def test_repo_group_user_as_user_group_member(self): # create Group1 self.g1 = fixture.create_repo_group(u'group1', skip_if_exists=True) a1_auth = AuthUser(user_id=self.anon.user_id) assert a1_auth.permissions['repositories_groups'] == { u'group1': u'group.read' } # set default permission to none RepoGroupModel().grant_user_permission(repo_group=self.g1, user=self.anon, perm='group.none') # make group self.ug1 = fixture.create_user_group(u'G1') # add user to group UserGroupModel().add_user_to_group(self.ug1, self.u1) Session().commit() # check if user is in the group members = [ x.user_id for x in UserGroupModel().get(self.ug1.users_group_id).members ] assert members == [self.u1.user_id] # add some user to that group # check his permissions a1_auth = AuthUser(user_id=self.anon.user_id) assert a1_auth.permissions['repositories_groups'] == { u'group1': u'group.none' } u1_auth = AuthUser(user_id=self.u1.user_id) assert u1_auth.permissions['repositories_groups'] == { u'group1': u'group.none' } # grant ug1 read permissions for RepoGroupModel().grant_user_group_permission(repo_group=self.g1, group_name=self.ug1, perm='group.read') Session().commit() # check if the obj = Session().query(UserGroupRepoGroupToPerm) \ .filter(UserGroupRepoGroupToPerm.group == self.g1) \ .filter(UserGroupRepoGroupToPerm.users_group == self.ug1) \ .scalar() assert obj.permission.permission_name == 'group.read' a1_auth = AuthUser(user_id=self.anon.user_id) assert a1_auth.permissions['repositories_groups'] == { u'group1': u'group.none' } u1_auth = AuthUser(user_id=self.u1.user_id) assert u1_auth.permissions['repositories_groups'] == { u'group1': u'group.read' }
def _determine_auth_user(api_key, bearer_token, session_authuser): """ Create an `AuthUser` object given the API key/bearer token (if any) and the value of the authuser session cookie. """ # Authenticate by bearer token if bearer_token is not None: api_key = bearer_token # Authenticate by API key if api_key is not None: au = AuthUser(dbuser=User.get_by_api_key(api_key), authenticating_api_key=api_key, is_external_auth=True) if au.is_anonymous: log.warning('API key ****%s is NOT valid', api_key[-4:]) raise webob.exc.HTTPForbidden(_('Invalid API key')) return au # Authenticate by session cookie # In ancient login sessions, 'authuser' may not be a dict. # In that case, the user will have to log in again. # v0.3 and earlier included an 'is_authenticated' key; if present, # this must be True. if isinstance(session_authuser, dict) and session_authuser.get('is_authenticated', True): try: return AuthUser.from_cookie(session_authuser) except UserCreationError as e: # container auth or other auth functions that create users on # the fly can throw UserCreationError to signal issues with # user creation. Explanation should be provided in the # exception object. from kallithea.lib import helpers as h h.flash(e, 'error', logf=log.error) # Authenticate by auth_container plugin (if enabled) if any( plugin.is_container_auth for plugin in auth_modules.get_auth_plugins() ): try: user_info = auth_modules.authenticate('', '', request.environ) except UserCreationError as e: from kallithea.lib import helpers as h h.flash(e, 'error', logf=log.error) else: if user_info is not None: username = user_info['username'] user = User.get_by_username(username, case_insensitive=True) return log_in_user(user, remember=False, is_external_auth=True) # User is anonymous return AuthUser()
def test_default_perms_set(self): u1_auth = AuthUser(user_id=self.u1.user_id) assert u1_auth.permissions['repositories'][ base.HG_REPO] == 'repository.read' new_perm = 'repository.write' RepoModel().grant_user_permission(repo=base.HG_REPO, user=self.u1, perm=new_perm) Session().commit() u1_auth = AuthUser(user_id=self.u1.user_id) assert u1_auth.permissions['repositories'][base.HG_REPO] == new_perm
def test_default_admin_perms_set(self): a1_auth = AuthUser(user_id=self.a1.user_id) assert a1_auth.permissions['repositories'][ base.HG_REPO] == 'repository.admin' new_perm = 'repository.write' RepoModel().grant_user_permission(repo=base.HG_REPO, user=self.a1, perm=new_perm) Session().commit() # cannot really downgrade admins permissions !? they still gets set as # admin ! u1_auth = AuthUser(user_id=self.a1.user_id) assert u1_auth.permissions['repositories'][ base.HG_REPO] == 'repository.admin'
def _render_edit_profile(self, user): c.user = user c.active = 'profile' c.perm_user = AuthUser(dbuser=user) managed_fields = auth_modules.get_managed_fields(user) c.readonly = lambda n: 'readonly' if n in managed_fields else None return render('admin/users/user_edit.html')
def test_inactive_user_group_does_not_affect_global_permissions(self): # Add user to inactive user group, set specific permissions on user # group and and verify it really is inactive. self.ug1 = fixture.create_user_group('G1') user_group_model = UserGroupModel() user_group_model.add_user_to_group(self.ug1, self.u1) user_group_model.update(self.ug1, {'users_group_active': False}) # enable fork and create on user group user_group_model.revoke_perm(self.ug1, perm='hg.create.none') user_group_model.grant_perm(self.ug1, perm='hg.create.repository') user_group_model.revoke_perm(self.ug1, perm='hg.fork.none') user_group_model.grant_perm(self.ug1, perm='hg.fork.repository') user_model = UserModel() # disable fork and create on default user usr = '******' user_model.revoke_perm(usr, 'hg.create.repository') user_model.grant_perm(usr, 'hg.create.none') user_model.revoke_perm(usr, 'hg.fork.repository') user_model.grant_perm(usr, 'hg.fork.none') Session().commit() u1_auth = AuthUser(user_id=self.u1.user_id) assert u1_auth.permissions['global'] == set([ 'hg.create.none', 'hg.fork.none', 'hg.register.manual_activate', 'hg.extern_activate.auto', 'repository.read', 'group.read', 'usergroup.read', 'hg.create.write_on_repogroup.true' ])
def test_non_inherited_permissions_from_default_on_user_disabled(self): user_model = UserModel() # disable fork and create on default user usr = '******' user_model.revoke_perm(usr, 'hg.create.repository') user_model.grant_perm(usr, 'hg.create.none') user_model.revoke_perm(usr, 'hg.fork.repository') user_model.grant_perm(usr, 'hg.fork.none') #enable global perms on specific user user_model.revoke_perm(self.u1, 'hg.create.none') user_model.grant_perm(self.u1, 'hg.create.repository') user_model.revoke_perm(self.u1, 'hg.fork.none') user_model.grant_perm(self.u1, 'hg.fork.repository') # make sure inherit flag is turned off self.u1.inherit_default_permissions = False Session().commit() u1_auth = AuthUser(user_id=self.u1.user_id) # this user will have non inherited permissions from he's # explicitly set permissions self.assertEqual( u1_auth.permissions['global'], set([ 'hg.create.repository', 'hg.fork.repository', 'hg.register.manual_activate', 'hg.extern_activate.auto', 'repository.read', 'group.read', 'usergroup.read', 'hg.create.write_on_repogroup.true' ]))
def _store_user_in_session(self, username, remember=False): user = User.get_by_username(username, case_insensitive=True) auth_user = AuthUser(user.user_id) auth_user.set_authenticated() cs = auth_user.get_cookie_store() session['authuser'] = cs user.update_lastlogin() Session().commit() # If they want to be remembered, update the cookie if remember: _year = (datetime.datetime.now() + datetime.timedelta(seconds=60 * 60 * 24 * 365)) session._set_cookie_expires(_year) session.save() log.info('user %s is now authenticated and stored in ' 'session, session attrs %s' % (username, cs)) # dumps session attrs back to cookie session._update_cookie_out() # we set new cookie headers = None if session.request['set_cookie']: # send set-cookie headers back to response to update cookie headers = [('Set-Cookie', session.request['cookie_out'])] return headers
def test_propagated_permission_from_users_group(self): # make group self.ug1 = fixture.create_user_group('G1') UserGroupModel().add_user_to_group(self.ug1, self.u3) # grant perm for group this should override default permission from user new_perm_gr = 'repository.write' RepoModel().grant_user_group_permission(repo=HG_REPO, group_name=self.ug1, perm=new_perm_gr) # check perms u3_auth = AuthUser(user_id=self.u3.user_id) perms = { 'repositories_groups': {}, 'global': set([ u'hg.create.repository', u'repository.read', u'hg.register.manual_activate' ]), 'repositories': { u'vcs_test_hg': u'repository.read' } } self.assertEqual(u3_auth.permissions['repositories'][HG_REPO], new_perm_gr) self.assertEqual(u3_auth.permissions['repositories_groups'], perms['repositories_groups'])
def create_pullrequest(self, testcontroller, repo_name, pr_src_rev, pr_dst_rev, title='title'): org_ref = 'branch:stable:%s' % pr_src_rev other_ref = 'branch:default:%s' % pr_dst_rev with test_context( testcontroller.app): # needed to be able to mock request user org_repo = other_repo = Repository.get_by_repo_name(repo_name) owner_user = User.get_by_username(TEST_USER_ADMIN_LOGIN) reviewers = [User.get_by_username(TEST_USER_REGULAR_LOGIN)] request.authuser = AuthUser(dbuser=owner_user) # creating a PR sends a message with an absolute URL - without routing that requires mocking with mock.patch.object( helpers, 'url', (lambda arg, qualified=False, **kwargs: ('https://localhost' if qualified else '') + '/fake/' + arg)): cmd = CreatePullRequestAction(org_repo, other_repo, org_ref, other_ref, title, 'No description', owner_user, reviewers) pull_request = cmd.execute() Session().commit() return pull_request.pull_request_id
def my_account_perms(self): c.active = 'perms' self.__load_data() c.perm_user = AuthUser(user_id=self.authuser.user_id, ip_addr=self.ip_addr) return render('admin/my_account/my_account.html')
def test_inactive_user_group_does_not_affect_global_permissions_inverse( self): # Issue #138: Inactive User Groups affecting permissions # Add user to inactive user group, set specific permissions on user # group and disable inherit-from-default. User permissions should still # inherit from default. self.ug1 = fixture.create_user_group(u'G1') self.ug1.inherit_default_permissions = False user_group_model = UserGroupModel() user_group_model.add_user_to_group(self.ug1, self.u1) user_group_model.update(self.ug1, {'users_group_active': False}) # disable fork and create on user group user_group_model.revoke_perm(self.ug1, perm='hg.create.repository') user_group_model.grant_perm(self.ug1, perm='hg.create.none') user_group_model.revoke_perm(self.ug1, perm='hg.fork.repository') user_group_model.grant_perm(self.ug1, perm='hg.fork.none') user_model = UserModel() # enable fork and create on default user usr = '******' user_model.revoke_perm(usr, 'hg.create.none') user_model.grant_perm(usr, 'hg.create.repository') user_model.revoke_perm(usr, 'hg.fork.none') user_model.grant_perm(usr, 'hg.fork.repository') Session().commit() u1_auth = AuthUser(user_id=self.u1.user_id) assert u1_auth.permissions['global'] == set([ 'hg.create.repository', 'hg.fork.repository', 'hg.register.manual_activate', 'hg.extern_activate.auto', 'repository.read', 'group.read', 'usergroup.read', 'hg.create.write_on_repogroup.true' ])
def test_inactive_user_group_does_not_affect_repo_permissions_inverse( self): self.ug1 = fixture.create_user_group(u'G1') self.ug1.inherit_default_permissions = False user_group_model = UserGroupModel() user_group_model.add_user_to_group(self.ug1, self.u1) user_group_model.update(self.ug1, {'users_group_active': False}) # note: make u2 repo owner rather than u1, because the owner always has # admin permissions self.test_repo = fixture.create_repo(name=u'myownrepo', repo_type='hg', cur_user=self.u2) # enable only write access for user group on repo RepoModel().grant_user_group_permission(self.test_repo, group_name=self.ug1, perm='repository.write') # enable admin access for default user on repo RepoModel().grant_user_permission(self.test_repo, user='******', perm='repository.admin') Session().commit() u1_auth = AuthUser(user_id=self.u1.user_id) assert u1_auth.permissions['repositories'][ 'myownrepo'] == 'repository.admin'
def _get_perms(filter_='', recursive=None, key=None, test_u1_id=None): test_u1 = AuthUser(user_id=test_u1_id) for k, v in test_u1.permissions[key].items(): if recursive in ['all', 'repos', 'groups'] and k.startswith(filter_): yield k, v elif recursive in ['none']: if k == filter_: yield k, v
def test_owner_permissions_doesnot_get_overwritten_by_others(self): #create repo as USER, self.test_repo = fixture.create_repo(name='myownrepo', repo_type='hg', cur_user=self.u1) #he has permissions of admin as owner u1_auth = AuthUser(user_id=self.u1.user_id) self.assertEqual(u1_auth.permissions['repositories']['myownrepo'], 'repository.admin') #set his permission as user, he should still be admin RepoModel().grant_user_permission(self.test_repo, user=self.u1, perm='repository.none') Session().commit() u1_auth = AuthUser(user_id=self.u1.user_id) self.assertEqual(u1_auth.permissions['repositories']['myownrepo'], 'repository.admin')
def my_account(self): """ GET /_admin/my_account Displays info about my account """ # url('my_account') c.active = 'profile' self.__load_data() c.perm_user = AuthUser(user_id=self.authuser.user_id, ip_addr=self.ip_addr) c.extern_type = c.user.extern_type c.extern_name = c.user.extern_name defaults = c.user.get_dict() update = False if request.POST: _form = UserForm(edit=True, old_data={ 'user_id': self.authuser.user_id, 'email': self.authuser.email })() form_result = {} try: post_data = dict(request.POST) post_data['new_password'] = '' post_data['password_confirmation'] = '' form_result = _form.to_python(post_data) # skip updating those attrs for my account skip_attrs = [ 'admin', 'active', 'extern_type', 'extern_name', 'new_password', 'password_confirmation' ] #TODO: plugin should define if username can be updated if c.extern_type != EXTERN_TYPE_INTERNAL: # forbid updating username for external accounts skip_attrs.append('username') UserModel().update(self.authuser.user_id, form_result, skip_attrs=skip_attrs) h.flash(_('Your account was updated successfully'), category='success') Session().commit() update = True except formencode.Invalid, errors: return htmlfill.render( render('admin/my_account/my_account.html'), defaults=errors.value, errors=errors.error_dict or {}, prefix_error=False, encoding="UTF-8", force_defaults=False) except Exception: log.error(traceback.format_exc()) h.flash(_('Error occurred during update of user %s') \ % form_result.get('username'), category='error')
def test_default_admin_group_perms(self): self.g1 = fixture.create_repo_group('test1', skip_if_exists=True) self.g2 = fixture.create_repo_group('test2', skip_if_exists=True) a1_auth = AuthUser(user_id=self.a1.user_id) assert a1_auth.permissions['repositories'][ base.HG_REPO] == 'repository.admin' assert a1_auth.permissions['repositories_groups'].get( 'test1') == 'group.admin' assert a1_auth.permissions['repositories_groups'].get( 'test2') == 'group.admin'
def my_account(self): c.active = 'profile' self.__load_data() c.perm_user = AuthUser(user_id=request.authuser.user_id) managed_fields = auth_modules.get_managed_fields(c.user) def_user_perms = User.get_default_user().AuthUser.permissions['global'] if 'hg.register.none' in def_user_perms: managed_fields.extend(['username', 'firstname', 'lastname', 'email']) c.readonly = lambda n: 'readonly' if n in managed_fields else None defaults = c.user.get_dict() update = False if request.POST: _form = UserForm(edit=True, old_data={'user_id': request.authuser.user_id, 'email': request.authuser.email})() form_result = {} try: post_data = dict(request.POST) post_data['new_password'] = '' post_data['password_confirmation'] = '' form_result = _form.to_python(post_data) # skip updating those attrs for my account skip_attrs = ['admin', 'active', 'extern_type', 'extern_name', 'new_password', 'password_confirmation', ] + managed_fields UserModel().update(request.authuser.user_id, form_result, skip_attrs=skip_attrs) h.flash(_('Your account was updated successfully'), category='success') Session().commit() update = True except formencode.Invalid as errors: return htmlfill.render( render('admin/my_account/my_account.html'), defaults=errors.value, errors=errors.error_dict or {}, prefix_error=False, encoding="UTF-8", force_defaults=False) except Exception: log.error(traceback.format_exc()) h.flash(_('Error occurred during update of user %s') \ % form_result.get('username'), category='error') if update: raise HTTPFound(location='my_account') return htmlfill.render( render('admin/my_account/my_account.html'), defaults=defaults, encoding="UTF-8", force_defaults=False)
def __call__(self, environ, start_response): """Invoke the Controller""" # WSGIController.__call__ dispatches to the Controller method # the request is routed to. This routing information is # available in environ['pylons.routes_dict'] try: self.ip_addr = _get_ip_addr(environ) # make sure that we update permissions each time we call controller api_key = request.GET.get('api_key') if api_key: # when using API_KEY we are sure user exists. auth_user = AuthUser(api_key=api_key, ip_addr=self.ip_addr) authenticated = False else: cookie_store = CookieStoreWrapper(session.get('authuser')) try: auth_user = AuthUser(user_id=cookie_store.get( 'user_id', None), ip_addr=self.ip_addr) except UserCreationError, e: from kallithea.lib import helpers as h h.flash(e, 'error') # container auth or other auth functions that create users on # the fly can throw this exception signaling that there's issue # with user creation, explanation should be provided in # Exception itself auth_user = AuthUser(ip_addr=self.ip_addr) authenticated = cookie_store.get('is_authenticated') if not auth_user.is_authenticated and auth_user.user_id is not None: # user is not authenticated and not empty auth_user.set_authenticated(authenticated) request.user = auth_user #set globals for auth user self.authuser = c.authuser = auth_user log.info('IP: %s User: %s accessed %s' % (self.ip_addr, auth_user, safe_unicode(_get_access_path(environ)))) return WSGIController.__call__(self, environ, start_response)
def test_default_admin_perms_set(self): a1_auth = AuthUser(user_id=self.a1.user_id) perms = { 'repositories_groups': {}, 'global': set([u'hg.admin', 'hg.create.write_on_repogroup.true']), 'repositories': { u'vcs_test_hg': u'repository.admin' } } self.assertEqual(a1_auth.permissions['repositories'][HG_REPO], perms['repositories'][HG_REPO]) new_perm = 'repository.write' RepoModel().grant_user_permission(repo=HG_REPO, user=self.a1, perm=new_perm) Session().commit() # cannot really downgrade admins permissions !? they still gets set as # admin ! u1_auth = AuthUser(user_id=self.a1.user_id) self.assertEqual(u1_auth.permissions['repositories'][HG_REPO], perms['repositories'][HG_REPO])
def test_default_group_perms(self): self.g1 = fixture.create_repo_group('test1', skip_if_exists=True) self.g2 = fixture.create_repo_group('test2', skip_if_exists=True) u1_auth = AuthUser(user_id=self.u1.user_id) assert u1_auth.permissions['repositories'][ base.HG_REPO] == 'repository.read' assert u1_auth.permissions['repositories_groups'].get( 'test1') == 'group.read' assert u1_auth.permissions['repositories_groups'].get( 'test2') == 'group.read' assert u1_auth.permissions['global'] == set( Permission.DEFAULT_USER_PERMISSIONS)
def test_owner_permissions_doesnot_get_overwritten_by_group(self): #create repo as USER, self.test_repo = fixture.create_repo(name=u'myownrepo', repo_type='hg', cur_user=self.u1) #he has permissions of admin as owner u1_auth = AuthUser(user_id=self.u1.user_id) assert u1_auth.permissions['repositories'][ 'myownrepo'] == 'repository.admin' #set his permission as user group, he should still be admin self.ug1 = fixture.create_user_group(u'G1') UserGroupModel().add_user_to_group(self.ug1, self.u1) RepoModel().grant_user_group_permission(self.test_repo, group_name=self.ug1, perm='repository.none') Session().commit() u1_auth = AuthUser(user_id=self.u1.user_id) assert u1_auth.permissions['repositories'][ 'myownrepo'] == 'repository.admin'
def register(self): def_user_perms = AuthUser( dbuser=User.get_default_user()).permissions['global'] c.auto_active = 'hg.register.auto_activate' in def_user_perms settings = Setting.get_app_settings() captcha_private_key = settings.get('captcha_private_key') c.captcha_active = bool(captcha_private_key) c.captcha_public_key = settings.get('captcha_public_key') if request.POST: register_form = RegisterForm()() try: form_result = register_form.to_python(dict(request.POST)) form_result['active'] = c.auto_active if c.captcha_active: from kallithea.lib.recaptcha import submit response = submit(request.POST.get('g-recaptcha-response'), private_key=captcha_private_key, remoteip=request.ip_addr) if not response.is_valid: _value = form_result _msg = _('Bad captcha') error_dict = {'recaptcha_field': _msg} raise formencode.Invalid(_msg, _value, None, error_dict=error_dict) UserModel().create_registration(form_result) h.flash(_('You have successfully registered with %s') % (c.site_name or 'Kallithea'), category='success') Session().commit() raise HTTPFound(location=url('login_home')) except formencode.Invalid as errors: return htmlfill.render(render('/register.html'), defaults=errors.value, errors=errors.error_dict or {}, prefix_error=False, encoding="UTF-8", force_defaults=False) except UserCreationError as e: # container auth or other auth functions that create users on # the fly can throw this exception signaling that there's issue # with user creation, explanation should be provided in # Exception itself h.flash(e, 'error') return render('/register.html')
def test_propagated_permission_from_users_group(self): # make group self.ug1 = fixture.create_user_group('G1') UserGroupModel().add_user_to_group(self.ug1, self.u3) # grant perm for group this should override default permission from user new_perm_gr = 'repository.write' RepoModel().grant_user_group_permission(repo=base.HG_REPO, group_name=self.ug1, perm=new_perm_gr) # check perms u3_auth = AuthUser(user_id=self.u3.user_id) assert u3_auth.permissions['repositories'][base.HG_REPO] == new_perm_gr
def test_propagated_permission_from_users_group_lower_weight(self): # make group self.ug1 = fixture.create_user_group('G1') # add user to group UserGroupModel().add_user_to_group(self.ug1, self.u1) # set permission to lower new_perm_h = 'repository.write' RepoModel().grant_user_permission(repo=HG_REPO, user=self.u1, perm=new_perm_h) Session().commit() u1_auth = AuthUser(user_id=self.u1.user_id) self.assertEqual(u1_auth.permissions['repositories'][HG_REPO], new_perm_h) # grant perm for group this should NOT override permission from user # since it's lower than granted new_perm_l = 'repository.read' RepoModel().grant_user_group_permission(repo=HG_REPO, group_name=self.ug1, perm=new_perm_l) # check perms u1_auth = AuthUser(user_id=self.u1.user_id) perms = { 'repositories_groups': {}, 'global': set([ u'hg.create.repository', u'repository.read', u'hg.register.manual_activate' ]), 'repositories': { u'vcs_test_hg': u'repository.write' } } self.assertEqual(u1_auth.permissions['repositories'][HG_REPO], new_perm_h) self.assertEqual(u1_auth.permissions['repositories_groups'], perms['repositories_groups'])
def get_all_user_repos(self, user): """ Gets all repositories that user have at least read access :param user: """ from kallithea.lib.auth import AuthUser user = User.guess_instance(user) repos = AuthUser(dbuser=user).permissions['repositories'] access_check = lambda r: r[ 1] in ['repository.read', 'repository.write', 'repository.admin'] repos = [x[0] for x in filter(access_check, repos.items())] return Repository.query().filter(Repository.repo_name.in_(repos))
def update(self, id): """PUT /users/id: Update an existing item""" # Forms posted to this method should contain a hidden field: # <input type="hidden" name="_method" value="PUT" /> # Or using helpers: # h.form(url('update_user', id=ID), # method='put') # url('user', id=ID) c.active = 'profile' user_model = UserModel() c.user = user_model.get(id) c.extern_type = c.user.extern_type c.extern_name = c.user.extern_name c.perm_user = AuthUser(user_id=id, ip_addr=self.ip_addr) _form = UserForm(edit=True, old_data={ 'user_id': id, 'email': c.user.email })() form_result = {} try: form_result = _form.to_python(dict(request.POST)) skip_attrs = ['extern_type', 'extern_name'] #TODO: plugin should define if username can be updated if c.extern_type != kallithea.EXTERN_TYPE_INTERNAL: # forbid updating username for external accounts skip_attrs.append('username') user_model.update(id, form_result, skip_attrs=skip_attrs) usr = form_result['username'] action_logger(self.authuser, 'admin_updated_user:%s' % usr, None, self.ip_addr, self.sa) h.flash(_('User updated successfully'), category='success') Session().commit() except formencode.Invalid, errors: defaults = errors.value e = errors.error_dict or {} defaults.update({ 'create_repo_perm': user_model.has_perm(id, 'hg.create.repository'), 'fork_repo_perm': user_model.has_perm(id, 'hg.fork.repository'), '_method': 'put' }) return htmlfill.render(render('admin/users/user_edit.html'), defaults=defaults, errors=e, prefix_error=False, encoding="UTF-8", force_defaults=False)
def get_all_user_repos(self, user): """ Gets all repositories that user have at least read access :param user: """ from kallithea.lib.auth import AuthUser auth_user = AuthUser(dbuser=User.guess_instance(user)) repos = [ repo_name for repo_name, perm in auth_user.permissions['repositories'].items() if perm in ['repository.read', 'repository.write', 'repository.admin'] ] return Repository.query().filter(Repository.repo_name.in_(repos))
def test_default_perms_set(self): u1_auth = AuthUser(user_id=self.u1.user_id) perms = { 'repositories_groups': {}, 'global': set([ 'hg.create.repository', 'repository.read', 'hg.register.manual_activate' ]), 'repositories': { HG_REPO: 'repository.read' } } assert u1_auth.permissions['repositories'][HG_REPO] == perms[ 'repositories'][HG_REPO] new_perm = 'repository.write' RepoModel().grant_user_permission(repo=HG_REPO, user=self.u1, perm=new_perm) Session().commit() u1_auth = AuthUser(user_id=self.u1.user_id) assert u1_auth.permissions['repositories'][HG_REPO] == new_perm
def test_propagated_permission_from_users_group_by_explicit_perms_exist( self): # make group self.ug1 = fixture.create_user_group(u'G1') UserGroupModel().add_user_to_group(self.ug1, self.u1) # set permission to lower new_perm = 'repository.none' RepoModel().grant_user_permission(repo=HG_REPO, user=self.u1, perm=new_perm) Session().commit() u1_auth = AuthUser(user_id=self.u1.user_id) assert u1_auth.permissions['repositories'][HG_REPO] == new_perm # grant perm for group this should not override permission from user # since it has explicitly set new_perm_gr = 'repository.write' RepoModel().grant_user_group_permission(repo=HG_REPO, group_name=self.ug1, perm=new_perm_gr) # check perms u1_auth = AuthUser(user_id=self.u1.user_id) perms = { 'repositories_groups': {}, 'global': set([ 'hg.create.repository', 'repository.read', 'hg.register.manual_activate' ]), 'repositories': { HG_REPO: 'repository.read' } } assert u1_auth.permissions['repositories'][HG_REPO] == new_perm assert u1_auth.permissions['repositories_groups'] == perms[ 'repositories_groups']