# HG changeset patch
# User Marcin Kuzminski <marcin@rhodecode.com>
# Date 2017-03-07 13:11:19
# Node ID 6474fb977fdcf7988b34bb95c44bf48875c5b72a
# Parent  02d18047ff628fad82a0b5f9d3b44e24a2c1c0a9

admin: moved auth tokens into pyramid view.

- allows override to enable scoped tokens

diff --git a/rhodecode/apps/admin/__init__.py b/rhodecode/apps/admin/__init__.py
--- a/rhodecode/apps/admin/__init__.py
+++ b/rhodecode/apps/admin/__init__.py
@@ -53,5 +53,16 @@ def includeme(config):
         name='admin_settings_sessions_cleanup',
         pattern=ADMIN_PREFIX + '/settings/sessions/cleanup')
 
+    # user auth tokens
+    config.add_route(
+        name='edit_user_auth_tokens',
+        pattern=ADMIN_PREFIX + '/users/{user_id:\d+}/edit/auth_tokens')
+    config.add_route(
+        name='edit_user_auth_tokens_add',
+        pattern=ADMIN_PREFIX + '/users/{user_id:\d+}/edit/auth_tokens/new')
+    config.add_route(
+        name='edit_user_auth_tokens_delete',
+        pattern=ADMIN_PREFIX + '/users/{user_id:\d+}/edit/auth_tokens/delete')
+
     # Scan module for configuration decorators.
     config.scan()
diff --git a/rhodecode/apps/admin/views/users.py b/rhodecode/apps/admin/views/users.py
new file mode 100644
--- /dev/null
+++ b/rhodecode/apps/admin/views/users.py
@@ -0,0 +1,141 @@
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2016-2017 RhodeCode GmbH
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License, version 3
+# (only), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+# This program is dual-licensed. If you wish to learn more about the
+# RhodeCode Enterprise Edition, including its added features, Support services,
+# and proprietary license terms, please see https://rhodecode.com/licenses/
+
+import logging
+
+from pyramid.httpexceptions import HTTPFound
+from pyramid.view import view_config
+
+from rhodecode.apps._base import BaseAppView
+from rhodecode.lib.auth import (
+    LoginRequired, HasPermissionAllDecorator, CSRFRequired)
+from rhodecode.lib import helpers as h
+from rhodecode.lib.utils import PartialRenderer
+from rhodecode.lib.utils2 import safe_int
+from rhodecode.model.auth_token import AuthTokenModel
+from rhodecode.model.db import User
+from rhodecode.model.meta import Session
+
+log = logging.getLogger(__name__)
+
+
+class AdminUsersView(BaseAppView):
+    ALLOW_SCOPED_TOKENS = False
+    """
+    This view has alternative version inside EE, if modified please take a look
+    in there as well.
+    """
+
+    def load_default_context(self):
+        c = self._get_local_tmpl_context()
+        c.auth_user = self.request.user
+        c.allow_scoped_tokens = self.ALLOW_SCOPED_TOKENS
+        self._register_global_c(c)
+        return c
+
+    def _redirect_for_default_user(self, username):
+        _ = self.request.translate
+        if username == User.DEFAULT_USER:
+            h.flash(_("You can't edit this user"), category='warning')
+            # TODO(marcink): redirect to 'users' admin panel once this
+            # is a pyramid view
+            raise HTTPFound('/')
+
+    @LoginRequired()
+    @HasPermissionAllDecorator('hg.admin')
+    @view_config(
+        route_name='edit_user_auth_tokens', request_method='GET',
+        renderer='rhodecode:templates/admin/users/user_edit.mako')
+    def auth_tokens(self):
+        _ = self.request.translate
+        c = self.load_default_context()
+
+        user_id = self.request.matchdict.get('user_id')
+        c.user = User.get_or_404(user_id, pyramid_exc=True)
+        self._redirect_for_default_user(c.user.username)
+
+        c.active = 'auth_tokens'
+
+        c.lifetime_values = [
+            (str(-1), _('forever')),
+            (str(5), _('5 minutes')),
+            (str(60), _('1 hour')),
+            (str(60 * 24), _('1 day')),
+            (str(60 * 24 * 30), _('1 month')),
+        ]
+        c.lifetime_options = [(c.lifetime_values, _("Lifetime"))]
+        c.role_values = [
+            (x, AuthTokenModel.cls._get_role_name(x))
+            for x in AuthTokenModel.cls.ROLES]
+        c.role_options = [(c.role_values, _("Role"))]
+        c.user_auth_tokens = AuthTokenModel().get_auth_tokens(
+            c.user.user_id, show_expired=True)
+        return self._get_template_context(c)
+
+    def maybe_attach_token_scope(self, token):
+        # implemented in EE edition
+        pass
+
+    @LoginRequired()
+    @HasPermissionAllDecorator('hg.admin')
+    @CSRFRequired()
+    @view_config(
+        route_name='edit_user_auth_tokens_add', request_method='POST')
+    def auth_tokens_add(self):
+        _ = self.request.translate
+        c = self.load_default_context()
+
+        user_id = self.request.matchdict.get('user_id')
+        c.user = User.get_or_404(user_id, pyramid_exc=True)
+        self._redirect_for_default_user(c.user.username)
+
+        lifetime = safe_int(self.request.POST.get('lifetime'), -1)
+        description = self.request.POST.get('description')
+        role = self.request.POST.get('role')
+
+        token = AuthTokenModel().create(
+            c.user.user_id, description, lifetime, role)
+        self.maybe_attach_token_scope(token)
+        Session().commit()
+
+        h.flash(_("Auth token successfully created"), category='success')
+        return HTTPFound(h.route_path('edit_user_auth_tokens', user_id=user_id))
+
+    @LoginRequired()
+    @HasPermissionAllDecorator('hg.admin')
+    @CSRFRequired()
+    @view_config(
+        route_name='edit_user_auth_tokens_delete', request_method='POST')
+    def auth_tokens_delete(self):
+        _ = self.request.translate
+        c = self.load_default_context()
+
+        user_id = self.request.matchdict.get('user_id')
+        c.user = User.get_or_404(user_id, pyramid_exc=True)
+        self._redirect_for_default_user(c.user.username)
+
+        del_auth_token = self.request.POST.get('del_auth_token')
+
+        if del_auth_token:
+            AuthTokenModel().delete(del_auth_token, c.user.user_id)
+            Session().commit()
+            h.flash(_("Auth token successfully deleted"), category='success')
+
+        return HTTPFound(h.route_path('edit_user_auth_tokens', user_id=user_id))
diff --git a/rhodecode/config/routing.py b/rhodecode/config/routing.py
--- a/rhodecode/config/routing.py
+++ b/rhodecode/config/routing.py
@@ -315,13 +315,6 @@ def make_map(config):
         m.connect('edit_user_advanced', '/users/{user_id}/edit/advanced',
                   action='update_advanced', conditions={'method': ['PUT']})
 
-        m.connect('edit_user_auth_tokens', '/users/{user_id}/edit/auth_tokens',
-                  action='edit_auth_tokens', conditions={'method': ['GET']})
-        m.connect('edit_user_auth_tokens', '/users/{user_id}/edit/auth_tokens',
-                  action='add_auth_token', conditions={'method': ['PUT']})
-        m.connect('edit_user_auth_tokens', '/users/{user_id}/edit/auth_tokens',
-                  action='delete_auth_token', conditions={'method': ['DELETE']})
-
         m.connect('edit_user_global_perms', '/users/{user_id}/edit/global_permissions',
                   action='edit_global_perms', conditions={'method': ['GET']})
         m.connect('edit_user_global_perms', '/users/{user_id}/edit/global_permissions',
diff --git a/rhodecode/controllers/admin/users.py b/rhodecode/controllers/admin/users.py
--- a/rhodecode/controllers/admin/users.py
+++ b/rhodecode/controllers/admin/users.py
@@ -452,70 +452,6 @@ class UsersController(BaseController):
             force_defaults=False)
 
     @HasPermissionAllDecorator('hg.admin')
-    def edit_auth_tokens(self, user_id):
-        user_id = safe_int(user_id)
-        c.user = User.get_or_404(user_id)
-        if c.user.username == User.DEFAULT_USER:
-            h.flash(_("You can't edit this user"), category='warning')
-            return redirect(url('users'))
-
-        c.active = 'auth_tokens'
-        show_expired = True
-        c.lifetime_values = [
-            (str(-1), _('forever')),
-            (str(5), _('5 minutes')),
-            (str(60), _('1 hour')),
-            (str(60 * 24), _('1 day')),
-            (str(60 * 24 * 30), _('1 month')),
-        ]
-        c.lifetime_options = [(c.lifetime_values, _("Lifetime"))]
-        c.role_values = [(x, AuthTokenModel.cls._get_role_name(x))
-                         for x in AuthTokenModel.cls.ROLES]
-        c.role_options = [(c.role_values, _("Role"))]
-        c.user_auth_tokens = AuthTokenModel().get_auth_tokens(
-            c.user.user_id, show_expired=show_expired)
-        defaults = c.user.get_dict()
-        return htmlfill.render(
-            render('admin/users/user_edit.mako'),
-            defaults=defaults,
-            encoding="UTF-8",
-            force_defaults=False)
-
-    @HasPermissionAllDecorator('hg.admin')
-    @auth.CSRFRequired()
-    def add_auth_token(self, user_id):
-        user_id = safe_int(user_id)
-        c.user = User.get_or_404(user_id)
-        if c.user.username == User.DEFAULT_USER:
-            h.flash(_("You can't edit this user"), category='warning')
-            return redirect(url('users'))
-
-        lifetime = safe_int(request.POST.get('lifetime'), -1)
-        description = request.POST.get('description')
-        role = request.POST.get('role')
-        AuthTokenModel().create(c.user.user_id, description, lifetime, role)
-        Session().commit()
-        h.flash(_("Auth token successfully created"), category='success')
-        return redirect(url('edit_user_auth_tokens', user_id=c.user.user_id))
-
-    @HasPermissionAllDecorator('hg.admin')
-    @auth.CSRFRequired()
-    def delete_auth_token(self, user_id):
-        user_id = safe_int(user_id)
-        c.user = User.get_or_404(user_id)
-        if c.user.username == User.DEFAULT_USER:
-            h.flash(_("You can't edit this user"), category='warning')
-            return redirect(url('users'))
-
-        del_auth_token = request.POST.get('del_auth_token')
-        if del_auth_token:
-            AuthTokenModel().delete(del_auth_token, c.user.user_id)
-            Session().commit()
-            h.flash(_("Auth token successfully deleted"), category='success')
-
-        return redirect(url('edit_user_auth_tokens', user_id=c.user.user_id))
-
-    @HasPermissionAllDecorator('hg.admin')
     def edit_global_perms(self, user_id):
         user_id = safe_int(user_id)
         c.user = User.get_or_404(user_id)
diff --git a/rhodecode/templates/admin/my_account/my_account_auth_tokens.mako b/rhodecode/templates/admin/my_account/my_account_auth_tokens.mako
--- a/rhodecode/templates/admin/my_account/my_account_auth_tokens.mako
+++ b/rhodecode/templates/admin/my_account/my_account_auth_tokens.mako
@@ -3,20 +3,21 @@
     <h3 class="panel-title">${_('Authentication Tokens')}</h3>
   </div>
   <div class="panel-body">
+    <div class="apikeys_wrap">
       <p>
          ${_('Each token can have a role. Token with a role can be used only in given context, '
          'e.g. VCS tokens can be used together with the authtoken auth plugin for git/hg/svn operations only.')}
       </p>
       <table class="rctable auth_tokens">
+        <tr>
+            <th>${_('Token')}</th>
+            <th>${_('Scope')}</th>
+            <th>${_('Description')}</th>
+            <th>${_('Role')}</th>
+            <th>${_('Expiration')}</th>
+            <th>${_('Action')}</th>
+        </tr>
         %if c.user_auth_tokens:
-            <tr>
-                <th>${_('Token')}</th>
-                <th>${_('Scope')}</th>
-                <th>${_('Description')}</th>
-                <th>${_('Role')}</th>
-                <th>${_('Expiration')}</th>
-                <th>${_('Action')}</th>
-            </tr>
             %for auth_token in c.user_auth_tokens:
               <tr class="${'expired' if auth_token.expired else ''}">
                 <td class="truncate-wrap td-authtoken">
@@ -52,9 +53,10 @@
               </tr>
             %endfor
         %else:
-        <tr><td><div class="ip">${_('No additional auth token specified')}</div></td></tr>
+        <tr><td><div class="ip">${_('No additional auth tokens specified')}</div></td></tr>
         %endif
       </table>
+    </div>
 
         <div class="user_auth_tokens">
             ${h.secure_form(h.route_path('my_account_auth_tokens_add'), method='post')}
@@ -66,7 +68,7 @@
                             <label for="new_email">${_('New authentication token')}:</label>
                         </div>
                         <div class="input">
-                            ${h.text('description', placeholder=_('Description'))}
+                            ${h.text('description', class_='medium', placeholder=_('Description'))}
                             ${h.select('lifetime', '', c.lifetime_options)}
                             ${h.select('role', '', c.role_options)}
 
@@ -76,9 +78,9 @@
                                 ${h.select('scope_repo_id_disabled', '', ['Scopes available in EE edition'], disabled='disabled')}
                             % endif
                         </div>
-                         <p class="help-block">
-                             ${_('Repository scope works only with tokens with VCS type.')}
-                         </p>
+                        <p class="help-block">
+                          ${_('Repository scope works only with tokens with VCS type.')}
+                        </p>
                      </div>
                     <div class="buttons">
                       ${h.submit('save',_('Add'),class_="btn")}
diff --git a/rhodecode/templates/admin/users/user_edit.mako b/rhodecode/templates/admin/users/user_edit.mako
--- a/rhodecode/templates/admin/users/user_edit.mako
+++ b/rhodecode/templates/admin/users/user_edit.mako
@@ -31,7 +31,7 @@
     <div class="sidebar">
         <ul class="nav nav-pills nav-stacked">
           <li class="${'active' if c.active=='profile' else ''}"><a href="${h.url('edit_user', user_id=c.user.user_id)}">${_('User Profile')}</a></li>
-          <li class="${'active' if c.active=='auth_tokens' else ''}"><a href="${h.url('edit_user_auth_tokens', user_id=c.user.user_id)}">${_('Auth tokens')}</a></li>
+          <li class="${'active' if c.active=='auth_tokens' else ''}"><a href="${h.route_path('edit_user_auth_tokens', user_id=c.user.user_id)}">${_('Auth tokens')}</a></li>
           <li class="${'active' if c.active=='advanced' else ''}"><a href="${h.url('edit_user_advanced', user_id=c.user.user_id)}">${_('Advanced')}</a></li>
           <li class="${'active' if c.active=='global_perms' else ''}"><a href="${h.url('edit_user_global_perms', user_id=c.user.user_id)}">${_('Global permissions')}</a></li>
           <li class="${'active' if c.active=='perms_summary' else ''}"><a href="${h.url('edit_user_perms_summary', user_id=c.user.user_id)}">${_('Permissions summary')}</a></li>
diff --git a/rhodecode/templates/admin/users/user_edit_auth_tokens.mako b/rhodecode/templates/admin/users/user_edit_auth_tokens.mako
--- a/rhodecode/templates/admin/users/user_edit_auth_tokens.mako
+++ b/rhodecode/templates/admin/users/user_edit_auth_tokens.mako
@@ -1,13 +1,12 @@
 <div class="panel panel-default">
     <div class="panel-heading">
-        <h3 class="panel-title">${_('Authentication Access Tokens')}</h3>
+      <h3 class="panel-title">${_('Authentication Tokens')}</h3>
     </div>
     <div class="panel-body">
         <div class="apikeys_wrap">
           <p>
              ${_('Each token can have a role. Token with a role can be used only in given context, '
              'e.g. VCS tokens can be used together with the authtoken auth plugin for git/hg/svn operations only.')}
-              ${_('Additionally scope for VCS type token can narrow the use to chosen repository.')}
           </p>
           <table class="rctable auth_tokens">
             <tr>
@@ -25,7 +24,7 @@
                     <td class="td">${auth_token.scope_humanized}</td>
                     <td class="td-wrap">${auth_token.description}</td>
                     <td class="td-tags">
-                        <span class="tag">${auth_token.role_humanized}</span>
+                        <span class="tag disabled">${auth_token.role_humanized}</span>
                     </td>
                     <td class="td-exp">
                          %if auth_token.expires == -1:
@@ -38,8 +37,8 @@
                             %endif
                          %endif
                     </td>
-                    <td>
-                        ${h.secure_form(url('edit_user_auth_tokens', user_id=c.user.user_id),method='delete')}
+                    <td class="td-action">
+                        ${h.secure_form(h.route_path('edit_user_auth_tokens_delete', user_id=c.user.user_id), method='post')}
                             ${h.hidden('del_auth_token',auth_token.api_key)}
                             <button class="btn btn-link btn-danger" type="submit"
                                     onclick="return confirm('${_('Confirm to remove this auth token: %s') % auth_token.api_key}');">
@@ -56,7 +55,7 @@
         </div>
 
         <div class="user_auth_tokens">
-            ${h.secure_form(url('edit_user_auth_tokens', user_id=c.user.user_id), method='put')}
+            ${h.secure_form(h.route_path('edit_user_auth_tokens_add', user_id=c.user.user_id), method='post')}
             <div class="form form-vertical">
                 <!-- fields -->
                 <div class="fields">
@@ -68,11 +67,20 @@
                             ${h.text('description', class_='medium', placeholder=_('Description'))}
                             ${h.select('lifetime', '', c.lifetime_options)}
                             ${h.select('role', '', c.role_options)}
+
+                            % if c.allow_scoped_tokens:
+                                ${h.hidden('scope_repo_id')}
+                            % else:
+                                ${h.select('scope_repo_id_disabled', '', ['Scopes available in EE edition'], disabled='disabled')}
+                            % endif
                         </div>
+                        <p class="help-block">
+                          ${_('Repository scope works only with tokens with VCS type.')}
+                        </p>
                      </div>
                     <div class="buttons">
-                      ${h.submit('save',_('Add'),class_="btn btn-small")}
-                      ${h.reset('reset',_('Reset'),class_="btn btn-small")}
+                      ${h.submit('save',_('Add'),class_="btn")}
+                      ${h.reset('reset',_('Reset'),class_="btn")}
                     </div>
                 </div>
             </div>
@@ -82,16 +90,68 @@
 </div>
 
 <script>
-    $(document).ready(function(){
-        $("#lifetime").select2({
-            'containerCssClass': "drop-menu",
-            'dropdownCssClass': "drop-menu-dropdown",
-            'dropdownAutoWidth': true
-        });
-        $("#role").select2({
-            'containerCssClass': "drop-menu",
-            'dropdownCssClass': "drop-menu-dropdown",
-            'dropdownAutoWidth': true
-        });
+
+$(document).ready(function(){
+var select2Options = {
+    'containerCssClass': "drop-menu",
+    'dropdownCssClass': "drop-menu-dropdown",
+    'dropdownAutoWidth': true
+};
+$("#lifetime").select2(select2Options);
+$("#role").select2(select2Options);
+
+var repoFilter = function(data) {
+    var results = [];
+
+    if (!data.results[0]) {
+        return data
+    }
+
+    $.each(data.results[0].children, function() {
+        // replace name to ID for submision
+        this.id = this.obj.repo_id;
+        results.push(this);
+    });
+
+    data.results[0].children = results;
+    return data;
+};
+
+$("#scope_repo_id_disabled").select2(select2Options);
+
+$("#scope_repo_id").select2({
+    cachedDataSource: {},
+    minimumInputLength: 2,
+    placeholder: "${_('repository scope')}",
+    dropdownAutoWidth: true,
+    containerCssClass: "drop-menu",
+    dropdownCssClass: "drop-menu-dropdown",
+    formatResult: formatResult,
+    query: $.debounce(250, function(query){
+        self = this;
+        var cacheKey = query.term;
+        var cachedData = self.cachedDataSource[cacheKey];
+
+        if (cachedData) {
+            query.callback({results: cachedData.results});
+        } else {
+            $.ajax({
+                url: "${h.url('repo_list_data')}",
+                data: {'query': query.term},
+                dataType: 'json',
+                type: 'GET',
+                success: function(data) {
+                    data = repoFilter(data);
+                    self.cachedDataSource[cacheKey] = data;
+                    query.callback({results: data.results});
+                },
+                error: function(data, textStatus, errorThrown) {
+                    alert("Error while fetching entries.\nError code {0} ({1}).".format(data.status, data.statusText));
+                }
+})
+        }
     })
+});
+
+});
 </script>