_user().user_id)
repo_group = RepoGroup.get_by_group_name(group_name=group_name)
if not repo_group:
raise Exception('Cannot get group %s' % group_name)
# Start with a baseline that current group can read recursive
perms_updates = [[user_id, 'group.read', 'user']]
RepoGroupModel()._update_permissions(repo_group,
perms_updates=perms_updates,
recursive='all', check_perms=False)
perms_updates = [[user_id, perm, 'user']]
RepoGroupModel()._update_permissions(repo_group,
perms_updates=perms_updates,
recursive=recursive, check_perms=False)
Session().commit()
def test_user_permissions_on_group_with_recursive_mode_for_default_user():
# set permission to g0 recursive mode, all children including
# other repos and groups should have this permission now set !
recursive = 'all'
group = u'g0'
default_user_id = User.get_default_user().user_id
permissions_setup_func(group, 'group.write', recursive=recursive,
user_id=default_user_id)
# change default to get perms for default user
_get_repo_perms = functools.partial(_get_perms, key='repositories',
test_u1_id=default_user_id)
_get_group_perms = functools.partial(_get_perms, key='repositories_groups',
test_u1_id=default_user_id)
repo_items = [x for x in _get_repo_perms(group, recursive)]
items = [x for x in _get_group_perms(group, recursive)]
_check_expected_count(items, repo_items, expected_count(group, True))
for name, perm in repo_items:
# default user permissions do not "recurse into" private repos
is_private = Repository.get_by_repo_name(name).private
check_tree_perms(name, perm, group, 'repository.none' if is_private else 'repository.write')
for name, perm in items:
check_tree_perms(name, perm, group, 'group.write')
def my_account(self):
"""
GET /_admin/my_account Displays info about my account
"""
# url('my_account')
c.active = 'profile'
self.__load_data()
c.perm_user = AuthUser(user_id=self.authuser.user_id)
c.ip_addr = self.ip_addr
managed_fields = auth_modules.get_managed_fields(c.user)
def_user_perms = User.get_default_user().AuthUser.permissions['global']
if 'hg.register.none' in def_user_perms:
managed_fields.extend(['username', 'firstname', 'lastname', 'email'])
c.readonly = lambda n: 'readonly' if n in managed_fields else None
defaults = c.user.get_dict()
update = False
if request.POST:
_form = UserForm(edit=True,
old_data={'user_id': self.authuser.user_id,
'email': self.authuser.email})()
form_result = {}
try:
post_data = dict(request.POST)
post_data['new_password'] = ''
post_data['password_confirmation'] = ''
form_result = _form.to_python(post_data)
# skip updating those attrs for my account
skip_attrs = ['admin', 'active', 'extern_type', 'extern_name',
'new_password', 'password_confirmation',
] + managed_fields
UserModel().update(self.authuser.user_id, form_result,
skip_attrs=skip_attrs)
h.flash(_('Your account was updated successfully'),
category='success')
Session().commit()
update = True
except formencode.Invalid as errors:
return htmlfill.render(
render('admin/my_account/my_account.html'),
defaults=errors.value,
errors=errors.error_dict or {},
prefix_error=False,
encoding="UTF-8",
force_defaults=False)
except Exception:
log.error(traceback.format_exc())
h.flash(_('Error occurred during update of user %s') \
% form_result.get('username'), category='error')
if update:
raise HTTPFound(location='my_account')
return htmlfill.render(
render('admin/my_account/my_account.html'),
defaults=defaults,
encoding="UTF-8",
force_defaults=False)
def __enter__(self):
anon = User.get_default_user()
self._before = anon.active
anon.active = status
Session().add(anon)
Session().commit()
time.sleep(
1.5) # hack: wait for beaker sql_cache_short to expire
def my_account(self):
c.active = 'profile'
self.__load_data()
c.perm_user = AuthUser(user_id=request.authuser.user_id)
managed_fields = auth_modules.get_managed_fields(c.user)
def_user_perms = User.get_default_user().AuthUser.permissions['global']
if 'hg.register.none' in def_user_perms:
managed_fields.extend(['username', 'firstname', 'lastname', 'email'])
c.readonly = lambda n: 'readonly' if n in managed_fields else None
defaults = c.user.get_dict()
update = False
if request.POST:
_form = UserForm(edit=True,
old_data={'user_id': request.authuser.user_id,
'email': request.authuser.email})()
form_result = {}
try:
post_data = dict(request.POST)
post_data['new_password'] = ''
post_data['password_confirmation'] = ''
form_result = _form.to_python(post_data)
# skip updating those attrs for my account
skip_attrs = ['admin', 'active', 'extern_type', 'extern_name',
'new_password', 'password_confirmation',
] + managed_fields
UserModel().update(request.authuser.user_id, form_result,
skip_attrs=skip_attrs)
h.flash(_('Your account was updated successfully'),
category='success')
Session().commit()
update = True
except formencode.Invalid as errors:
return htmlfill.render(
render('admin/my_account/my_account.html'),
defaults=errors.value,
errors=errors.error_dict or {},
prefix_error=False,
encoding="UTF-8",
force_defaults=False)
except Exception:
log.error(traceback.format_exc())
h.flash(_('Error occurred during update of user %s') \
% form_result.get('username'), category='error')
if update:
raise HTTPFound(location='my_account')
return htmlfill.render(
render('admin/my_account/my_account.html'),
defaults=defaults,
encoding="UTF-8",
force_defaults=False)
def register(self):
def_user_perms = AuthUser(
dbuser=User.get_default_user()).permissions['global']
c.auto_active = 'hg.register.auto_activate' in def_user_perms
settings = Setting.get_app_settings()
captcha_private_key = settings.get('captcha_private_key')
c.captcha_active = bool(captcha_private_key)
c.captcha_public_key = settings.get('captcha_public_key')
if request.POST:
register_form = RegisterForm()()
try:
form_result = register_form.to_python(dict(request.POST))
form_result['active'] = c.auto_active
if c.captcha_active:
from kallithea.lib.recaptcha import submit
response = submit(request.POST.get('g-recaptcha-response'),
private_key=captcha_private_key,
remoteip=request.ip_addr)
if not response.is_valid:
_value = form_result
_msg = _('Bad captcha')
error_dict = {'recaptcha_field': _msg}
raise formencode.Invalid(_msg,
_value,
None,
error_dict=error_dict)
UserModel().create_registration(form_result)
h.flash(_('You have successfully registered with %s') %
(c.site_name or 'Kallithea'),
category='success')
Session().commit()
raise HTTPFound(location=url('login_home'))
except formencode.Invalid as errors:
return htmlfill.render(render('/register.html'),
defaults=errors.value,
errors=errors.error_dict or {},
prefix_error=False,
encoding="UTF-8",
force_defaults=False)
except UserCreationError as e:
# container auth or other auth functions that create users on
# the fly can throw this exception signaling that there's issue
# with user creation, explanation should be provided in
# Exception itself
h.flash(e, 'error')
return render('/register.html')
def fixup_groups(self):
def_usr = User.get_default_user()
for g in RepoGroup.query().all():
g.group_name = g.get_new_name(g.name)
# get default perm
default = UserRepoGroupToPerm.query() \
.filter(UserRepoGroupToPerm.group == g) \
.filter(UserRepoGroupToPerm.user == def_usr) \
.scalar()
if default is None:
log.debug('missing default permission for group %s adding', g)
RepoGroupModel()._create_default_perms(g)
def test_get_user_or_raise_if_default(self, monkeypatch, test_context_fixture):
# flash complains about an non-existing session
def flash_mock(*args, **kwargs):
pass
monkeypatch.setattr(h, 'flash', flash_mock)
u = UsersController()
# a regular user should work correctly
user = User.get_by_username(TEST_USER_REGULAR_LOGIN)
assert u._get_user_or_raise_if_default(user.user_id) == user
# the default user should raise
with pytest.raises(HTTPNotFound):
u._get_user_or_raise_if_default(User.get_default_user().user_id)
def fixup_groups(self):
def_usr = User.get_default_user()
for g in RepoGroup.query().all():
g.group_name = g.get_new_name(g.name)
# get default perm
default = UserRepoGroupToPerm.query() \
.filter(UserRepoGroupToPerm.group == g) \
.filter(UserRepoGroupToPerm.user == def_usr) \
.scalar()
if default is None:
log.debug('missing default permission for group %s adding', g)
RepoGroupModel()._create_default_perms(g)
def register(self):
c.auto_active = 'hg.register.auto_activate' in User.get_default_user() \
.AuthUser.permissions['global']
settings = Setting.get_app_settings()
captcha_private_key = settings.get('captcha_private_key')
c.captcha_active = bool(captcha_private_key)
c.captcha_public_key = settings.get('captcha_public_key')
if request.POST:
register_form = RegisterForm()()
try:
form_result = register_form.to_python(dict(request.POST))
form_result['active'] = c.auto_active
if c.captcha_active:
from kallithea.lib.recaptcha import submit
response = submit(request.POST.get('recaptcha_challenge_field'),
request.POST.get('recaptcha_response_field'),
private_key=captcha_private_key,
remoteip=self.ip_addr)
if c.captcha_active and not response.is_valid:
_value = form_result
_msg = _('Bad captcha')
error_dict = {'recaptcha_field': _msg}
raise formencode.Invalid(_msg, _value, None,
error_dict=error_dict)
UserModel().create_registration(form_result)
h.flash(_('You have successfully registered into Kallithea'),
category='success')
Session().commit()
raise HTTPFound(location=url('login_home'))
except formencode.Invalid as errors:
return htmlfill.render(
render('/register.html'),
defaults=errors.value,
errors=errors.error_dict or {},
prefix_error=False,
encoding="UTF-8",
force_defaults=False)
except UserCreationError as e:
# container auth or other auth functions that create users on
# the fly can throw this exception signaling that there's issue
# with user creation, explanation should be provided in
# Exception itself
h.flash(e, 'error')
return render('/register.html')
def test_no_permissions_to_fork(self):
self.log_user(base.TEST_USER_REGULAR_LOGIN,
base.TEST_USER_REGULAR_PASS)['user_id']
try:
user_model = UserModel()
usr = User.get_default_user()
user_model.revoke_perm(usr, 'hg.fork.repository')
user_model.grant_perm(usr, 'hg.fork.none')
Session().commit()
# try create a fork
repo_name = self.REPO
self.app.post(base.url(controller='forks',
action='fork_create',
repo_name=repo_name), {
'_session_csrf_secret_token':
self.session_csrf_secret_token()
},
status=403)
finally:
usr = User.get_default_user()
user_model.revoke_perm(usr, 'hg.fork.none')
user_model.grant_perm(usr, 'hg.fork.repository')
Session().commit()
def test_add_ips(self):
self.log_user()
default_user_id = User.get_default_user().user_id
response = self.app.put(url('edit_user_ips', id=default_user_id),
params=dict(new_ip='127.0.0.0/24'))
response = self.app.get(url('admin_permissions_ips'))
response.mustcontain('127.0.0.0/24')
response.mustcontain('127.0.0.0 - 127.0.0.255')
## delete
default_user_id = User.get_default_user().user_id
del_ip_id = UserIpMap.query().filter(
UserIpMap.user_id == default_user_id).first().ip_id
response = self.app.post(url('edit_user_ips', id=default_user_id),
params=dict(_method='delete',
del_ip_id=del_ip_id))
response = self.app.get(url('admin_permissions_ips'))
response.mustcontain('All IP addresses are allowed')
response.mustcontain(no=['127.0.0.0/24'])
response.mustcontain(no=['127.0.0.0 - 127.0.0.255'])
def _create_default_perms(self, user_group):
# create default permission
default_perm = 'usergroup.read'
def_user = User.get_default_user()
for p in def_user.user_perms:
if p.permission.permission_name.startswith('usergroup.'):
default_perm = p.permission.permission_name
break
user_group_to_perm = UserUserGroupToPerm()
user_group_to_perm.permission = Permission.get_by_key(default_perm)
user_group_to_perm.user_group = user_group
user_group_to_perm.user_id = def_user.user_id
return user_group_to_perm
def _create_default_perms(self, new_group):
# create default permission
default_perm = 'group.read'
def_user = User.get_default_user()
for p in def_user.user_perms:
if p.permission.permission_name.startswith('group.'):
default_perm = p.permission.permission_name
break
repo_group_to_perm = UserRepoGroupToPerm()
repo_group_to_perm.permission = Permission.get_by_key(default_perm)
repo_group_to_perm.group = new_group
repo_group_to_perm.user_id = def_user.user_id
return repo_group_to_perm
def _create_default_perms(self, user_group):
# create default permission
default_perm = 'usergroup.read'
def_user = User.get_default_user()
for p in def_user.user_perms:
if p.permission.permission_name.startswith('usergroup.'):
default_perm = p.permission.permission_name
break
user_group_to_perm = UserUserGroupToPerm()
user_group_to_perm.permission = Permission.get_by_key(default_perm)
user_group_to_perm.user_group = user_group
user_group_to_perm.user_id = def_user.user_id
return user_group_to_perm
def _create_default_perms(self, new_group):
# create default permission
default_perm = 'group.read'
def_user = User.get_default_user()
for p in def_user.user_perms:
if p.permission.permission_name.startswith('group.'):
default_perm = p.permission.permission_name
break
repo_group_to_perm = UserRepoGroupToPerm()
repo_group_to_perm.permission = Permission.get_by_key(default_perm)
repo_group_to_perm.group = new_group
repo_group_to_perm.user_id = def_user.user_id
return repo_group_to_perm
def edit_ips(self, id):
c.user = self._get_user_or_raise_if_default(id)
c.active = 'ips'
c.user_ip_map = UserIpMap.query() \
.filter(UserIpMap.user == c.user).all()
c.inherit_default_ips = c.user.inherit_default_permissions
c.default_user_ip_map = UserIpMap.query() \
.filter(UserIpMap.user == User.get_default_user()).all()
defaults = c.user.get_dict()
return htmlfill.render(
render('admin/users/user_edit.html'),
defaults=defaults,
encoding="UTF-8",
force_defaults=False)
def edit_ips(self, id):
c.user = self._get_user_or_raise_if_default(id)
c.active = 'ips'
c.user_ip_map = UserIpMap.query() \
.filter(UserIpMap.user == c.user).all()
c.inherit_default_ips = c.user.inherit_default_permissions
c.default_user_ip_map = UserIpMap.query() \
.filter(UserIpMap.user == User.get_default_user()).all()
defaults = c.user.get_dict()
return htmlfill.render(
render('admin/users/user_edit.html'),
defaults=defaults,
encoding="UTF-8",
force_defaults=False)
def __init__(self,
user_id=None,
dbuser=None,
authenticating_api_key=None,
is_external_auth=False):
self.is_authenticated = False
self.is_external_auth = is_external_auth
self.authenticating_api_key = authenticating_api_key
user_model = UserModel()
self._default_user = User.get_default_user(cache=True)
# These attributes will be overridden by fill_data, below, unless the
# requested user cannot be found and the default anonymous user is
# not enabled.
self.user_id = None
self.username = None
self.api_key = None
self.name = ''
self.lastname = ''
self.email = ''
self.admin = False
self.inherit_default_permissions = False
# Look up database user, if necessary.
if user_id is not None:
log.debug('Auth User lookup by USER ID %s', user_id)
dbuser = user_model.get(user_id)
else:
# Note: dbuser is allowed to be None.
log.debug('Auth User lookup by database user %s', dbuser)
is_user_loaded = self._fill_data(dbuser)
# If user cannot be found, try falling back to anonymous.
if not is_user_loaded:
is_user_loaded = self._fill_data(self._default_user)
self.is_default_user = (self.user_id == self._default_user.user_id)
self.is_anonymous = not is_user_loaded or self.is_default_user
if not self.username:
self.username = '******'
log.debug('Auth User is now %s', self)
def test_add_ips(self, auto_clear_ip_permissions):
self.log_user()
default_user_id = User.get_default_user().user_id
response = self.app.post(url('edit_user_ips_update', id=default_user_id),
params=dict(new_ip='127.0.0.0/24',
_authentication_token=self.authentication_token()))
# IP permissions are cached, need to invalidate this cache explicitly
invalidate_all_caches()
self.app.get(url('admin_permissions_ips'), status=302)
# REMOTE_ADDR must match 127.0.0.0/24
response = self.app.get(url('admin_permissions_ips'),
extra_environ={'REMOTE_ADDR': '127.0.0.1'})
response.mustcontain('127.0.0.0/24')
response.mustcontain('127.0.0.0 - 127.0.0.255')
def _create_default_perms(self, repository, private):
# create default permission
default = 'repository.read'
def_user = User.get_default_user()
for p in def_user.user_perms:
if p.permission.permission_name.startswith('repository.'):
default = p.permission.permission_name
break
default_perm = 'repository.none' if private else default
repo_to_perm = UserRepoToPerm()
repo_to_perm.permission = Permission.get_by_key(default_perm)
repo_to_perm.repository = repository
repo_to_perm.user_id = def_user.user_id
return repo_to_perm
def test_add_ips(self, auto_clear_ip_permissions):
self.log_user()
default_user_id = User.get_default_user().user_id
response = self.app.post(
url('edit_user_ips_update', id=default_user_id),
params=dict(new_ip='127.0.0.0/24',
_authentication_token=self.authentication_token()))
# IP permissions are cached, need to invalidate this cache explicitly
invalidate_all_caches()
self.app.get(url('admin_permissions_ips'), status=302)
# REMOTE_ADDR must match 127.0.0.0/24
response = self.app.get(url('admin_permissions_ips'),
extra_environ={'REMOTE_ADDR': '127.0.0.1'})
response.mustcontain('127.0.0.0/24')
response.mustcontain('127.0.0.0 - 127.0.0.255')
def auto_clear_ip_permissions():
"""Fixture that provides nothing but clearing IP permissions upon test
exit. This clearing is needed to avoid other test failing to make fake http
accesses."""
yield
# cleanup
user_model = UserModel()
user_ids = []
user_ids.append(User.get_default_user().user_id)
user_ids.append(User.get_by_username(TEST_USER_REGULAR_LOGIN).user_id)
for user_id in user_ids:
for ip in UserIpMap.query().filter(UserIpMap.user_id == user_id):
user_model.delete_extra_ip(user_id, ip.ip_id)
# IP permissions are cached, need to invalidate this cache explicitly
invalidate_all_caches()
def _create_default_perms(self, repository, private):
# create default permission
default = 'repository.read'
def_user = User.get_default_user()
for p in def_user.user_perms:
if p.permission.permission_name.startswith('repository.'):
default = p.permission.permission_name
break
default_perm = 'repository.none' if private else default
repo_to_perm = UserRepoToPerm()
repo_to_perm.permission = Permission.get_by_key(default_perm)
repo_to_perm.repository = repository
repo_to_perm.user_id = def_user.user_id
return repo_to_perm
def auto_clear_ip_permissions():
"""Fixture that provides nothing but clearing IP permissions upon test
exit. This clearing is needed to avoid other test failing to make fake http
accesses."""
yield
# cleanup
user_model = UserModel()
user_ids = []
user_ids.append(User.get_default_user().user_id)
user_ids.append(User.get_by_username(TEST_USER_REGULAR_LOGIN).user_id)
for user_id in user_ids:
for ip in UserIpMap.query().filter(UserIpMap.user_id == user_id):
user_model.delete_extra_ip(user_id, ip.ip_id)
# IP permissions are cached, need to invalidate this cache explicitly
invalidate_all_caches()
def __init__(self, user_id=None, dbuser=None, authenticating_api_key=None,
is_external_auth=False):
self.is_authenticated = False
self.is_external_auth = is_external_auth
self.authenticating_api_key = authenticating_api_key
user_model = UserModel()
self._default_user = User.get_default_user(cache=True)
# These attributes will be overridden by fill_data, below, unless the
# requested user cannot be found and the default anonymous user is
# not enabled.
self.user_id = None
self.username = None
self.api_key = None
self.name = ''
self.lastname = ''
self.email = ''
self.admin = False
self.inherit_default_permissions = False
# Look up database user, if necessary.
if user_id is not None:
log.debug('Auth User lookup by USER ID %s', user_id)
dbuser = user_model.get(user_id)
else:
# Note: dbuser is allowed to be None.
log.debug('Auth User lookup by database user %s', dbuser)
is_user_loaded = self._fill_data(dbuser)
# If user cannot be found, try falling back to anonymous.
if not is_user_loaded:
is_user_loaded = self._fill_data(self._default_user)
self.is_default_user = (self.user_id == self._default_user.user_id)
self.is_anonymous = not is_user_loaded or self.is_default_user
if not self.username:
self.username = '******'
log.debug('Auth User is now %s', self)
def edit_ips(self, id):
c.user = User.get_or_404(id)
if c.user.username == User.DEFAULT_USER:
h.flash(_("You can't edit this user"), category='warning')
return redirect(url('users'))
c.active = 'ips'
c.user_ip_map = UserIpMap.query()\
.filter(UserIpMap.user == c.user).all()
c.inherit_default_ips = c.user.inherit_default_permissions
c.default_user_ip_map = UserIpMap.query()\
.filter(UserIpMap.user == User.get_default_user()).all()
defaults = c.user.get_dict()
return htmlfill.render(render('admin/users/user_edit.html'),
defaults=defaults,
encoding="UTF-8",
force_defaults=False)
def __load_data(self, repo_name=None):
"""
Load defaults settings for edit, and update
:param repo_name:
"""
self.__load_defaults()
c.repo_info = db_repo = Repository.get_by_repo_name(repo_name)
repo = db_repo.scm_instance
if c.repo_info is None:
h.not_mapped_error(repo_name)
return redirect(url('repos'))
c.default_user_id = User.get_default_user().user_id
c.in_public_journal = UserFollowing.query()\
.filter(UserFollowing.user_id == c.default_user_id)\
.filter(UserFollowing.follows_repository == c.repo_info).scalar()
if c.repo_info.stats:
last_rev = c.repo_info.stats.stat_on_revision+1
else:
last_rev = 0
c.stats_revision = last_rev
c.repo_last_rev = repo.count() if repo.revisions else 0
if last_rev == 0 or c.repo_last_rev == 0:
c.stats_percentage = 0
else:
c.stats_percentage = '%.2f' % ((float((last_rev)) /
c.repo_last_rev) * 100)
defaults = RepoModel()._get_defaults(repo_name)
# alter the description to indicate a fork
defaults['description'] = ('fork of repository: %s \n%s'
% (defaults['repo_name'],
defaults['description']))
# add suffix to fork
defaults['repo_name'] = '%s-fork' % defaults['repo_name']
return defaults
def setUp(self):
self.u1 = UserModel().create_or_update(
username=u'u1', password=u'qweqwe',
email=u'*****@*****.**', firstname=u'u1', lastname=u'u1'
)
self.u2 = UserModel().create_or_update(
username=u'u2', password=u'qweqwe',
email=u'*****@*****.**', firstname=u'u2', lastname=u'u2'
)
self.u3 = UserModel().create_or_update(
username=u'u3', password=u'qweqwe',
email=u'*****@*****.**', firstname=u'u3', lastname=u'u3'
)
self.anon = User.get_default_user()
self.a1 = UserModel().create_or_update(
username=u'a1', password=u'qweqwe',
email=u'*****@*****.**', firstname=u'a1', lastname=u'a1', admin=True
)
Session().commit()
def edit_advanced_journal(self, repo_name):
"""
Sets this repository to be visible in public journal,
in other words asking default user to follow this repo
:param repo_name:
"""
try:
repo_id = Repository.get_by_repo_name(repo_name).repo_id
user_id = User.get_default_user().user_id
self.scm_model.toggle_following_repo(repo_id, user_id)
h.flash(_('Updated repository visibility in public journal'),
category='success')
Session().commit()
except Exception:
h.flash(_('An error occurred during setting this'
' repository in public journal'),
category='error')
return redirect(url('edit_repo_advanced', repo_name=repo_name))
def permissions_setup_func(group_name='g0', perm='group.read', recursive='all',
user_id=None):
"""
Resets all permissions to perm attribute
"""
if not user_id:
user_id = test_u1_id
# called by the @with_setup decorator also reset the default user stuff
permissions_setup_func(group_name, perm, recursive,
user_id=User.get_default_user().user_id)
repo_group = RepoGroup.get_by_group_name(group_name=group_name)
if not repo_group:
raise Exception('Cannot get group %s' % group_name)
perms_updates = [[user_id, perm, 'user']]
RepoGroupModel()._update_permissions(repo_group,
perms_updates=perms_updates,
recursive=recursive, check_perms=False)
Session().commit()
def edit_ips(self, id):
c.user = User.get_or_404(id)
if c.user.username == User.DEFAULT_USER:
h.flash(_("You can't edit this user"), category='warning')
return redirect(url('users'))
c.active = 'ips'
c.user_ip_map = UserIpMap.query()\
.filter(UserIpMap.user == c.user).all()
c.inherit_default_ips = c.user.inherit_default_permissions
c.default_user_ip_map = UserIpMap.query()\
.filter(UserIpMap.user == User.get_default_user()).all()
defaults = c.user.get_dict()
return htmlfill.render(
render('admin/users/user_edit.html'),
defaults=defaults,
encoding="UTF-8",
force_defaults=False)
def __load_data(self):
"""
Load defaults settings for edit, and update
"""
self.__load_defaults()
c.repo_info = c.db_repo
repo = c.db_repo.scm_instance
if c.repo_info is None:
h.not_mapped_error(c.repo_name)
raise HTTPFound(location=url('repos'))
c.default_user_id = User.get_default_user().user_id
c.in_public_journal = UserFollowing.query() \
.filter(UserFollowing.user_id == c.default_user_id) \
.filter(UserFollowing.follows_repository == c.repo_info).scalar()
if c.repo_info.stats:
last_rev = c.repo_info.stats.stat_on_revision + 1
else:
last_rev = 0
c.stats_revision = last_rev
c.repo_last_rev = repo.count() if repo.revisions else 0
if last_rev == 0 or c.repo_last_rev == 0:
c.stats_percentage = 0
else:
c.stats_percentage = '%.2f' % ((float(
(last_rev)) / c.repo_last_rev) * 100)
defaults = RepoModel()._get_defaults(c.repo_name)
# alter the description to indicate a fork
defaults['description'] = (
'fork of repository: %s \n%s' %
(defaults['repo_name'], defaults['description']))
# add suffix to fork
defaults['repo_name'] = '%s-fork' % defaults['repo_name']
return defaults
def _determine_auth_user(session_authuser, ip_addr):
"""
Create an `AuthUser` object given the API key/bearer token
(if any) and the value of the authuser session cookie.
Returns None if no valid user is found (like not active or no access for IP).
"""
# Authenticate by session cookie
# In ancient login sessions, 'authuser' may not be a dict.
# In that case, the user will have to log in again.
# v0.3 and earlier included an 'is_authenticated' key; if present,
# this must be True.
if isinstance(session_authuser, dict) and session_authuser.get(
'is_authenticated', True):
return AuthUser.from_cookie(session_authuser, ip_addr=ip_addr)
# Authenticate by auth_container plugin (if enabled)
if any(plugin.is_container_auth
for plugin in auth_modules.get_auth_plugins()):
try:
user_info = auth_modules.authenticate('', '', request.environ)
except UserCreationError as e:
from kallithea.lib import helpers as h
h.flash(e, 'error', logf=log.error)
else:
if user_info is not None:
username = user_info['username']
user = User.get_by_username(username,
case_insensitive=True)
return log_in_user(user,
remember=False,
is_external_auth=True,
ip_addr=ip_addr)
# User is default user (if active) or anonymous
default_user = User.get_default_user()
authuser = AuthUser.make(dbuser=default_user, ip_addr=ip_addr)
if authuser is None: # fall back to anonymous
authuser = AuthUser(
dbuser=default_user) # TODO: somehow use .make?
return authuser
def edit_advanced_journal(self, repo_name):
"""
Sets this repository to be visible in public journal,
in other words asking default user to follow this repo
:param repo_name:
"""
try:
repo_id = Repository.get_by_repo_name(repo_name).repo_id
user_id = User.get_default_user().user_id
self.scm_model.toggle_following_repo(repo_id, user_id)
h.flash(_('Updated repository visibility in public journal'),
category='success')
Session().commit()
except Exception:
h.flash(_('An error occurred during setting this'
' repository in public journal'),
category='error')
raise HTTPFound(
location=url('edit_repo_advanced', repo_name=repo_name))
def propagate_data(self):
user_model = UserModel()
self.anonymous_user = User.get_default_user(cache=True)
is_user_loaded = False
# lookup by userid
if self.user_id is not None and self.user_id != self.anonymous_user.user_id:
log.debug('Auth User lookup by USER ID %s' % self.user_id)
is_user_loaded = user_model.fill_data(self, user_id=self.user_id)
# try go get user by api key
elif self._api_key and self._api_key != self.anonymous_user.api_key:
log.debug('Auth User lookup by API KEY %s' % self._api_key)
is_user_loaded = user_model.fill_data(self, api_key=self._api_key)
# lookup by username
elif self.username:
log.debug('Auth User lookup by USER NAME %s' % self.username)
is_user_loaded = user_model.fill_data(self, username=self.username)
else:
log.debug('No data in %s that could been used to log in' % self)
if not is_user_loaded:
# if we cannot authenticate user try anonymous
if self.anonymous_user.active:
user_model.fill_data(self, user_id=self.anonymous_user.user_id)
# then we set this user is logged in
self.is_authenticated = True
else:
self.user_id = None
self.username = None
self.is_authenticated = False
if not self.username:
self.username = '******'
log.debug('Auth User is now %s' % self)
def propagate_data(self):
user_model = UserModel()
self.anonymous_user = User.get_default_user(cache=True)
is_user_loaded = False
# lookup by userid
if self.user_id is not None and self.user_id != self.anonymous_user.user_id:
log.debug('Auth User lookup by USER ID %s' % self.user_id)
is_user_loaded = user_model.fill_data(self, user_id=self.user_id)
# try go get user by api key
elif self._api_key and self._api_key != self.anonymous_user.api_key:
log.debug('Auth User lookup by API KEY %s' % self._api_key)
is_user_loaded = user_model.fill_data(self, api_key=self._api_key)
# lookup by username
elif self.username:
log.debug('Auth User lookup by USER NAME %s' % self.username)
is_user_loaded = user_model.fill_data(self, username=self.username)
else:
log.debug('No data in %s that could been used to log in' % self)
if not is_user_loaded:
# if we cannot authenticate user try anonymous
if self.anonymous_user.active:
user_model.fill_data(self, user_id=self.anonymous_user.user_id)
# then we set this user is logged in
self.is_authenticated = True
else:
self.user_id = None
self.username = None
self.is_authenticated = False
if not self.username:
self.username = '******'
log.debug('Auth User is now %s' % self)
