diff --git a/rhodecode/api/views/user_group_api.py b/rhodecode/api/views/user_group_api.py
--- a/rhodecode/api/views/user_group_api.py
+++ b/rhodecode/api/views/user_group_api.py
@@ -638,8 +638,18 @@ def grant_user_permission_to_user_group(
 perm = get_perm_or_error(perm, prefix='usergroup.')
 try:
- UserGroupModel().grant_user_permission(
+ changes = UserGroupModel().grant_user_permission(
 user_group=user_group, user=user, perm=perm)
+
+ action_data = {
+ 'added': changes['added'],
+ 'updated': changes['updated'],
+ 'deleted': changes['deleted'],
+ }
+ audit_logger.store_api(
+ 'user_group.edit.permissions', action_data=action_data,
+ user=apiuser)
+
 Session().commit()
 return {
 'msg':
@@ -698,8 +708,17 @@ def revoke_user_permission_from_user_gro
 user = get_user_or_error(userid)
 try:
- UserGroupModel().revoke_user_permission(
+ changes = UserGroupModel().revoke_user_permission(
 user_group=user_group, user=user)
+ action_data = {
+ 'added': changes['added'],
+ 'updated': changes['updated'],
+ 'deleted': changes['deleted'],
+ }
+ audit_logger.store_api(
+ 'user_group.edit.permissions', action_data=action_data,
+ user=apiuser)
+
 Session().commit()
 return {
 'msg': 'Revoked perm for user: `%s` in user group: `%s`' % (
@@ -764,11 +783,20 @@ def grant_user_group_permission_to_user_
 'user group `%s` does not exist' % (sourceusergroupid,))
 try:
- UserGroupModel().grant_user_group_permission(
+ changes = UserGroupModel().grant_user_group_permission(
 target_user_group=target_user_group,
 user_group=user_group, perm=perm)
+
+ action_data = {
+ 'added': changes['added'],
+ 'updated': changes['updated'],
+ 'deleted': changes['deleted'],
+ }
+ audit_logger.store_api(
+ 'user_group.edit.permissions', action_data=action_data,
+ user=apiuser)
+
 Session().commit()
-
 return {
 'msg': 'Granted perm: `%s` for user group: `%s` '
 'in user group: `%s`' % (
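Review bot: In the hunk at 638 the audit record is written by `audit_logger.store_api(...)` before `Session().commit()` and inside the same `try`, so if the commit fails the audit trail can describe a permission grant that was never persisted, or, if store_api writes through the same session, the audit row is lost together with the change; which of the two happens depends on how store_api persists, which is not visible here. The `except` paired with this `try` is outside the hunk, so it is also unclear whether a failure inside store_api itself surfaces as a permission error to the API caller. The same pattern is repeated in the hunks at 698, 764 and 835, and each one rebuilds `action_data` by copying the three keys that `changes` already holds; `action_data = {k: changes[k] for k in ('added', 'updated', 'deleted')}` (or one shared helper that builds and stores the entry) would keep the four call sites from drifting. A short comment at the store_api call, `# audit is recorded before commit; confirm store_api persists independently of this session`, would document the ordering choice for the next reader.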
@@ -835,8 +863,17 @@ def revoke_user_group_permission_from_us
 'user group `%s` does not exist' % (sourceusergroupid,))
 try:
- UserGroupModel().revoke_user_group_permission(
+ changes = UserGroupModel().revoke_user_group_permission(
 target_user_group=target_user_group,
 user_group=user_group)
+ action_data = {
+ 'added': changes['added'],
+ 'updated': changes['updated'],
+ 'deleted': changes['deleted'],
+ }
+ audit_logger.store_api(
+ 'user_group.edit.permissions', action_data=action_data,
+ user=apiuser)
+
 Session().commit()
 return {
diff --git a/rhodecode/model/user_group.py b/rhodecode/model/user_group.py
--- a/rhodecode/model/user_group.py
+++ b/rhodecode/model/user_group.py
@@ -80,6 +80,7 @@ class UserGroupModel(BaseModel):
 'updated': [],
 'deleted': []
 }
+ change_obj = user_group.get_api_data()
 # update permissions
 for member_id, perm, member_type in perm_updates:
 member_id = int(member_id)
@@ -97,8 +98,10 @@ class UserGroupModel(BaseModel):
 self.grant_user_group_permission(
 target_user_group=user_group,
 user_group=member_id, perm=perm)
- changes['updated'].append({'type': member_type, 'id': member_id,
- 'name': member_name, 'new_perm': perm})
+ changes['updated'].append({
+ 'change_obj': change_obj,
+ 'type': member_type, 'id': member_id,
+ 'name': member_name, 'new_perm': perm})
 # set new permissions
 for member_id, perm, member_type in perm_additions:
@@ -115,8 +118,10 @@ class UserGroupModel(BaseModel):
 self.grant_user_group_permission(
 target_user_group=user_group,
 user_group=member_id, perm=perm)
- changes['added'].append({'type': member_type, 'id': member_id,
- 'name': member_name, 'new_perm': perm})
+ changes['added'].append({
+ 'change_obj': change_obj,
+ 'type': member_type, 'id': member_id,
+ 'name': member_name, 'new_perm': perm})
 # delete permissions
 for member_id, perm, member_type in perm_deletions:
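Review bot: In the hunk at 80 `change_obj = user_group.get_api_data()` is captured once before any of the loops that grant or revoke permissions, and that same dict object is then placed into every entry appended in the hunks at 97, 115 and 132, so each audit entry of `update_permissions` carries a pre-change snapshot of the group, shared by reference. The single-operation methods changed in the same file (hunks at 422, 476, 528 and 567) instead call `get_api_data()` after the grant or revoke has been applied, so a consumer of the `user_group.edit.permissions` event sees a post-change snapshot from the API views but a pre-change one from `update_permissions`; if `get_api_data()` reflects anything these grants modify, the two paths will disagree for the same event type. Whichever ordering is intended, a comment at the capture site would make it explicit: `# snapshot of the group before any permission is applied; shared by every change entry below`. The body of `update_permissions` starts and ends outside these hunks.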
@@ -132,8 +137,11 @@ class UserGroupModel(BaseModel):
 self.revoke_user_group_permission(
 target_user_group=user_group, user_group=member_id)
- changes['deleted'].append({'type': member_type, 'id': member_id,
- 'name': member_name, 'new_perm': perm})
+ changes['deleted'].append({
+ 'change_obj': change_obj,
+ 'type': member_type, 'id': member_id,
+ 'name': member_name, 'new_perm': perm})
+ return changes
 def get(self, user_group_id, cache=False):
@@ -400,10 +408,18 @@ class UserGroupModel(BaseModel):
 :param user: Instance of User, user_id or username
 :param perm: Instance of Permission, or permission_name
 """
+ changes = {
+ 'added': [],
+ 'updated': [],
+ 'deleted': []
+ }
 user_group = self._get_user_group(user_group)
 user = self._get_user(user)
 permission = self._get_perm(perm)
+ perm_name = permission.permission_name
+ member_id = user.user_id
+ member_name = user.username
 # check if we have that permission already
 obj = self.sa.query(UserUserGroupToPerm)\
@@ -422,7 +438,12 @@ class UserGroupModel(BaseModel):
 'granted permission: {} to user: {} on usergroup: {}'.format(
 perm, user, user_group),
 namespace='security.usergroup')
- return obj
+ changes['added'].append({
+ 'change_obj': user_group.get_api_data(),
+ 'type': 'user', 'id': member_id,
+ 'name': member_name, 'new_perm': perm_name})
+
+ return changes
 def revoke_user_permission(self, user_group, user):
 """
@@ -432,9 +453,17 @@ class UserGroupModel(BaseModel):
 or users_group name
 :param user: Instance of User, user_id or username
 """
+ changes = {
+ 'added': [],
+ 'updated': [],
+ 'deleted': []
+ }
 user_group = self._get_user_group(user_group)
 user = self._get_user(user)
+ perm_name = 'usergroup.none'
+ member_id = user.user_id
+ member_name = user.username
 obj = self.sa.query(UserUserGroupToPerm)\
 .filter(UserUserGroupToPerm.user == user)\
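Review bot: In the hunk at 422 `return obj` becomes `return changes`, which changes the return type of `grant_user_permission` from the `UserUserGroupToPerm` row to a dict; the only callers visible in this diff ignore the return value, but any other caller or test that used the returned row will now silently receive a dict instead. The entry is also always appended under `'added'`, while the context just before this hunk (`# check if we have that permission already`) suggests the elided code may update an existing row rather than create one, in which case a change of an existing permission is audited as an addition; if that branch does update in place, appending under `'updated'` when `obj` already existed would keep this path consistent with `update_permissions`. The hunk at 482 makes the same `return obj` → `return changes` change for `grant_user_group_permission`, so the same caller check applies there. Both method bodies extend outside the hunks shown here.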
@@ -447,6 +476,13 @@ class UserGroupModel(BaseModel):
 'revoked permission from user: {} on usergroup: {}'.format(
 user, user_group),
 namespace='security.usergroup')
+ changes['deleted'].append({
+ 'change_obj': user_group.get_api_data(),
+ 'type': 'user', 'id': member_id,
+ 'name': member_name, 'new_perm': perm_name})
+
+ return changes
+
 def grant_user_group_permission(self, target_user_group, user_group, perm):
 """
 Grant user group permission for given target_user_group
@@ -455,9 +491,19 @@ class UserGroupModel(BaseModel):
 :param user_group:
 :param perm:
 """
+ changes = {
+ 'added': [],
+ 'updated': [],
+ 'deleted': []
+ }
+
 target_user_group = self._get_user_group(target_user_group)
 user_group = self._get_user_group(user_group)
 permission = self._get_perm(perm)
+ perm_name = permission.permission_name
+ member_id = user_group.users_group_id
+ member_name = user_group.users_group_name
+
 # forbid assigning same user group to itself
 if target_user_group == user_group:
 raise RepoGroupAssignmentError('target repo:%s cannot be '
@@ -482,7 +528,12 @@ class UserGroupModel(BaseModel):
 perm, user_group, target_user_group),
 namespace='security.usergroup')
- return obj
+ changes['added'].append({
+ 'change_obj': target_user_group.get_api_data(),
+ 'type': 'user_group', 'id': member_id,
+ 'name': member_name, 'new_perm': perm_name})
+
+ return changes
 def revoke_user_group_permission(self, target_user_group, user_group):
 """
@@ -491,8 +542,17 @@ class UserGroupModel(BaseModel):
 :param target_user_group:
 :param user_group:
 """
+ changes = {
+ 'added': [],
+ 'updated': [],
+ 'deleted': []
+ }
+
 target_user_group = self._get_user_group(target_user_group)
 user_group = self._get_user_group(user_group)
+ perm_name = 'usergroup.none'
+ member_id = user_group.users_group_id
+ member_name = user_group.users_group_name
 obj = self.sa.query(UserGroupUserGroupToPerm)\
 .filter(UserGroupUserGroupToPerm.target_user_group == target_user_group)\
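Review bot: In the hunk at 447 the `'deleted'` entry is appended right after the 'revoked permission' log line, but the indentation that would show whether both statements sit under a guard on `obj` (the row looked up in the hunk at 432) is not recoverable from this rendering; if the append runs unconditionally, revoking a permission the user never held still produces an audit entry that claims a deletion, which misleads anyone reconstructing who had access when. The hunk at 567 mirrors this for `revoke_user_group_permission`, so both places need the same check. The literal `'usergroup.none'` is spelled out by hand in the hunks at 432 and 491 while the grant paths derive `perm_name` from the Permission object; a single module-level constant would keep the two spellings from drifting. A reviewer comment at the append, `# NOTE(review): no-op revokes must not be audited as deletions — confirm this runs only when a row was removed`, would flag the condition until it is verified.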
@@ -507,6 +567,13 @@ class UserGroupModel(BaseModel):
 user_group, target_user_group),
 namespace='security.repogroup')
+ changes['deleted'].append({
+ 'change_obj': target_user_group.get_api_data(),
+ 'type': 'user_group', 'id': member_id,
+ 'name': member_name, 'new_perm': perm_name})
+
+ return changes
+
 def get_perms_summary(self, user_group_id):
 permissions = {
 'repositories': {},
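Review bot: The new `'deleted'` entry in the hunk at 507 is typed `'user_group'` and feeds the `user_group.edit.permissions` audit event, yet the existing log line it is placed directly after is namespaced `'security.repogroup'`, while every sibling operation touched by this diff (hunks at 422, 447 and 482) logs under `'security.usergroup'`. Since this commit is the one wiring this method into the audit trail, it is the natural point to align that line to `namespace='security.usergroup')`, so a log consumer that filters on the usergroup namespace sees all four grant/revoke operations together rather than missing user-group revocations. The body of `revoke_user_group_permission` starts outside the hunk.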