def set_anonymous_access(enable=True): user = User.get_default_user() user.active = enable Session().commit() print '\tanonymous access is now:', enable if enable != User.get_default_user().active: raise Exception('Cannot set anonymous access')
def test_add_ips(self): self.log_user() default_user_id = User.get_default_user().user_id response = self.app.put(url('edit_user_ips', id=default_user_id), params=dict(new_ip='127.0.0.0/24', _authentication_token=self.authentication_token())) # sleep more than beaker.cache.sql_cache_short.expire to expire user cache time.sleep(1.5) self.app.get(url('admin_permissions_ips'), status=302) # REMOTE_ADDR must match 127.0.0.0/24 response = self.app.get(url('admin_permissions_ips'), extra_environ={'REMOTE_ADDR': '127.0.0.1'}) response.mustcontain('127.0.0.0/24') response.mustcontain('127.0.0.0 - 127.0.0.255') ## delete default_user_id = User.get_default_user().user_id del_ip_id = UserIpMap.query().filter(UserIpMap.user_id == default_user_id).first().ip_id response = self.app.post(url('edit_user_ips', id=default_user_id), params=dict(_method='delete', del_ip_id=del_ip_id, _authentication_token=self.authentication_token()), extra_environ={'REMOTE_ADDR': '127.0.0.1'}) # sleep more than beaker.cache.sql_cache_short.expire to expire user cache time.sleep(1.5) response = self.app.get(url('admin_permissions_ips')) response.mustcontain('All IP addresses are allowed') response.mustcontain(no=['127.0.0.0/24']) response.mustcontain(no=['127.0.0.0 - 127.0.0.255'])
def test_add_ips(self): self.log_user() default_user_id = User.get_default_user().user_id response = self.app.put(url('edit_user_ips', id=default_user_id), params=dict(new_ip='127.0.0.0/24', _authentication_token=self.authentication_token())) response = self.app.get(url('admin_permissions_ips')) response.mustcontain('127.0.0.0/24') response.mustcontain('127.0.0.0 - 127.0.0.255') ## delete default_user_id = User.get_default_user().user_id del_ip_id = UserIpMap.query().filter(UserIpMap.user_id == default_user_id).first().ip_id response = self.app.post(url('edit_user_ips', id=default_user_id), params=dict(_method='delete', del_ip_id=del_ip_id, _authentication_token=self.authentication_token())) response = self.app.get(url('admin_permissions_ips')) response.mustcontain('All IP addresses are allowed') response.mustcontain(no=['127.0.0.0/24']) response.mustcontain(no=['127.0.0.0 - 127.0.0.255'])
def test_delete_emails_default_user(self): self.log_user() user = User.get_default_user() response = self.app.post( base.url('edit_user_emails_delete', id=user.user_id), {'_session_csrf_secret_token': self.session_csrf_secret_token()}, status=404)
def get_allowed_ips(cls, user_id, cache=False, inherit_from_default=False): _set = set() if inherit_from_default: default_ips = UserIpMap.query().filter(UserIpMap.user == User.get_default_user(cache=True)) if cache: default_ips = default_ips.options(FromCache("sql_cache_short", "get_user_ips_default")) # populate from default user for ip in default_ips: try: _set.add(ip.ip_addr) except ObjectDeletedError: # since we use heavy caching sometimes it happens that we get # deleted objects here, we just skip them pass user_ips = UserIpMap.query().filter(UserIpMap.user_id == user_id) if cache: user_ips = user_ips.options(FromCache("sql_cache_short", "get_user_ips_%s" % user_id)) for ip in user_ips: try: _set.add(ip.ip_addr) except ObjectDeletedError: # since we use heavy caching sometimes it happens that we get # deleted objects here, we just skip them pass return _set or set(['0.0.0.0/0', '::/0'])
def permission_ips(self): c.active = 'ips' c.user = User.get_default_user() c.user_ip_map = UserIpMap.query() \ .filter(UserIpMap.user == c.user).all() return render('admin/permissions/permissions.html')
def get_allowed_ips(cls, user_id, cache=False, inherit_from_default=False): _set = set() if inherit_from_default: default_ips = UserIpMap.query().filter( UserIpMap.user == User.get_default_user(cache=True)) if cache: default_ips = default_ips.options( FromCache("sql_cache_short", "get_user_ips_default")) # populate from default user for ip in default_ips: try: _set.add(ip.ip_addr) except ObjectDeletedError: # since we use heavy caching sometimes it happens that we get # deleted objects here, we just skip them pass user_ips = UserIpMap.query().filter(UserIpMap.user_id == user_id) if cache: user_ips = user_ips.options( FromCache("sql_cache_short", "get_user_ips_%s" % user_id)) for ip in user_ips: try: _set.add(ip.ip_addr) except ObjectDeletedError: # since we use heavy caching sometimes it happens that we get # deleted objects here, we just skip them pass return _set or set(['0.0.0.0/0', '::/0'])
def edit_advanced(self, repo_name): """GET /repo_name/settings: Form to edit an existing item""" # url('edit_repo', repo_name=ID) c.repo_info = self._load_repo(repo_name) c.default_user_id = User.get_default_user().user_id c.in_public_journal = UserFollowing.query()\ .filter(UserFollowing.user_id == c.default_user_id)\ .filter(UserFollowing.follows_repository == c.repo_info).scalar() _repos = Repository.query().order_by(Repository.repo_name).all() read_access_repos = RepoList(_repos) c.repos_list = [(None, _('-- Not a fork --'))] c.repos_list += [(x.repo_id, x.repo_name) for x in read_access_repos if x.repo_id != c.repo_info.repo_id] defaults = { 'id_fork_of': c.repo_info.fork.repo_id if c.repo_info.fork else '' } c.active = 'advanced' if request.POST: return redirect(url('repo_edit_advanced')) return htmlfill.render( render('admin/repos/repo_edit.html'), defaults=defaults, encoding="UTF-8", force_defaults=False)
def permissions_setup_func(group_name='g0', perm='group.read', recursive='all', user_id=None): """ Resets all permissions to perm attribute """ if not user_id: user_id = test_u1_id permissions_setup_func(group_name, perm, recursive, user_id=User.get_default_user().user_id) repo_group = RepoGroup.get_by_group_name(group_name=group_name) if not repo_group: raise Exception('Cannot get group %s' % group_name) # Start with a baseline that current group can read recursive perms_updates = [[user_id, 'group.read', 'user']] RepoGroupModel()._update_permissions(repo_group, perms_updates=perms_updates, recursive='all', check_perms=False) perms_updates = [[user_id, perm, 'user']] RepoGroupModel()._update_permissions(repo_group, perms_updates=perms_updates, recursive=recursive, check_perms=False) Session().commit()
def test_user_permissions_on_group_with_recursive_repo_mode_for_default_user(): # set permission to g0/g0_1 recursive repos only mode, all children including # other repos should have this permission now set, inner groups are excluded! recursive = 'repos' group = 'g0/g0_1' perm = 'group.none' default_user_id = User.get_default_user().user_id permissions_setup_func(group, perm, recursive=recursive, user_id=default_user_id) # change default to get perms for default user _get_repo_perms = functools.partial(_get_perms, key='repositories', test_u1_id=default_user_id) _get_group_perms = functools.partial(_get_perms, key='repositories_groups', test_u1_id=default_user_id) repo_items = [x for x in _get_repo_perms(group, recursive)] items = [x for x in _get_group_perms(group, recursive)] _check_expected_count(items, repo_items, expected_count(group, True)) for name, perm in repo_items: yield check_tree_perms, name, perm, group, 'repository.none' for name, perm in items: # permission is set with repos only mode, but we also change the permission # on the group we trigger the apply to children from, thus we need # to change its permission check old_perm = 'group.read' if name == group: old_perm = perm yield check_tree_perms, name, perm, group, old_perm
def test_user_permissions_on_group_with_recursive_group_mode_for_default_user(): # set permission to g0/g0_1 with recursive groups only mode, all children including # other groups should have this permission now set. repositories should # remain intact as we use groups only mode ! recursive = 'groups' group = 'g0/g0_1' default_user_id = User.get_default_user().user_id permissions_setup_func(group, 'group.write', recursive=recursive, user_id=default_user_id) # change default to get perms for default user _get_repo_perms = functools.partial(_get_perms, key='repositories', test_u1_id=default_user_id) _get_group_perms = functools.partial(_get_perms, key='repositories_groups', test_u1_id=default_user_id) repo_items = [x for x in _get_repo_perms(group, recursive)] items = [x for x in _get_group_perms(group, recursive)] _check_expected_count(items, repo_items, expected_count(group, True)) for name, perm in repo_items: yield check_tree_perms, name, perm, group, 'repository.read' for name, perm in items: yield check_tree_perms, name, perm, group, 'group.write'
def edit_advanced(self, repo_name): c.repo_info = self._load_repo() c.default_user_id = User.get_default_user().user_id c.in_public_journal = UserFollowing.query() \ .filter(UserFollowing.user_id == c.default_user_id) \ .filter(UserFollowing.follows_repository == c.repo_info).scalar() _repos = Repository.query(sorted=True).all() read_access_repos = RepoList(_repos, perm_level='read') c.repos_list = [(None, _('-- Not a fork --'))] c.repos_list += [(x.repo_id, x.repo_name) for x in read_access_repos if x.repo_id != c.repo_info.repo_id] defaults = { 'id_fork_of': c.repo_info.fork_id if c.repo_info.fork_id else '' } c.active = 'advanced' if request.POST: raise HTTPFound(location=url('repo_edit_advanced')) return htmlfill.render( render('admin/repos/repo_edit.html'), defaults=defaults, encoding="UTF-8", force_defaults=False)
def test_delete_ips(self, auto_clear_ip_permissions): self.log_user() default_user_id = User.get_default_user().user_id ## first add new_ip = '127.0.0.0/24' with test_context(self.app): user_model = UserModel() ip_obj = user_model.add_extra_ip(default_user_id, new_ip) Session().commit() ## double check that add worked # IP permissions are cached, need to invalidate this cache explicitly invalidate_all_caches() self.app.get(url('admin_permissions_ips'), status=302) # REMOTE_ADDR must match 127.0.0.0/24 response = self.app.get(url('admin_permissions_ips'), extra_environ={'REMOTE_ADDR': '127.0.0.1'}) response.mustcontain('127.0.0.0/24') response.mustcontain('127.0.0.0 - 127.0.0.255') ## now delete response = self.app.post(url('edit_user_ips_delete', id=default_user_id), params=dict(del_ip_id=ip_obj.ip_id, _authentication_token=self.authentication_token()), extra_environ={'REMOTE_ADDR': '127.0.0.1'}) # IP permissions are cached, need to invalidate this cache explicitly invalidate_all_caches() response = self.app.get(url('admin_permissions_ips')) response.mustcontain('All IP addresses are allowed') response.mustcontain(no=['127.0.0.0/24']) response.mustcontain(no=['127.0.0.0 - 127.0.0.255'])
def edit_advanced_journal(self, repo_name): """ Sets this repository to be visible in public journal, in other words asking default user to follow this repo :param repo_name: """ cur_token = request.POST.get('auth_token') token = get_token() if cur_token == token: try: repo_id = Repository.get_by_repo_name(repo_name).repo_id user_id = User.get_default_user().user_id self.scm_model.toggle_following_repo(repo_id, user_id) h.flash(_('Updated repository visibility in public journal'), category='success') Session().commit() except Exception: h.flash(_('An error occurred during setting this' ' repository in public journal'), category='error') else: h.flash(_('Token mismatch'), category='error') return redirect(url('edit_repo_advanced', repo_name=repo_name))
def edit_advanced(self, repo_name): """GET /repo_name/settings: Form to edit an existing item""" # url('edit_repo', repo_name=ID) c.repo_info = self._load_repo(repo_name) c.default_user_id = User.get_default_user().user_id c.in_public_journal = UserFollowing.query()\ .filter(UserFollowing.user_id == c.default_user_id)\ .filter(UserFollowing.follows_repository == c.repo_info).scalar() _repos = Repository.query().order_by(Repository.repo_name).all() read_access_repos = RepoList(_repos) c.repos_list = [(None, _('-- Not a fork --'))] c.repos_list += [(x.repo_id, x.repo_name) for x in read_access_repos if x.repo_id != c.repo_info.repo_id] defaults = { 'id_fork_of': c.repo_info.fork.repo_id if c.repo_info.fork else '' } c.active = 'advanced' if request.POST: return redirect(url('repo_edit_advanced')) return htmlfill.render(render('admin/repos/repo_edit.html'), defaults=defaults, encoding="UTF-8", force_defaults=False)
def permissions_setup_func(group_name='g0', perm='group.read', recursive='all', user_id=None): """ Resets all permissions to perm attribute """ if not user_id: user_id = test_u1_id # called by the @with_setup decorator also reset the default user stuff permissions_setup_func(group_name, perm, recursive, user_id=User.get_default_user().user_id) repo_group = RepoGroup.get_by_group_name(group_name=group_name) if not repo_group: raise Exception('Cannot get group %s' % group_name) perms_updates = [[user_id, perm, 'user']] RepoGroupModel()._update_permissions(repo_group, perms_updates=perms_updates, recursive=recursive, check_perms=False) Session().commit()
def __enter__(self): anon = User.get_default_user() self._before = anon.active anon.active = status Session().add(anon) Session().commit() time.sleep(1.5) # hack: wait for beaker sql_cache_short to expire
def test_user_permissions_on_group_with_recursive_group_mode_for_default_user( ): # set permission to g0/g0_1 with recursive groups only mode, all children including # other groups should have this permission now set. repositories should # remain intact as we use groups only mode ! recursive = 'groups' group = 'g0/g0_1' default_user_id = User.get_default_user().user_id permissions_setup_func(group, 'group.write', recursive=recursive, user_id=default_user_id) # change default to get perms for default user _get_repo_perms = functools.partial(_get_perms, key='repositories', test_u1_id=default_user_id) _get_group_perms = functools.partial(_get_perms, key='repositories_groups', test_u1_id=default_user_id) repo_items = [x for x in _get_repo_perms(group, recursive)] items = [x for x in _get_group_perms(group, recursive)] _check_expected_count(items, repo_items, expected_count(group, True)) for name, perm in repo_items: yield check_tree_perms, name, perm, group, 'repository.read' for name, perm in items: yield check_tree_perms, name, perm, group, 'group.write'
def test_delete_ips(self, auto_clear_ip_permissions): self.log_user() default_user_id = User.get_default_user().user_id ## first add new_ip = '127.0.0.0/24' with test_context(self.app): user_model = UserModel() ip_obj = user_model.add_extra_ip(default_user_id, new_ip) Session().commit() ## double check that add worked # IP permissions are cached, need to invalidate this cache explicitly invalidate_all_caches() self.app.get(url('admin_permissions_ips'), status=302) # REMOTE_ADDR must match 127.0.0.0/24 response = self.app.get(url('admin_permissions_ips'), extra_environ={'REMOTE_ADDR': '127.0.0.1'}) response.mustcontain('127.0.0.0/24') response.mustcontain('127.0.0.0 - 127.0.0.255') ## now delete response = self.app.post( url('edit_user_ips_delete', id=default_user_id), params=dict(del_ip_id=ip_obj.ip_id, _authentication_token=self.authentication_token()), extra_environ={'REMOTE_ADDR': '127.0.0.1'}) # IP permissions are cached, need to invalidate this cache explicitly invalidate_all_caches() response = self.app.get(url('admin_permissions_ips')) response.mustcontain('All IP addresses are allowed') response.mustcontain(no=['127.0.0.0/24']) response.mustcontain(no=['127.0.0.0 - 127.0.0.255'])
def test_user_permissions_on_group_with_recursive_repo_mode_for_default_user(): # set permission to g0/g0_1 recursive repos only mode, all children including # other repos should have this permission now set, inner groups are excluded! recursive = 'repos' group = u'g0/g0_1' perm = 'group.none' default_user_id = User.get_default_user().user_id permissions_setup_func(group, perm, recursive=recursive, user_id=default_user_id) # change default to get perms for default user _get_repo_perms = functools.partial(_get_perms, key='repositories', test_u1_id=default_user_id) _get_group_perms = functools.partial(_get_perms, key='repositories_groups', test_u1_id=default_user_id) repo_items = [x for x in _get_repo_perms(group, recursive)] items = [x for x in _get_group_perms(group, recursive)] _check_expected_count(items, repo_items, expected_count(group, True)) for name, perm in repo_items: check_tree_perms(name, perm, group, 'repository.none') for name, perm in items: # permission is set with repos only mode, but we also change the permission # on the group we trigger the apply to children from, thus we need # to change its permission check old_perm = 'group.read' if name == group: old_perm = perm check_tree_perms(name, perm, group, old_perm)
def permissions_setup_func(group_name=u'g0', perm='group.read', recursive='all', user_id=None): """ Resets all permissions to perm attribute """ if not user_id: user_id = test_u1_id permissions_setup_func(group_name, perm, recursive, user_id=User.get_default_user().user_id) repo_group = RepoGroup.get_by_group_name(group_name=group_name) if not repo_group: raise Exception('Cannot get group %s' % group_name) # Start with a baseline that current group can read recursive perms_updates = [[user_id, 'group.read', 'user']] RepoGroupModel()._update_permissions(repo_group, perms_updates=perms_updates, recursive='all', check_perms=False) perms_updates = [[user_id, perm, 'user']] RepoGroupModel()._update_permissions(repo_group, perms_updates=perms_updates, recursive=recursive, check_perms=False) Session().commit()
def test_user_permissions_on_group_with_recursive_mode_for_default_user(): # set permission to g0 recursive mode, all children including # other repos and groups should have this permission now set ! recursive = 'all' group = u'g0' default_user_id = User.get_default_user().user_id permissions_setup_func(group, 'group.write', recursive=recursive, user_id=default_user_id) # change default to get perms for default user _get_repo_perms = functools.partial(_get_perms, key='repositories', test_u1_id=default_user_id) _get_group_perms = functools.partial(_get_perms, key='repositories_groups', test_u1_id=default_user_id) repo_items = [x for x in _get_repo_perms(group, recursive)] items = [x for x in _get_group_perms(group, recursive)] _check_expected_count(items, repo_items, expected_count(group, True)) for name, perm in repo_items: # default user permissions do not "recurse into" private repos is_private = Repository.get_by_repo_name(name).private check_tree_perms(name, perm, group, 'repository.none' if is_private else 'repository.write') for name, perm in items: check_tree_perms(name, perm, group, 'group.write')
def my_account(self): """ GET /_admin/my_account Displays info about my account """ # url('my_account') c.active = 'profile' self.__load_data() c.perm_user = AuthUser(user_id=self.authuser.user_id) c.ip_addr = self.ip_addr managed_fields = auth_modules.get_managed_fields(c.user) def_user_perms = User.get_default_user().AuthUser.permissions['global'] if 'hg.register.none' in def_user_perms: managed_fields.extend(['username', 'firstname', 'lastname', 'email']) c.readonly = lambda n: 'readonly' if n in managed_fields else None defaults = c.user.get_dict() update = False if request.POST: _form = UserForm(edit=True, old_data={'user_id': self.authuser.user_id, 'email': self.authuser.email})() form_result = {} try: post_data = dict(request.POST) post_data['new_password'] = '' post_data['password_confirmation'] = '' form_result = _form.to_python(post_data) # skip updating those attrs for my account skip_attrs = ['admin', 'active', 'extern_type', 'extern_name', 'new_password', 'password_confirmation', ] + managed_fields UserModel().update(self.authuser.user_id, form_result, skip_attrs=skip_attrs) h.flash(_('Your account was updated successfully'), category='success') Session().commit() update = True except formencode.Invalid as errors: return htmlfill.render( render('admin/my_account/my_account.html'), defaults=errors.value, errors=errors.error_dict or {}, prefix_error=False, encoding="UTF-8", force_defaults=False) except Exception: log.error(traceback.format_exc()) h.flash(_('Error occurred during update of user %s') \ % form_result.get('username'), category='error') if update: raise HTTPFound(location='my_account') return htmlfill.render( render('admin/my_account/my_account.html'), defaults=defaults, encoding="UTF-8", force_defaults=False)
def __enter__(self): anon = User.get_default_user() self._before = anon.active anon.active = status Session().add(anon) Session().commit() time.sleep( 1.5) # hack: wait for beaker sql_cache_short to expire
def my_account(self): c.active = 'profile' self.__load_data() c.perm_user = AuthUser(user_id=request.authuser.user_id) managed_fields = auth_modules.get_managed_fields(c.user) def_user_perms = User.get_default_user().AuthUser.permissions['global'] if 'hg.register.none' in def_user_perms: managed_fields.extend(['username', 'firstname', 'lastname', 'email']) c.readonly = lambda n: 'readonly' if n in managed_fields else None defaults = c.user.get_dict() update = False if request.POST: _form = UserForm(edit=True, old_data={'user_id': request.authuser.user_id, 'email': request.authuser.email})() form_result = {} try: post_data = dict(request.POST) post_data['new_password'] = '' post_data['password_confirmation'] = '' form_result = _form.to_python(post_data) # skip updating those attrs for my account skip_attrs = ['admin', 'active', 'extern_type', 'extern_name', 'new_password', 'password_confirmation', ] + managed_fields UserModel().update(request.authuser.user_id, form_result, skip_attrs=skip_attrs) h.flash(_('Your account was updated successfully'), category='success') Session().commit() update = True except formencode.Invalid as errors: return htmlfill.render( render('admin/my_account/my_account.html'), defaults=errors.value, errors=errors.error_dict or {}, prefix_error=False, encoding="UTF-8", force_defaults=False) except Exception: log.error(traceback.format_exc()) h.flash(_('Error occurred during update of user %s') \ % form_result.get('username'), category='error') if update: raise HTTPFound(location='my_account') return htmlfill.render( render('admin/my_account/my_account.html'), defaults=defaults, encoding="UTF-8", force_defaults=False)
def register(self): def_user_perms = AuthUser( dbuser=User.get_default_user()).permissions['global'] c.auto_active = 'hg.register.auto_activate' in def_user_perms settings = Setting.get_app_settings() captcha_private_key = settings.get('captcha_private_key') c.captcha_active = bool(captcha_private_key) c.captcha_public_key = settings.get('captcha_public_key') if request.POST: register_form = RegisterForm()() try: form_result = register_form.to_python(dict(request.POST)) form_result['active'] = c.auto_active if c.captcha_active: from kallithea.lib.recaptcha import submit response = submit(request.POST.get('g-recaptcha-response'), private_key=captcha_private_key, remoteip=request.ip_addr) if not response.is_valid: _value = form_result _msg = _('Bad captcha') error_dict = {'recaptcha_field': _msg} raise formencode.Invalid(_msg, _value, None, error_dict=error_dict) UserModel().create_registration(form_result) h.flash(_('You have successfully registered with %s') % (c.site_name or 'Kallithea'), category='success') Session().commit() raise HTTPFound(location=url('login_home')) except formencode.Invalid as errors: return htmlfill.render(render('/register.html'), defaults=errors.value, errors=errors.error_dict or {}, prefix_error=False, encoding="UTF-8", force_defaults=False) except UserCreationError as e: # container auth or other auth functions that create users on # the fly can throw this exception signaling that there's issue # with user creation, explanation should be provided in # Exception itself h.flash(e, 'error') return render('/register.html')
def fixup_groups(self): def_usr = User.get_default_user() for g in RepoGroup.query().all(): g.group_name = g.get_new_name(g.name) # get default perm default = UserRepoGroupToPerm.query() \ .filter(UserRepoGroupToPerm.group == g) \ .filter(UserRepoGroupToPerm.user == def_usr) \ .scalar() if default is None: log.debug('missing default permission for group %s adding', g) RepoGroupModel()._create_default_perms(g)
def test_get_user_or_raise_if_default(self, monkeypatch, test_context_fixture): # flash complains about an non-existing session def flash_mock(*args, **kwargs): pass monkeypatch.setattr(h, 'flash', flash_mock) u = UsersController() # a regular user should work correctly user = User.get_by_username(TEST_USER_REGULAR_LOGIN) assert u._get_user_or_raise_if_default(user.user_id) == user # the default user should raise with pytest.raises(HTTPNotFound): u._get_user_or_raise_if_default(User.get_default_user().user_id)
def register(self): c.auto_active = 'hg.register.auto_activate' in User.get_default_user() \ .AuthUser.permissions['global'] settings = Setting.get_app_settings() captcha_private_key = settings.get('captcha_private_key') c.captcha_active = bool(captcha_private_key) c.captcha_public_key = settings.get('captcha_public_key') if request.POST: register_form = RegisterForm()() try: form_result = register_form.to_python(dict(request.POST)) form_result['active'] = c.auto_active if c.captcha_active: from kallithea.lib.recaptcha import submit response = submit(request.POST.get('recaptcha_challenge_field'), request.POST.get('recaptcha_response_field'), private_key=captcha_private_key, remoteip=self.ip_addr) if c.captcha_active and not response.is_valid: _value = form_result _msg = _('Bad captcha') error_dict = {'recaptcha_field': _msg} raise formencode.Invalid(_msg, _value, None, error_dict=error_dict) UserModel().create_registration(form_result) h.flash(_('You have successfully registered into Kallithea'), category='success') Session().commit() raise HTTPFound(location=url('login_home')) except formencode.Invalid as errors: return htmlfill.render( render('/register.html'), defaults=errors.value, errors=errors.error_dict or {}, prefix_error=False, encoding="UTF-8", force_defaults=False) except UserCreationError as e: # container auth or other auth functions that create users on # the fly can throw this exception signaling that there's issue # with user creation, explanation should be provided in # Exception itself h.flash(e, 'error') return render('/register.html')
def test_no_permissions_to_fork(self): self.log_user(base.TEST_USER_REGULAR_LOGIN, base.TEST_USER_REGULAR_PASS)['user_id'] try: user_model = UserModel() usr = User.get_default_user() user_model.revoke_perm(usr, 'hg.fork.repository') user_model.grant_perm(usr, 'hg.fork.none') Session().commit() # try create a fork repo_name = self.REPO self.app.post(base.url(controller='forks', action='fork_create', repo_name=repo_name), { '_session_csrf_secret_token': self.session_csrf_secret_token() }, status=403) finally: usr = User.get_default_user() user_model.revoke_perm(usr, 'hg.fork.none') user_model.grant_perm(usr, 'hg.fork.repository') Session().commit()
def test_add_ips(self): self.log_user() default_user_id = User.get_default_user().user_id response = self.app.put(url('edit_user_ips', id=default_user_id), params=dict(new_ip='127.0.0.0/24')) response = self.app.get(url('admin_permissions_ips')) response.mustcontain('127.0.0.0/24') response.mustcontain('127.0.0.0 - 127.0.0.255') ## delete default_user_id = User.get_default_user().user_id del_ip_id = UserIpMap.query().filter( UserIpMap.user_id == default_user_id).first().ip_id response = self.app.post(url('edit_user_ips', id=default_user_id), params=dict(_method='delete', del_ip_id=del_ip_id)) response = self.app.get(url('admin_permissions_ips')) response.mustcontain('All IP addresses are allowed') response.mustcontain(no=['127.0.0.0/24']) response.mustcontain(no=['127.0.0.0 - 127.0.0.255'])
def _create_default_perms(self, user_group): # create default permission default_perm = 'usergroup.read' def_user = User.get_default_user() for p in def_user.user_perms: if p.permission.permission_name.startswith('usergroup.'): default_perm = p.permission.permission_name break user_group_to_perm = UserUserGroupToPerm() user_group_to_perm.permission = Permission.get_by_key(default_perm) user_group_to_perm.user_group = user_group user_group_to_perm.user_id = def_user.user_id return user_group_to_perm
def _create_default_perms(self, new_group): # create default permission default_perm = 'group.read' def_user = User.get_default_user() for p in def_user.user_perms: if p.permission.permission_name.startswith('group.'): default_perm = p.permission.permission_name break repo_group_to_perm = UserRepoGroupToPerm() repo_group_to_perm.permission = Permission.get_by_key(default_perm) repo_group_to_perm.group = new_group repo_group_to_perm.user_id = def_user.user_id return repo_group_to_perm
def edit_ips(self, id): c.user = self._get_user_or_raise_if_default(id) c.active = 'ips' c.user_ip_map = UserIpMap.query() \ .filter(UserIpMap.user == c.user).all() c.inherit_default_ips = c.user.inherit_default_permissions c.default_user_ip_map = UserIpMap.query() \ .filter(UserIpMap.user == User.get_default_user()).all() defaults = c.user.get_dict() return htmlfill.render( render('admin/users/user_edit.html'), defaults=defaults, encoding="UTF-8", force_defaults=False)
def __init__(self, user_id=None, dbuser=None, authenticating_api_key=None, is_external_auth=False): self.is_authenticated = False self.is_external_auth = is_external_auth self.authenticating_api_key = authenticating_api_key user_model = UserModel() self._default_user = User.get_default_user(cache=True) # These attributes will be overridden by fill_data, below, unless the # requested user cannot be found and the default anonymous user is # not enabled. self.user_id = None self.username = None self.api_key = None self.name = '' self.lastname = '' self.email = '' self.admin = False self.inherit_default_permissions = False # Look up database user, if necessary. if user_id is not None: log.debug('Auth User lookup by USER ID %s', user_id) dbuser = user_model.get(user_id) else: # Note: dbuser is allowed to be None. log.debug('Auth User lookup by database user %s', dbuser) is_user_loaded = self._fill_data(dbuser) # If user cannot be found, try falling back to anonymous. if not is_user_loaded: is_user_loaded = self._fill_data(self._default_user) self.is_default_user = (self.user_id == self._default_user.user_id) self.is_anonymous = not is_user_loaded or self.is_default_user if not self.username: self.username = '******' log.debug('Auth User is now %s', self)
def test_add_ips(self, auto_clear_ip_permissions): self.log_user() default_user_id = User.get_default_user().user_id response = self.app.post(url('edit_user_ips_update', id=default_user_id), params=dict(new_ip='127.0.0.0/24', _authentication_token=self.authentication_token())) # IP permissions are cached, need to invalidate this cache explicitly invalidate_all_caches() self.app.get(url('admin_permissions_ips'), status=302) # REMOTE_ADDR must match 127.0.0.0/24 response = self.app.get(url('admin_permissions_ips'), extra_environ={'REMOTE_ADDR': '127.0.0.1'}) response.mustcontain('127.0.0.0/24') response.mustcontain('127.0.0.0 - 127.0.0.255')
def _create_default_perms(self, repository, private): # create default permission default = 'repository.read' def_user = User.get_default_user() for p in def_user.user_perms: if p.permission.permission_name.startswith('repository.'): default = p.permission.permission_name break default_perm = 'repository.none' if private else default repo_to_perm = UserRepoToPerm() repo_to_perm.permission = Permission.get_by_key(default_perm) repo_to_perm.repository = repository repo_to_perm.user_id = def_user.user_id return repo_to_perm
def test_add_ips(self, auto_clear_ip_permissions): self.log_user() default_user_id = User.get_default_user().user_id response = self.app.post( url('edit_user_ips_update', id=default_user_id), params=dict(new_ip='127.0.0.0/24', _authentication_token=self.authentication_token())) # IP permissions are cached, need to invalidate this cache explicitly invalidate_all_caches() self.app.get(url('admin_permissions_ips'), status=302) # REMOTE_ADDR must match 127.0.0.0/24 response = self.app.get(url('admin_permissions_ips'), extra_environ={'REMOTE_ADDR': '127.0.0.1'}) response.mustcontain('127.0.0.0/24') response.mustcontain('127.0.0.0 - 127.0.0.255')
def auto_clear_ip_permissions(): """Fixture that provides nothing but clearing IP permissions upon test exit. This clearing is needed to avoid other test failing to make fake http accesses.""" yield # cleanup user_model = UserModel() user_ids = [] user_ids.append(User.get_default_user().user_id) user_ids.append(User.get_by_username(TEST_USER_REGULAR_LOGIN).user_id) for user_id in user_ids: for ip in UserIpMap.query().filter(UserIpMap.user_id == user_id): user_model.delete_extra_ip(user_id, ip.ip_id) # IP permissions are cached, need to invalidate this cache explicitly invalidate_all_caches()
def edit_ips(self, id): c.user = User.get_or_404(id) if c.user.username == User.DEFAULT_USER: h.flash(_("You can't edit this user"), category='warning') return redirect(url('users')) c.active = 'ips' c.user_ip_map = UserIpMap.query()\ .filter(UserIpMap.user == c.user).all() c.inherit_default_ips = c.user.inherit_default_permissions c.default_user_ip_map = UserIpMap.query()\ .filter(UserIpMap.user == User.get_default_user()).all() defaults = c.user.get_dict() return htmlfill.render(render('admin/users/user_edit.html'), defaults=defaults, encoding="UTF-8", force_defaults=False)
def __load_data(self, repo_name=None): """ Load defaults settings for edit, and update :param repo_name: """ self.__load_defaults() c.repo_info = db_repo = Repository.get_by_repo_name(repo_name) repo = db_repo.scm_instance if c.repo_info is None: h.not_mapped_error(repo_name) return redirect(url('repos')) c.default_user_id = User.get_default_user().user_id c.in_public_journal = UserFollowing.query()\ .filter(UserFollowing.user_id == c.default_user_id)\ .filter(UserFollowing.follows_repository == c.repo_info).scalar() if c.repo_info.stats: last_rev = c.repo_info.stats.stat_on_revision+1 else: last_rev = 0 c.stats_revision = last_rev c.repo_last_rev = repo.count() if repo.revisions else 0 if last_rev == 0 or c.repo_last_rev == 0: c.stats_percentage = 0 else: c.stats_percentage = '%.2f' % ((float((last_rev)) / c.repo_last_rev) * 100) defaults = RepoModel()._get_defaults(repo_name) # alter the description to indicate a fork defaults['description'] = ('fork of repository: %s \n%s' % (defaults['repo_name'], defaults['description'])) # add suffix to fork defaults['repo_name'] = '%s-fork' % defaults['repo_name'] return defaults
def setUp(self): self.u1 = UserModel().create_or_update( username=u'u1', password=u'qweqwe', email=u'*****@*****.**', firstname=u'u1', lastname=u'u1' ) self.u2 = UserModel().create_or_update( username=u'u2', password=u'qweqwe', email=u'*****@*****.**', firstname=u'u2', lastname=u'u2' ) self.u3 = UserModel().create_or_update( username=u'u3', password=u'qweqwe', email=u'*****@*****.**', firstname=u'u3', lastname=u'u3' ) self.anon = User.get_default_user() self.a1 = UserModel().create_or_update( username=u'a1', password=u'qweqwe', email=u'*****@*****.**', firstname=u'a1', lastname=u'a1', admin=True ) Session().commit()
def edit_advanced_journal(self, repo_name): """ Sets this repository to be visible in public journal, in other words asking default user to follow this repo :param repo_name: """ try: repo_id = Repository.get_by_repo_name(repo_name).repo_id user_id = User.get_default_user().user_id self.scm_model.toggle_following_repo(repo_id, user_id) h.flash(_('Updated repository visibility in public journal'), category='success') Session().commit() except Exception: h.flash(_('An error occurred during setting this' ' repository in public journal'), category='error') return redirect(url('edit_repo_advanced', repo_name=repo_name))
def edit_ips(self, id): c.user = User.get_or_404(id) if c.user.username == User.DEFAULT_USER: h.flash(_("You can't edit this user"), category='warning') return redirect(url('users')) c.active = 'ips' c.user_ip_map = UserIpMap.query()\ .filter(UserIpMap.user == c.user).all() c.inherit_default_ips = c.user.inherit_default_permissions c.default_user_ip_map = UserIpMap.query()\ .filter(UserIpMap.user == User.get_default_user()).all() defaults = c.user.get_dict() return htmlfill.render( render('admin/users/user_edit.html'), defaults=defaults, encoding="UTF-8", force_defaults=False)
def __load_data(self): """ Load defaults settings for edit, and update """ self.__load_defaults() c.repo_info = c.db_repo repo = c.db_repo.scm_instance if c.repo_info is None: h.not_mapped_error(c.repo_name) raise HTTPFound(location=url('repos')) c.default_user_id = User.get_default_user().user_id c.in_public_journal = UserFollowing.query() \ .filter(UserFollowing.user_id == c.default_user_id) \ .filter(UserFollowing.follows_repository == c.repo_info).scalar() if c.repo_info.stats: last_rev = c.repo_info.stats.stat_on_revision + 1 else: last_rev = 0 c.stats_revision = last_rev c.repo_last_rev = repo.count() if repo.revisions else 0 if last_rev == 0 or c.repo_last_rev == 0: c.stats_percentage = 0 else: c.stats_percentage = '%.2f' % ((float( (last_rev)) / c.repo_last_rev) * 100) defaults = RepoModel()._get_defaults(c.repo_name) # alter the description to indicate a fork defaults['description'] = ( 'fork of repository: %s \n%s' % (defaults['repo_name'], defaults['description'])) # add suffix to fork defaults['repo_name'] = '%s-fork' % defaults['repo_name'] return defaults
def _determine_auth_user(session_authuser, ip_addr): """ Create an `AuthUser` object given the API key/bearer token (if any) and the value of the authuser session cookie. Returns None if no valid user is found (like not active or no access for IP). """ # Authenticate by session cookie # In ancient login sessions, 'authuser' may not be a dict. # In that case, the user will have to log in again. # v0.3 and earlier included an 'is_authenticated' key; if present, # this must be True. if isinstance(session_authuser, dict) and session_authuser.get( 'is_authenticated', True): return AuthUser.from_cookie(session_authuser, ip_addr=ip_addr) # Authenticate by auth_container plugin (if enabled) if any(plugin.is_container_auth for plugin in auth_modules.get_auth_plugins()): try: user_info = auth_modules.authenticate('', '', request.environ) except UserCreationError as e: from kallithea.lib import helpers as h h.flash(e, 'error', logf=log.error) else: if user_info is not None: username = user_info['username'] user = User.get_by_username(username, case_insensitive=True) return log_in_user(user, remember=False, is_external_auth=True, ip_addr=ip_addr) # User is default user (if active) or anonymous default_user = User.get_default_user() authuser = AuthUser.make(dbuser=default_user, ip_addr=ip_addr) if authuser is None: # fall back to anonymous authuser = AuthUser( dbuser=default_user) # TODO: somehow use .make? return authuser
def edit_advanced_journal(self, repo_name): """ Sets this repository to be visible in public journal, in other words asking default user to follow this repo :param repo_name: """ try: repo_id = Repository.get_by_repo_name(repo_name).repo_id user_id = User.get_default_user().user_id self.scm_model.toggle_following_repo(repo_id, user_id) h.flash(_('Updated repository visibility in public journal'), category='success') Session().commit() except Exception: h.flash(_('An error occurred during setting this' ' repository in public journal'), category='error') raise HTTPFound( location=url('edit_repo_advanced', repo_name=repo_name))
def propagate_data(self): user_model = UserModel() self.anonymous_user = User.get_default_user(cache=True) is_user_loaded = False # lookup by userid if self.user_id is not None and self.user_id != self.anonymous_user.user_id: log.debug('Auth User lookup by USER ID %s' % self.user_id) is_user_loaded = user_model.fill_data(self, user_id=self.user_id) # try go get user by api key elif self._api_key and self._api_key != self.anonymous_user.api_key: log.debug('Auth User lookup by API KEY %s' % self._api_key) is_user_loaded = user_model.fill_data(self, api_key=self._api_key) # lookup by username elif self.username: log.debug('Auth User lookup by USER NAME %s' % self.username) is_user_loaded = user_model.fill_data(self, username=self.username) else: log.debug('No data in %s that could been used to log in' % self) if not is_user_loaded: # if we cannot authenticate user try anonymous if self.anonymous_user.active: user_model.fill_data(self, user_id=self.anonymous_user.user_id) # then we set this user is logged in self.is_authenticated = True else: self.user_id = None self.username = None self.is_authenticated = False if not self.username: self.username = '******' log.debug('Auth User is now %s' % self)