def _get_user_repo_permissions(user, limit_to_repository_obj=None, limit_namespace=None, limit_repo_name=None): UserThroughTeam = User.alias() base_query = (RepositoryPermission.select( RepositoryPermission, Role, Repository, Namespace).join(Role).switch(RepositoryPermission).join( Repository).join(Namespace, on=(Repository.namespace_user == Namespace.id )).switch(RepositoryPermission)) if limit_to_repository_obj is not None: base_query = base_query.where( RepositoryPermission.repository == limit_to_repository_obj) elif limit_namespace and limit_repo_name: base_query = base_query.where(Repository.name == limit_repo_name, Namespace.username == limit_namespace) direct = base_query.clone().join(User).where(User.id == user) team = (base_query.clone().join(Team).join(TeamMember).join( UserThroughTeam, on=(UserThroughTeam.id == TeamMember.user)).where( UserThroughTeam.id == user)) return direct | team
def remove_organization_member(org, user_obj): org_admins = [u.username for u in __get_org_admin_users(org)] if len(org_admins) == 1 and user_obj.username in org_admins: raise DataModelException( "Cannot remove user as they are the only organization admin") with db_transaction(): # Find and remove the user from any repositories under the org. permissions = list( RepositoryPermission.select( RepositoryPermission.id).join(Repository).where( Repository.namespace_user == org, RepositoryPermission.user == user_obj)) if permissions: RepositoryPermission.delete().where( RepositoryPermission.id << permissions).execute() # Find and remove the user from any teams under the org. members = list( TeamMember.select(TeamMember.id).join(Team).where( Team.organization == org, TeamMember.user == user_obj)) if members: TeamMember.delete().where(TeamMember.id << members).execute()
def get_all_repo_users(namespace_name, repository_name): return (RepositoryPermission.select( User, Role, RepositoryPermission).join(User).switch(RepositoryPermission).join( Role).switch(RepositoryPermission).join(Repository).join( Namespace, on=(Repository.namespace_user == Namespace.id)).where( Namespace.username == namespace_name, Repository.name == repository_name))
def list_organization_member_permissions(organization, limit_to_user=None): query = (RepositoryPermission.select( RepositoryPermission, Repository, User).join(Repository).switch(RepositoryPermission).join(User).where( Repository.namespace_user == organization)) if limit_to_user is not None: query = query.where(RepositoryPermission.user == limit_to_user) else: query = query.where(User.robot == False) return query
def __entity_permission_repo_query(entity_id, entity_table, entity_id_property, namespace_name, repository_name): """ This method works for both users and teams. """ return (RepositoryPermission.select( entity_table, Repository, Namespace, Role, RepositoryPermission).join(entity_table).switch(RepositoryPermission). join(Role).switch(RepositoryPermission).join(Repository).join( Namespace, on=(Repository.namespace_user == Namespace.id)).where( Repository.name == repository_name, Namespace.username == namespace_name, entity_id_property == entity_id, ))
def get_teams_within_org(organization, has_external_auth=False): """ Returns a AttrDict of team info (id, name, description), its role under the org, the number of repositories on which it has permission, and the number of members. """ query = Team.select().where( Team.organization == organization).join(TeamRole) def _team_view(team): return { "id": team.id, "name": team.name, "description": team.description, "role_name": Team.role.get_name(team.role_id), "repo_count": 0, "member_count": 0, "is_synced": False, } teams = {team.id: _team_view(team) for team in query} if not teams: # Just in case. Should ideally never happen. return [] # Add repository permissions count. permission_tuples = (RepositoryPermission.select( RepositoryPermission.team, fn.Count(RepositoryPermission.id)).where( RepositoryPermission.team << list(teams.keys())).group_by( RepositoryPermission.team).tuples()) for perm_tuple in permission_tuples: teams[perm_tuple[0]]["repo_count"] = perm_tuple[1] # Add the member count. members_tuples = (TeamMember.select(TeamMember.team, fn.Count( TeamMember.id)).where(TeamMember.team << list(teams.keys())).group_by( TeamMember.team).tuples()) for member_tuple in members_tuples: teams[member_tuple[0]]["member_count"] = member_tuple[1] # Add syncing information. if has_external_auth: sync_query = TeamSync.select( TeamSync.team).where(TeamSync.team << list(teams.keys())) for team_sync in sync_query: teams[team_sync.team_id]["is_synced"] = True return [AttrDict(team_info) for team_info in list(teams.values())]
def _get_visible_repositories_for_user(user, repo_kind="image", include_public=False, namespace=None): """ Returns all repositories directly visible to the given user, by either repo permission, or the user being the admin of a namespace. """ for repo in Repository.select(): if repo_kind is not None and repo.kind.name != repo_kind: continue if namespace is not None and repo.namespace_user.username != namespace: continue if include_public and repo.visibility.name == "public": yield repo continue # Direct repo permission. try: RepositoryPermission.get(repository=repo, user=user).get() yield repo continue except RepositoryPermission.DoesNotExist: pass # Team permission. found_in_team = False for perm in RepositoryPermission.select().where( RepositoryPermission.repository == repo): if perm.team and _is_team_member(perm.team, user): found_in_team = True break if found_in_team: yield repo continue # Org namespace admin permission. if user in get_admin_users(repo.namespace_user): yield repo continue
def list_robot_permissions(robot_name): return (RepositoryPermission.select( RepositoryPermission, User, Repository).join(Repository).join(Visibility).switch( RepositoryPermission).join(Role).switch(RepositoryPermission).join( User).where(User.username == robot_name, User.robot == True))
def list_team_permissions(team): return (RepositoryPermission.select(RepositoryPermission).join(Repository). join(Visibility).switch(RepositoryPermission).join(Role).switch( RepositoryPermission).where(RepositoryPermission.team == team))