def test_add_delete_ips(self):
self.log_user()
clear_all_caches()
# ADD
default_user_id = User.get_default_user().user_id
response = self.app.post(url('edit_user_ips', user_id=default_user_id),
params={
'new_ip': '127.0.0.0/24',
'_method': 'put',
'csrf_token': self.csrf_token
})
response = self.app.get(url('admin_permissions_ips'))
response.mustcontain('127.0.0.0/24')
response.mustcontain('127.0.0.0 - 127.0.0.255')
# DELETE
default_user_id = User.get_default_user().user_id
del_ip_id = UserIpMap.query().filter(
UserIpMap.user_id == default_user_id).first().ip_id
response = self.app.post(url('edit_user_ips', user_id=default_user_id),
params={
'_method': 'delete',
'del_ip_id': del_ip_id,
'csrf_token': self.csrf_token
})
clear_all_caches()
response = self.app.get(url('admin_permissions_ips'))
response.mustcontain('All IP addresses are allowed')
response.mustcontain(no=['127.0.0.0/24'])
response.mustcontain(no=['127.0.0.0 - 127.0.0.255'])
def set_anonymous_access(enabled):
"""(Dis)allows anonymous access depending on parameter `enabled`"""
user = User.get_default_user()
user.active = enabled
Session().add(user)
Session().commit()
log.info('anonymous access is now: %s', enabled)
assert enabled == User.get_default_user().active, (
'Cannot set anonymous access')
def test_index_with_anonymous_access_disabled(self):
anon = User.get_default_user()
anon.active = False
Session().add(anon)
Session().commit()
time.sleep(1.5) # must sleep for cache (1s to expire)
try:
response = self.app.get(url(controller='home', action='index'),
status=302)
assert 'login' in response.location
finally:
anon = User.get_default_user()
anon.active = True
Session().add(anon)
Session().commit()
def test_index_with_anonymous_access_disabled(self):
anon = User.get_default_user()
anon.active = False
Session().add(anon)
Session().commit()
time.sleep(1.5) # must sleep for cache (1s to expire)
try:
response = self.app.get(url(controller='home', action='index'),
status=302)
assert 'login' in response.location
finally:
anon = User.get_default_user()
anon.active = True
Session().add(anon)
Session().commit()
def prepare_users(self, request):
# TODO: User creation is a duplicate of test_nofitications, check
# if that can be unified
self.u1 = UserModel().create_or_update(username=u'u1',
password=u'qweqwe',
email=u'*****@*****.**',
firstname=u'u1',
lastname=u'u1')
self.u2 = UserModel().create_or_update(username=u'u2',
password=u'qweqwe',
email=u'*****@*****.**',
firstname=u'u2',
lastname=u'u2')
self.u3 = UserModel().create_or_update(username=u'u3',
password=u'qweqwe',
email=u'*****@*****.**',
firstname=u'u3',
lastname=u'u3')
self.anon = User.get_default_user()
self.a1 = UserModel().create_or_update(username=u'a1',
password=u'qweqwe',
email=u'*****@*****.**',
firstname=u'a1',
lastname=u'a1',
admin=True)
Session().commit()
request.addfinalizer(self.cleanup)
def test_user_permissions_on_group_with_recursive_mode_for_default_user():
# set permission to g0 recursive mode, all children including
# other repos and groups should have this permission now set !
recursive = True
group = 'g0'
default_user_id = User.get_default_user().user_id
permissions_setup_func(group, 'group.write', recursive=recursive,
user_id=default_user_id)
# change default to get perms for default user
_get_repo_perms = functools.partial(_get_perms, key='repositories',
test_u1_id=default_user_id)
_get_group_perms = functools.partial(_get_perms, key='repositories_groups',
test_u1_id=default_user_id)
repo_items = [x for x in _get_repo_perms(group, recursive)]
items = [x for x in _get_group_perms(group, recursive)]
_check_expected_count(items, repo_items, expected_count(group, True))
for name, perm in repo_items:
yield check_tree_perms, name, perm, group, 'repository.write'
for name, perm in items:
yield check_tree_perms, name, perm, group, 'group.write'
def _remove_default_user_from_query_cache():
user = User.get_default_user(cache=True)
query = Session().query(User).filter(User.username == user.username)
query = query.options(
FromCache("sql_cache_short", "get_user_%s" % _hash_key(user.username)))
query.invalidate()
Session().expire(user)
def repo_public_journal(self, repo_name):
"""
Set's this repository to be visible in public journal,
in other words assing default user to follow this repo
:param repo_name:
"""
cur_token = request.POST.get('auth_token')
token = get_token()
if cur_token == token:
try:
repo_id = Repository.get_by_repo_name(repo_name).repo_id
user_id = User.get_default_user().user_id
self.scm_model.toggle_following_repo(repo_id, user_id)
h.flash(_('Updated repository visibility in public journal'),
category='success')
Session().commit()
except Exception:
h.flash(_('An error occurred during setting this'
' repository in public journal'),
category='error')
else:
h.flash(_('Token mismatch'), category='error')
return redirect(url('edit_repo', repo_name=repo_name))
def repo_public_journal(self, repo_name):
"""
Set's this repository to be visible in public journal,
in other words assing default user to follow this repo
:param repo_name:
"""
cur_token = request.POST.get('auth_token')
token = get_token()
if cur_token == token:
try:
repo_id = Repository.get_by_repo_name(repo_name).repo_id
user_id = User.get_default_user().user_id
self.scm_model.toggle_following_repo(repo_id, user_id)
h.flash(_('Updated repository visibility in public journal'),
category='success')
Session().commit()
except Exception:
h.flash(_('An error occurred during setting this'
' repository in public journal'),
category='error')
else:
h.flash(_('Token mismatch'), category='error')
return redirect(url('edit_repo', repo_name=repo_name))
def test_inherited_permissions_on_objects(self, perm, expected_perm):
_form_result = {
'default_inherit_default_permissions': perm,
}
PermissionModel().set_new_user_perms(User.get_default_user(),
_form_result)
Session().commit()
# make sure inherit flag is turned on
self.u1.inherit_default_permissions = True
Session().commit()
# this user will have inherited permissions from default user
assert global_perms(self.u1) == set([
'hg.create.none',
'hg.fork.none',
'hg.register.manual_activate',
'hg.extern_activate.auto',
'repository.read',
'group.read',
'usergroup.read',
'hg.create.write_on_repogroup.true',
'hg.usergroup.create.false',
'hg.repogroup.create.false',
perm,
])
assert set(repo_perms(self.u1).values()) == set([expected_perm])
def permissions_setup_func(group_name='g0',
perm='group.read',
recursive='all',
user_id=None):
"""
Resets all permissions to perm attribute
"""
if not user_id:
user_id = test_u1_id
# called by the @with_setup decorator also reset the default user stuff
permissions_setup_func(group_name,
perm,
recursive,
user_id=User.get_default_user().user_id)
# TODO: DRY, compare test_user_group:permissions_setup_func
repo_group = RepoGroup.get_by_group_name(group_name=group_name)
if not repo_group:
raise Exception('Cannot get group %s' % group_name)
perm_updates = [[user_id, perm, 'user']]
RepoGroupModel().update_permissions(repo_group,
perm_updates=perm_updates,
recursive=recursive,
check_perms=False)
Session().commit()
def test_user_permissions_on_group_with_rec_group_mode_for_default_user():
# set permission to g0/g0_1 with recursive groups only mode, all children
# sincluding other groups should have this permission now set. repositories
# should remain intact as we use groups only mode !
recursive = 'groups'
group = 'g0/g0_1'
default_user_id = User.get_default_user().user_id
# TODO: workaround due to different setup calls, adept to py.test style
permissions_setup_func()
permissions_setup_func(group,
'group.write',
recursive=recursive,
user_id=default_user_id)
# change default to get perms for default user
_get_repo_perms = functools.partial(_get_perms,
key='repositories',
test_u1_id=default_user_id)
_get_group_perms = functools.partial(_get_perms,
key='repositories_groups',
test_u1_id=default_user_id)
repo_items = [x for x in _get_repo_perms(group, recursive)]
items = [x for x in _get_group_perms(group, recursive)]
_check_expected_count(items, repo_items, expected_count(group, True))
for name, perm in repo_items:
check_tree_perms(name, perm, group, 'repository.read')
for name, perm in items:
check_tree_perms(name, perm, group, 'group.write')
def register(self):
c.auto_active = 'hg.register.auto_activate' in User.get_default_user()\
.AuthUser.permissions['global']
if request.POST:
register_form = RegisterForm()()
try:
form_result = register_form.to_python(dict(request.POST))
form_result['active'] = c.auto_active
UserModel().create_registration(form_result)
h.flash(_('You have successfully registered into RhodeCode'),
category='success')
Session().commit()
return redirect(url('login_home'))
except formencode.Invalid, errors:
return htmlfill.render(
render('/register.html'),
defaults=errors.value,
errors=errors.error_dict or {},
prefix_error=False,
encoding="UTF-8")
except UserCreationError, e:
# container auth or other auth functions that create users on
# the fly can throw this exception signaling that there's issue
# with user creation, explanation should be provided in
# Exception itself
h.flash(e, 'error')
def permission_ips(self):
c.active = 'ips'
c.user = User.get_default_user()
c.user_ip_map = (UserIpMap.query().filter(
UserIpMap.user == c.user).all())
return render('admin/permissions/permissions.html')
def test_api_update_user_default_user(self):
usr = User.get_default_user()
id_, params = build_data(self.apikey,
'update_user',
userid=usr.user_id)
response = api_call(self.app, params)
expected = 'editing default user is forbidden'
assert_error(id_, expected, given=response.body)
def permission_objects(self):
c.active = 'objects'
self.__load_data()
c.user = User.get_default_user()
defaults = {}
defaults.update(c.user.get_default_perms())
return htmlfill.render(render('admin/permissions/permissions.html'),
defaults=defaults,
encoding="UTF-8",
force_defaults=False)
def test_auth_user_get_cookie_store_for_default_user():
default_user = User.get_default_user()
auth_user = auth.AuthUser()
expected_data = {
'username': User.DEFAULT_USER,
'user_id': default_user.user_id,
'password': md5(default_user.password),
'is_authenticated': True
}
assert auth_user.get_cookie_store() == expected_data
def test_cached_perms_data_default_permissions_on_repository_group(user_util):
# Have a repository group with default permissions set
repo_group = user_util.create_repo_group()
default_user = User.get_default_user()
user_util.grant_user_permission_to_repo_group(
repo_group, default_user, 'repository.write')
user = user_util.create_user()
permissions = get_permissions(user)
assert permissions['repositories_groups'][repo_group.group_name] == \
'repository.write'
def edit(self, id, format='html'):
"""GET /permissions/id/edit: Form to edit an existing item"""
#url('edit_permission', id=ID)
#this form can only edit default user permissions
if id == 'default':
c.user = User.get_default_user()
defaults = {'anonymous': c.user.active}
c.perm_user = c.user.AuthUser
c.user_ip_map = UserIpMap.query()\
.filter(UserIpMap.user == c.user).all()
for p in c.user.user_perms:
if p.permission.permission_name.startswith('repository.'):
defaults[
'default_repo_perm'] = p.permission.permission_name
if p.permission.permission_name.startswith('group.'):
defaults[
'default_group_perm'] = p.permission.permission_name
if p.permission.permission_name.startswith('usergroup.'):
defaults[
'default_user_group_perm'] = p.permission.permission_name
if p.permission.permission_name.startswith('hg.create.'):
defaults[
'default_repo_create'] = p.permission.permission_name
if p.permission.permission_name.startswith('hg.repogroup.'):
defaults[
'default_repo_group_create'] = p.permission.permission_name
if p.permission.permission_name.startswith('hg.usergroup.'):
defaults[
'default_user_group_create'] = p.permission.permission_name
if p.permission.permission_name.startswith('hg.register.'):
defaults['default_register'] = p.permission.permission_name
if p.permission.permission_name.startswith(
'hg.extern_activate.'):
defaults[
'default_extern_activate'] = p.permission.permission_name
if p.permission.permission_name.startswith('hg.fork.'):
defaults['default_fork'] = p.permission.permission_name
return htmlfill.render(
render('admin/permissions/permissions.html'),
defaults=defaults,
encoding="UTF-8",
force_defaults=False)
else:
return redirect(url('admin_home'))
def __load_data(self, repo_name=None):
"""
Load defaults settings for edit, and update
:param repo_name:
"""
self.__load_defaults()
c.repo_info = db_repo = Repository.get_by_repo_name(repo_name)
repo = db_repo.scm_instance
if c.repo_info is None:
h.not_mapped_error(repo_name)
return redirect(url('repos'))
##override defaults for exact repo info here git/hg etc
choices, c.landing_revs = ScmModel().get_repo_landing_revs(c.repo_info)
c.landing_revs_choices = choices
c.default_user_id = User.get_default_user().user_id
c.in_public_journal = UserFollowing.query()\
.filter(UserFollowing.user_id == c.default_user_id)\
.filter(UserFollowing.follows_repository == c.repo_info).scalar()
if c.repo_info.stats:
# this is on what revision we ended up so we add +1 for count
last_rev = c.repo_info.stats.stat_on_revision + 1
else:
last_rev = 0
c.stats_revision = last_rev
c.repo_last_rev = repo.count() if repo.revisions else 0
if last_rev == 0 or c.repo_last_rev == 0:
c.stats_percentage = 0
else:
c.stats_percentage = '%.2f' % ((float((last_rev)) /
c.repo_last_rev) * 100)
c.repo_fields = RepositoryField.query()\
.filter(RepositoryField.repository == db_repo).all()
defaults = RepoModel()._get_defaults(repo_name)
_repos = Repository.query().order_by(Repository.repo_name).all()
read_access_repos = RepoList(_repos)
c.repos_list = [('', _('--REMOVE FORK--'))]
c.repos_list += [(x.repo_id, x.repo_name)
for x in read_access_repos
if x.repo_id != c.repo_info.repo_id]
defaults['id_fork_of'] = db_repo.fork.repo_id if db_repo.fork else ''
return defaults
def test_cached_perms_data_repository_permissions_for_owner(
backend_random, user_util):
user = user_util.create_user()
repo = backend_random.create_repo()
repo.user_id = user.user_id
permissions = get_permissions(user)
assert permissions['repositories'][repo.repo_name] == 'repository.admin'
# TODO: johbo: Make cleanup in UserUtility smarter, then remove this hack
repo.user_id = User.get_default_user().user_id
def __load_data(self, repo_name=None):
"""
Load defaults settings for edit, and update
:param repo_name:
"""
self.__load_defaults()
c.repo_info = db_repo = Repository.get_by_repo_name(repo_name)
repo = db_repo.scm_instance
if c.repo_info is None:
h.not_mapped_error(repo_name)
return redirect(url('repos'))
##override defaults for exact repo info here git/hg etc
choices, c.landing_revs = ScmModel().get_repo_landing_revs(c.repo_info)
c.landing_revs_choices = choices
c.default_user_id = User.get_default_user().user_id
c.in_public_journal = UserFollowing.query()\
.filter(UserFollowing.user_id == c.default_user_id)\
.filter(UserFollowing.follows_repository == c.repo_info).scalar()
if c.repo_info.stats:
# this is on what revision we ended up so we add +1 for count
last_rev = c.repo_info.stats.stat_on_revision + 1
else:
last_rev = 0
c.stats_revision = last_rev
c.repo_last_rev = repo.count() if repo.revisions else 0
if last_rev == 0 or c.repo_last_rev == 0:
c.stats_percentage = 0
else:
c.stats_percentage = '%.2f' % ((float(
(last_rev)) / c.repo_last_rev) * 100)
c.repo_fields = RepositoryField.query()\
.filter(RepositoryField.repository == db_repo).all()
defaults = RepoModel()._get_defaults(repo_name)
_repos = Repository.query().order_by(Repository.repo_name).all()
read_access_repos = RepoList(_repos)
c.repos_list = [('', _('--REMOVE FORK--'))]
c.repos_list += [(x.repo_id, x.repo_name) for x in read_access_repos
if x.repo_id != c.repo_info.repo_id]
defaults['id_fork_of'] = db_repo.fork.repo_id if db_repo.fork else ''
return defaults
def register_post(self):
captcha_private_key = SettingsModel().get_setting_by_name(
'rhodecode_captcha_private_key')
captcha_active = bool(captcha_private_key)
auto_active = 'hg.register.auto_activate' in User.get_default_user()\
.AuthUser.permissions['global']
register_form = RegisterForm()()
try:
form_result = register_form.to_python(self.request.params)
form_result['active'] = auto_active
if captcha_active:
response = submit(
self.request.params.get('recaptcha_challenge_field'),
self.request.params.get('recaptcha_response_field'),
private_key=captcha_private_key,
remoteip=get_ip_addr(self.request.environ))
if captcha_active and not response.is_valid:
_value = form_result
_msg = _('bad captcha')
error_dict = {'recaptcha_field': _msg}
raise formencode.Invalid(_msg, _value, None,
error_dict=error_dict)
new_user = UserModel().create_registration(form_result)
event = UserRegistered(user=new_user, session=self.session)
self.request.registry.notify(event)
self.session.flash(
_('You have successfully registered with RhodeCode'),
queue='success')
Session().commit()
redirect_ro = self.request.route_path('login')
raise HTTPFound(redirect_ro)
except formencode.Invalid as errors:
del errors.value['password']
del errors.value['password_confirmation']
return self.register(
defaults=errors.value, errors=errors.error_dict)
except UserCreationError as e:
# container auth or other auth functions that create users on
# the fly can throw this exception signaling that there's issue
# with user creation, explanation should be provided in
# Exception itself
self.session.flash(e, queue='error')
return self.register()
def _create_default_perms(self, new_group):
# create default permission
default_perm = 'group.read'
def_user = User.get_default_user()
for p in def_user.user_perms:
if p.permission.permission_name.startswith('group.'):
default_perm = p.permission.permission_name
break
repo_group_to_perm = UserRepoGroupToPerm()
repo_group_to_perm.permission = Permission.get_by_key(default_perm)
repo_group_to_perm.group = new_group
repo_group_to_perm.user_id = def_user.user_id
return repo_group_to_perm
def _create_default_perms(self, new_group):
# create default permission
default_perm = 'group.read'
def_user = User.get_default_user()
for p in def_user.user_perms:
if p.permission.permission_name.startswith('group.'):
default_perm = p.permission.permission_name
break
repo_group_to_perm = UserRepoGroupToPerm()
repo_group_to_perm.permission = Permission.get_by_key(default_perm)
repo_group_to_perm.group = new_group
repo_group_to_perm.user_id = def_user.user_id
return repo_group_to_perm
def _create_default_perms(self, user_group):
# create default permission
default_perm = "usergroup.read"
def_user = User.get_default_user()
for p in def_user.user_perms:
if p.permission.permission_name.startswith("usergroup."):
default_perm = p.permission.permission_name
break
user_group_to_perm = UserUserGroupToPerm()
user_group_to_perm.permission = Permission.get_by_key(default_perm)
user_group_to_perm.user_group = user_group
user_group_to_perm.user_id = def_user.user_id
return user_group_to_perm
def fixup_groups(self):
def_usr = User.get_default_user()
for g in RepoGroup.query().all():
g.group_name = g.get_new_name(g.name)
self.sa.add(g)
# get default perm
default = UserRepoGroupToPerm.query()\
.filter(UserRepoGroupToPerm.group == g)\
.filter(UserRepoGroupToPerm.user == def_usr)\
.scalar()
if default is None:
log.debug('missing default permission for group %s adding' % g)
perm_obj = RepoGroupModel()._create_default_perms(g)
self.sa.add(perm_obj)
def fixup_groups(self):
def_usr = User.get_default_user()
for g in RepoGroup.query().all():
g.group_name = g.get_new_name(g.name)
self.sa.add(g)
# get default perm
default = UserRepoGroupToPerm.query()\
.filter(UserRepoGroupToPerm.group == g)\
.filter(UserRepoGroupToPerm.user == def_usr)\
.scalar()
if default is None:
log.debug('missing default permission for group %s adding' % g)
perm_obj = ReposGroupModel()._create_default_perms(g)
self.sa.add(perm_obj)
def edit_global_perms(self, user_group_id):
user_group_id = safe_int(user_group_id)
c.user_group = UserGroup.get_or_404(user_group_id)
c.active = 'global_perms'
c.default_user = User.get_default_user()
defaults = c.user_group.get_dict()
defaults.update(c.default_user.get_default_perms(suffix='_inherited'))
defaults.update(c.user_group.get_default_perms())
return htmlfill.render(
render('admin/user_groups/user_group_edit.html'),
defaults=defaults,
encoding="UTF-8",
force_defaults=False)
def _create_default_perms(self, user_group):
# create default permission
default_perm = 'usergroup.read'
def_user = User.get_default_user()
for p in def_user.user_perms:
if p.permission.permission_name.startswith('usergroup.'):
default_perm = p.permission.permission_name
break
user_group_to_perm = UserUserGroupToPerm()
user_group_to_perm.permission = Permission.get_by_key(default_perm)
user_group_to_perm.user_group = user_group
user_group_to_perm.user_id = def_user.user_id
return user_group_to_perm
def test_inherited_permissions_from_default_on_user_enabled(self):
# enable fork and create on default user
_form_result = {
'default_repo_create': 'hg.create.repository',
'default_fork_create': 'hg.fork.repository'
}
PermissionModel().set_new_user_perms(User.get_default_user(),
_form_result)
Session().commit()
# make sure inherit flag is turned on
self.u1.inherit_default_permissions = True
Session().commit()
# this user will have inherited permissions from default user
assert global_perms(self.u1) == default_perms()
def update(self, id):
"""PUT /permissions/id: Update an existing item"""
# Forms posted to this method should contain a hidden field:
# <input type="hidden" name="_method" value="PUT" />
# Or using helpers:
# h.form(url('permission', id=ID),
# method='put')
# url('permission', id=ID)
if id == 'default':
c.user = default_user = User.get_default_user()
c.perm_user = AuthUser(user_id=default_user.user_id)
c.user_ip_map = UserIpMap.query()\
.filter(UserIpMap.user == default_user).all()
_form = DefaultPermissionsForm(
[x[0] for x in c.repo_perms_choices],
[x[0] for x in c.group_perms_choices],
[x[0] for x in c.user_group_perms_choices],
[x[0] for x in c.repo_create_choices],
[x[0] for x in c.repo_group_create_choices],
[x[0] for x in c.user_group_create_choices],
[x[0] for x in c.fork_choices],
[x[0] for x in c.register_choices],
[x[0] for x in c.extern_activate_choices],
)()
try:
form_result = _form.to_python(dict(request.POST))
form_result.update({'perm_user_name': id})
PermissionModel().update(form_result)
Session().commit()
h.flash(_('Default permissions updated successfully'),
category='success')
except formencode.Invalid, errors:
defaults = errors.value
return htmlfill.render(
render('admin/permissions/permissions.html'),
defaults=defaults,
errors=errors.error_dict or {},
prefix_error=False,
encoding="UTF-8")
except Exception:
log.error(traceback.format_exc())
h.flash(_('Error occurred during update of permissions'),
category='error')
def edit(self, id, format='html'):
"""GET /permissions/id/edit: Form to edit an existing item"""
#url('edit_permission', id=ID)
#this form can only edit default user permissions
if id == 'default':
c.user = User.get_default_user()
defaults = {'anonymous': c.user.active}
c.perm_user = c.user.AuthUser
c.user_ip_map = UserIpMap.query()\
.filter(UserIpMap.user == c.user).all()
for p in c.user.user_perms:
if p.permission.permission_name.startswith('repository.'):
defaults['default_repo_perm'] = p.permission.permission_name
if p.permission.permission_name.startswith('group.'):
defaults['default_group_perm'] = p.permission.permission_name
if p.permission.permission_name.startswith('usergroup.'):
defaults['default_user_group_perm'] = p.permission.permission_name
if p.permission.permission_name.startswith('hg.create.'):
defaults['default_repo_create'] = p.permission.permission_name
if p.permission.permission_name.startswith('hg.repogroup.'):
defaults['default_repo_group_create'] = p.permission.permission_name
if p.permission.permission_name.startswith('hg.usergroup.'):
defaults['default_user_group_create'] = p.permission.permission_name
if p.permission.permission_name.startswith('hg.register.'):
defaults['default_register'] = p.permission.permission_name
if p.permission.permission_name.startswith('hg.extern_activate.'):
defaults['default_extern_activate'] = p.permission.permission_name
if p.permission.permission_name.startswith('hg.fork.'):
defaults['default_fork'] = p.permission.permission_name
return htmlfill.render(
render('admin/permissions/permissions.html'),
defaults=defaults,
encoding="UTF-8",
force_defaults=False
)
else:
return redirect(url('admin_home'))
def update(self, id):
"""PUT /permissions/id: Update an existing item"""
# Forms posted to this method should contain a hidden field:
# <input type="hidden" name="_method" value="PUT" />
# Or using helpers:
# h.form(url('permission', id=ID),
# method='put')
# url('permission', id=ID)
if id == 'default':
c.user = default_user = User.get_default_user()
c.perm_user = AuthUser(user_id=default_user.user_id)
c.user_ip_map = UserIpMap.query()\
.filter(UserIpMap.user == default_user).all()
_form = DefaultPermissionsForm(
[x[0] for x in c.repo_perms_choices],
[x[0] for x in c.group_perms_choices],
[x[0] for x in c.user_group_perms_choices],
[x[0] for x in c.repo_create_choices],
[x[0] for x in c.repo_group_create_choices],
[x[0] for x in c.user_group_create_choices],
[x[0] for x in c.fork_choices],
[x[0] for x in c.register_choices],
[x[0] for x in c.extern_activate_choices],
)()
try:
form_result = _form.to_python(dict(request.POST))
form_result.update({'perm_user_name': id})
PermissionModel().update(form_result)
Session().commit()
h.flash(_('Default permissions updated successfully'),
category='success')
except formencode.Invalid, errors:
defaults = errors.value
return htmlfill.render(
render('admin/permissions/permissions.html'),
defaults=defaults,
errors=errors.error_dict or {},
prefix_error=False,
encoding="UTF-8")
except Exception:
log.error(traceback.format_exc())
h.flash(_('Error occurred during update of permissions'),
category='error')
def test_cached_perms_data_default_permissions_on_repository_group_no_inherit(
user_util):
# Have a repository group
repo_group = user_util.create_repo_group()
default_user = User.get_default_user()
# Add a permission for the default user to hit the code path
user_util.grant_user_permission_to_repo_group(
repo_group, default_user, 'repository.write')
# Don't inherit default object permissions
user = user_util.create_user()
UserModel().grant_perm(user, 'hg.inherit_default_perms.false')
permissions = get_permissions(user)
assert permissions['repositories_groups'][repo_group.group_name] == \
'group.none'
def test_cached_perms_data_default_permissions_on_repository_group_owner(
user_util):
# Have a repository group
repo_group = user_util.create_repo_group()
default_user = User.get_default_user()
# Add a permission for the default user to hit the code path
user_util.grant_user_permission_to_repo_group(
repo_group, default_user, 'repository.write')
# Have an owner of the group
user = user_util.create_user()
repo_group.user_id = user.user_id
permissions = get_permissions(user)
assert permissions['repositories_groups'][repo_group.group_name] == \
'group.admin'
def _create_default_perms(self, repository, private):
# create default permission
default = 'repository.read'
def_user = User.get_default_user()
for p in def_user.user_perms:
if p.permission.permission_name.startswith('repository.'):
default = p.permission.permission_name
break
default_perm = 'repository.none' if private else default
repo_to_perm = UserRepoToPerm()
repo_to_perm.permission = Permission.get_by_key(default_perm)
repo_to_perm.repository = repository
repo_to_perm.user_id = def_user.user_id
return repo_to_perm
def _create_default_perms(self, repository, private):
# create default permission
default = 'repository.read'
def_user = User.get_default_user()
for p in def_user.user_perms:
if p.permission.permission_name.startswith('repository.'):
default = p.permission.permission_name
break
default_perm = 'repository.none' if private else default
repo_to_perm = UserRepoToPerm()
repo_to_perm.permission = Permission.get_by_key(default_perm)
repo_to_perm.repository = repository
repo_to_perm.user_id = def_user.user_id
return repo_to_perm
def setUp(self):
self.u1 = UserModel().create_or_update(
username=u'u1', password=u'qweqwe',
email=u'*****@*****.**', firstname=u'u1', lastname=u'u1'
)
self.u2 = UserModel().create_or_update(
username=u'u2', password=u'qweqwe',
email=u'*****@*****.**', firstname=u'u2', lastname=u'u2'
)
self.u3 = UserModel().create_or_update(
username=u'u3', password=u'qweqwe',
email=u'*****@*****.**', firstname=u'u3', lastname=u'u3'
)
self.anon = User.get_default_user()
self.a1 = UserModel().create_or_update(
username=u'a1', password=u'qweqwe',
email=u'*****@*****.**', firstname=u'a1', lastname=u'a1', admin=True
)
Session().commit()
def __load_data(self, repo_name=None):
"""
Load defaults settings for edit, and update
:param repo_name:
"""
self.__load_defaults()
c.repo_info = db_repo = Repository.get_by_repo_name(repo_name)
repo = db_repo.scm_instance
if c.repo_info is None:
h.not_mapped_error(repo_name)
return redirect(url('repos'))
c.default_user_id = User.get_default_user().user_id
c.in_public_journal = UserFollowing.query()\
.filter(UserFollowing.user_id == c.default_user_id)\
.filter(UserFollowing.follows_repository == c.repo_info).scalar()
if c.repo_info.stats:
last_rev = c.repo_info.stats.stat_on_revision + 1
else:
last_rev = 0
c.stats_revision = last_rev
c.repo_last_rev = repo.count() if repo.revisions else 0
if last_rev == 0 or c.repo_last_rev == 0:
c.stats_percentage = 0
else:
c.stats_percentage = '%.2f' % ((float(
(last_rev)) / c.repo_last_rev) * 100)
defaults = RepoModel()._get_defaults(repo_name)
# alter the description to indicate a fork
defaults['description'] = (
'fork of repository: %s \n%s' %
(defaults['repo_name'], defaults['description']))
# add suffix to fork
defaults['repo_name'] = '%s-fork' % defaults['repo_name']
return defaults
def __load_data(self, repo_name=None):
"""
Load defaults settings for edit, and update
:param repo_name:
"""
self.__load_defaults()
c.repo_info = db_repo = Repository.get_by_repo_name(repo_name)
repo = db_repo.scm_instance
if c.repo_info is None:
h.not_mapped_error(repo_name)
return redirect(url('repos'))
c.default_user_id = User.get_default_user().user_id
c.in_public_journal = UserFollowing.query()\
.filter(UserFollowing.user_id == c.default_user_id)\
.filter(UserFollowing.follows_repository == c.repo_info).scalar()
if c.repo_info.stats:
last_rev = c.repo_info.stats.stat_on_revision+1
else:
last_rev = 0
c.stats_revision = last_rev
c.repo_last_rev = repo.count() if repo.revisions else 0
if last_rev == 0 or c.repo_last_rev == 0:
c.stats_percentage = 0
else:
c.stats_percentage = '%.2f' % ((float((last_rev)) /
c.repo_last_rev) * 100)
defaults = RepoModel()._get_defaults(repo_name)
# alter the description to indicate a fork
defaults['description'] = ('fork of repository: %s \n%s'
% (defaults['repo_name'],
defaults['description']))
# add suffix to fork
defaults['repo_name'] = '%s-fork' % defaults['repo_name']
return defaults
def register(self):
c.auto_active = 'hg.register.auto_activate' in User.get_default_user()\
.AuthUser.permissions['global']
if request.POST:
register_form = RegisterForm()()
try:
form_result = register_form.to_python(dict(request.POST))
form_result['active'] = c.auto_active
UserModel().create_registration(form_result)
h.flash(_('You have successfully registered into RhodeCode'),
category='success')
Session().commit()
return redirect(url('login_home'))
except formencode.Invalid, errors:
return htmlfill.render(
render('/register.html'),
defaults=errors.value,
errors=errors.error_dict or {},
prefix_error=False,
encoding="UTF-8")
def login_container_auth(username):
user = User.get_by_username(username)
if user is None:
user_attrs = {
'name': username,
'lastname': None,
'email': None,
'active': 'hg.extern_activate.auto' in User.get_default_user()\
.AuthUser.permissions['global']
}
user = UserModel().create_for_container_auth(username, user_attrs)
if not user:
return None
log.info('User %s was created by container authentication' % username)
if not user.active:
return None
user.update_lastlogin()
Session().commit()
log.debug('User %s is now logged in by container authentication',
user.username)
return user
def authenticate(username, password):
"""
Authentication function used for access control,
firstly checks for db authentication then if ldap is enabled for ldap
authentication, also creates ldap user if not in database
:param username: username
:param password: password
"""
user_model = UserModel()
user = User.get_by_username(username)
log.debug('Authenticating user using RhodeCode account')
if user is not None and not user.ldap_dn:
if user.active:
if user.username == 'default' and user.active:
log.info('user %s authenticated correctly as anonymous user' %
username)
return True
elif user.username == username and check_password(password,
user.password):
log.info('user %s authenticated correctly' % username)
return True
else:
log.warning('user %s tried auth but is disabled' % username)
else:
log.debug('Regular authentication failed')
user_obj = User.get_by_username(username, case_insensitive=True)
if user_obj is not None and not user_obj.ldap_dn:
log.debug('this user already exists as non ldap')
return False
ldap_settings = RhodeCodeSetting.get_ldap_settings()
#======================================================================
# FALLBACK TO LDAP AUTH IF ENABLE
#======================================================================
if str2bool(ldap_settings.get('ldap_active')):
log.debug("Authenticating user using ldap")
kwargs = {
'server': ldap_settings.get('ldap_host', ''),
'base_dn': ldap_settings.get('ldap_base_dn', ''),
'port': ldap_settings.get('ldap_port'),
'bind_dn': ldap_settings.get('ldap_dn_user'),
'bind_pass': ldap_settings.get('ldap_dn_pass'),
'tls_kind': ldap_settings.get('ldap_tls_kind'),
'tls_reqcert': ldap_settings.get('ldap_tls_reqcert'),
'ldap_filter': ldap_settings.get('ldap_filter'),
'search_scope': ldap_settings.get('ldap_search_scope'),
'attr_login': ldap_settings.get('ldap_attr_login'),
'ldap_version': 3,
}
log.debug('Checking for ldap authentication')
try:
aldap = AuthLdap(**kwargs)
(user_dn, ldap_attrs) = aldap.authenticate_ldap(username,
password)
log.debug('Got ldap DN response %s' % user_dn)
get_ldap_attr = lambda k: ldap_attrs.get(ldap_settings\
.get(k), [''])[0]
user_attrs = {
'name': safe_unicode(get_ldap_attr('ldap_attr_firstname')),
'lastname': safe_unicode(get_ldap_attr('ldap_attr_lastname')),
'email': get_ldap_attr('ldap_attr_email'),
'active': 'hg.extern_activate.auto' in User.get_default_user()\
.AuthUser.permissions['global']
}
# don't store LDAP password since we don't need it. Override
# with some random generated password
_password = PasswordGenerator().gen_password(length=8)
# create this user on the fly if it doesn't exist in rhodecode
# database
if user_model.create_ldap(username, _password, user_dn,
user_attrs):
log.info('created new ldap user %s' % username)
Session().commit()
return True
except (LdapUsernameError, LdapPasswordError, LdapImportError):
pass
except (Exception,):
log.error(traceback.format_exc())
pass
return False
