def test_repo_group_user_as_user_group_member(self):
# create Group1
self.g1 = fixture.create_repo_group(u'group1', skip_if_exists=True)
a1_auth = AuthUser(user_id=self.anon.user_id)
assert a1_auth.permissions['repositories_groups'] == {
u'group1': u'group.read'
}
# set default permission to none
RepoGroupModel().grant_user_permission(repo_group=self.g1,
user=self.anon,
perm='group.none')
# make group
self.ug1 = fixture.create_user_group(u'G1')
# add user to group
UserGroupModel().add_user_to_group(self.ug1, self.u1)
Session().commit()
# check if user is in the group
members = [
x.user_id
for x in UserGroupModel().get(self.ug1.users_group_id).members
]
assert members == [self.u1.user_id]
# add some user to that group
# check his permissions
a1_auth = AuthUser(user_id=self.anon.user_id)
assert a1_auth.permissions['repositories_groups'] == {
u'group1': u'group.none'
}
u1_auth = AuthUser(user_id=self.u1.user_id)
assert u1_auth.permissions['repositories_groups'] == {
u'group1': u'group.none'
}
# grant ug1 read permissions for
RepoGroupModel().grant_user_group_permission(repo_group=self.g1,
group_name=self.ug1,
perm='group.read')
Session().commit()
# check if the
obj = Session().query(UserGroupRepoGroupToPerm) \
.filter(UserGroupRepoGroupToPerm.group == self.g1) \
.filter(UserGroupRepoGroupToPerm.users_group == self.ug1) \
.scalar()
assert obj.permission.permission_name == 'group.read'
a1_auth = AuthUser(user_id=self.anon.user_id)
assert a1_auth.permissions['repositories_groups'] == {
u'group1': u'group.none'
}
u1_auth = AuthUser(user_id=self.u1.user_id)
assert u1_auth.permissions['repositories_groups'] == {
u'group1': u'group.read'
}
def _determine_auth_user(api_key, bearer_token, session_authuser):
"""
Create an `AuthUser` object given the API key/bearer token
(if any) and the value of the authuser session cookie.
"""
# Authenticate by bearer token
if bearer_token is not None:
api_key = bearer_token
# Authenticate by API key
if api_key is not None:
au = AuthUser(dbuser=User.get_by_api_key(api_key),
authenticating_api_key=api_key, is_external_auth=True)
if au.is_anonymous:
log.warning('API key ****%s is NOT valid', api_key[-4:])
raise webob.exc.HTTPForbidden(_('Invalid API key'))
return au
# Authenticate by session cookie
# In ancient login sessions, 'authuser' may not be a dict.
# In that case, the user will have to log in again.
# v0.3 and earlier included an 'is_authenticated' key; if present,
# this must be True.
if isinstance(session_authuser, dict) and session_authuser.get('is_authenticated', True):
try:
return AuthUser.from_cookie(session_authuser)
except UserCreationError as e:
# container auth or other auth functions that create users on
# the fly can throw UserCreationError to signal issues with
# user creation. Explanation should be provided in the
# exception object.
from kallithea.lib import helpers as h
h.flash(e, 'error', logf=log.error)
# Authenticate by auth_container plugin (if enabled)
if any(
plugin.is_container_auth
for plugin in auth_modules.get_auth_plugins()
):
try:
user_info = auth_modules.authenticate('', '', request.environ)
except UserCreationError as e:
from kallithea.lib import helpers as h
h.flash(e, 'error', logf=log.error)
else:
if user_info is not None:
username = user_info['username']
user = User.get_by_username(username, case_insensitive=True)
return log_in_user(user, remember=False,
is_external_auth=True)
# User is anonymous
return AuthUser()
def test_default_perms_set(self):
u1_auth = AuthUser(user_id=self.u1.user_id)
assert u1_auth.permissions['repositories'][
base.HG_REPO] == 'repository.read'
new_perm = 'repository.write'
RepoModel().grant_user_permission(repo=base.HG_REPO,
user=self.u1,
perm=new_perm)
Session().commit()
u1_auth = AuthUser(user_id=self.u1.user_id)
assert u1_auth.permissions['repositories'][base.HG_REPO] == new_perm
def test_default_admin_perms_set(self):
a1_auth = AuthUser(user_id=self.a1.user_id)
assert a1_auth.permissions['repositories'][
base.HG_REPO] == 'repository.admin'
new_perm = 'repository.write'
RepoModel().grant_user_permission(repo=base.HG_REPO,
user=self.a1,
perm=new_perm)
Session().commit()
# cannot really downgrade admins permissions !? they still gets set as
# admin !
u1_auth = AuthUser(user_id=self.a1.user_id)
assert u1_auth.permissions['repositories'][
base.HG_REPO] == 'repository.admin'
def _render_edit_profile(self, user):
c.user = user
c.active = 'profile'
c.perm_user = AuthUser(dbuser=user)
managed_fields = auth_modules.get_managed_fields(user)
c.readonly = lambda n: 'readonly' if n in managed_fields else None
return render('admin/users/user_edit.html')
def test_inactive_user_group_does_not_affect_global_permissions(self):
# Add user to inactive user group, set specific permissions on user
# group and and verify it really is inactive.
self.ug1 = fixture.create_user_group('G1')
user_group_model = UserGroupModel()
user_group_model.add_user_to_group(self.ug1, self.u1)
user_group_model.update(self.ug1, {'users_group_active': False})
# enable fork and create on user group
user_group_model.revoke_perm(self.ug1, perm='hg.create.none')
user_group_model.grant_perm(self.ug1, perm='hg.create.repository')
user_group_model.revoke_perm(self.ug1, perm='hg.fork.none')
user_group_model.grant_perm(self.ug1, perm='hg.fork.repository')
user_model = UserModel()
# disable fork and create on default user
usr = '******'
user_model.revoke_perm(usr, 'hg.create.repository')
user_model.grant_perm(usr, 'hg.create.none')
user_model.revoke_perm(usr, 'hg.fork.repository')
user_model.grant_perm(usr, 'hg.fork.none')
Session().commit()
u1_auth = AuthUser(user_id=self.u1.user_id)
assert u1_auth.permissions['global'] == set([
'hg.create.none', 'hg.fork.none', 'hg.register.manual_activate',
'hg.extern_activate.auto', 'repository.read', 'group.read',
'usergroup.read', 'hg.create.write_on_repogroup.true'
])
def test_non_inherited_permissions_from_default_on_user_disabled(self):
user_model = UserModel()
# disable fork and create on default user
usr = '******'
user_model.revoke_perm(usr, 'hg.create.repository')
user_model.grant_perm(usr, 'hg.create.none')
user_model.revoke_perm(usr, 'hg.fork.repository')
user_model.grant_perm(usr, 'hg.fork.none')
#enable global perms on specific user
user_model.revoke_perm(self.u1, 'hg.create.none')
user_model.grant_perm(self.u1, 'hg.create.repository')
user_model.revoke_perm(self.u1, 'hg.fork.none')
user_model.grant_perm(self.u1, 'hg.fork.repository')
# make sure inherit flag is turned off
self.u1.inherit_default_permissions = False
Session().commit()
u1_auth = AuthUser(user_id=self.u1.user_id)
# this user will have non inherited permissions from he's
# explicitly set permissions
self.assertEqual(
u1_auth.permissions['global'],
set([
'hg.create.repository', 'hg.fork.repository',
'hg.register.manual_activate', 'hg.extern_activate.auto',
'repository.read', 'group.read', 'usergroup.read',
'hg.create.write_on_repogroup.true'
]))
def _store_user_in_session(self, username, remember=False):
user = User.get_by_username(username, case_insensitive=True)
auth_user = AuthUser(user.user_id)
auth_user.set_authenticated()
cs = auth_user.get_cookie_store()
session['authuser'] = cs
user.update_lastlogin()
Session().commit()
# If they want to be remembered, update the cookie
if remember:
_year = (datetime.datetime.now() +
datetime.timedelta(seconds=60 * 60 * 24 * 365))
session._set_cookie_expires(_year)
session.save()
log.info('user %s is now authenticated and stored in '
'session, session attrs %s' % (username, cs))
# dumps session attrs back to cookie
session._update_cookie_out()
# we set new cookie
headers = None
if session.request['set_cookie']:
# send set-cookie headers back to response to update cookie
headers = [('Set-Cookie', session.request['cookie_out'])]
return headers
def test_propagated_permission_from_users_group(self):
# make group
self.ug1 = fixture.create_user_group('G1')
UserGroupModel().add_user_to_group(self.ug1, self.u3)
# grant perm for group this should override default permission from user
new_perm_gr = 'repository.write'
RepoModel().grant_user_group_permission(repo=HG_REPO,
group_name=self.ug1,
perm=new_perm_gr)
# check perms
u3_auth = AuthUser(user_id=self.u3.user_id)
perms = {
'repositories_groups': {},
'global':
set([
u'hg.create.repository', u'repository.read',
u'hg.register.manual_activate'
]),
'repositories': {
u'vcs_test_hg': u'repository.read'
}
}
self.assertEqual(u3_auth.permissions['repositories'][HG_REPO],
new_perm_gr)
self.assertEqual(u3_auth.permissions['repositories_groups'],
perms['repositories_groups'])
def create_pullrequest(self,
testcontroller,
repo_name,
pr_src_rev,
pr_dst_rev,
title='title'):
org_ref = 'branch:stable:%s' % pr_src_rev
other_ref = 'branch:default:%s' % pr_dst_rev
with test_context(
testcontroller.app): # needed to be able to mock request user
org_repo = other_repo = Repository.get_by_repo_name(repo_name)
owner_user = User.get_by_username(TEST_USER_ADMIN_LOGIN)
reviewers = [User.get_by_username(TEST_USER_REGULAR_LOGIN)]
request.authuser = AuthUser(dbuser=owner_user)
# creating a PR sends a message with an absolute URL - without routing that requires mocking
with mock.patch.object(
helpers, 'url',
(lambda arg, qualified=False, **kwargs:
('https://localhost' if qualified else '') + '/fake/' + arg)):
cmd = CreatePullRequestAction(org_repo, other_repo, org_ref,
other_ref, title,
'No description', owner_user,
reviewers)
pull_request = cmd.execute()
Session().commit()
return pull_request.pull_request_id
def my_account_perms(self):
c.active = 'perms'
self.__load_data()
c.perm_user = AuthUser(user_id=self.authuser.user_id,
ip_addr=self.ip_addr)
return render('admin/my_account/my_account.html')
def test_inactive_user_group_does_not_affect_global_permissions_inverse(
self):
# Issue #138: Inactive User Groups affecting permissions
# Add user to inactive user group, set specific permissions on user
# group and disable inherit-from-default. User permissions should still
# inherit from default.
self.ug1 = fixture.create_user_group(u'G1')
self.ug1.inherit_default_permissions = False
user_group_model = UserGroupModel()
user_group_model.add_user_to_group(self.ug1, self.u1)
user_group_model.update(self.ug1, {'users_group_active': False})
# disable fork and create on user group
user_group_model.revoke_perm(self.ug1, perm='hg.create.repository')
user_group_model.grant_perm(self.ug1, perm='hg.create.none')
user_group_model.revoke_perm(self.ug1, perm='hg.fork.repository')
user_group_model.grant_perm(self.ug1, perm='hg.fork.none')
user_model = UserModel()
# enable fork and create on default user
usr = '******'
user_model.revoke_perm(usr, 'hg.create.none')
user_model.grant_perm(usr, 'hg.create.repository')
user_model.revoke_perm(usr, 'hg.fork.none')
user_model.grant_perm(usr, 'hg.fork.repository')
Session().commit()
u1_auth = AuthUser(user_id=self.u1.user_id)
assert u1_auth.permissions['global'] == set([
'hg.create.repository', 'hg.fork.repository',
'hg.register.manual_activate', 'hg.extern_activate.auto',
'repository.read', 'group.read', 'usergroup.read',
'hg.create.write_on_repogroup.true'
])
def test_inactive_user_group_does_not_affect_repo_permissions_inverse(
self):
self.ug1 = fixture.create_user_group(u'G1')
self.ug1.inherit_default_permissions = False
user_group_model = UserGroupModel()
user_group_model.add_user_to_group(self.ug1, self.u1)
user_group_model.update(self.ug1, {'users_group_active': False})
# note: make u2 repo owner rather than u1, because the owner always has
# admin permissions
self.test_repo = fixture.create_repo(name=u'myownrepo',
repo_type='hg',
cur_user=self.u2)
# enable only write access for user group on repo
RepoModel().grant_user_group_permission(self.test_repo,
group_name=self.ug1,
perm='repository.write')
# enable admin access for default user on repo
RepoModel().grant_user_permission(self.test_repo,
user='******',
perm='repository.admin')
Session().commit()
u1_auth = AuthUser(user_id=self.u1.user_id)
assert u1_auth.permissions['repositories'][
'myownrepo'] == 'repository.admin'
def _get_perms(filter_='', recursive=None, key=None, test_u1_id=None):
test_u1 = AuthUser(user_id=test_u1_id)
for k, v in test_u1.permissions[key].items():
if recursive in ['all', 'repos', 'groups'] and k.startswith(filter_):
yield k, v
elif recursive in ['none']:
if k == filter_:
yield k, v
def test_owner_permissions_doesnot_get_overwritten_by_others(self):
#create repo as USER,
self.test_repo = fixture.create_repo(name='myownrepo',
repo_type='hg',
cur_user=self.u1)
#he has permissions of admin as owner
u1_auth = AuthUser(user_id=self.u1.user_id)
self.assertEqual(u1_auth.permissions['repositories']['myownrepo'],
'repository.admin')
#set his permission as user, he should still be admin
RepoModel().grant_user_permission(self.test_repo,
user=self.u1,
perm='repository.none')
Session().commit()
u1_auth = AuthUser(user_id=self.u1.user_id)
self.assertEqual(u1_auth.permissions['repositories']['myownrepo'],
'repository.admin')
def my_account(self):
"""
GET /_admin/my_account Displays info about my account
"""
# url('my_account')
c.active = 'profile'
self.__load_data()
c.perm_user = AuthUser(user_id=self.authuser.user_id,
ip_addr=self.ip_addr)
c.extern_type = c.user.extern_type
c.extern_name = c.user.extern_name
defaults = c.user.get_dict()
update = False
if request.POST:
_form = UserForm(edit=True,
old_data={
'user_id': self.authuser.user_id,
'email': self.authuser.email
})()
form_result = {}
try:
post_data = dict(request.POST)
post_data['new_password'] = ''
post_data['password_confirmation'] = ''
form_result = _form.to_python(post_data)
# skip updating those attrs for my account
skip_attrs = [
'admin', 'active', 'extern_type', 'extern_name',
'new_password', 'password_confirmation'
]
#TODO: plugin should define if username can be updated
if c.extern_type != EXTERN_TYPE_INTERNAL:
# forbid updating username for external accounts
skip_attrs.append('username')
UserModel().update(self.authuser.user_id,
form_result,
skip_attrs=skip_attrs)
h.flash(_('Your account was updated successfully'),
category='success')
Session().commit()
update = True
except formencode.Invalid, errors:
return htmlfill.render(
render('admin/my_account/my_account.html'),
defaults=errors.value,
errors=errors.error_dict or {},
prefix_error=False,
encoding="UTF-8",
force_defaults=False)
except Exception:
log.error(traceback.format_exc())
h.flash(_('Error occurred during update of user %s') \
% form_result.get('username'), category='error')
def test_default_admin_group_perms(self):
self.g1 = fixture.create_repo_group('test1', skip_if_exists=True)
self.g2 = fixture.create_repo_group('test2', skip_if_exists=True)
a1_auth = AuthUser(user_id=self.a1.user_id)
assert a1_auth.permissions['repositories'][
base.HG_REPO] == 'repository.admin'
assert a1_auth.permissions['repositories_groups'].get(
'test1') == 'group.admin'
assert a1_auth.permissions['repositories_groups'].get(
'test2') == 'group.admin'
def my_account(self):
c.active = 'profile'
self.__load_data()
c.perm_user = AuthUser(user_id=request.authuser.user_id)
managed_fields = auth_modules.get_managed_fields(c.user)
def_user_perms = User.get_default_user().AuthUser.permissions['global']
if 'hg.register.none' in def_user_perms:
managed_fields.extend(['username', 'firstname', 'lastname', 'email'])
c.readonly = lambda n: 'readonly' if n in managed_fields else None
defaults = c.user.get_dict()
update = False
if request.POST:
_form = UserForm(edit=True,
old_data={'user_id': request.authuser.user_id,
'email': request.authuser.email})()
form_result = {}
try:
post_data = dict(request.POST)
post_data['new_password'] = ''
post_data['password_confirmation'] = ''
form_result = _form.to_python(post_data)
# skip updating those attrs for my account
skip_attrs = ['admin', 'active', 'extern_type', 'extern_name',
'new_password', 'password_confirmation',
] + managed_fields
UserModel().update(request.authuser.user_id, form_result,
skip_attrs=skip_attrs)
h.flash(_('Your account was updated successfully'),
category='success')
Session().commit()
update = True
except formencode.Invalid as errors:
return htmlfill.render(
render('admin/my_account/my_account.html'),
defaults=errors.value,
errors=errors.error_dict or {},
prefix_error=False,
encoding="UTF-8",
force_defaults=False)
except Exception:
log.error(traceback.format_exc())
h.flash(_('Error occurred during update of user %s') \
% form_result.get('username'), category='error')
if update:
raise HTTPFound(location='my_account')
return htmlfill.render(
render('admin/my_account/my_account.html'),
defaults=defaults,
encoding="UTF-8",
force_defaults=False)
def __call__(self, environ, start_response):
"""Invoke the Controller"""
# WSGIController.__call__ dispatches to the Controller method
# the request is routed to. This routing information is
# available in environ['pylons.routes_dict']
try:
self.ip_addr = _get_ip_addr(environ)
# make sure that we update permissions each time we call controller
api_key = request.GET.get('api_key')
if api_key:
# when using API_KEY we are sure user exists.
auth_user = AuthUser(api_key=api_key, ip_addr=self.ip_addr)
authenticated = False
else:
cookie_store = CookieStoreWrapper(session.get('authuser'))
try:
auth_user = AuthUser(user_id=cookie_store.get(
'user_id', None),
ip_addr=self.ip_addr)
except UserCreationError, e:
from kallithea.lib import helpers as h
h.flash(e, 'error')
# container auth or other auth functions that create users on
# the fly can throw this exception signaling that there's issue
# with user creation, explanation should be provided in
# Exception itself
auth_user = AuthUser(ip_addr=self.ip_addr)
authenticated = cookie_store.get('is_authenticated')
if not auth_user.is_authenticated and auth_user.user_id is not None:
# user is not authenticated and not empty
auth_user.set_authenticated(authenticated)
request.user = auth_user
#set globals for auth user
self.authuser = c.authuser = auth_user
log.info('IP: %s User: %s accessed %s' %
(self.ip_addr, auth_user,
safe_unicode(_get_access_path(environ))))
return WSGIController.__call__(self, environ, start_response)
def test_default_admin_perms_set(self):
a1_auth = AuthUser(user_id=self.a1.user_id)
perms = {
'repositories_groups': {},
'global': set([u'hg.admin', 'hg.create.write_on_repogroup.true']),
'repositories': {
u'vcs_test_hg': u'repository.admin'
}
}
self.assertEqual(a1_auth.permissions['repositories'][HG_REPO],
perms['repositories'][HG_REPO])
new_perm = 'repository.write'
RepoModel().grant_user_permission(repo=HG_REPO,
user=self.a1,
perm=new_perm)
Session().commit()
# cannot really downgrade admins permissions !? they still gets set as
# admin !
u1_auth = AuthUser(user_id=self.a1.user_id)
self.assertEqual(u1_auth.permissions['repositories'][HG_REPO],
perms['repositories'][HG_REPO])
def test_default_group_perms(self):
self.g1 = fixture.create_repo_group('test1', skip_if_exists=True)
self.g2 = fixture.create_repo_group('test2', skip_if_exists=True)
u1_auth = AuthUser(user_id=self.u1.user_id)
assert u1_auth.permissions['repositories'][
base.HG_REPO] == 'repository.read'
assert u1_auth.permissions['repositories_groups'].get(
'test1') == 'group.read'
assert u1_auth.permissions['repositories_groups'].get(
'test2') == 'group.read'
assert u1_auth.permissions['global'] == set(
Permission.DEFAULT_USER_PERMISSIONS)
def test_owner_permissions_doesnot_get_overwritten_by_group(self):
#create repo as USER,
self.test_repo = fixture.create_repo(name=u'myownrepo',
repo_type='hg',
cur_user=self.u1)
#he has permissions of admin as owner
u1_auth = AuthUser(user_id=self.u1.user_id)
assert u1_auth.permissions['repositories'][
'myownrepo'] == 'repository.admin'
#set his permission as user group, he should still be admin
self.ug1 = fixture.create_user_group(u'G1')
UserGroupModel().add_user_to_group(self.ug1, self.u1)
RepoModel().grant_user_group_permission(self.test_repo,
group_name=self.ug1,
perm='repository.none')
Session().commit()
u1_auth = AuthUser(user_id=self.u1.user_id)
assert u1_auth.permissions['repositories'][
'myownrepo'] == 'repository.admin'
def register(self):
def_user_perms = AuthUser(
dbuser=User.get_default_user()).permissions['global']
c.auto_active = 'hg.register.auto_activate' in def_user_perms
settings = Setting.get_app_settings()
captcha_private_key = settings.get('captcha_private_key')
c.captcha_active = bool(captcha_private_key)
c.captcha_public_key = settings.get('captcha_public_key')
if request.POST:
register_form = RegisterForm()()
try:
form_result = register_form.to_python(dict(request.POST))
form_result['active'] = c.auto_active
if c.captcha_active:
from kallithea.lib.recaptcha import submit
response = submit(request.POST.get('g-recaptcha-response'),
private_key=captcha_private_key,
remoteip=request.ip_addr)
if not response.is_valid:
_value = form_result
_msg = _('Bad captcha')
error_dict = {'recaptcha_field': _msg}
raise formencode.Invalid(_msg,
_value,
None,
error_dict=error_dict)
UserModel().create_registration(form_result)
h.flash(_('You have successfully registered with %s') %
(c.site_name or 'Kallithea'),
category='success')
Session().commit()
raise HTTPFound(location=url('login_home'))
except formencode.Invalid as errors:
return htmlfill.render(render('/register.html'),
defaults=errors.value,
errors=errors.error_dict or {},
prefix_error=False,
encoding="UTF-8",
force_defaults=False)
except UserCreationError as e:
# container auth or other auth functions that create users on
# the fly can throw this exception signaling that there's issue
# with user creation, explanation should be provided in
# Exception itself
h.flash(e, 'error')
return render('/register.html')
def test_propagated_permission_from_users_group(self):
# make group
self.ug1 = fixture.create_user_group('G1')
UserGroupModel().add_user_to_group(self.ug1, self.u3)
# grant perm for group this should override default permission from user
new_perm_gr = 'repository.write'
RepoModel().grant_user_group_permission(repo=base.HG_REPO,
group_name=self.ug1,
perm=new_perm_gr)
# check perms
u3_auth = AuthUser(user_id=self.u3.user_id)
assert u3_auth.permissions['repositories'][base.HG_REPO] == new_perm_gr
def test_propagated_permission_from_users_group_lower_weight(self):
# make group
self.ug1 = fixture.create_user_group('G1')
# add user to group
UserGroupModel().add_user_to_group(self.ug1, self.u1)
# set permission to lower
new_perm_h = 'repository.write'
RepoModel().grant_user_permission(repo=HG_REPO,
user=self.u1,
perm=new_perm_h)
Session().commit()
u1_auth = AuthUser(user_id=self.u1.user_id)
self.assertEqual(u1_auth.permissions['repositories'][HG_REPO],
new_perm_h)
# grant perm for group this should NOT override permission from user
# since it's lower than granted
new_perm_l = 'repository.read'
RepoModel().grant_user_group_permission(repo=HG_REPO,
group_name=self.ug1,
perm=new_perm_l)
# check perms
u1_auth = AuthUser(user_id=self.u1.user_id)
perms = {
'repositories_groups': {},
'global':
set([
u'hg.create.repository', u'repository.read',
u'hg.register.manual_activate'
]),
'repositories': {
u'vcs_test_hg': u'repository.write'
}
}
self.assertEqual(u1_auth.permissions['repositories'][HG_REPO],
new_perm_h)
self.assertEqual(u1_auth.permissions['repositories_groups'],
perms['repositories_groups'])
def get_all_user_repos(self, user):
"""
Gets all repositories that user have at least read access
:param user:
"""
from kallithea.lib.auth import AuthUser
user = User.guess_instance(user)
repos = AuthUser(dbuser=user).permissions['repositories']
access_check = lambda r: r[
1] in ['repository.read', 'repository.write', 'repository.admin']
repos = [x[0] for x in filter(access_check, repos.items())]
return Repository.query().filter(Repository.repo_name.in_(repos))
def update(self, id):
"""PUT /users/id: Update an existing item"""
# Forms posted to this method should contain a hidden field:
# <input type="hidden" name="_method" value="PUT" />
# Or using helpers:
# h.form(url('update_user', id=ID),
# method='put')
# url('user', id=ID)
c.active = 'profile'
user_model = UserModel()
c.user = user_model.get(id)
c.extern_type = c.user.extern_type
c.extern_name = c.user.extern_name
c.perm_user = AuthUser(user_id=id, ip_addr=self.ip_addr)
_form = UserForm(edit=True,
old_data={
'user_id': id,
'email': c.user.email
})()
form_result = {}
try:
form_result = _form.to_python(dict(request.POST))
skip_attrs = ['extern_type', 'extern_name']
#TODO: plugin should define if username can be updated
if c.extern_type != kallithea.EXTERN_TYPE_INTERNAL:
# forbid updating username for external accounts
skip_attrs.append('username')
user_model.update(id, form_result, skip_attrs=skip_attrs)
usr = form_result['username']
action_logger(self.authuser, 'admin_updated_user:%s' % usr, None,
self.ip_addr, self.sa)
h.flash(_('User updated successfully'), category='success')
Session().commit()
except formencode.Invalid, errors:
defaults = errors.value
e = errors.error_dict or {}
defaults.update({
'create_repo_perm':
user_model.has_perm(id, 'hg.create.repository'),
'fork_repo_perm':
user_model.has_perm(id, 'hg.fork.repository'),
'_method':
'put'
})
return htmlfill.render(render('admin/users/user_edit.html'),
defaults=defaults,
errors=e,
prefix_error=False,
encoding="UTF-8",
force_defaults=False)
def get_all_user_repos(self, user):
"""
Gets all repositories that user have at least read access
:param user:
"""
from kallithea.lib.auth import AuthUser
auth_user = AuthUser(dbuser=User.guess_instance(user))
repos = [
repo_name for repo_name, perm in
auth_user.permissions['repositories'].items() if perm in
['repository.read', 'repository.write', 'repository.admin']
]
return Repository.query().filter(Repository.repo_name.in_(repos))
def test_default_perms_set(self):
u1_auth = AuthUser(user_id=self.u1.user_id)
perms = {
'repositories_groups': {},
'global':
set([
'hg.create.repository', 'repository.read',
'hg.register.manual_activate'
]),
'repositories': {
HG_REPO: 'repository.read'
}
}
assert u1_auth.permissions['repositories'][HG_REPO] == perms[
'repositories'][HG_REPO]
new_perm = 'repository.write'
RepoModel().grant_user_permission(repo=HG_REPO,
user=self.u1,
perm=new_perm)
Session().commit()
u1_auth = AuthUser(user_id=self.u1.user_id)
assert u1_auth.permissions['repositories'][HG_REPO] == new_perm
def test_propagated_permission_from_users_group_by_explicit_perms_exist(
self):
# make group
self.ug1 = fixture.create_user_group(u'G1')
UserGroupModel().add_user_to_group(self.ug1, self.u1)
# set permission to lower
new_perm = 'repository.none'
RepoModel().grant_user_permission(repo=HG_REPO,
user=self.u1,
perm=new_perm)
Session().commit()
u1_auth = AuthUser(user_id=self.u1.user_id)
assert u1_auth.permissions['repositories'][HG_REPO] == new_perm
# grant perm for group this should not override permission from user
# since it has explicitly set
new_perm_gr = 'repository.write'
RepoModel().grant_user_group_permission(repo=HG_REPO,
group_name=self.ug1,
perm=new_perm_gr)
# check perms
u1_auth = AuthUser(user_id=self.u1.user_id)
perms = {
'repositories_groups': {},
'global':
set([
'hg.create.repository', 'repository.read',
'hg.register.manual_activate'
]),
'repositories': {
HG_REPO: 'repository.read'
}
}
assert u1_auth.permissions['repositories'][HG_REPO] == new_perm
assert u1_auth.permissions['repositories_groups'] == perms[
'repositories_groups']