def test_inactive_user_group_does_not_affect_repo_permissions_inverse(self): self.ug1 = fixture.create_user_group(u'G1') self.ug1.inherit_default_permissions = False user_group_model = UserGroupModel() user_group_model.add_user_to_group(self.ug1, self.u1) user_group_model.update(self.ug1, {'users_group_active': False}) # note: make u2 repo owner rather than u1, because the owner always has # admin permissions self.test_repo = fixture.create_repo(name=u'myownrepo', repo_type='hg', cur_user=self.u2) # enable only write access for user group on repo RepoModel().grant_user_group_permission(self.test_repo, group_name=self.ug1, perm='repository.write') # enable admin access for default user on repo RepoModel().grant_user_permission(self.test_repo, user='******', perm='repository.admin') Session().commit() u1_auth = AuthUser(user_id=self.u1.user_id) self.assertEqual(u1_auth.permissions['repositories']['myownrepo'], 'repository.admin')
def test_enforce_groups(self, pre_existing, regular_should_be, external_should_be, groups, expected): # delete all groups for gr in UserGroup.query(): fixture.destroy_user_group(gr) Session().commit() user = User.get_by_username(base.TEST_USER_REGULAR_LOGIN) for gr in pre_existing: gr = fixture.create_user_group(gr) Session().commit() # make sure use is just in those groups for gr in regular_should_be: gr = fixture.create_user_group(gr) Session().commit() UserGroupModel().add_user_to_group(gr, user) Session().commit() # now special external groups created by auth plugins for gr in external_should_be: gr = fixture.create_user_group( gr, user_group_data={'extern_type': 'container'}) Session().commit() UserGroupModel().add_user_to_group(gr, user) Session().commit() UserGroupModel().enforce_groups(user, groups, 'container') Session().commit() user = User.get_by_username(base.TEST_USER_REGULAR_LOGIN) in_groups = user.group_member assert sorted(expected) == sorted(x.users_group.users_group_name for x in in_groups)
def test_repo_group_user_as_user_group_member(self): # create Group1 self.g1 = fixture.create_repo_group(u'group1', skip_if_exists=True) a1_auth = AuthUser(user_id=self.anon.user_id) assert a1_auth.permissions['repositories_groups'] == { u'group1': u'group.read' } # set default permission to none RepoGroupModel().grant_user_permission(repo_group=self.g1, user=self.anon, perm='group.none') # make group self.ug1 = fixture.create_user_group(u'G1') # add user to group UserGroupModel().add_user_to_group(self.ug1, self.u1) Session().commit() # check if user is in the group members = [ x.user_id for x in UserGroupModel().get(self.ug1.users_group_id).members ] assert members == [self.u1.user_id] # add some user to that group # check his permissions a1_auth = AuthUser(user_id=self.anon.user_id) assert a1_auth.permissions['repositories_groups'] == { u'group1': u'group.none' } u1_auth = AuthUser(user_id=self.u1.user_id) assert u1_auth.permissions['repositories_groups'] == { u'group1': u'group.none' } # grant ug1 read permissions for RepoGroupModel().grant_user_group_permission(repo_group=self.g1, group_name=self.ug1, perm='group.read') Session().commit() # check if the obj = Session().query(UserGroupRepoGroupToPerm) \ .filter(UserGroupRepoGroupToPerm.group == self.g1) \ .filter(UserGroupRepoGroupToPerm.users_group == self.ug1) \ .scalar() assert obj.permission.permission_name == 'group.read' a1_auth = AuthUser(user_id=self.anon.user_id) assert a1_auth.permissions['repositories_groups'] == { u'group1': u'group.none' } u1_auth = AuthUser(user_id=self.u1.user_id) assert u1_auth.permissions['repositories_groups'] == { u'group1': u'group.read' }
def test_ValidUserGroup(self): validator = v.ValidUserGroup() with pytest.raises(formencode.Invalid): validator.to_python('default') with pytest.raises(formencode.Invalid): validator.to_python('.,') gr = fixture.create_user_group('test') gr2 = fixture.create_user_group('tes2') Session().commit() with pytest.raises(formencode.Invalid): validator.to_python('test') assert gr.users_group_id is not None validator = v.ValidUserGroup( edit=True, old_data={'users_group_id': gr2.users_group_id}) with pytest.raises(formencode.Invalid): validator.to_python('test') with pytest.raises(formencode.Invalid): validator.to_python('TesT') with pytest.raises(formencode.Invalid): validator.to_python('TEST') UserGroupModel().delete(gr) UserGroupModel().delete(gr2) Session().commit()
def delete_perms(self, id): """ DELETE an existing repository group permission user :param group_name: """ try: obj_type = request.POST.get('obj_type') obj_id = None if obj_type == 'user': obj_id = safe_int(request.POST.get('user_id')) elif obj_type == 'user_group': obj_id = safe_int(request.POST.get('user_group_id')) if not c.authuser.is_admin: if obj_type == 'user' and c.authuser.user_id == obj_id: msg = _('Cannot revoke permission for yourself as admin') h.flash(msg, category='warning') raise Exception('revoke admin permission on self') if obj_type == 'user': UserGroupModel().revoke_user_permission(user_group=id, user=obj_id) elif obj_type == 'user_group': UserGroupModel().revoke_user_group_permission( target_user_group=id, user_group=obj_id) Session().commit() except Exception: log.error(traceback.format_exc()) h.flash(_('An error occurred during revoking of permission'), category='error') raise HTTPInternalServerError()
def test_create_and_remove(self): usr = UserModel().create_or_update(username=u'test_user', password=u'qweqwe', email=u'*****@*****.**', firstname=u'u1', lastname=u'u1') Session().commit() assert User.get_by_username(u'test_user') == usr assert User.get_by_username(u'test_USER', case_insensitive=True) == usr # User.get_by_username without explicit request for case insensitivty # will use database case sensitivity. The following will thus return # None on for example PostgreSQL but find test_user on MySQL - we are # fine with leaving that as undefined as long as it doesn't crash. User.get_by_username(u'test_USER', case_insensitive=False) # make user group user_group = fixture.create_user_group(u'some_example_group') Session().commit() UserGroupModel().add_user_to_group(user_group, usr) Session().commit() assert UserGroup.get(user_group.users_group_id) == user_group assert UserGroupMember.query().count() == 1 UserModel().delete(usr.user_id) Session().commit() assert UserGroupMember.query().all() == []
def test_propagated_permission_from_users_group(self): # make group self.ug1 = fixture.create_user_group('G1') UserGroupModel().add_user_to_group(self.ug1, self.u3) # grant perm for group this should override default permission from user new_perm_gr = 'repository.write' RepoModel().grant_user_group_permission(repo=HG_REPO, group_name=self.ug1, perm=new_perm_gr) # check perms u3_auth = AuthUser(user_id=self.u3.user_id) perms = { 'repositories_groups': {}, 'global': set([ u'hg.create.repository', u'repository.read', u'hg.register.manual_activate' ]), 'repositories': { u'vcs_test_hg': u'repository.read' } } self.assertEqual(u3_auth.permissions['repositories'][HG_REPO], new_perm_gr) self.assertEqual(u3_auth.permissions['repositories_groups'], perms['repositories_groups'])
def create(self): """POST /users_groups: Create a new item""" # url('users_groups') users_group_form = UserGroupForm()() try: form_result = users_group_form.to_python(dict(request.POST)) ug = UserGroupModel().create( name=form_result['users_group_name'], description=form_result['user_group_description'], owner=self.authuser.user_id, active=form_result['users_group_active']) gr = form_result['users_group_name'] action_logger(self.authuser, 'admin_created_users_group:%s' % gr, None, self.ip_addr, self.sa) h.flash(h.literal( _('Created user group %s') % h.link_to(h.escape(gr), url('edit_users_group', id=ug.users_group_id))), category='success') Session().commit() except formencode.Invalid, errors: return htmlfill.render( render('admin/user_groups/user_group_add.html'), defaults=errors.value, errors=errors.error_dict or {}, prefix_error=False, encoding="UTF-8", force_defaults=False)
def test_enforce_groups(self, pre_existing, regular_should_be, external_should_be, groups, expected): # delete all groups for gr in UserGroupModel.get_all(): fixture.destroy_user_group(gr) Session().commit() user = User.get_by_username(TEST_USER_REGULAR_LOGIN) for gr in pre_existing: gr = fixture.create_user_group(gr) Session().commit() # make sure use is just in those groups for gr in regular_should_be: gr = fixture.create_user_group(gr) Session().commit() UserGroupModel().add_user_to_group(gr, user) Session().commit() # now special external groups created by auth plugins for gr in external_should_be: gr = fixture.create_user_group(gr, user_group_data={'extern_type': 'container'}) Session().commit() UserGroupModel().add_user_to_group(gr, user) Session().commit() UserGroupModel().enforce_groups(user, groups, 'container') Session().commit() user = User.get_by_username(TEST_USER_REGULAR_LOGIN) in_groups = user.group_member self.assertEqual(expected, [x.users_group.users_group_name for x in in_groups])
def create(self): users_group_form = UserGroupForm()() try: form_result = users_group_form.to_python(dict(request.POST)) ug = UserGroupModel().create( name=form_result['users_group_name'], description=form_result['user_group_description'], owner=request.authuser.user_id, active=form_result['users_group_active']) gr = form_result['users_group_name'] action_logger(request.authuser, 'admin_created_users_group:%s' % gr, None, request.ip_addr) h.flash( h.HTML(_('Created user group %s')) % h.link_to(gr, url('edit_users_group', id=ug.users_group_id)), category='success') Session().commit() except formencode.Invalid as errors: return htmlfill.render( render('admin/user_groups/user_group_add.html'), defaults=errors.value, errors=errors.error_dict or {}, prefix_error=False, encoding="UTF-8", force_defaults=False) except Exception: log.error(traceback.format_exc()) h.flash(_('Error occurred during creation of user group %s') % request.POST.get('users_group_name'), category='error') raise HTTPFound(location=url('users_groups'))
def edit_default_perms(self, id): c.user_group = UserGroup.get_or_404(id) c.active = 'default_perms' permissions = { 'repositories': {}, 'repositories_groups': {} } ugroup_repo_perms = UserGroupRepoToPerm.query() \ .options(joinedload(UserGroupRepoToPerm.permission)) \ .options(joinedload(UserGroupRepoToPerm.repository)) \ .filter(UserGroupRepoToPerm.users_group_id == id) \ .all() for gr in ugroup_repo_perms: permissions['repositories'][gr.repository.repo_name] \ = gr.permission.permission_name ugroup_group_perms = UserGroupRepoGroupToPerm.query() \ .options(joinedload(UserGroupRepoGroupToPerm.permission)) \ .options(joinedload(UserGroupRepoGroupToPerm.group)) \ .filter(UserGroupRepoGroupToPerm.users_group_id == id) \ .all() for gr in ugroup_group_perms: permissions['repositories_groups'][gr.group.group_name] \ = gr.permission.permission_name c.permissions = permissions ug_model = UserGroupModel() defaults = c.user_group.get_dict() defaults.update({ 'create_repo_perm': ug_model.has_perm(c.user_group, 'hg.create.repository'), 'create_user_group_perm': ug_model.has_perm(c.user_group, 'hg.usergroup.create.true'), 'fork_repo_perm': ug_model.has_perm(c.user_group, 'hg.fork.repository'), }) return htmlfill.render( render('admin/user_groups/user_group_edit.html'), defaults=defaults, encoding="UTF-8", force_defaults=False )
def update(self, id): """PUT /user_groups/id: Update an existing item""" # Forms posted to this method should contain a hidden field: # <input type="hidden" name="_method" value="PUT" /> # Or using helpers: # h.form(url('users_group', id=ID), # method='put') # url('users_group', id=ID) c.user_group = UserGroup.get_or_404(id) c.active = 'settings' self.__load_data(id) available_members = [safe_unicode(x[0]) for x in c.available_members] users_group_form = UserGroupForm(edit=True, old_data=c.user_group.get_dict(), available_members=available_members)() try: form_result = users_group_form.to_python(request.POST) UserGroupModel().update(c.user_group, form_result) gr = form_result['users_group_name'] action_logger(self.authuser, 'admin_updated_users_group:%s' % gr, None, self.ip_addr, self.sa) h.flash(_('Updated user group %s') % gr, category='success') Session().commit() except formencode.Invalid, errors: ug_model = UserGroupModel() defaults = errors.value e = errors.error_dict or {} defaults.update({ 'create_repo_perm': ug_model.has_perm(id, 'hg.create.repository'), 'fork_repo_perm': ug_model.has_perm(id, 'hg.fork.repository'), '_method': 'put' }) return htmlfill.render( render('admin/user_groups/user_group_edit.html'), defaults=defaults, errors=e, prefix_error=False, encoding="UTF-8", force_defaults=False)
def update(self, id): c.user_group = UserGroup.get_or_404(id) c.active = 'settings' self.__load_data(id) available_members = [safe_str(x[0]) for x in c.available_members] users_group_form = UserGroupForm(edit=True, old_data=c.user_group.get_dict(), available_members=available_members)() try: form_result = users_group_form.to_python(request.POST) UserGroupModel().update(c.user_group, form_result) gr = form_result['users_group_name'] action_logger(request.authuser, 'admin_updated_users_group:%s' % gr, None, request.ip_addr) h.flash(_('Updated user group %s') % gr, category='success') Session().commit() except formencode.Invalid as errors: ug_model = UserGroupModel() defaults = errors.value e = errors.error_dict or {} defaults.update({ 'create_repo_perm': ug_model.has_perm(id, 'hg.create.repository'), 'fork_repo_perm': ug_model.has_perm(id, 'hg.fork.repository'), }) return htmlfill.render( render('admin/user_groups/user_group_edit.html'), defaults=defaults, errors=e, prefix_error=False, encoding="UTF-8", force_defaults=False) except Exception: log.error(traceback.format_exc()) h.flash(_('Error occurred during update of user group %s') % request.POST.get('users_group_name'), category='error') raise HTTPFound(location=url('edit_users_group', id=id))
def update(self, id): c.user_group = UserGroup.get_or_404(id) c.active = 'settings' self.__load_data(id) available_members = [safe_unicode(x[0]) for x in c.available_members] users_group_form = UserGroupForm(edit=True, old_data=c.user_group.get_dict(), available_members=available_members)() try: form_result = users_group_form.to_python(request.POST) UserGroupModel().update(c.user_group, form_result) gr = form_result['users_group_name'] action_logger(request.authuser, 'admin_updated_users_group:%s' % gr, None, request.ip_addr) h.flash(_('Updated user group %s') % gr, category='success') Session().commit() except formencode.Invalid as errors: ug_model = UserGroupModel() defaults = errors.value e = errors.error_dict or {} defaults.update({ 'create_repo_perm': ug_model.has_perm(id, 'hg.create.repository'), 'fork_repo_perm': ug_model.has_perm(id, 'hg.fork.repository'), }) return htmlfill.render( render('admin/user_groups/user_group_edit.html'), defaults=defaults, errors=e, prefix_error=False, encoding="UTF-8", force_defaults=False) except Exception: log.error(traceback.format_exc()) h.flash(_('Error occurred during update of user group %s') \ % request.POST.get('users_group_name'), category='error') raise HTTPFound(location=url('edit_users_group', id=id))
def edit_default_perms(self, id): c.user_group = UserGroup.get_or_404(id) c.active = 'default_perms' permissions = {'repositories': {}, 'repositories_groups': {}} ugroup_repo_perms = UserGroupRepoToPerm.query()\ .options(joinedload(UserGroupRepoToPerm.permission))\ .options(joinedload(UserGroupRepoToPerm.repository))\ .filter(UserGroupRepoToPerm.users_group_id == id)\ .all() for gr in ugroup_repo_perms: permissions['repositories'][gr.repository.repo_name] \ = gr.permission.permission_name ugroup_group_perms = UserGroupRepoGroupToPerm.query()\ .options(joinedload(UserGroupRepoGroupToPerm.permission))\ .options(joinedload(UserGroupRepoGroupToPerm.group))\ .filter(UserGroupRepoGroupToPerm.users_group_id == id)\ .all() for gr in ugroup_group_perms: permissions['repositories_groups'][gr.group.group_name] \ = gr.permission.permission_name c.permissions = permissions ug_model = UserGroupModel() defaults = c.user_group.get_dict() defaults.update({ 'create_repo_perm': ug_model.has_perm(c.user_group, 'hg.create.repository'), 'create_user_group_perm': ug_model.has_perm(c.user_group, 'hg.usergroup.create.true'), 'fork_repo_perm': ug_model.has_perm(c.user_group, 'hg.fork.repository'), }) return htmlfill.render( render('admin/user_groups/user_group_edit.html'), defaults=defaults, encoding="UTF-8", force_defaults=False)
def test_inactive_user_group_does_not_affect_repo_group_permissions_inverse(self): self.ug1 = fixture.create_user_group(u'G1') self.ug1.inherit_default_permissions = False user_group_model = UserGroupModel() user_group_model.add_user_to_group(self.ug1, self.u1) user_group_model.update(self.ug1, {'users_group_active': False}) self.g1 = fixture.create_repo_group(u'group1', skip_if_exists=True) # enable only write access for user group on repo group RepoGroupModel().grant_user_group_permission(self.g1, group_name=self.ug1, perm='group.write') # enable admin access for default user on repo group RepoGroupModel().grant_user_permission(self.g1, user='******', perm='group.admin') Session().commit() u1_auth = AuthUser(user_id=self.u1.user_id) assert u1_auth.permissions['repositories_groups'] == {u'group1': u'group.admin'}
def test_inactive_user_group_does_not_affect_user_group_permissions_inverse(self): self.ug1 = fixture.create_user_group(u'G1') self.ug1.inherit_default_permissions = False user_group_model = UserGroupModel() user_group_model.add_user_to_group(self.ug1, self.u1) user_group_model.update(self.ug1, {'users_group_active': False}) self.ug2 = fixture.create_user_group(u'G2') # enable only write access for user group on user group UserGroupModel().grant_user_group_permission(self.ug2, user_group=self.ug1, perm='usergroup.write') # enable admin access for default user on user group UserGroupModel().grant_user_permission(self.ug2, user='******', perm='usergroup.admin') Session().commit() u1_auth = AuthUser(user_id=self.u1.user_id) self.assertEqual(u1_auth.permissions['user_groups'][u'G1'], u'usergroup.read') self.assertEqual(u1_auth.permissions['user_groups'][u'G2'], u'usergroup.admin')
def test_inactive_user_group_does_not_affect_repo_permissions_inverse( self): self.ug1 = fixture.create_user_group(u'G1') self.ug1.inherit_default_permissions = False user_group_model = UserGroupModel() user_group_model.add_user_to_group(self.ug1, self.u1) user_group_model.update(self.ug1, {'users_group_active': False}) # note: make u2 repo owner rather than u1, because the owner always has # admin permissions self.test_repo = fixture.create_repo(name=u'myownrepo', repo_type='hg', cur_user=self.u2) # enable only write access for user group on repo RepoModel().grant_user_group_permission(self.test_repo, group_name=self.ug1, perm='repository.write') # enable admin access for default user on repo RepoModel().grant_user_permission(self.test_repo, user='******', perm='repository.admin') Session().commit() u1_auth = AuthUser(user_id=self.u1.user_id) assert u1_auth.permissions['repositories'][ 'myownrepo'] == 'repository.admin'
def delete(self, id): usr_gr = UserGroup.get_or_404(id) try: UserGroupModel().delete(usr_gr) Session().commit() h.flash(_('Successfully deleted user group'), category='success') except UserGroupsAssignedException as e: h.flash(e, category='error') except Exception: log.error(traceback.format_exc()) h.flash(_('An error occurred during deletion of user group'), category='error') raise HTTPFound(location=url('users_groups'))
def test_propagated_permission_from_users_group(self): # make group self.ug1 = fixture.create_user_group('G1') UserGroupModel().add_user_to_group(self.ug1, self.u3) # grant perm for group this should override default permission from user new_perm_gr = 'repository.write' RepoModel().grant_user_group_permission(repo=base.HG_REPO, group_name=self.ug1, perm=new_perm_gr) # check perms u3_auth = AuthUser(user_id=self.u3.user_id) assert u3_auth.permissions['repositories'][base.HG_REPO] == new_perm_gr
def teardown_method(self, method): if hasattr(self, 'test_repo'): RepoModel().delete(repo=self.test_repo) UserModel().delete(self.u1) UserModel().delete(self.u2) UserModel().delete(self.u3) UserModel().delete(self.a1) Session().commit( ) # commit early to avoid SQLAlchemy warning from double cascade delete to users_groups_members if hasattr(self, 'g1'): RepoGroupModel().delete(self.g1.group_id) if hasattr(self, 'g2'): RepoGroupModel().delete(self.g2.group_id) if hasattr(self, 'ug2'): UserGroupModel().delete(self.ug2, force=True) if hasattr(self, 'ug1'): UserGroupModel().delete(self.ug1, force=True) Session().commit()
def delete(self, id): """DELETE /user_groups/id: Delete an existing item""" # Forms posted to this method should contain a hidden field: # <input type="hidden" name="_method" value="DELETE" /> # Or using helpers: # h.form(url('users_group', id=ID), # method='delete') # url('users_group', id=ID) usr_gr = UserGroup.get_or_404(id) try: UserGroupModel().delete(usr_gr) Session().commit() h.flash(_('Successfully deleted user group'), category='success') except UserGroupsAssignedException, e: h.flash(e, category='error')
def setup_module(): global test_u2_id, test_u2_gr_id, _get_repo_perms, _get_group_perms test_u2 = _create_project_tree() Session().commit() test_u2_id = test_u2.user_id gr1 = fixture.create_user_group(u'perms_group_1') Session().commit() test_u2_gr_id = gr1.users_group_id UserGroupModel().add_user_to_group(gr1, user=test_u2_id) Session().commit() _get_repo_perms = functools.partial(_get_perms, key='repositories', test_u1_id=test_u2_id) _get_group_perms = functools.partial(_get_perms, key='repositories_groups', test_u1_id=test_u2_id)
def create_user_group(self, name, **kwargs): if 'skip_if_exists' in kwargs: del kwargs['skip_if_exists'] gr = UserGroup.get_by_group_name(group_name=name) if gr: return gr form_data = self._get_user_group_create_params(name, **kwargs) owner = kwargs.get('cur_user', TEST_USER_ADMIN_LOGIN) user_group = UserGroupModel().create( name=form_data['users_group_name'], description=form_data['user_group_description'], owner=owner, active=form_data['users_group_active'], group_data=form_data['user_group_data']) Session().commit() user_group = UserGroup.get_by_group_name(user_group.users_group_name) return user_group
def tearDown(self): if hasattr(self, 'test_repo'): RepoModel().delete(repo=self.test_repo) UserModel().delete(self.u1) UserModel().delete(self.u2) UserModel().delete(self.u3) UserModel().delete(self.a1) if hasattr(self, 'g1'): RepoGroupModel().delete(self.g1.group_id) if hasattr(self, 'g2'): RepoGroupModel().delete(self.g2.group_id) if hasattr(self, 'ug1'): UserGroupModel().delete(self.ug1, force=True) Session().commit()
def test_inactive_user_group_does_not_affect_user_group_permissions(self): self.ug1 = fixture.create_user_group('G1') user_group_model = UserGroupModel() user_group_model.add_user_to_group(self.ug1, self.u1) user_group_model.update(self.ug1, {'users_group_active': False}) self.ug2 = fixture.create_user_group('G2') # enable admin access for user group on user group UserGroupModel().grant_user_group_permission(self.ug2, user_group=self.ug1, perm='usergroup.admin') # enable only write access for default user on user group UserGroupModel().grant_user_permission(self.ug2, user='******', perm='usergroup.write') Session().commit() u1_auth = AuthUser(user_id=self.u1.user_id) assert u1_auth.permissions['user_groups']['G1'] == 'usergroup.read' assert u1_auth.permissions['user_groups']['G2'] == 'usergroup.write'
def _authenticate(self, userobj, username, passwd, settings, **kwargs): auth = super(KallitheaExternalAuthPlugin, self)._authenticate(userobj, username, passwd, settings, **kwargs) if auth: # maybe plugin will clean the username ? # we should use the return value username = auth['username'] # if user is not active from our extern type we should fail to auth # this can prevent from creating users in Kallithea when using # external authentication, but if it's inactive user we shouldn't # create that user anyway if auth['active_from_extern'] is False: log.warning( "User %s authenticated against %s, but is inactive" % (username, self.__module__)) return None if self.use_fake_password(): # Randomize the PW because we don't need it, but don't want # them blank either passwd = PasswordGenerator().gen_password(length=8) log.debug('Updating or creating user info from %s plugin' % self.name) user = UserModel().create_or_update( username=username, password=passwd, email=auth["email"], firstname=auth["firstname"], lastname=auth["lastname"], active=auth["active"], admin=auth["admin"], extern_name=auth["extern_name"], extern_type=self.name) Session().flush() # enforce user is just in given groups, all of them has to be ones # created from plugins. We store this info in _group_data JSON field groups = auth['groups'] or [] UserGroupModel().enforce_groups(user, groups, self.name) Session().commit() return auth
def test_owner_permissions_doesnot_get_overwritten_by_group(self): #create repo as USER, self.test_repo = fixture.create_repo(name='myownrepo', repo_type='hg', cur_user=self.u1) #he has permissions of admin as owner u1_auth = AuthUser(user_id=self.u1.user_id) self.assertEqual(u1_auth.permissions['repositories']['myownrepo'], 'repository.admin') #set his permission as user group, he should still be admin self.ug1 = fixture.create_user_group('G1') UserGroupModel().add_user_to_group(self.ug1, self.u1) RepoModel().grant_user_group_permission(self.test_repo, group_name=self.ug1, perm='repository.none') Session().commit() u1_auth = AuthUser(user_id=self.u1.user_id) self.assertEqual(u1_auth.permissions['repositories']['myownrepo'], 'repository.admin')
def test_create_and_remove(self): usr = UserModel().create_or_update(username=u'test_user', password=u'qweqwe', email=u'*****@*****.**', firstname=u'u1', lastname=u'u1') Session().commit() self.assertEqual(User.get_by_username(u'test_user'), usr) # make user group user_group = fixture.create_user_group('some_example_group') Session().commit() UserGroupModel().add_user_to_group(user_group, usr) Session().commit() self.assertEqual(UserGroup.get(user_group.users_group_id), user_group) self.assertEqual(UserGroupMember.query().count(), 1) UserModel().delete(usr.user_id) Session().commit() self.assertEqual(UserGroupMember.query().all(), [])
def test_propagated_permission_from_users_group_lower_weight(self): # make group self.ug1 = fixture.create_user_group('G1') # add user to group UserGroupModel().add_user_to_group(self.ug1, self.u1) # set permission to lower new_perm_h = 'repository.write' RepoModel().grant_user_permission(repo=HG_REPO, user=self.u1, perm=new_perm_h) Session().commit() u1_auth = AuthUser(user_id=self.u1.user_id) self.assertEqual(u1_auth.permissions['repositories'][HG_REPO], new_perm_h) # grant perm for group this should NOT override permission from user # since it's lower than granted new_perm_l = 'repository.read' RepoModel().grant_user_group_permission(repo=HG_REPO, group_name=self.ug1, perm=new_perm_l) # check perms u1_auth = AuthUser(user_id=self.u1.user_id) perms = { 'repositories_groups': {}, 'global': set([ u'hg.create.repository', u'repository.read', u'hg.register.manual_activate' ]), 'repositories': { u'vcs_test_hg': u'repository.write' } } self.assertEqual(u1_auth.permissions['repositories'][HG_REPO], new_perm_h) self.assertEqual(u1_auth.permissions['repositories_groups'], perms['repositories_groups'])
def update_perms(self, id): """ grant permission for given usergroup :param id: """ user_group = UserGroup.get_or_404(id) form = UserGroupPermsForm()().to_python(request.POST) # set the permissions ! try: UserGroupModel()._update_permissions(user_group, form['perms_new'], form['perms_updates']) except RepoGroupAssignmentError: h.flash(_('Target group cannot be the same'), category='error') return redirect(url('edit_user_group_perms', id=id)) #TODO: implement this #action_logger(self.authuser, 'admin_changed_repo_permissions', # repo_name, self.ip_addr, self.sa) Session().commit() h.flash(_('User Group permissions updated'), category='success') return redirect(url('edit_user_group_perms', id=id))
def test_propagated_permission_from_users_group_by_explicit_perms_exist( self): # make group self.ug1 = fixture.create_user_group(u'G1') UserGroupModel().add_user_to_group(self.ug1, self.u1) # set permission to lower new_perm = 'repository.none' RepoModel().grant_user_permission(repo=HG_REPO, user=self.u1, perm=new_perm) Session().commit() u1_auth = AuthUser(user_id=self.u1.user_id) assert u1_auth.permissions['repositories'][HG_REPO] == new_perm # grant perm for group this should not override permission from user # since it has explicitly set new_perm_gr = 'repository.write' RepoModel().grant_user_group_permission(repo=HG_REPO, group_name=self.ug1, perm=new_perm_gr) # check perms u1_auth = AuthUser(user_id=self.u1.user_id) perms = { 'repositories_groups': {}, 'global': set([ 'hg.create.repository', 'repository.read', 'hg.register.manual_activate' ]), 'repositories': { HG_REPO: 'repository.read' } } assert u1_auth.permissions['repositories'][HG_REPO] == new_perm assert u1_auth.permissions['repositories_groups'] == perms[ 'repositories_groups']
def test_propagated_permission_from_users_group_by_explicit_perms_exist( self): # make group self.ug1 = fixture.create_user_group('G1') UserGroupModel().add_user_to_group(self.ug1, self.u1) # set user permission none RepoModel().grant_user_permission(repo=base.HG_REPO, user=self.u1, perm='repository.none') Session().commit() u1_auth = AuthUser(user_id=self.u1.user_id) assert u1_auth.permissions['repositories'][ base.HG_REPO] == 'repository.read' # inherit from default user # grant perm for group this should override permission from user RepoModel().grant_user_group_permission(repo=base.HG_REPO, group_name=self.ug1, perm='repository.write') # verify that user group permissions win u1_auth = AuthUser(user_id=self.u1.user_id) assert u1_auth.permissions['repositories'][ base.HG_REPO] == 'repository.write'
def test_propagated_permission_from_users_group_lower_weight(self): # make group self.ug1 = fixture.create_user_group('G1') # add user to group UserGroupModel().add_user_to_group(self.ug1, self.u1) # set permission to lower new_perm_h = 'repository.write' RepoModel().grant_user_permission(repo=base.HG_REPO, user=self.u1, perm=new_perm_h) Session().commit() u1_auth = AuthUser(user_id=self.u1.user_id) assert u1_auth.permissions['repositories'][base.HG_REPO] == new_perm_h # grant perm for group this should NOT override permission from user # since it's lower than granted new_perm_l = 'repository.read' RepoModel().grant_user_group_permission(repo=base.HG_REPO, group_name=self.ug1, perm=new_perm_l) # check perms u1_auth = AuthUser(user_id=self.u1.user_id) assert u1_auth.permissions['repositories'][base.HG_REPO] == new_perm_h
def _authenticate(self, userobj, username, passwd, settings, **kwargs): user_data = super(KallitheaExternalAuthPlugin, self)._authenticate(userobj, username, passwd, settings, **kwargs) if user_data is not None: if userobj is None: # external authentication of unknown user that will be created soon def_user_perms = AuthUser( dbuser=User.get_default_user()).permissions['global'] active = 'hg.extern_activate.auto' in def_user_perms else: active = userobj.active if self.use_fake_password(): # Randomize the PW because we don't need it, but don't want # them blank either passwd = PasswordGenerator().gen_password(length=8) log.debug('Updating or creating user info from %s plugin', self.name) user = UserModel().create_or_update( username=user_data['username'], password=passwd, email=user_data["email"], firstname=user_data["firstname"], lastname=user_data["lastname"], active=active, admin=user_data["admin"], extern_name=user_data["extern_name"], extern_type=self.name, ) # enforce user is just in given groups, all of them has to be ones # created from plugins. We store this info in _group_data JSON field groups = user_data['groups'] or [] UserGroupModel().enforce_groups(user, groups, self.name) Session().commit() return user_data
def test_inactive_user_group_does_not_affect_repo_group_permissions(self): self.ug1 = fixture.create_user_group('G1') user_group_model = UserGroupModel() user_group_model.add_user_to_group(self.ug1, self.u1) user_group_model.update(self.ug1, {'users_group_active': False}) self.g1 = fixture.create_repo_group('group1', skip_if_exists=True) # enable admin access for user group on repo group RepoGroupModel().grant_user_group_permission(self.g1, group_name=self.ug1, perm='group.admin') # enable only write access for default user on repo group RepoGroupModel().grant_user_permission(self.g1, user='******', perm='group.write') Session().commit() u1_auth = AuthUser(user_id=self.u1.user_id) assert u1_auth.permissions['repositories_groups'].get( 'group1') == 'group.write'
def update_default_perms(self, id): user_group = UserGroup.get_or_404(id) try: form = CustomDefaultPermissionsForm()() form_result = form.to_python(request.POST) inherit_perms = form_result['inherit_default_permissions'] user_group.inherit_default_permissions = inherit_perms usergroup_model = UserGroupModel() defs = UserGroupToPerm.query() \ .filter(UserGroupToPerm.users_group == user_group) \ .all() for ug in defs: Session().delete(ug) if form_result['create_repo_perm']: usergroup_model.grant_perm(id, 'hg.create.repository') else: usergroup_model.grant_perm(id, 'hg.create.none') if form_result['create_user_group_perm']: usergroup_model.grant_perm(id, 'hg.usergroup.create.true') else: usergroup_model.grant_perm(id, 'hg.usergroup.create.false') if form_result['fork_repo_perm']: usergroup_model.grant_perm(id, 'hg.fork.repository') else: usergroup_model.grant_perm(id, 'hg.fork.none') h.flash(_("Updated permissions"), category='success') Session().commit() except Exception: log.error(traceback.format_exc()) h.flash(_('An error occurred during permissions saving'), category='error') raise HTTPFound(location=url('edit_user_group_default_perms', id=id))
def tearDown(self): # delete all groups for gr in UserGroupModel.get_all(): fixture.destroy_user_group(gr) Session().commit()
def test_inactive_user_group_does_not_affect_global_permissions_inverse(self): # Issue #138: Inactive User Groups affecting permissions # Add user to inactive user group, set specific permissions on user # group and disable inherit-from-default. User permissions should still # inherit from default. self.ug1 = fixture.create_user_group(u'G1') self.ug1.inherit_default_permissions = False user_group_model = UserGroupModel() user_group_model.add_user_to_group(self.ug1, self.u1) user_group_model.update(self.ug1, {'users_group_active': False}) # disable fork and create on user group user_group_model.revoke_perm(self.ug1, perm='hg.create.repository') user_group_model.grant_perm(self.ug1, perm='hg.create.none') user_group_model.revoke_perm(self.ug1, perm='hg.fork.repository') user_group_model.grant_perm(self.ug1, perm='hg.fork.none') user_model = UserModel() # enable fork and create on default user usr = '******' user_model.revoke_perm(usr, 'hg.create.none') user_model.grant_perm(usr, 'hg.create.repository') user_model.revoke_perm(usr, 'hg.fork.none') user_model.grant_perm(usr, 'hg.fork.repository') Session().commit() u1_auth = AuthUser(user_id=self.u1.user_id) self.assertEqual(u1_auth.permissions['global'], set(['hg.create.repository', 'hg.fork.repository', 'hg.register.manual_activate', 'hg.extern_activate.auto', 'repository.read', 'group.read', 'usergroup.read', 'hg.create.write_on_repogroup.true']))