def get_all_user_repos(self, user):
"""
Get's all repositories that user have at least read access
:param user:
"""
from rhodecode.lib.auth import AuthUser
user = self._get_user(user)
repos = AuthUser(user_id=user.user_id).permissions['repositories']
access_check = lambda r: r[1] in ['repository.read',
'repository.write',
'repository.admin']
repos = [x[0] for x in filter(access_check, repos.items())]
return Repository.query().filter(Repository.repo_name.in_(repos))
def index(self):
# redirect if already logged in
c.came_from = request.GET.get('came_from', None)
if self.rhodecode_user.is_authenticated \
and self.rhodecode_user.username != 'default':
return redirect(url('home'))
if request.POST:
# import Login Form validator class
login_form = LoginForm()
try:
c.form_result = login_form.to_python(dict(request.POST))
# form checks for username/password, now we're authenticated
username = c.form_result['username']
user = User.get_by_username(username, case_insensitive=True)
auth_user = AuthUser(user.user_id)
auth_user.set_authenticated()
cs = auth_user.get_cookie_store()
session['rhodecode_user'] = cs
# If they want to be remembered, update the cookie
if c.form_result['remember'] is not False:
session.cookie_expires = False
session._set_cookie_values()
session._update_cookie_out()
session.save()
log.info('user %s is now authenticated and stored in '
'session, session attrs %s' % (username, cs))
user.update_lastlogin()
Session.commit()
if c.came_from:
return redirect(c.came_from)
else:
return redirect(url('home'))
except formencode.Invalid, errors:
return htmlfill.render(
render('/login.html'),
defaults=errors.value,
errors=errors.error_dict or {},
prefix_error=False,
encoding="UTF-8")
def index(self):
# redirect if already logged in
c.came_from = request.GET.get("came_from", None)
if self.rhodecode_user.is_authenticated and self.rhodecode_user.username != "default":
return redirect(url("home"))
if request.POST:
# import Login Form validator class
login_form = LoginForm()
try:
c.form_result = login_form.to_python(dict(request.POST))
# form checks for username/password, now we're authenticated
username = c.form_result["username"]
user = User.get_by_username(username, case_insensitive=True)
auth_user = AuthUser(user.user_id)
auth_user.set_authenticated()
session["rhodecode_user"] = auth_user
session.save()
log.info("user %s is now authenticated and stored in session", username)
user.update_lastlogin()
if c.came_from:
return redirect(c.came_from)
else:
return redirect(url("home"))
except formencode.Invalid, errors:
return htmlfill.render(
render("/login.html"),
defaults=errors.value,
errors=errors.error_dict or {},
prefix_error=False,
encoding="UTF-8",
)
def test_default_admin_group_perms(self):
self.g1 = fixture.create_group('test1', skip_if_exists=True)
self.g2 = fixture.create_group('test2', skip_if_exists=True)
a1_auth = AuthUser(user_id=self.a1.user_id)
perms = {
'repositories_groups': {
u'test1': 'group.admin',
u'test2': 'group.admin'
},
'global': set(['hg.admin']),
'repositories': {
u'vcs_test_hg': 'repository.admin'
}
}
self.assertEqual(a1_auth.permissions['repositories'][HG_REPO],
perms['repositories'][HG_REPO])
self.assertEqual(a1_auth.permissions['repositories_groups'],
perms['repositories_groups'])
def test_default_group_perms(self):
self.g1 = fixture.create_group('test1', skip_if_exists=True)
self.g2 = fixture.create_group('test2', skip_if_exists=True)
u1_auth = AuthUser(user_id=self.u1.user_id)
perms = {
'repositories_groups': {
u'test1': 'group.read',
u'test2': 'group.read'
},
'global': set(Permission.DEFAULT_USER_PERMISSIONS),
'repositories': {
u'vcs_test_hg': u'repository.read'
}
}
self.assertEqual(u1_auth.permissions['repositories'][HG_REPO],
perms['repositories'][HG_REPO])
self.assertEqual(u1_auth.permissions['repositories_groups'],
perms['repositories_groups'])
self.assertEqual(u1_auth.permissions['global'], perms['global'])
def edit(self, user_id):
"""GET /users/user_id/edit: Form to edit an existing item"""
# url('edit_user', user_id=ID)
user_id = safe_int(user_id)
c.user = User.get_or_404(user_id)
if c.user.username == User.DEFAULT_USER:
h.flash(_("You can't edit this user"), category='warning')
return redirect(url('users'))
c.active = 'profile'
c.extern_type = c.user.extern_type
c.extern_name = c.user.extern_name
c.perm_user = AuthUser(user_id=user_id, ip_addr=self.ip_addr)
defaults = c.user.get_dict()
defaults.update({'language': c.user.user_data.get('language')})
return htmlfill.render(render('admin/users/user_edit.html'),
defaults=defaults,
encoding="UTF-8",
force_defaults=False)
def test_inherited_permissions_from_default_on_user_disabled(self):
user_model = UserModel()
# disable fork and create on default user
usr = '******'
user_model.revoke_perm(usr, 'hg.create.repository')
user_model.grant_perm(usr, 'hg.create.none')
user_model.revoke_perm(usr, 'hg.fork.repository')
user_model.grant_perm(usr, 'hg.fork.none')
# make sure inherit flag is turned on
self.u1.inherit_default_permissions = True
Session().commit()
u1_auth = AuthUser(user_id=self.u1.user_id)
# this user will have inherited permissions from default user
self.assertEqual(
u1_auth.permissions['global'],
set([
'hg.create.none', 'hg.fork.none',
'hg.register.manual_activate', 'hg.extern_activate.auto',
'repository.read', 'group.read', 'usergroup.read'
]))
def get_user(self, apiuser, userid=Optional(OAttr('apiuser'))):
""""
Get a user by username, or userid, if userid is given
:param apiuser:
:param userid:
"""
if not HasPermissionAnyApi('hg.admin')(user=apiuser):
#make sure normal user does not pass someone else userid,
#he is not allowed to do that
if not isinstance(userid, Optional) and userid != apiuser.user_id:
raise JSONRPCError('userid is not the same as your user')
if isinstance(userid, Optional):
userid = apiuser.user_id
user = get_user_or_error(userid)
data = user.get_api_data()
data['permissions'] = AuthUser(user_id=user.user_id).permissions
return data
def my_account_update(self):
"""PUT /_admin/my_account_update: Update an existing item"""
# Forms posted to this method should contain a hidden field:
# <input type="hidden" name="_method" value="PUT" />
# Or using helpers:
# h.form(url('admin_settings_my_account_update'),
# method='put')
# url('admin_settings_my_account_update', id=ID)
uid = self.rhodecode_user.user_id
c.user = User.get(self.rhodecode_user.user_id)
c.perm_user = AuthUser(user_id=self.rhodecode_user.user_id,
ip_addr=self.ip_addr)
c.ldap_dn = c.user.ldap_dn
email = self.rhodecode_user.email
_form = UserForm(edit=True, old_data={
'user_id': uid,
'email': email
})()
form_result = {}
try:
form_result = _form.to_python(dict(request.POST))
skip_attrs = ['admin', 'active'] # skip attr for my account
if c.ldap_dn:
#forbid updating username for ldap accounts
skip_attrs.append('username')
UserModel().update(uid, form_result, skip_attrs=skip_attrs)
h.flash(_('Your account was updated successfully'),
category='success')
Session().commit()
except formencode.Invalid, errors:
#json used to render the grid
c.data = self._load_my_repos_data()
c.form = htmlfill.render(
render('admin/users/user_edit_my_account_form.html'),
defaults=errors.value,
errors=errors.error_dict or {},
prefix_error=False,
encoding="UTF-8")
return render('admin/users/user_edit_my_account.html')
def test_default_group_perms(self):
self.g1 = _make_group('test1', skip_if_exists=True)
self.g2 = _make_group('test2', skip_if_exists=True)
u1_auth = AuthUser(user_id=self.u1.user_id)
perms = {
'repositories_groups': {
u'test1': 'group.read',
u'test2': 'group.read'
},
'global':
set([
u'hg.create.repository', u'repository.read',
u'hg.register.manual_activate'
]),
'repositories': {
u'vcs_test_hg': u'repository.read'
}
}
self.assertEqual(u1_auth.permissions['repositories'][HG_REPO],
perms['repositories'][HG_REPO])
self.assertEqual(u1_auth.permissions['repositories_groups'],
perms['repositories_groups'])
def get_user(self, apiuser, userid):
""""
Get a user by username
:param apiuser:
:param username:
"""
user = UserModel().get_user(userid)
if user is None:
return user
return dict(
id=user.user_id,
username=user.username,
firstname=user.name,
lastname=user.lastname,
email=user.email,
active=user.active,
admin=user.admin,
ldap_dn=user.ldap_dn,
last_login=user.last_login,
permissions=AuthUser(user_id=user.user_id).permissions
)
def get_user(request, apiuser, userid=Optional(OAttr('apiuser'))):
"""
Returns the information associated with a username or userid.
* If the ``userid`` is not set, this command returns the information
for the ``userid`` calling the method.
.. note::
Normal users may only run this command against their ``userid``. For
full privileges you must run this command using an |authtoken| with
admin rights.
:param apiuser: This is filled automatically from the |authtoken|.
:type apiuser: AuthUser
:param userid: Sets the userid for which data will be returned.
:type userid: Optional(str or int)
Example output:
.. code-block:: bash
{
"error": null,
"id": <id>,
"result": {
"active": true,
"admin": false,
"api_key": "api-key",
"api_keys": [ list of keys ],
"email": "*****@*****.**",
"emails": [
"*****@*****.**"
],
"extern_name": "rhodecode",
"extern_type": "rhodecode",
"firstname": "username",
"ip_addresses": [],
"language": null,
"last_login": "******",
"lastname": "surnae",
"permissions": {
"global": [
"hg.inherit_default_perms.true",
"usergroup.read",
"hg.repogroup.create.false",
"hg.create.none",
"hg.extern_activate.manual",
"hg.create.write_on_repogroup.false",
"hg.usergroup.create.false",
"group.none",
"repository.none",
"hg.register.none",
"hg.fork.repository"
],
"repositories": { "username/example": "repository.write"},
"repositories_groups": { "user-group/repo": "group.none" },
"user_groups": { "user_group_name": "usergroup.read" }
},
"user_id": 32,
"username": "******"
}
}
"""
if not has_superadmin_permission(apiuser):
# make sure normal user does not pass someone else userid,
# he is not allowed to do that
if not isinstance(userid, Optional) and userid != apiuser.user_id:
raise JSONRPCError('userid is not the same as your user')
userid = Optional.extract(userid, evaluate_locals=locals())
userid = getattr(userid, 'user_id', userid)
user = get_user_or_error(userid)
data = user.get_api_data(include_secrets=True)
data['permissions'] = AuthUser(user_id=user.user_id).permissions
return data
def index(self):
# redirect if already logged in
c.came_from = request.GET.get('came_from')
not_default = self.rhodecode_user.username != 'default'
ip_allowed = self.rhodecode_user.ip_allowed
if self.rhodecode_user.is_authenticated and not_default and ip_allowed:
return redirect(url('home'))
if request.POST:
# import Login Form validator class
login_form = LoginForm()
try:
session.invalidate()
c.form_result = login_form.to_python(dict(request.POST))
# form checks for username/password, now we're authenticated
username = c.form_result['username']
user = User.get_by_username(username, case_insensitive=True)
auth_user = AuthUser(user.user_id)
auth_user.set_authenticated()
cs = auth_user.get_cookie_store()
session['rhodecode_user'] = cs
user.update_lastlogin()
Session().commit()
# If they want to be remembered, update the cookie
if c.form_result['remember']:
_year = (datetime.datetime.now() +
datetime.timedelta(seconds=60 * 60 * 24 * 365))
session._set_cookie_expires(_year)
session.save()
log.info('user %s is now authenticated and stored in '
'session, session attrs %s' % (username, cs))
# dumps session attrs back to cookie
session._update_cookie_out()
# we set new cookie
headers = None
if session.request['set_cookie']:
# send set-cookie headers back to response to update cookie
headers = [('Set-Cookie', session.request['cookie_out'])]
allowed_schemes = ['http', 'https']
if c.came_from:
parsed = urlparse.urlparse(c.came_from)
server_parsed = urlparse.urlparse(url.current())
if parsed.scheme and parsed.scheme not in allowed_schemes:
log.error(
'Suspicious URL scheme detected %s for url %s' %
(parsed.scheme, parsed))
c.came_from = url('home')
elif server_parsed.netloc != parsed.netloc:
log.error('Suspicious NETLOC detected %s for url %s'
'server url is: %s' %
(parsed.netloc, parsed, server_parsed))
c.came_from = url('home')
raise HTTPFound(location=c.came_from, headers=headers)
else:
raise HTTPFound(location=url('home'), headers=headers)
except formencode.Invalid, errors:
return htmlfill.render(
render('/login.html'),
defaults=errors.value,
errors=errors.error_dict or {},
prefix_error=False,
encoding="UTF-8")
def index(self):
# redirect if already logged in
c.came_from = request.GET.get('came_from')
not_default = self.rhodecode_user.username != 'default'
ip_allowed = self.rhodecode_user.ip_allowed
if self.rhodecode_user.is_authenticated and not_default and ip_allowed:
return redirect(url('home'))
if request.POST:
# import Login Form validator class
login_form = LoginForm()
try:
session.invalidate()
c.form_result = login_form.to_python(dict(request.POST))
# form checks for username/password, now we're authenticated
username = c.form_result['username']
user = User.get_by_username(username, case_insensitive=True)
auth_user = AuthUser(user.user_id)
auth_user.set_authenticated()
cs = auth_user.get_cookie_store()
session['rhodecode_user'] = cs
user.update_lastlogin()
Session().commit()
# If they want to be remembered, update the cookie
if c.form_result['remember']:
_year = (datetime.datetime.now() +
datetime.timedelta(seconds=60 * 60 * 24 * 365))
session._set_cookie_expires(_year)
session.save()
log.info('user %s is now authenticated and stored in '
'session, session attrs %s' % (username, cs))
# dumps session attrs back to cookie
session._update_cookie_out()
# we set new cookie
headers = None
if session.request['set_cookie']:
# send set-cookie headers back to response to update cookie
headers = [('Set-Cookie', session.request['cookie_out'])]
allowed_schemes = ['http', 'https']
if c.came_from:
parsed = urlparse.urlparse(c.came_from)
server_parsed = urlparse.urlparse(url.current())
if parsed.scheme and parsed.scheme not in allowed_schemes:
log.error(
'Suspicious URL scheme detected %s for url %s' %
(parsed.scheme, parsed))
c.came_from = url('home')
elif server_parsed.netloc != parsed.netloc:
log.error('Suspicious NETLOC detected %s for url %s'
'server url is: %s' %
(parsed.netloc, parsed, server_parsed))
c.came_from = url('home')
raise HTTPFound(location=c.came_from, headers=headers)
else:
raise HTTPFound(location=url('home'), headers=headers)
except formencode.Invalid, errors:
return htmlfill.render(
render('/login.html'),
defaults=errors.value,
errors=errors.error_dict or {},
prefix_error=False,
encoding="UTF-8")
except UserCreationError, e:
# container auth or other auth functions that create users on
# the fly can throw this exception signaling that there's issue
# with user creation, explanation should be provided in
# Exception itself
h.flash(e, 'error')
def request_view(request):
"""
Main request handling method. It handles all logic to call a specific
exposed method
"""
# check if we can find this session using api_key, get_by_auth_token
# search not expired tokens only
try:
u = User.get_by_auth_token(request.rpc_api_key)
if u is None:
return jsonrpc_error(request,
retid=request.rpc_id,
message='Invalid API KEY')
if not u.active:
return jsonrpc_error(request,
retid=request.rpc_id,
message='Request from this user not allowed')
# check if we are allowed to use this IP
auth_u = AuthUser(u.user_id,
request.rpc_api_key,
ip_addr=request.rpc_ip_addr)
if not auth_u.ip_allowed:
return jsonrpc_error(request,
retid=request.rpc_id,
message='Request from IP:%s not allowed' %
(request.rpc_ip_addr, ))
else:
log.info('Access for IP:%s allowed' % (request.rpc_ip_addr, ))
# now check if token is valid for API
role = UserApiKeys.ROLE_API
extra_auth_tokens = [
x.api_key for x in User.extra_valid_auth_tokens(u, role=role)
]
active_tokens = [u.api_key] + extra_auth_tokens
log.debug('Checking if API key has proper role')
if request.rpc_api_key not in active_tokens:
return jsonrpc_error(
request,
retid=request.rpc_id,
message='API KEY has bad role for an API call')
except Exception as e:
log.exception('Error on API AUTH')
return jsonrpc_error(request,
retid=request.rpc_id,
message='Invalid API KEY')
method = request.rpc_method
func = request.registry.jsonrpc_methods[method]
# now that we have a method, add request._req_params to
# self.kargs and dispatch control to WGIController
argspec = inspect.getargspec(func)
arglist = argspec[0]
defaults = map(type, argspec[3] or [])
default_empty = types.NotImplementedType
# kw arguments required by this method
func_kwargs = dict(
itertools.izip_longest(reversed(arglist),
reversed(defaults),
fillvalue=default_empty))
# This attribute will need to be first param of a method that uses
# api_key, which is translated to instance of user at that name
user_var = 'apiuser'
request_var = 'request'
for arg in [user_var, request_var]:
if arg not in arglist:
return jsonrpc_error(request,
retid=request.rpc_id,
message='This method [%s] does not support '
'required parameter `%s`' %
(func.__name__, arg))
# get our arglist and check if we provided them as args
for arg, default in func_kwargs.items():
if arg in [user_var, request_var]:
# user_var and request_var are pre-hardcoded parameters and we
# don't need to do any translation
continue
# skip the required param check if it's default value is
# NotImplementedType (default_empty)
if default == default_empty and arg not in request.rpc_params:
return jsonrpc_error(
request,
retid=request.rpc_id,
message=('Missing non optional `%s` arg in JSON DATA' % arg))
# sanitze extra passed arguments
for k in request.rpc_params.keys()[:]:
if k not in func_kwargs:
del request.rpc_params[k]
call_params = request.rpc_params
call_params.update({'request': request, 'apiuser': auth_u})
try:
ret_value = func(**call_params)
return jsonrpc_response(request, ret_value)
except JSONRPCBaseError:
raise
except Exception:
log.exception('Unhandled exception occured on api call: %s', func)
return jsonrpc_error(request,
retid=request.rpc_id,
message='Internal server error')
def test_repo_in_group_permissions(self):
self.g1 = fixture.create_group('group1', skip_if_exists=True)
self.g2 = fixture.create_group('group2', skip_if_exists=True)
# both perms should be read !
u1_auth = AuthUser(user_id=self.u1.user_id)
self.assertEqual(u1_auth.permissions['repositories_groups'], {
u'group1': u'group.read',
u'group2': u'group.read'
})
a1_auth = AuthUser(user_id=self.anon.user_id)
self.assertEqual(a1_auth.permissions['repositories_groups'], {
u'group1': u'group.read',
u'group2': u'group.read'
})
#Change perms to none for both groups
ReposGroupModel().grant_user_permission(repos_group=self.g1,
user=self.anon,
perm='group.none')
ReposGroupModel().grant_user_permission(repos_group=self.g2,
user=self.anon,
perm='group.none')
u1_auth = AuthUser(user_id=self.u1.user_id)
self.assertEqual(u1_auth.permissions['repositories_groups'], {
u'group1': u'group.none',
u'group2': u'group.none'
})
a1_auth = AuthUser(user_id=self.anon.user_id)
self.assertEqual(a1_auth.permissions['repositories_groups'], {
u'group1': u'group.none',
u'group2': u'group.none'
})
# add repo to group
name = RepoGroup.url_sep().join([self.g1.group_name, 'test_perm'])
self.test_repo = fixture.create_repo(
name=name,
repo_type='hg',
repos_group=self.g1,
cur_user=self.u1,
)
u1_auth = AuthUser(user_id=self.u1.user_id)
self.assertEqual(u1_auth.permissions['repositories_groups'], {
u'group1': u'group.none',
u'group2': u'group.none'
})
a1_auth = AuthUser(user_id=self.anon.user_id)
self.assertEqual(a1_auth.permissions['repositories_groups'], {
u'group1': u'group.none',
u'group2': u'group.none'
})
#grant permission for u2 !
ReposGroupModel().grant_user_permission(repos_group=self.g1,
user=self.u2,
perm='group.read')
ReposGroupModel().grant_user_permission(repos_group=self.g2,
user=self.u2,
perm='group.read')
Session().commit()
self.assertNotEqual(self.u1, self.u2)
#u1 and anon should have not change perms while u2 should !
u1_auth = AuthUser(user_id=self.u1.user_id)
self.assertEqual(u1_auth.permissions['repositories_groups'], {
u'group1': u'group.none',
u'group2': u'group.none'
})
u2_auth = AuthUser(user_id=self.u2.user_id)
self.assertEqual(u2_auth.permissions['repositories_groups'], {
u'group1': u'group.read',
u'group2': u'group.read'
})
a1_auth = AuthUser(user_id=self.anon.user_id)
self.assertEqual(a1_auth.permissions['repositories_groups'], {
u'group1': u'group.none',
u'group2': u'group.none'
})
def my_account_update(self):
"""
POST /_admin/my_account Updates info of my account
"""
# url('my_account')
c.active = 'profile_edit'
self.__load_data()
c.perm_user = AuthUser(user_id=c.rhodecode_user.user_id,
ip_addr=self.ip_addr)
c.extern_type = c.user.extern_type
c.extern_name = c.user.extern_name
defaults = c.user.get_dict()
update = False
_form = UserForm(edit=True,
old_data={
'user_id': c.rhodecode_user.user_id,
'email': c.rhodecode_user.email
})()
form_result = {}
try:
post_data = dict(request.POST)
post_data['new_password'] = ''
post_data['password_confirmation'] = ''
form_result = _form.to_python(post_data)
# skip updating those attrs for my account
skip_attrs = [
'admin', 'active', 'extern_type', 'extern_name',
'new_password', 'password_confirmation'
]
# TODO: plugin should define if username can be updated
if c.extern_type != "rhodecode":
# forbid updating username for external accounts
skip_attrs.append('username')
UserModel().update_user(c.rhodecode_user.user_id,
skip_attrs=skip_attrs,
**form_result)
h.flash(_('Your account was updated successfully'),
category='success')
Session().commit()
update = True
except formencode.Invalid as errors:
return htmlfill.render(render('admin/my_account/my_account.html'),
defaults=errors.value,
errors=errors.error_dict or {},
prefix_error=False,
encoding="UTF-8",
force_defaults=False)
except Exception:
log.exception("Exception updating user")
h.flash(_('Error occurred during update of user %s') %
form_result.get('username'),
category='error')
if update:
return redirect('my_account')
return htmlfill.render(render('admin/my_account/my_account.html'),
defaults=defaults,
encoding="UTF-8",
force_defaults=False)
def index(self, repo_name=None):
searcher = searcher_from_config(config)
formatted_results = []
execution_time = ''
schema = validation_schema.SearchParamsSchema()
search_params = {}
errors = []
try:
search_params = schema.deserialize(
dict(search_query=request.GET.get('q'),
search_type=request.GET.get('type'),
search_sort=request.GET.get('sort'),
page_limit=request.GET.get('page_limit'),
requested_page=request.GET.get('page'))
)
except validation_schema.Invalid as e:
errors = e.children
def url_generator(**kw):
q = urllib.quote(safe_str(search_query))
return update_params(
"?q=%s&type=%s" % (q, safe_str(search_type)), **kw)
search_query = search_params.get('search_query')
search_type = search_params.get('search_type')
search_sort = search_params.get('search_sort')
if search_params.get('search_query'):
page_limit = search_params['page_limit']
requested_page = search_params['requested_page']
c.perm_user = AuthUser(user_id=c.rhodecode_user.user_id,
ip_addr=self.ip_addr)
try:
search_result = searcher.search(
search_query, search_type, c.perm_user, repo_name,
requested_page, page_limit, search_sort)
formatted_results = Page(
search_result['results'], page=requested_page,
item_count=search_result['count'],
items_per_page=page_limit, url=url_generator)
finally:
searcher.cleanup()
if not search_result['error']:
execution_time = '%s results (%.3f seconds)' % (
search_result['count'],
search_result['runtime'])
elif not errors:
node = schema['search_query']
errors = [
validation_schema.Invalid(node, search_result['error'])]
c.sort = search_sort
c.url_generator = url_generator
c.errors = errors
c.formatted_results = formatted_results
c.runtime = execution_time
c.cur_query = search_query
c.search_type = search_type
# Return a rendered template
return render('/search/search.html')
def global_perms(user):
auth_user = AuthUser(user_id=user.user_id)
return auth_user.permissions['global']
def user_group_perms(user):
auth_user = AuthUser(user_id=user.user_id)
return auth_user.permissions['user_groups']
'method: %s, params: %s' % (self._req_method,
self._request_params)
)
except KeyError, e:
return jsonrpc_error(retid=self._req_id,
message='Incorrect JSON query missing %s' % e)
# check if we can find this session using api_key
try:
u = User.get_by_api_key(self._req_api_key)
if u is None:
return jsonrpc_error(retid=self._req_id,
message='Invalid API KEY')
#check if we are allowed to use this IP
auth_u = AuthUser(u.user_id, self._req_api_key, ip_addr=ip_addr)
if not auth_u.ip_allowed:
return jsonrpc_error(retid=self._req_id,
message='request from IP:%s not allowed' % (ip_addr))
else:
log.info('Access for IP:%s allowed' % (ip_addr))
except Exception, e:
return jsonrpc_error(retid=self._req_id,
message='Invalid API KEY')
self._error = None
try:
self._func = self._find_method()
except AttributeError, e:
return jsonrpc_error(retid=self._req_id,
try:
self._req_api_key = json_body['api_key']
self._req_id = json_body['id']
self._req_method = json_body['method']
self._request_params = json_body['args']
log.debug('method: %s, params: %s' %
(self._req_method, self._request_params))
except KeyError, e:
return jsonrpc_error(message='Incorrect JSON query missing %s' % e)
# check if we can find this session using api_key
try:
u = User.get_by_api_key(self._req_api_key)
if u is None:
return jsonrpc_error(message='Invalid API KEY')
auth_u = AuthUser(u.user_id, self._req_api_key)
except Exception, e:
return jsonrpc_error(message='Invalid API KEY')
self._error = None
try:
self._func = self._find_method()
except AttributeError, e:
return jsonrpc_error(message=str(e))
# now that we have a method, add self._req_params to
# self.kargs and dispatch control to WGIController
argspec = inspect.getargspec(self._func)
arglist = argspec[0][1:]
defaults = map(type, argspec[3] or [])
default_empty = types.NotImplementedType
def test_repo_in_group_permissions(self):
self.g1 = _make_group('group1', skip_if_exists=True)
self.g2 = _make_group('group2', skip_if_exists=True)
Session.commit()
# both perms should be read !
u1_auth = AuthUser(user_id=self.u1.user_id)
self.assertEqual(u1_auth.permissions['repositories_groups'], {
u'group1': u'group.read',
u'group2': u'group.read'
})
a1_auth = AuthUser(user_id=self.anon.user_id)
self.assertEqual(a1_auth.permissions['repositories_groups'], {
u'group1': u'group.read',
u'group2': u'group.read'
})
#Change perms to none for both groups
ReposGroupModel().grant_user_permission(repos_group=self.g1,
user=self.anon,
perm='group.none')
ReposGroupModel().grant_user_permission(repos_group=self.g2,
user=self.anon,
perm='group.none')
u1_auth = AuthUser(user_id=self.u1.user_id)
self.assertEqual(u1_auth.permissions['repositories_groups'], {
u'group1': u'group.none',
u'group2': u'group.none'
})
a1_auth = AuthUser(user_id=self.anon.user_id)
self.assertEqual(a1_auth.permissions['repositories_groups'], {
u'group1': u'group.none',
u'group2': u'group.none'
})
# add repo to group
form_data = {
'repo_name':
HG_REPO,
'repo_name_full':
RepoGroup.url_sep().join([self.g1.group_name, HG_REPO]),
'repo_type':
'hg',
'clone_uri':
'',
'repo_group':
self.g1.group_id,
'description':
'desc',
'private':
False
}
self.test_repo = RepoModel().create(form_data, cur_user=self.u1)
Session.commit()
u1_auth = AuthUser(user_id=self.u1.user_id)
self.assertEqual(u1_auth.permissions['repositories_groups'], {
u'group1': u'group.none',
u'group2': u'group.none'
})
a1_auth = AuthUser(user_id=self.anon.user_id)
self.assertEqual(a1_auth.permissions['repositories_groups'], {
u'group1': u'group.none',
u'group2': u'group.none'
})
#grant permission for u2 !
ReposGroupModel().grant_user_permission(repos_group=self.g1,
user=self.u2,
perm='group.read')
ReposGroupModel().grant_user_permission(repos_group=self.g2,
user=self.u2,
perm='group.read')
Session.commit()
self.assertNotEqual(self.u1, self.u2)
#u1 and anon should have not change perms while u2 should !
u1_auth = AuthUser(user_id=self.u1.user_id)
self.assertEqual(u1_auth.permissions['repositories_groups'], {
u'group1': u'group.none',
u'group2': u'group.none'
})
u2_auth = AuthUser(user_id=self.u2.user_id)
self.assertEqual(u2_auth.permissions['repositories_groups'], {
u'group1': u'group.read',
u'group2': u'group.read'
})
a1_auth = AuthUser(user_id=self.anon.user_id)
self.assertEqual(a1_auth.permissions['repositories_groups'], {
u'group1': u'group.none',
u'group2': u'group.none'
})
def group_perms(user):
auth_user = AuthUser(user_id=user.user_id)
return auth_user.permissions['repositories_groups']
