# HG changeset patch # User Daniel Dourvaris # Date 2020-01-10 14:51:14 # Node ID 0268c0ee7ea664d172a3166364f6b9d6431f450d # Parent 6e228354c1c82c63a911447e88e5c016b362edb6 permissions: flush all user permissions in case of default user permission changes. - this is a special case that due to inheritance we need to flush ALL users permissions - before the default permission changes didn't flush the caches result in cached values beeing present until the cache expires diff --git a/rhodecode/apps/repo_group/views/repo_group_permissions.py b/rhodecode/apps/repo_group/views/repo_group_permissions.py --- a/rhodecode/apps/repo_group/views/repo_group_permissions.py +++ b/rhodecode/apps/repo_group/views/repo_group_permissions.py @@ -28,6 +28,7 @@ from rhodecode.lib import helpers as h from rhodecode.lib import audit_logger from rhodecode.lib.auth import ( LoginRequired, HasRepoGroupPermissionAnyDecorator, CSRFRequired) +from rhodecode.model.db import User from rhodecode.model.permission import PermissionModel from rhodecode.model.repo_group import RepoGroupModel from rhodecode.model.forms import RepoGroupPermsForm @@ -96,7 +97,13 @@ class RepoGroupPermissionsView(RepoGroup Session().commit() h.flash(_('Repository Group permissions updated'), category='success') - PermissionModel().flush_user_permission_caches(changes) + + affected_user_ids = None + if changes.get('default_user_changed', False): + # if we change the default user, we need to flush everyone permissions + affected_user_ids = [x.user_id for x in User.get_all()] + PermissionModel().flush_user_permission_caches( + changes, affected_user_ids=affected_user_ids) raise HTTPFound( h.route_path('edit_repo_group_perms', diff --git a/rhodecode/apps/repository/views/repo_permissions.py b/rhodecode/apps/repository/views/repo_permissions.py --- a/rhodecode/apps/repository/views/repo_permissions.py +++ b/rhodecode/apps/repository/views/repo_permissions.py 
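Review bot: The rule that a default-user change invalidates every user's cached permissions is implemented in the view (the `if changes.get('default_user_changed', False):` block in RepoGroupPermissionsView) and copied verbatim into RepoSettingsPermissionsView in repo_permissions.py. Any other caller that passes `changes` straight to `flush_user_permission_caches` would still serve stale, possibly broader, permissions until the cache expires. Moving the expansion into `PermissionModel.flush_user_permission_caches` (its body is not part of this patch) would keep the invalidation next to the cache it protects. Separately, `User.get_all()` loads a full ORM object per account only to read one column; `affected_user_ids = [uid for (uid,) in Session().query(User.user_id)]` fetches just the ids. The enclosing view method starts and ends outside the hunk.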
@@ -28,6 +28,7 @@ from rhodecode.lib import helpers as h from rhodecode.lib import audit_logger from rhodecode.lib.auth import ( LoginRequired, HasRepoPermissionAnyDecorator, CSRFRequired) +from rhodecode.model.db import User from rhodecode.model.forms import RepoPermsForm from rhodecode.model.meta import Session from rhodecode.model.permission import PermissionModel @@ -89,7 +90,12 @@ class RepoSettingsPermissionsView(RepoAp Session().commit() h.flash(_('Repository access permissions updated'), category='success') - PermissionModel().flush_user_permission_caches(changes) + affected_user_ids = None + if changes.get('default_user_changed', False): + # if we change the default user, we need to flush everyone permissions + affected_user_ids = [x.user_id for x in User.get_all()] + PermissionModel().flush_user_permission_caches( + changes, affected_user_ids=affected_user_ids) raise HTTPFound( h.route_path('edit_repo_perms', repo_name=self.db_repo_name)) diff --git a/rhodecode/model/repo.py b/rhodecode/model/repo.py --- a/rhodecode/model/repo.py +++ b/rhodecode/model/repo.py @@ -619,13 +619,26 @@ class RepoModel(BaseModel): changes = { 'added': [], 'updated': [], - 'deleted': [] + 'deleted': [], + 'default_user_changed': None } + + repo = self._get_repo(repo) + # update permissions for member_id, perm, member_type in perm_updates: member_id = int(member_id) if member_type == 'user': member_name = User.get(member_id).username + if member_name == User.DEFAULT_USER: + # NOTE(dan): detect if we changed permissions for default user + perm_obj = self.sa.query(UserRepoToPerm) \ + .filter(UserRepoToPerm.user_id == member_id) \ + .filter(UserRepoToPerm.repository == repo) \ + .scalar() + if perm_obj and perm_obj.permission.permission_name != perm: + changes['default_user_changed'] = True + # this updates also current one if found self.grant_user_permission( repo=repo, user=member_id, perm=perm) diff --git a/rhodecode/model/repo_group.py b/rhodecode/model/repo_group.py 
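Review bot: `if perm_obj and perm_obj.permission.permission_name != perm:` in RepoModel treats a missing `UserRepoToPerm` row as "nothing changed", so if the default user has no row yet for this repository, the grant that follows does not set `default_user_changed` and no global flush happens. Because a stale cache can keep access that was just narrowed, failing towards a flush is the safer default: `if perm_obj is None or perm_obj.permission.permission_name != perm:`. The same guard appears in the repo_group.py hunk of this patch. The check also runs only in the `perm_updates` loop; the additions and deletions loops are outside the hunk, so it should be confirmed whether the default user can appear there. The initial value `'default_user_changed': None` would read more clearly as `False`, matching the `.get('default_user_changed', False)` used by the views.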
--- a/rhodecode/model/repo_group.py +++ b/rhodecode/model/repo_group.py @@ -353,7 +353,8 @@ class RepoGroupModel(BaseModel): changes = { 'added': [], 'updated': [], - 'deleted': [] + 'deleted': [], + 'default_user_changed': None } def _set_perm_user(obj, user, perm): @@ -430,6 +431,15 @@ class RepoGroupModel(BaseModel): member_id = int(member_id) if member_type == 'user': member_name = User.get(member_id).username + if isinstance(obj, RepoGroup) and obj == repo_group and member_name == User.DEFAULT_USER: + # NOTE(dan): detect if we changed permissions for default user + perm_obj = self.sa.query(UserRepoGroupToPerm) \ + .filter(UserRepoGroupToPerm.user_id == member_id) \ + .filter(UserRepoGroupToPerm.group == repo_group) \ + .scalar() + if perm_obj and perm_obj.permission.permission_name != perm: + changes['default_user_changed'] = True + # this updates also current one if found _set_perm_user(obj, user=member_id, perm=perm) elif member_type == 'user_group':
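Review bot: The condition `isinstance(obj, RepoGroup) and obj == repo_group and member_name == User.DEFAULT_USER` only compares the default user's permission on the group being edited, and the query is pinned to `UserRepoGroupToPerm.group == repo_group`. If the enclosing loop (outside this hunk) also calls `_set_perm_user` for child groups or repositories during a recursive apply, a child's default permission can change while the parent's own value stays the same. In that case `default_user_changed` is never set and cached permissions for that child stay stale until expiry. Either compare against the current `obj` (`.filter(UserRepoGroupToPerm.group == obj)` for groups, with the `UserRepoToPerm` equivalent for repositories), or extend the `NOTE(dan)` comment to state why only the top-level group needs checking.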