# HG changeset patch
# User Daniel Dourvaris <daniel@rhodecode.com>
# Date 2016-08-26 08:19:55
# Node ID 7a6d3636822b6aba22f3dd03a0ef074280b5db52
# Parent  08b9b215c73b091a84105288cefeb98ac7d97bcd

integrations: refactor/cleanup + features, fixes #4181

* added scopes on integrations, scopes are:
    - repo only
    - repogroup children only
    - root repos only
    - global (any repo)
* integrations schemas now have separate section for the
  settings (eg. slack) and options (eg. scope/enabled)
* added descriptions to integration types
* added icons to integration types
* added 'create new' integration page
* added scope of integration to integrations list
* added breadcrumbs for each repo/repogroup/global integrations pages
* added sorting to integrations list
* added pagination to integrations list
* added icons to integrations list
* added type filter to integrations list
* added message to integrations list if none we found
* added extra permissions check on integrations views
* db migration from 56 => 57 - adds child_repos_only field
* added tests for integrations triggered on events
* added tests for integrations schemas
* added tests for integrations views for repo/repogroup/admin

diff --git a/rhodecode/__init__.py b/rhodecode/__init__.py
--- a/rhodecode/__init__.py
+++ b/rhodecode/__init__.py
@@ -51,7 +51,7 @@ PYRAMID_SETTINGS = {}
 EXTENSIONS = {}
 
 __version__ = ('.'.join((str(each) for each in VERSION[:3])))
-__dbversion__ = 56  # defines current db version for migrations
+__dbversion__ = 57  # defines current db version for migrations
 __platform__ = platform.system()
 __license__ = 'AGPLv3, and Commercial License'
 __author__ = 'RhodeCode GmbH'
diff --git a/rhodecode/config/routing.py b/rhodecode/config/routing.py
--- a/rhodecode/config/routing.py
+++ b/rhodecode/config/routing.py
@@ -42,6 +42,7 @@ STATIC_FILE_PREFIX = '/_static'
 URL_NAME_REQUIREMENTS = {
     # group name can have a slash in them, but they must not end with a slash
     'group_name': r'.*?[^/]',
+    'repo_group_name': r'.*?[^/]',
     # repo names can have a slash in them, but they must not end with a slash
     'repo_name': r'.*?[^/]',
     # file path eats up everything at the end
diff --git a/rhodecode/integrations/routes.py b/rhodecode/integrations/routes.py
--- a/rhodecode/integrations/routes.py
+++ b/rhodecode/integrations/routes.py
@@ -31,6 +31,15 @@ log = logging.getLogger(__name__)
 def includeme(config):
 
     # global integrations
+
+    config.add_route('global_integrations_new',
+                     ADMIN_PREFIX + '/integrations/new')
+    config.add_view('rhodecode.integrations.views.GlobalIntegrationsView',
+                    attr='new_integration',
+                    renderer='rhodecode:templates/admin/integrations/new.html',
+                    request_method='GET',
+                    route_name='global_integrations_new')
+
     config.add_route('global_integrations_home',
                      ADMIN_PREFIX + '/integrations')
     config.add_route('global_integrations_list',
@@ -48,15 +57,75 @@ def includeme(config):
     config.add_route('global_integrations_edit',
                      ADMIN_PREFIX + '/integrations/{integration}/{integration_id}',
                      custom_predicates=(valid_integration,))
+
+
     for route_name in ['global_integrations_create', 'global_integrations_edit']:
         config.add_view('rhodecode.integrations.views.GlobalIntegrationsView',
                         attr='settings_get',
-                        renderer='rhodecode:templates/admin/integrations/edit.html',
+                        renderer='rhodecode:templates/admin/integrations/form.html',
                         request_method='GET',
                         route_name=route_name)
         config.add_view('rhodecode.integrations.views.GlobalIntegrationsView',
                         attr='settings_post',
-                        renderer='rhodecode:templates/admin/integrations/edit.html',
+                        renderer='rhodecode:templates/admin/integrations/form.html',
+                        request_method='POST',
+                        route_name=route_name)
+
+
+    # repo group integrations
+    config.add_route('repo_group_integrations_home',
+                     add_route_requirements(
+                        '{repo_group_name}/settings/integrations',
+                        URL_NAME_REQUIREMENTS
+                     ),
+                     custom_predicates=(valid_repo_group,)
+                     )
+    config.add_route('repo_group_integrations_list',
+                     add_route_requirements(
+                        '{repo_group_name}/settings/integrations/{integration}',
+                        URL_NAME_REQUIREMENTS
+                     ),
+                     custom_predicates=(valid_repo_group, valid_integration))
+    for route_name in ['repo_group_integrations_home', 'repo_group_integrations_list']:
+        config.add_view('rhodecode.integrations.views.RepoGroupIntegrationsView',
+                        attr='index',
+                        renderer='rhodecode:templates/admin/integrations/list.html',
+                        request_method='GET',
+                        route_name=route_name)
+
+    config.add_route('repo_group_integrations_new',
+                     add_route_requirements(
+                        '{repo_group_name}/settings/integrations/new',
+                        URL_NAME_REQUIREMENTS
+                     ),
+                     custom_predicates=(valid_repo_group,))
+    config.add_view('rhodecode.integrations.views.RepoGroupIntegrationsView',
+                    attr='new_integration',
+                    renderer='rhodecode:templates/admin/integrations/new.html',
+                    request_method='GET',
+                    route_name='repo_group_integrations_new')
+
+    config.add_route('repo_group_integrations_create',
+                     add_route_requirements(
+                        '{repo_group_name}/settings/integrations/{integration}/new',
+                        URL_NAME_REQUIREMENTS
+                     ),
+                     custom_predicates=(valid_repo_group, valid_integration))
+    config.add_route('repo_group_integrations_edit',
+                     add_route_requirements(
+                        '{repo_group_name}/settings/integrations/{integration}/{integration_id}',
+                        URL_NAME_REQUIREMENTS
+                     ),
+                     custom_predicates=(valid_repo_group, valid_integration))
+    for route_name in ['repo_group_integrations_edit', 'repo_group_integrations_create']:
+        config.add_view('rhodecode.integrations.views.RepoGroupIntegrationsView',
+                        attr='settings_get',
+                        renderer='rhodecode:templates/admin/integrations/form.html',
+                        request_method='GET',
+                        route_name=route_name)
+        config.add_view('rhodecode.integrations.views.RepoGroupIntegrationsView',
+                        attr='settings_post',
+                        renderer='rhodecode:templates/admin/integrations/form.html',
                         request_method='POST',
                         route_name=route_name)
 
@@ -78,8 +147,21 @@ def includeme(config):
         config.add_view('rhodecode.integrations.views.RepoIntegrationsView',
                         attr='index',
                         request_method='GET',
+                        renderer='rhodecode:templates/admin/integrations/list.html',
                         route_name=route_name)
 
+    config.add_route('repo_integrations_new',
+                     add_route_requirements(
+                        '{repo_name}/settings/integrations/new',
+                        URL_NAME_REQUIREMENTS
+                     ),
+                     custom_predicates=(valid_repo,))
+    config.add_view('rhodecode.integrations.views.RepoIntegrationsView',
+                    attr='new_integration',
+                    renderer='rhodecode:templates/admin/integrations/new.html',
+                    request_method='GET',
+                    route_name='repo_integrations_new')
+
     config.add_route('repo_integrations_create',
                      add_route_requirements(
                         '{repo_name}/settings/integrations/{integration}/new',
@@ -95,56 +177,12 @@ def includeme(config):
     for route_name in ['repo_integrations_edit', 'repo_integrations_create']:
         config.add_view('rhodecode.integrations.views.RepoIntegrationsView',
                         attr='settings_get',
-                        renderer='rhodecode:templates/admin/integrations/edit.html',
+                        renderer='rhodecode:templates/admin/integrations/form.html',
                         request_method='GET',
                         route_name=route_name)
         config.add_view('rhodecode.integrations.views.RepoIntegrationsView',
                         attr='settings_post',
-                        renderer='rhodecode:templates/admin/integrations/edit.html',
-                        request_method='POST',
-                        route_name=route_name)
-
-
-    # repo group integrations
-    config.add_route('repo_group_integrations_home',
-                     add_route_requirements(
-                        '{repo_group_name}/settings/integrations',
-                        URL_NAME_REQUIREMENTS
-                     ),
-                     custom_predicates=(valid_repo_group,))
-    config.add_route('repo_group_integrations_list',
-                     add_route_requirements(
-                        '{repo_group_name}/settings/integrations/{integration}',
-                        URL_NAME_REQUIREMENTS
-                     ),
-                     custom_predicates=(valid_repo_group, valid_integration))
-    for route_name in ['repo_group_integrations_home', 'repo_group_integrations_list']:
-        config.add_view('rhodecode.integrations.views.RepoGroupIntegrationsView',
-                        attr='index',
-                        request_method='GET',
-                        route_name=route_name)
-
-    config.add_route('repo_group_integrations_create',
-                     add_route_requirements(
-                        '{repo_group_name}/settings/integrations/{integration}/new',
-                        URL_NAME_REQUIREMENTS
-                     ),
-                     custom_predicates=(valid_repo_group, valid_integration))
-    config.add_route('repo_group_integrations_edit',
-                     add_route_requirements(
-                        '{repo_group_name}/settings/integrations/{integration}/{integration_id}',
-                        URL_NAME_REQUIREMENTS
-                     ),
-                     custom_predicates=(valid_repo_group, valid_integration))
-    for route_name in ['repo_group_integrations_edit', 'repo_group_integrations_create']:
-        config.add_view('rhodecode.integrations.views.RepoGroupIntegrationsView',
-                        attr='settings_get',
-                        renderer='rhodecode:templates/admin/integrations/edit.html',
-                        request_method='GET',
-                        route_name=route_name)
-        config.add_view('rhodecode.integrations.views.RepoGroupIntegrationsView',
-                        attr='settings_post',
-                        renderer='rhodecode:templates/admin/integrations/edit.html',
+                        renderer='rhodecode:templates/admin/integrations/form.html',
                         request_method='POST',
                         route_name=route_name)
 
@@ -194,7 +232,7 @@ def valid_integration(info, request):
             return False
         if repo and repo.repo_id != integration.repo_id:
             return False
-        if repo_group and repo_group.repo_group_id != integration.repo_group_id:
+        if repo_group and repo_group.group_id != integration.repo_group_id:
             return False
 
     return True
diff --git a/rhodecode/integrations/schema.py b/rhodecode/integrations/schema.py
--- a/rhodecode/integrations/schema.py
+++ b/rhodecode/integrations/schema.py
@@ -20,26 +20,52 @@
 
 import colander
 
-from rhodecode.translation import lazy_ugettext
+from rhodecode.translation import _
 
 
-class IntegrationSettingsSchemaBase(colander.MappingSchema):
-    """
-    This base schema is intended for use in integrations.
-    It adds a few default settings (e.g., "enabled"), so that integration
-    authors don't have to maintain a bunch of boilerplate.
-    """
+class IntegrationOptionsSchemaBase(colander.MappingSchema):
     enabled = colander.SchemaNode(
         colander.Bool(),
         default=True,
-        description=lazy_ugettext('Enable or disable this integration.'),
+        description=_('Enable or disable this integration.'),
         missing=False,
-        title=lazy_ugettext('Enabled'),
+        title=_('Enabled'),
     )
 
     name = colander.SchemaNode(
         colander.String(),
-        description=lazy_ugettext('Short name for this integration.'),
+        description=_('Short name for this integration.'),
         missing=colander.required,
-        title=lazy_ugettext('Integration name'),
+        title=_('Integration name'),
     )
+
+
+class RepoIntegrationOptionsSchema(IntegrationOptionsSchemaBase):
+    pass
+
+
+class RepoGroupIntegrationOptionsSchema(IntegrationOptionsSchemaBase):
+    child_repos_only = colander.SchemaNode(
+        colander.Bool(),
+        default=True,
+        description=_(
+            'Limit integrations to to work only on the direct children '
+            'repositories of this repository group (no subgroups)'),
+        missing=False,
+        title=_('Limit to childen repos only'),
+    )
+
+
+class GlobalIntegrationOptionsSchema(IntegrationOptionsSchemaBase):
+    child_repos_only = colander.SchemaNode(
+        colander.Bool(),
+        default=False,
+        description=_(
+            'Limit integrations to to work only on root level repositories'),
+        missing=False,
+        title=_('Root repositories only'),
+    )
+
+
+class IntegrationSettingsSchemaBase(colander.MappingSchema):
+    pass
diff --git a/rhodecode/integrations/types/base.py b/rhodecode/integrations/types/base.py
--- a/rhodecode/integrations/types/base.py
+++ b/rhodecode/integrations/types/base.py
@@ -18,25 +18,84 @@
 # RhodeCode Enterprise Edition, including its added features, Support services,
 # and proprietary license terms, please see https://rhodecode.com/licenses/
 
-from rhodecode.integrations.schema import IntegrationSettingsSchemaBase
+import colander
+from rhodecode.translation import _
 
 
 class IntegrationTypeBase(object):
     """ Base class for IntegrationType plugins """
 
+    description = ''
+    icon = '''
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<svg
+   xmlns:dc="http://purl.org/dc/elements/1.1/"
+   xmlns:cc="http://creativecommons.org/ns#"
+   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   viewBox="0 -256 1792 1792"
+   id="svg3025"
+   version="1.1"
+   inkscape:version="0.48.3.1 r9886"
+   width="100%"
+   height="100%"
+   sodipodi:docname="cog_font_awesome.svg">
+  <metadata
+     id="metadata3035">
+    <rdf:RDF>
+      <cc:Work
+         rdf:about="">
+        <dc:format>image/svg+xml</dc:format>
+        <dc:type
+           rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
+      </cc:Work>
+    </rdf:RDF>
+  </metadata>
+  <defs
+     id="defs3033" />
+  <sodipodi:namedview
+     pagecolor="#ffffff"
+     bordercolor="#666666"
+     borderopacity="1"
+     objecttolerance="10"
+     gridtolerance="10"
+     guidetolerance="10"
+     inkscape:pageopacity="0"
+     inkscape:pageshadow="2"
+     inkscape:window-width="640"
+     inkscape:window-height="480"
+     id="namedview3031"
+     showgrid="false"
+     inkscape:zoom="0.13169643"
+     inkscape:cx="896"
+     inkscape:cy="896"
+     inkscape:window-x="0"
+     inkscape:window-y="25"
+     inkscape:window-maximized="0"
+     inkscape:current-layer="svg3025" />
+  <g
+     transform="matrix(1,0,0,-1,121.49153,1285.4237)"
+     id="g3027">
+    <path
+       d="m 1024,640 q 0,106 -75,181 -75,75 -181,75 -106,0 -181,-75 -75,-75 -75,-181 0,-106 75,-181 75,-75 181,-75 106,0 181,75 75,75 75,181 z m 512,109 V 527 q 0,-12 -8,-23 -8,-11 -20,-13 l -185,-28 q -19,-54 -39,-91 35,-50 107,-138 10,-12 10,-25 0,-13 -9,-23 -27,-37 -99,-108 -72,-71 -94,-71 -12,0 -26,9 l -138,108 q -44,-23 -91,-38 -16,-136 -29,-186 -7,-28 -36,-28 H 657 q -14,0 -24.5,8.5 Q 622,-111 621,-98 L 593,86 q -49,16 -90,37 L 362,16 Q 352,7 337,7 323,7 312,18 186,132 147,186 q -7,10 -7,23 0,12 8,23 15,21 51,66.5 36,45.5 54,70.5 -27,50 -41,99 L 29,495 Q 16,497 8,507.5 0,518 0,531 v 222 q 0,12 8,23 8,11 19,13 l 186,28 q 14,46 39,92 -40,57 -107,138 -10,12 -10,24 0,10 9,23 26,36 98.5,107.5 72.5,71.5 94.5,71.5 13,0 26,-10 l 138,-107 q 44,23 91,38 16,136 29,186 7,28 36,28 h 222 q 14,0 24.5,-8.5 Q 914,1391 915,1378 l 28,-184 q 49,-16 90,-37 l 142,107 q 9,9 24,9 13,0 25,-10 129,-119 165,-170 7,-8 7,-22 0,-12 -8,-23 -15,-21 -51,-66.5 -36,-45.5 -54,-70.5 26,-50 41,-98 l 183,-28 q 13,-2 21,-12.5 8,-10.5 8,-23.5 z"
+       id="path3029"
+       inkscape:connector-curvature="0"
+       style="fill:currentColor" />
+  </g>
+</svg>
+'''
+
     def __init__(self, settings):
         """
         :param settings: dict of settings to be used for the integration
         """
         self.settings = settings
 
-
     def settings_schema(self):
         """
         A colander schema of settings for the integration type
-
-        Subclasses can return their own schema but should always
-        inherit from IntegrationSettingsSchemaBase
         """
-        return IntegrationSettingsSchemaBase()
-
+        return colander.Schema()
diff --git a/rhodecode/integrations/types/email.py b/rhodecode/integrations/types/email.py
--- a/rhodecode/integrations/types/email.py
+++ b/rhodecode/integrations/types/email.py
@@ -26,11 +26,10 @@ import colander
 from mako.template import Template
 
 from rhodecode import events
-from rhodecode.translation import _, lazy_ugettext
+from rhodecode.translation import _
 from rhodecode.lib.celerylib import run_task
 from rhodecode.lib.celerylib import tasks
 from rhodecode.integrations.types.base import IntegrationTypeBase
-from rhodecode.integrations.schema import IntegrationSettingsSchemaBase
 
 
 log = logging.getLogger(__name__)
@@ -147,18 +146,79 @@ repo_push_template_html = Template('''
 </html>
 ''')
 
+email_icon = '''
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<svg
+   xmlns:dc="http://purl.org/dc/elements/1.1/"
+   xmlns:cc="http://creativecommons.org/ns#"
+   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   viewBox="0 -256 1850 1850"
+   id="svg2989"
+   version="1.1"
+   inkscape:version="0.48.3.1 r9886"
+   width="100%"
+   height="100%"
+   sodipodi:docname="envelope_font_awesome.svg">
+  <metadata
+     id="metadata2999">
+    <rdf:RDF>
+      <cc:Work
+         rdf:about="">
+        <dc:format>image/svg+xml</dc:format>
+        <dc:type
+           rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
+      </cc:Work>
+    </rdf:RDF>
+  </metadata>
+  <defs
+     id="defs2997" />
+  <sodipodi:namedview
+     pagecolor="#ffffff"
+     bordercolor="#666666"
+     borderopacity="1"
+     objecttolerance="10"
+     gridtolerance="10"
+     guidetolerance="10"
+     inkscape:pageopacity="0"
+     inkscape:pageshadow="2"
+     inkscape:window-width="640"
+     inkscape:window-height="480"
+     id="namedview2995"
+     showgrid="false"
+     inkscape:zoom="0.13169643"
+     inkscape:cx="896"
+     inkscape:cy="896"
+     inkscape:window-x="0"
+     inkscape:window-y="25"
+     inkscape:window-maximized="0"
+     inkscape:current-layer="svg2989" />
+  <g
+     transform="matrix(1,0,0,-1,37.966102,1282.678)"
+     id="g2991">
+    <path
+       d="m 1664,32 v 768 q -32,-36 -69,-66 -268,-206 -426,-338 -51,-43 -83,-67 -32,-24 -86.5,-48.5 Q 945,256 897,256 h -1 -1 Q 847,256 792.5,280.5 738,305 706,329 674,353 623,396 465,528 197,734 160,764 128,800 V 32 Q 128,19 137.5,9.5 147,0 160,0 h 1472 q 13,0 22.5,9.5 9.5,9.5 9.5,22.5 z m 0,1051 v 11 13.5 q 0,0 -0.5,13 -0.5,13 -3,12.5 -2.5,-0.5 -5.5,9 -3,9.5 -9,7.5 -6,-2 -14,2.5 H 160 q -13,0 -22.5,-9.5 Q 128,1133 128,1120 128,952 275,836 468,684 676,519 682,514 711,489.5 740,465 757,452 774,439 801.5,420.5 829,402 852,393 q 23,-9 43,-9 h 1 1 q 20,0 43,9 23,9 50.5,27.5 27.5,18.5 44.5,31.5 17,13 46,37.5 29,24.5 35,29.5 208,165 401,317 54,43 100.5,115.5 46.5,72.5 46.5,131.5 z m 128,37 V 32 q 0,-66 -47,-113 -47,-47 -113,-47 H 160 Q 94,-128 47,-81 0,-34 0,32 v 1088 q 0,66 47,113 47,47 113,47 h 1472 q 66,0 113,-47 47,-47 47,-113 z"
+       id="path2993"
+       inkscape:connector-curvature="0"
+       style="fill:currentColor" />
+  </g>
+</svg>
+'''
 
-class EmailSettingsSchema(IntegrationSettingsSchemaBase):
+class EmailSettingsSchema(colander.Schema):
     @colander.instantiate(validator=colander.Length(min=1))
     class recipients(colander.SequenceSchema):
-        title = lazy_ugettext('Recipients')
-        description = lazy_ugettext('Email addresses to send push events to')
+        title = _('Recipients')
+        description = _('Email addresses to send push events to')
         widget = deform.widget.SequenceWidget(min_len=1)
 
         recipient = colander.SchemaNode(
             colander.String(),
-            title=lazy_ugettext('Email address'),
-            description=lazy_ugettext('Email address'),
+            title=_('Email address'),
+            description=_('Email address'),
             default='',
             validator=colander.Email(),
             widget=deform.widget.TextInputWidget(
@@ -169,8 +229,9 @@ class EmailSettingsSchema(IntegrationSet
 
 class EmailIntegrationType(IntegrationTypeBase):
     key = 'email'
-    display_name = lazy_ugettext('Email')
-    SettingsSchema = EmailSettingsSchema
+    display_name = _('Email')
+    description = _('Send repo push summaries to a list of recipients via email')
+    icon = email_icon
 
     def settings_schema(self):
         schema = EmailSettingsSchema()
diff --git a/rhodecode/integrations/types/hipchat.py b/rhodecode/integrations/types/hipchat.py
--- a/rhodecode/integrations/types/hipchat.py
+++ b/rhodecode/integrations/types/hipchat.py
@@ -29,29 +29,28 @@ from celery.task import task
 from mako.template import Template
 
 from rhodecode import events
-from rhodecode.translation import lazy_ugettext
+from rhodecode.translation import _
 from rhodecode.lib import helpers as h
 from rhodecode.lib.celerylib import run_task
 from rhodecode.lib.colander_utils import strip_whitespace
 from rhodecode.integrations.types.base import IntegrationTypeBase
-from rhodecode.integrations.schema import IntegrationSettingsSchemaBase
 
 log = logging.getLogger(__name__)
 
 
-class HipchatSettingsSchema(IntegrationSettingsSchemaBase):
+class HipchatSettingsSchema(colander.Schema):
     color_choices = [
-        ('yellow', lazy_ugettext('Yellow')),
-        ('red', lazy_ugettext('Red')),
-        ('green', lazy_ugettext('Green')),
-        ('purple', lazy_ugettext('Purple')),
-        ('gray', lazy_ugettext('Gray')),
+        ('yellow', _('Yellow')),
+        ('red', _('Red')),
+        ('green', _('Green')),
+        ('purple', _('Purple')),
+        ('gray', _('Gray')),
     ]
 
     server_url = colander.SchemaNode(
         colander.String(),
-        title=lazy_ugettext('Hipchat server URL'),
-        description=lazy_ugettext('Hipchat integration url.'),
+        title=_('Hipchat server URL'),
+        description=_('Hipchat integration url.'),
         default='',
         preparer=strip_whitespace,
         validator=colander.url,
@@ -61,15 +60,15 @@ class HipchatSettingsSchema(IntegrationS
     )
     notify = colander.SchemaNode(
         colander.Bool(),
-        title=lazy_ugettext('Notify'),
-        description=lazy_ugettext('Make a notification to the users in room.'),
+        title=_('Notify'),
+        description=_('Make a notification to the users in room.'),
         missing=False,
         default=False,
     )
     color = colander.SchemaNode(
         colander.String(),
-        title=lazy_ugettext('Color'),
-        description=lazy_ugettext('Background color of message.'),
+        title=_('Color'),
+        description=_('Background color of message.'),
         missing='',
         validator=colander.OneOf([x[0] for x in color_choices]),
         widget=deform.widget.Select2Widget(
@@ -98,10 +97,12 @@ in <a href="${data['repo']['url']}">${da
 ''')
 
 
-
 class HipchatIntegrationType(IntegrationTypeBase):
     key = 'hipchat'
-    display_name = lazy_ugettext('Hipchat')
+    display_name = _('Hipchat')
+    description = _('Send events such as repo pushes and pull requests to '
+                    'your hipchat channel.')
+    icon = '''<?xml version="1.0" encoding="utf-8"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px" viewBox="0 0 1000 1000" enable-background="new 0 0 1000 1000" xml:space="preserve"><g><g transform="translate(0.000000,511.000000) scale(0.100000,-0.100000)"><path fill="#205281" d="M4197.1,4662.4c-1661.5-260.4-3018-1171.6-3682.6-2473.3C219.9,1613.6,100,1120.3,100,462.6c0-1014,376.8-1918.4,1127-2699.4C2326.7-3377.6,3878.5-3898.3,5701-3730.5l486.5,44.5l208.9-123.3c637.2-373.4,1551.8-640.6,2240.4-650.9c304.9-6.9,335.7,0,417.9,75.4c185,174.7,147.3,411.1-89.1,548.1c-315.2,181.6-620,544.7-733.1,870.1l-51.4,157.6l472.7,472.7c349.4,349.4,520.7,551.5,657.7,774.2c784.5,1281.2,784.5,2788.5,0,4052.6c-236.4,376.8-794.8,966-1178.4,1236.7c-572.1,407.7-1264.1,709.1-1993.7,870.1c-267.2,58.2-479.6,75.4-1038,82.2C4714.4,4686.4,4310.2,4679.6,4197.1,4662.4z M5947.6,3740.9c1856.7-380.3,3127.6-1709.4,3127.6-3275c0-1000.3-534.4-1949.2-1466.2-2600.1c-188.4-133.6-287.8-226.1-301.5-284.4c-41.1-157.6,263.8-938.6,397.4-1020.8c20.5-10.3,34.3-44.5,34.3-75.4c0-167.8-811.9,195.3-1363.4,609.8l-181.6,137l-332.3-58.2c-445.3-78.8-1281.2-78.8-1702.6,0C2796-2569.2,1734.1-1832.6,1220.2-801.5C983.8-318.5,905,51.5,929,613.3c27.4,640.6,243.2,1192.1,685.1,1740.3c620,770.8,1661.5,1305.2,2822.8,1452.5C4806.9,3854,5553.7,3819.7,5947.6,3740.9z"/><path fill="#205281" d="M2381.5-345.9c-75.4-106.2-68.5-167.8,34.3-322c332.3-500.2,1010.6-928.4,1760.8-1120.2c417.9-106.2,1226.4-106.2,1644.3,0c712.5,181.6,1270.9,517.3,1685.4,1014C7681-561.7,7715.3-424.7,7616-325.4c-89.1,89.1-167.9,65.1-431.7-133.6c-835.8-630.3-2028-856.4-3086.5-585.8C3683.3-938.6,3142-685,2830.3-448.7C2576.8-253.4,2463.7-229.4,2381.5-345.9z"/></g></g><!-- Svg Vector Icons : http://www.onlinewebfonts.com/icon --></svg>'''
     valid_events = [
         events.PullRequestCloseEvent,
         events.PullRequestMergeEvent,
diff --git a/rhodecode/integrations/types/slack.py b/rhodecode/integrations/types/slack.py
--- a/rhodecode/integrations/types/slack.py
+++ b/rhodecode/integrations/types/slack.py
@@ -29,21 +29,20 @@ from celery.task import task
 from mako.template import Template
 
 from rhodecode import events
-from rhodecode.translation import lazy_ugettext
+from rhodecode.translation import _
 from rhodecode.lib import helpers as h
 from rhodecode.lib.celerylib import run_task
 from rhodecode.lib.colander_utils import strip_whitespace
 from rhodecode.integrations.types.base import IntegrationTypeBase
-from rhodecode.integrations.schema import IntegrationSettingsSchemaBase
 
 log = logging.getLogger(__name__)
 
 
-class SlackSettingsSchema(IntegrationSettingsSchemaBase):
+class SlackSettingsSchema(colander.Schema):
     service = colander.SchemaNode(
         colander.String(),
-        title=lazy_ugettext('Slack service URL'),
-        description=h.literal(lazy_ugettext(
+        title=_('Slack service URL'),
+        description=h.literal(_(
             'This can be setup at the '
             '<a href="https://my.slack.com/services/new/incoming-webhook/">'
             'slack app manager</a>')),
@@ -56,8 +55,8 @@ class SlackSettingsSchema(IntegrationSet
     )
     username = colander.SchemaNode(
         colander.String(),
-        title=lazy_ugettext('Username'),
-        description=lazy_ugettext('Username to show notifications coming from.'),
+        title=_('Username'),
+        description=_('Username to show notifications coming from.'),
         missing='Rhodecode',
         preparer=strip_whitespace,
         widget=deform.widget.TextInputWidget(
@@ -66,8 +65,8 @@ class SlackSettingsSchema(IntegrationSet
     )
     channel = colander.SchemaNode(
         colander.String(),
-        title=lazy_ugettext('Channel'),
-        description=lazy_ugettext('Channel to send notifications to.'),
+        title=_('Channel'),
+        description=_('Channel to send notifications to.'),
         missing='',
         preparer=strip_whitespace,
         widget=deform.widget.TextInputWidget(
@@ -76,8 +75,8 @@ class SlackSettingsSchema(IntegrationSet
     )
     icon_emoji = colander.SchemaNode(
         colander.String(),
-        title=lazy_ugettext('Emoji'),
-        description=lazy_ugettext('Emoji to use eg. :studio_microphone:'),
+        title=_('Emoji'),
+        description=_('Emoji to use eg. :studio_microphone:'),
         missing='',
         preparer=strip_whitespace,
         widget=deform.widget.TextInputWidget(
@@ -102,10 +101,14 @@ in <${data['repo']['url']}|${data['repo'
 ''')
 
 
+
+
 class SlackIntegrationType(IntegrationTypeBase):
     key = 'slack'
-    display_name = lazy_ugettext('Slack')
-    SettingsSchema = SlackSettingsSchema
+    display_name = _('Slack')
+    description = _('Send events such as repo pushes and pull requests to '
+                    'your slack channel.')
+    icon = '''<?xml version="1.0" encoding="UTF-8" standalone="no"?><svg viewBox="0 0 256 256" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" preserveAspectRatio="xMidYMid"><g><path d="M165.963541,15.8384262 C162.07318,3.86308197 149.212328,-2.69009836 137.239082,1.20236066 C125.263738,5.09272131 118.710557,17.9535738 122.603016,29.9268197 L181.550164,211.292328 C185.597902,222.478689 197.682361,228.765377 209.282098,225.426885 C221.381246,221.943607 228.756984,209.093246 224.896,197.21023 C224.749115,196.756984 165.963541,15.8384262 165.963541,15.8384262" fill="#DFA22F"></path><path d="M74.6260984,45.515541 C70.7336393,33.5422951 57.8727869,26.9891148 45.899541,30.8794754 C33.9241967,34.7698361 27.3710164,47.6306885 31.2634754,59.6060328 L90.210623,240.971541 C94.2583607,252.157902 106.34282,258.44459 117.942557,255.104 C130.041705,251.62282 137.417443,238.772459 133.556459,226.887344 C133.409574,226.436197 74.6260984,45.515541 74.6260984,45.515541" fill="#3CB187"></path><path d="M240.161574,166.045377 C252.136918,162.155016 258.688,149.294164 254.797639,137.31882 C250.907279,125.345574 238.046426,118.792393 226.07318,122.682754 L44.7076721,181.632 C33.5213115,185.677639 27.234623,197.762098 30.5731148,209.361836 C34.0563934,221.460984 46.9067541,228.836721 58.7897705,224.975738 C59.2430164,224.828852 240.161574,166.045377 240.161574,166.045377" fill="#CE1E5B"></path><path d="M82.507541,217.270557 C94.312918,213.434754 109.528131,208.491016 125.855475,203.186361 C122.019672,191.380984 117.075934,176.163672 111.76918,159.83423 L68.4191475,173.924721 L82.507541,217.270557" fill="#392538"></path><path d="M173.847082,187.591344 C190.235279,182.267803 205.467279,177.31777 217.195016,173.507148 C213.359213,161.70177 208.413377,146.480262 203.106623,130.146623 L159.75659,144.237115 L173.847082,187.591344" fill="#BB242A"></path><path d="M210.484459,74.7058361 C222.457705,70.8154754 229.010885,57.954623 225.120525,45.9792787 C221.230164,34.0060328 208.369311,27.4528525 196.393967,31.3432131 L15.028459,90.292459 C3.84209836,94.3380984 -2.44459016,106.422557 0.896,118.022295 C4.37718033,130.121443 17.227541,137.49718 29.1126557,133.636197 C29.5638033,133.489311 210.484459,74.7058361 210.484459,74.7058361" fill="#72C5CD"></path><path d="M52.8220328,125.933115 C64.6274098,122.097311 79.8468197,117.151475 96.1762623,111.84682 C90.8527213,95.4565246 85.9026885,80.2245246 82.0920656,68.4946885 L38.731541,82.5872787 L52.8220328,125.933115" fill="#248C73"></path><path d="M144.159475,96.256 C160.551869,90.9303607 175.785967,85.9803279 187.515803,82.1676066 C182.190164,65.7752131 177.240131,50.5390164 173.42741,38.807082 L130.068984,52.8996721 L144.159475,96.256" fill="#62803A"></path></g></svg>'''
     valid_events = [
         events.PullRequestCloseEvent,
         events.PullRequestMergeEvent,
diff --git a/rhodecode/integrations/types/webhook.py b/rhodecode/integrations/types/webhook.py
--- a/rhodecode/integrations/types/webhook.py
+++ b/rhodecode/integrations/types/webhook.py
@@ -28,19 +28,19 @@ from celery.task import task
 from mako.template import Template
 
 from rhodecode import events
-from rhodecode.translation import lazy_ugettext
+from rhodecode.translation import _
 from rhodecode.integrations.types.base import IntegrationTypeBase
-from rhodecode.integrations.schema import IntegrationSettingsSchemaBase
 
 log = logging.getLogger(__name__)
 
 
-class WebhookSettingsSchema(IntegrationSettingsSchemaBase):
+class WebhookSettingsSchema(colander.Schema):
     url = colander.SchemaNode(
         colander.String(),
-        title=lazy_ugettext('Webhook URL'),
-        description=lazy_ugettext('URL of the webhook to receive POST event.'),
-        default='',
+        title=_('Webhook URL'),
+        description=_('URL of the webhook to receive POST event.'),
+        missing=colander.required,
+        required=True,
         validator=colander.url,
         widget=deform.widget.TextInputWidget(
             placeholder='https://www.example.com/webhook'
@@ -48,18 +48,24 @@ class WebhookSettingsSchema(IntegrationS
     )
     secret_token = colander.SchemaNode(
         colander.String(),
-        title=lazy_ugettext('Secret Token'),
-        description=lazy_ugettext('String used to validate received payloads.'),
+        title=_('Secret Token'),
+        description=_('String used to validate received payloads.'),
         default='',
+        missing='',
         widget=deform.widget.TextInputWidget(
             placeholder='secret_token'
         ),
     )
 
 
+
+
 class WebhookIntegrationType(IntegrationTypeBase):
     key = 'webhook'
-    display_name = lazy_ugettext('Webhook')
+    display_name = _('Webhook')
+    description = _('Post json events to a webhook endpoint')
+    icon = '''<?xml version="1.0" encoding="UTF-8" standalone="no"?><svg viewBox="0 0 256 239" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" preserveAspectRatio="xMidYMid"><g><path d="M119.540432,100.502743 C108.930124,118.338815 98.7646301,135.611455 88.3876025,152.753617 C85.7226696,157.154315 84.4040417,160.738531 86.5332204,166.333309 C92.4107024,181.787152 84.1193605,196.825836 68.5350381,200.908244 C53.8383677,204.759349 39.5192953,195.099955 36.6032893,179.365384 C34.0194114,165.437749 44.8274148,151.78491 60.1824106,149.608284 C61.4694072,149.424428 62.7821041,149.402681 64.944891,149.240571 C72.469175,136.623655 80.1773157,123.700312 88.3025935,110.073173 C73.611854,95.4654658 64.8677898,78.3885437 66.803227,57.2292132 C68.1712787,42.2715849 74.0527146,29.3462646 84.8033863,18.7517722 C105.393354,-1.53572199 136.805164,-4.82141828 161.048542,10.7510424 C184.333097,25.7086706 194.996783,54.8450075 185.906752,79.7822957 C179.052655,77.9239597 172.151111,76.049808 164.563565,73.9917997 C167.418285,60.1274266 165.306899,47.6765751 155.95591,37.0109123 C149.777932,29.9690049 141.850349,26.2780332 132.835442,24.9178894 C114.764113,22.1877169 97.0209573,33.7983633 91.7563309,51.5355878 C85.7800012,71.6669027 94.8245623,88.1111998 119.540432,100.502743 L119.540432,100.502743 Z" fill="#C73A63"></path><path d="M149.841194,79.4106285 C157.316054,92.5969067 164.905578,105.982857 172.427885,119.246236 C210.44865,107.483365 239.114472,128.530009 249.398582,151.063322 C261.81978,178.282014 253.328765,210.520191 228.933162,227.312431 C203.893073,244.551464 172.226236,241.605803 150.040866,219.46195 C155.694953,214.729124 161.376716,209.974552 167.44794,204.895759 C189.360489,219.088306 208.525074,218.420096 222.753207,201.614016 C234.885769,187.277151 234.622834,165.900356 222.138374,151.863988 C207.730339,135.66681 188.431321,135.172572 165.103273,150.721309 C155.426087,133.553447 145.58086,116.521995 136.210101,99.2295848 C133.05093,93.4015266 129.561608,90.0209366 122.440622,88.7873178 C110.547271,86.7253555 102.868785,76.5124151 102.408155,65.0698097 C101.955433,53.7537294 108.621719,43.5249733 119.04224,39.5394355 C129.363912,35.5914599 141.476705,38.7783085 148.419765,47.554004 C154.093621,54.7244134 155.896602,62.7943365 152.911402,71.6372484 C152.081082,74.1025091 151.00562,76.4886916 149.841194,79.4106285 L149.841194,79.4106285 Z" fill="#4B4B4B"></path><path d="M167.706921,187.209935 L121.936499,187.209935 C117.54964,205.253587 108.074103,219.821756 91.7464461,229.085759 C79.0544063,236.285822 65.3738898,238.72736 50.8136292,236.376762 C24.0061432,232.053165 2.08568567,207.920497 0.156179306,180.745298 C-2.02835403,149.962159 19.1309765,122.599149 47.3341915,116.452801 C49.2814904,123.524363 51.2485589,130.663141 53.1958579,137.716911 C27.3195169,150.919004 18.3639187,167.553089 25.6054984,188.352614 C31.9811726,206.657224 50.0900643,216.690262 69.7528413,212.809503 C89.8327554,208.847688 99.9567329,192.160226 98.7211371,165.37844 C117.75722,165.37844 136.809118,165.180745 155.847178,165.475311 C163.280522,165.591951 169.019617,164.820939 174.620326,158.267339 C183.840836,147.48306 200.811003,148.455721 210.741239,158.640984 C220.88894,169.049642 220.402609,185.79839 209.663799,195.768166 C199.302587,205.38802 182.933414,204.874012 173.240413,194.508846 C171.247644,192.37176 169.677943,189.835329 167.706921,187.209935 L167.706921,187.209935 Z" fill="#4A4A4A"></path></g></svg>'''
+
     valid_events = [
         events.PullRequestCloseEvent,
         events.PullRequestMergeEvent,
diff --git a/rhodecode/integrations/views.py b/rhodecode/integrations/views.py
--- a/rhodecode/integrations/views.py
+++ b/rhodecode/integrations/views.py
@@ -18,23 +18,29 @@
 # RhodeCode Enterprise Edition, including its added features, Support services,
 # and proprietary license terms, please see https://rhodecode.com/licenses/
 
-import colander
-import logging
 import pylons
 import deform
+import logging
+import colander
+import peppercorn
+import webhelpers.paginate
 
-from pyramid.httpexceptions import HTTPFound, HTTPForbidden
+from pyramid.httpexceptions import HTTPFound, HTTPForbidden, HTTPBadRequest
 from pyramid.renderers import render
 from pyramid.response import Response
 
 from rhodecode.lib import auth
 from rhodecode.lib.auth import LoginRequired, HasPermissionAllDecorator
+from rhodecode.lib.utils2 import safe_int
+from rhodecode.lib.helpers import Page
 from rhodecode.model.db import Repository, RepoGroup, Session, Integration
 from rhodecode.model.scm import ScmModel
 from rhodecode.model.integration import IntegrationModel
 from rhodecode.admin.navigation import navigation_list
 from rhodecode.translation import _
 from rhodecode.integrations import integration_type_registry
+from rhodecode.model.validation_schema.schemas.integration_schema import (
+    make_integration_schema)
 
 log = logging.getLogger(__name__)
 
@@ -65,30 +71,45 @@ class IntegrationSettingsViewBase(object
 
         request = self.request
 
-        if 'repo_name' in request.matchdict:  # we're in a repo context
+        if 'repo_name' in request.matchdict:  # in repo settings context
             repo_name = request.matchdict['repo_name']
             self.repo = Repository.get_by_repo_name(repo_name)
 
-        if 'repo_group_name' in request.matchdict: # we're in repo_group context
+        if 'repo_group_name' in request.matchdict: # in group settings context
             repo_group_name = request.matchdict['repo_group_name']
             self.repo_group = RepoGroup.get_by_group_name(repo_group_name)
 
-        if 'integration' in request.matchdict:  # we're in integration context
+
+        if 'integration' in request.matchdict:  # integration type context
             integration_type = request.matchdict['integration']
             self.IntegrationType = integration_type_registry[integration_type]
 
         if 'integration_id' in request.matchdict:  # single integration context
             integration_id = request.matchdict['integration_id']
             self.integration = Integration.get(integration_id)
-        else:                                      # list integrations context
-            integrations = IntegrationModel().get_integrations(
-                repo=self.repo, repo_group=self.repo_group)
 
-            for integration in integrations:
-                self.integrations.setdefault(integration.integration_type, []
-                    ).append(integration)
+            # extra perms check just in case
+            if not self._has_perms_for_integration(self.integration):
+                raise HTTPForbidden()
 
         self.settings = self.integration and self.integration.settings or {}
+        self.admin_view = not (self.repo or self.repo_group)
+
+    def _has_perms_for_integration(self, integration):
+        perms = self.request.user.permissions
+
+        if 'hg.admin' in perms['global']:
+            return True
+
+        if integration.repo:
+            return perms['repositories'].get(
+                integration.repo.repo_name) == 'repository.admin'
+
+        if integration.repo_group:
+            return perms['repositories_groups'].get(
+                integration.repo_group.group_name) == 'group.admin'
+
+        return False
 
     def _template_c_context(self):
         # TODO: dan: this is a stopgap in order to inherit from current pylons
@@ -102,6 +123,7 @@ class IntegrationSettingsViewBase(object
         c.repo_group = self.repo_group
         c.repo_name = self.repo and self.repo.repo_name or None
         c.repo_group_name = self.repo_group and self.repo_group.group_name or None
+
         if self.repo:
             c.repo_info = self.repo
             c.rhodecode_db_repo = self.repo
@@ -112,23 +134,25 @@ class IntegrationSettingsViewBase(object
         return c
 
     def _form_schema(self):
-        if self.integration:
-            settings = self.integration.settings
-        else:
-            settings = {}
-        return self.IntegrationType(settings=settings).settings_schema()
+        schema = make_integration_schema(IntegrationType=self.IntegrationType,
+                                         settings=self.settings)
 
-    def settings_get(self, defaults=None, errors=None, form=None):
-        """
-        View that displays the plugin settings as a form.
-        """
-        defaults = defaults or {}
-        errors = errors or {}
+        # returns a clone, important if mutating the schema later
+        return schema.bind(
+            permissions=self.request.user.permissions,
+            no_scope=not self.admin_view)
+
+
+    def _form_defaults(self):
+        defaults = {}
 
         if self.integration:
-            defaults = self.integration.settings or {}
-            defaults['name'] = self.integration.name
-            defaults['enabled'] = self.integration.enabled
+            defaults['settings'] = self.integration.settings or {}
+            defaults['options'] = {
+                'name': self.integration.name,
+                'enabled': self.integration.enabled,
+                'scope': self.integration.scope,
+            }
         else:
             if self.repo:
                 scope = _('{repo_name} repository').format(
@@ -139,11 +163,44 @@ class IntegrationSettingsViewBase(object
             else:
                 scope = _('Global')
 
-            defaults['name'] = '{} {} integration'.format(scope,
-                self.IntegrationType.display_name)
-            defaults['enabled'] = True
+            defaults['options'] = {
+                'enabled': True,
+                'name': _('{name} integration').format(
+                    name=self.IntegrationType.display_name),
+            }
+            if self.repo:
+                defaults['options']['scope'] = self.repo
+            elif self.repo_group:
+                defaults['options']['scope'] = self.repo_group
+
+        return defaults
 
-        schema = self._form_schema().bind(request=self.request)
+    def _delete_integration(self, integration):
+        Session().delete(self.integration)
+        Session().commit()
+        self.request.session.flash(
+            _('Integration {integration_name} deleted successfully.').format(
+                integration_name=self.integration.name),
+            queue='success')
+
+        if self.repo:
+            redirect_to = self.request.route_url(
+                'repo_integrations_home', repo_name=self.repo.repo_name)
+        elif self.repo_group:
+            redirect_to = self.request.route_url(
+                'repo_group_integrations_home',
+                repo_group_name=self.repo_group.group_name)
+        else:
+            redirect_to = self.request.route_url('global_integrations_home')
+        raise HTTPFound(redirect_to)
+
+    def settings_get(self, defaults=None, form=None):
+        """
+        View that displays the integration settings as a form.
+        """
+
+        defaults = defaults or self._form_defaults()
+        schema = self._form_schema()
 
         if self.integration:
             buttons = ('submit', 'delete')
@@ -152,23 +209,10 @@ class IntegrationSettingsViewBase(object
 
         form = form or deform.Form(schema, appstruct=defaults, buttons=buttons)
 
-        for node in schema:
-            setting = self.settings.get(node.name)
-            if setting is not None:
-                defaults.setdefault(node.name, setting)
-            else:
-                if node.default:
-                    defaults.setdefault(node.name, node.default)
-
         template_context = {
             'form': form,
-            'defaults': defaults,
-            'errors': errors,
-            'schema': schema,
             'current_IntegrationType': self.IntegrationType,
             'integration': self.integration,
-            'settings': self.settings,
-            'resource': self.context,
             'c': self._template_c_context(),
         }
 
@@ -177,79 +221,90 @@ class IntegrationSettingsViewBase(object
     @auth.CSRFRequired()
     def settings_post(self):
         """
-        View that validates and stores the plugin settings.
+        View that validates and stores the integration settings.
         """
-        if self.request.params.get('delete'):
-            Session().delete(self.integration)
-            Session().commit()
-            self.request.session.flash(
-                _('Integration {integration_name} deleted successfully.').format(
-                    integration_name=self.integration.name),
-                queue='success')
-            if self.repo:
-                redirect_to = self.request.route_url(
-                    'repo_integrations_home', repo_name=self.repo.repo_name)
-            else:
-                redirect_to = self.request.route_url('global_integrations_home')
-            raise HTTPFound(redirect_to)
+        controls = self.request.POST.items()
+        pstruct = peppercorn.parse(controls)
+
+        if self.integration and pstruct.get('delete'):
+            return self._delete_integration(self.integration)
+
+        schema = self._form_schema()
+
+        skip_settings_validation = False
+        if self.integration and 'enabled' not in pstruct.get('options', {}):
+            skip_settings_validation = True
+            schema['settings'].validator = None
+            for field in schema['settings'].children:
+                field.validator = None
+                field.missing = ''
 
-        schema = self._form_schema().bind(request=self.request)
+        if self.integration:
+            buttons = ('submit', 'delete')
+        else:
+            buttons = ('submit',)
 
-        form = deform.Form(schema, buttons=('submit', 'delete'))
+        form = deform.Form(schema, buttons=buttons)
 
-        params = {}
-        for node in schema.children:
-            if type(node.typ) in (colander.Set, colander.List):
-                val = self.request.params.getall(node.name)
-            else:
-                val = self.request.params.get(node.name)
-            if val:
-                params[node.name] = val
+        if not self.admin_view:
+            # scope is read only field in these cases, and has to be added
+            options = pstruct.setdefault('options', {})
+            if 'scope' not in options:
+                if self.repo:
+                    options['scope'] = 'repo:{}'.format(self.repo.repo_name)
+                elif self.repo_group:
+                    options['scope'] = 'repogroup:{}'.format(
+                        self.repo_group.group_name)
 
-        controls = self.request.POST.items()
         try:
-            valid_data = form.validate(controls)
+            valid_data = form.validate_pstruct(pstruct)
         except deform.ValidationFailure as e:
             self.request.session.flash(
                 _('Errors exist when saving integration settings. '
                   'Please check the form inputs.'),
                 queue='error')
-            return self.settings_get(errors={}, defaults=params, form=e)
+            return self.settings_get(form=e)
 
         if not self.integration:
             self.integration = Integration()
             self.integration.integration_type = self.IntegrationType.key
-            if self.repo:
-                self.integration.repo = self.repo
-            elif self.repo_group:
-                self.integration.repo_group = self.repo_group
             Session().add(self.integration)
 
-        self.integration.enabled = valid_data.pop('enabled', False)
-        self.integration.name = valid_data.pop('name')
-        self.integration.settings = valid_data
+        scope = valid_data['options']['scope']
 
+        IntegrationModel().update_integration(self.integration,
+            name=valid_data['options']['name'],
+            enabled=valid_data['options']['enabled'],
+            settings=valid_data['settings'],
+            scope=scope)
+
+        self.integration.settings = valid_data['settings']
         Session().commit()
-
         # Display success message and redirect.
         self.request.session.flash(
             _('Integration {integration_name} updated successfully.').format(
                 integration_name=self.IntegrationType.display_name),
             queue='success')
 
-        if self.repo:
-            redirect_to = self.request.route_url(
-                'repo_integrations_edit', repo_name=self.repo.repo_name,
+
+        # if integration scope changes, we must redirect to the right place
+        # keeping in mind if the original view was for /repo/ or /_admin/
+        admin_view = not (self.repo or self.repo_group)
+
+        if isinstance(self.integration.scope, Repository) and not admin_view:
+            redirect_to = self.request.route_path(
+                'repo_integrations_edit',
+                repo_name=self.integration.scope.repo_name,
                 integration=self.integration.integration_type,
                 integration_id=self.integration.integration_id)
-        elif self.repo:
-            redirect_to = self.request.route_url(
+        elif isinstance(self.integration.scope, RepoGroup) and not admin_view:
+            redirect_to = self.request.route_path(
                 'repo_group_integrations_edit',
-                repo_group_name=self.repo_group.group_name,
+                repo_group_name=self.integration.scope.group_name,
                 integration=self.integration.integration_type,
                 integration_id=self.integration.integration_id)
         else:
-            redirect_to = self.request.route_url(
+            redirect_to = self.request.route_path(
                 'global_integrations_edit',
                 integration=self.integration.integration_type,
                 integration_id=self.integration.integration_id)
@@ -257,31 +312,60 @@ class IntegrationSettingsViewBase(object
         return HTTPFound(redirect_to)
 
     def index(self):
-        current_integrations = self.integrations
-        if self.IntegrationType:
-            current_integrations = {
-                self.IntegrationType.key: self.integrations.get(
-                    self.IntegrationType.key, [])
-            }
+        """ List integrations """
+        if self.repo:
+            scope = self.repo
+        elif self.repo_group:
+            scope = self.repo_group
+        else:
+            scope = 'all'
+
+        integrations = []
+
+        for integration in IntegrationModel().get_integrations(
+                        scope=scope, IntegrationType=self.IntegrationType):
+
+            # extra permissions check *just in case*
+            if not self._has_perms_for_integration(integration):
+                continue
+            integrations.append(integration)
+
+        sort_arg = self.request.GET.get('sort', 'name:asc')
+        if ':' in sort_arg:
+            sort_field, sort_dir = sort_arg.split(':')
+        else:
+            sort_field = sort_arg, 'asc'
+
+        assert sort_field in ('name', 'integration_type', 'enabled', 'scope')
+
+        integrations.sort(
+            key=lambda x: getattr(x[1], sort_field), reverse=(sort_dir=='desc'))
+
+
+        page_url = webhelpers.paginate.PageURL(
+            self.request.path, self.request.GET)
+        page = safe_int(self.request.GET.get('page', 1), 1)
+
+        integrations = Page(integrations, page=page, items_per_page=10,
+                               url=page_url)
 
         template_context = {
+            'sort_field': sort_field,
+            'rev_sort_dir': sort_dir != 'desc' and 'desc' or 'asc',
             'current_IntegrationType': self.IntegrationType,
-            'current_integrations': current_integrations,
+            'integrations_list': integrations,
             'available_integrations': integration_type_registry,
-            'c': self._template_c_context()
+            'c': self._template_c_context(),
+            'request': self.request,
         }
+        return template_context
 
-        if self.repo:
-            html = render('rhodecode:templates/admin/integrations/list.html',
-                          template_context,
-                          request=self.request)
-        else:
-            html = render('rhodecode:templates/admin/integrations/list.html',
-                          template_context,
-                          request=self.request)
-
-        return Response(html)
-
+    def new_integration(self):
+        template_context = {
+            'available_integrations': integration_type_registry,
+            'c': self._template_c_context(),
+        }
+        return template_context
 
 class GlobalIntegrationsView(IntegrationSettingsViewBase):
     def perm_check(self, user):
@@ -293,7 +377,9 @@ class RepoIntegrationsView(IntegrationSe
         return auth.HasRepoPermissionAll('repository.admin'
             )(repo_name=self.repo.repo_name, user=user)
 
+
 class RepoGroupIntegrationsView(IntegrationSettingsViewBase):
     def perm_check(self, user):
         return auth.HasRepoGroupPermissionAll('group.admin'
             )(group_name=self.repo_group.group_name, user=user)
+
diff --git a/rhodecode/lib/dbmigrate/schema/db_4_4_0_0.py b/rhodecode/lib/dbmigrate/schema/db_4_4_0_0.py
--- a/rhodecode/lib/dbmigrate/schema/db_4_4_0_0.py
+++ b/rhodecode/lib/dbmigrate/schema/db_4_4_0_0.py
@@ -3481,7 +3481,6 @@ class Integration(Base, BaseModel):
     integration_type = Column('integration_type', String(255))
     enabled = Column('enabled', Boolean(), nullable=False)
     name = Column('name', String(255), nullable=False)
-
     settings = Column(
         'settings_json', MutationObj.as_mutable(
             JsonType(dialect_map=dict(mysql=UnicodeText(16384)))))
diff --git a/rhodecode/lib/dbmigrate/schema/db_4_4_0_1.py b/rhodecode/lib/dbmigrate/schema/db_4_4_0_1.py
new file mode 100644
--- /dev/null
+++ b/rhodecode/lib/dbmigrate/schema/db_4_4_0_1.py
@@ -0,0 +1,3529 @@
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2010-2016  RhodeCode GmbH
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License, version 3
+# (only), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+# This program is dual-licensed. If you wish to learn more about the
+# RhodeCode Enterprise Edition, including its added features, Support services,
+# and proprietary license terms, please see https://rhodecode.com/licenses/
+
+"""
+Database Models for RhodeCode Enterprise
+"""
+
+import os
+import sys
+import time
+import hashlib
+import logging
+import datetime
+import warnings
+import ipaddress
+import functools
+import traceback
+import collections
+
+
+from sqlalchemy import *
+from sqlalchemy.exc import IntegrityError
+from sqlalchemy.ext.declarative import declared_attr
+from sqlalchemy.ext.hybrid import hybrid_property
+from sqlalchemy.orm import (
+    relationship, joinedload, class_mapper, validates, aliased)
+from sqlalchemy.sql.expression import true
+from beaker.cache import cache_region, region_invalidate
+from webob.exc import HTTPNotFound
+from zope.cachedescriptors.property import Lazy as LazyProperty
+
+from pylons import url
+from pylons.i18n.translation import lazy_ugettext as _
+
+from rhodecode.lib.vcs import get_backend, get_vcs_instance
+from rhodecode.lib.vcs.utils.helpers import get_scm
+from rhodecode.lib.vcs.exceptions import VCSError
+from rhodecode.lib.vcs.backends.base import (
+    EmptyCommit, Reference, MergeFailureReason)
+from rhodecode.lib.utils2 import (
+    str2bool, safe_str, get_commit_safe, safe_unicode, remove_prefix, md5_safe,
+    time_to_datetime, aslist, Optional, safe_int, get_clone_url, AttributeDict)
+from rhodecode.lib.jsonalchemy import MutationObj, JsonType, JSONDict
+from rhodecode.lib.ext_json import json
+from rhodecode.lib.caching_query import FromCache
+from rhodecode.lib.encrypt import AESCipher
+
+from rhodecode.model.meta import Base, Session
+
+URL_SEP = '/'
+log = logging.getLogger(__name__)
+
+# =============================================================================
+# BASE CLASSES
+# =============================================================================
+
+# this is propagated from .ini file rhodecode.encrypted_values.secret or
+# beaker.session.secret if first is not set.
+# and initialized at environment.py
+ENCRYPTION_KEY = None
+
+# used to sort permissions by types, '#' used here is not allowed to be in
+# usernames, and it's very early in sorted string.printable table.
+PERMISSION_TYPE_SORT = {
+    'admin': '####',
+    'write': '###',
+    'read':  '##',
+    'none':  '#',
+}
+
+
+def display_sort(obj):
+    """
+    Sort function used to sort permissions in .permissions() function of
+    Repository, RepoGroup, UserGroup. Also it put the default user in front
+    of all other resources
+    """
+
+    if obj.username == User.DEFAULT_USER:
+        return '#####'
+    prefix = PERMISSION_TYPE_SORT.get(obj.permission.split('.')[-1], '')
+    return prefix + obj.username
+
+
+def _hash_key(k):
+    return md5_safe(k)
+
+
+class EncryptedTextValue(TypeDecorator):
+    """
+    Special column for encrypted long text data, use like::
+
+        value = Column("encrypted_value", EncryptedValue(), nullable=False)
+
+    This column is intelligent so if value is in unencrypted form it return
+    unencrypted form, but on save it always encrypts
+    """
+    impl = Text
+
+    def process_bind_param(self, value, dialect):
+        if not value:
+            return value
+        if value.startswith('enc$aes$') or value.startswith('enc$aes_hmac$'):
+            # protect against double encrypting if someone manually starts
+            # doing
+            raise ValueError('value needs to be in unencrypted format, ie. '
+                             'not starting with enc$aes')
+        return 'enc$aes_hmac$%s' % AESCipher(
+            ENCRYPTION_KEY, hmac=True).encrypt(value)
+
+    def process_result_value(self, value, dialect):
+        import rhodecode
+
+        if not value:
+            return value
+
+        parts = value.split('$', 3)
+        if not len(parts) == 3:
+            # probably not encrypted values
+            return value
+        else:
+            if parts[0] != 'enc':
+                # parts ok but without our header ?
+                return value
+            enc_strict_mode = str2bool(rhodecode.CONFIG.get(
+                'rhodecode.encrypted_values.strict') or True)
+            # at that stage we know it's our encryption
+            if parts[1] == 'aes':
+                decrypted_data = AESCipher(ENCRYPTION_KEY).decrypt(parts[2])
+            elif parts[1] == 'aes_hmac':
+                decrypted_data = AESCipher(
+                    ENCRYPTION_KEY, hmac=True,
+                    strict_verification=enc_strict_mode).decrypt(parts[2])
+            else:
+                raise ValueError(
+                    'Encryption type part is wrong, must be `aes` '
+                    'or `aes_hmac`, got `%s` instead' % (parts[1]))
+            return decrypted_data
+
+
+class BaseModel(object):
+    """
+    Base Model for all classes
+    """
+
+    @classmethod
+    def _get_keys(cls):
+        """return column names for this model """
+        return class_mapper(cls).c.keys()
+
+    def get_dict(self):
+        """
+        return dict with keys and values corresponding
+        to this model data """
+
+        d = {}
+        for k in self._get_keys():
+            d[k] = getattr(self, k)
+
+        # also use __json__() if present to get additional fields
+        _json_attr = getattr(self, '__json__', None)
+        if _json_attr:
+            # update with attributes from __json__
+            if callable(_json_attr):
+                _json_attr = _json_attr()
+            for k, val in _json_attr.iteritems():
+                d[k] = val
+        return d
+
+    def get_appstruct(self):
+        """return list with keys and values tuples corresponding
+        to this model data """
+
+        l = []
+        for k in self._get_keys():
+            l.append((k, getattr(self, k),))
+        return l
+
+    def populate_obj(self, populate_dict):
+        """populate model with data from given populate_dict"""
+
+        for k in self._get_keys():
+            if k in populate_dict:
+                setattr(self, k, populate_dict[k])
+
+    @classmethod
+    def query(cls):
+        return Session().query(cls)
+
+    @classmethod
+    def get(cls, id_):
+        if id_:
+            return cls.query().get(id_)
+
+    @classmethod
+    def get_or_404(cls, id_):
+        try:
+            id_ = int(id_)
+        except (TypeError, ValueError):
+            raise HTTPNotFound
+
+        res = cls.query().get(id_)
+        if not res:
+            raise HTTPNotFound
+        return res
+
+    @classmethod
+    def getAll(cls):
+        # deprecated and left for backward compatibility
+        return cls.get_all()
+
+    @classmethod
+    def get_all(cls):
+        return cls.query().all()
+
+    @classmethod
+    def delete(cls, id_):
+        obj = cls.query().get(id_)
+        Session().delete(obj)
+
+    @classmethod
+    def identity_cache(cls, session, attr_name, value):
+        exist_in_session = []
+        for (item_cls, pkey), instance in session.identity_map.items():
+            if cls == item_cls and getattr(instance, attr_name) == value:
+                exist_in_session.append(instance)
+        if exist_in_session:
+            if len(exist_in_session) == 1:
+                return exist_in_session[0]
+            log.exception(
+                'multiple objects with attr %s and '
+                'value %s found with same name: %r',
+                attr_name, value, exist_in_session)
+
+    def __repr__(self):
+        if hasattr(self, '__unicode__'):
+            # python repr needs to return str
+            try:
+                return safe_str(self.__unicode__())
+            except UnicodeDecodeError:
+                pass
+        return '<DB:%s>' % (self.__class__.__name__)
+
+
+class RhodeCodeSetting(Base, BaseModel):
+    __tablename__ = 'rhodecode_settings'
+    __table_args__ = (
+        UniqueConstraint('app_settings_name'),
+        {'extend_existing': True, 'mysql_engine': 'InnoDB',
+         'mysql_charset': 'utf8', 'sqlite_autoincrement': True}
+    )
+
+    SETTINGS_TYPES = {
+        'str': safe_str,
+        'int': safe_int,
+        'unicode': safe_unicode,
+        'bool': str2bool,
+        'list': functools.partial(aslist, sep=',')
+    }
+    DEFAULT_UPDATE_URL = 'https://rhodecode.com/api/v1/info/versions'
+    GLOBAL_CONF_KEY = 'app_settings'
+
+    app_settings_id = Column("app_settings_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
+    app_settings_name = Column("app_settings_name", String(255), nullable=True, unique=None, default=None)
+    _app_settings_value = Column("app_settings_value", String(4096), nullable=True, unique=None, default=None)
+    _app_settings_type = Column("app_settings_type", String(255), nullable=True, unique=None, default=None)
+
+    def __init__(self, key='', val='', type='unicode'):
+        self.app_settings_name = key
+        self.app_settings_type = type
+        self.app_settings_value = val
+
+    @validates('_app_settings_value')
+    def validate_settings_value(self, key, val):
+        assert type(val) == unicode
+        return val
+
+    @hybrid_property
+    def app_settings_value(self):
+        v = self._app_settings_value
+        _type = self.app_settings_type
+        if _type:
+            _type = self.app_settings_type.split('.')[0]
+            # decode the encrypted value
+            if 'encrypted' in self.app_settings_type:
+                cipher = EncryptedTextValue()
+                v = safe_unicode(cipher.process_result_value(v, None))
+
+        converter = self.SETTINGS_TYPES.get(_type) or \
+            self.SETTINGS_TYPES['unicode']
+        return converter(v)
+
+    @app_settings_value.setter
+    def app_settings_value(self, val):
+        """
+        Setter that will always make sure we use unicode in app_settings_value
+
+        :param val:
+        """
+        val = safe_unicode(val)
+        # encode the encrypted value
+        if 'encrypted' in self.app_settings_type:
+            cipher = EncryptedTextValue()
+            val = safe_unicode(cipher.process_bind_param(val, None))
+        self._app_settings_value = val
+
+    @hybrid_property
+    def app_settings_type(self):
+        return self._app_settings_type
+
+    @app_settings_type.setter
+    def app_settings_type(self, val):
+        if val.split('.')[0] not in self.SETTINGS_TYPES:
+            raise Exception('type must be one of %s got %s'
+                            % (self.SETTINGS_TYPES.keys(), val))
+        self._app_settings_type = val
+
+    def __unicode__(self):
+        return u"<%s('%s:%s[%s]')>" % (
+            self.__class__.__name__,
+            self.app_settings_name, self.app_settings_value,
+            self.app_settings_type
+        )
+
+
+class RhodeCodeUi(Base, BaseModel):
+    __tablename__ = 'rhodecode_ui'
+    __table_args__ = (
+        UniqueConstraint('ui_key'),
+        {'extend_existing': True, 'mysql_engine': 'InnoDB',
+         'mysql_charset': 'utf8', 'sqlite_autoincrement': True}
+    )
+
+    HOOK_REPO_SIZE = 'changegroup.repo_size'
+    # HG
+    HOOK_PRE_PULL = 'preoutgoing.pre_pull'
+    HOOK_PULL = 'outgoing.pull_logger'
+    HOOK_PRE_PUSH = 'prechangegroup.pre_push'
+    HOOK_PUSH = 'changegroup.push_logger'
+
+    # TODO: johbo: Unify way how hooks are configured for git and hg,
+    # git part is currently hardcoded.
+
+    # SVN PATTERNS
+    SVN_BRANCH_ID = 'vcs_svn_branch'
+    SVN_TAG_ID = 'vcs_svn_tag'
+
+    ui_id = Column(
+        "ui_id", Integer(), nullable=False, unique=True, default=None,
+        primary_key=True)
+    ui_section = Column(
+        "ui_section", String(255), nullable=True, unique=None, default=None)
+    ui_key = Column(
+        "ui_key", String(255), nullable=True, unique=None, default=None)
+    ui_value = Column(
+        "ui_value", String(255), nullable=True, unique=None, default=None)
+    ui_active = Column(
+        "ui_active", Boolean(), nullable=True, unique=None, default=True)
+
+    def __repr__(self):
+        return '<%s[%s]%s=>%s]>' % (self.__class__.__name__, self.ui_section,
+                                    self.ui_key, self.ui_value)
+
+
+class RepoRhodeCodeSetting(Base, BaseModel):
+    __tablename__ = 'repo_rhodecode_settings'
+    __table_args__ = (
+        UniqueConstraint(
+            'app_settings_name', 'repository_id',
+            name='uq_repo_rhodecode_setting_name_repo_id'),
+        {'extend_existing': True, 'mysql_engine': 'InnoDB',
+         'mysql_charset': 'utf8', 'sqlite_autoincrement': True}
+    )
+
+    repository_id = Column(
+        "repository_id", Integer(), ForeignKey('repositories.repo_id'),
+        nullable=False)
+    app_settings_id = Column(
+        "app_settings_id", Integer(), nullable=False, unique=True,
+        default=None, primary_key=True)
+    app_settings_name = Column(
+        "app_settings_name", String(255), nullable=True, unique=None,
+        default=None)
+    _app_settings_value = Column(
+        "app_settings_value", String(4096), nullable=True, unique=None,
+        default=None)
+    _app_settings_type = Column(
+        "app_settings_type", String(255), nullable=True, unique=None,
+        default=None)
+
+    repository = relationship('Repository')
+
+    def __init__(self, repository_id, key='', val='', type='unicode'):
+        self.repository_id = repository_id
+        self.app_settings_name = key
+        self.app_settings_type = type
+        self.app_settings_value = val
+
+    @validates('_app_settings_value')
+    def validate_settings_value(self, key, val):
+        assert type(val) == unicode
+        return val
+
+    @hybrid_property
+    def app_settings_value(self):
+        v = self._app_settings_value
+        type_ = self.app_settings_type
+        SETTINGS_TYPES = RhodeCodeSetting.SETTINGS_TYPES
+        converter = SETTINGS_TYPES.get(type_) or SETTINGS_TYPES['unicode']
+        return converter(v)
+
+    @app_settings_value.setter
+    def app_settings_value(self, val):
+        """
+        Setter that will always make sure we use unicode in app_settings_value
+
+        :param val:
+        """
+        self._app_settings_value = safe_unicode(val)
+
+    @hybrid_property
+    def app_settings_type(self):
+        return self._app_settings_type
+
+    @app_settings_type.setter
+    def app_settings_type(self, val):
+        SETTINGS_TYPES = RhodeCodeSetting.SETTINGS_TYPES
+        if val not in SETTINGS_TYPES:
+            raise Exception('type must be one of %s got %s'
+                            % (SETTINGS_TYPES.keys(), val))
+        self._app_settings_type = val
+
+    def __unicode__(self):
+        return u"<%s('%s:%s:%s[%s]')>" % (
+            self.__class__.__name__, self.repository.repo_name,
+            self.app_settings_name, self.app_settings_value,
+            self.app_settings_type
+        )
+
+
+class RepoRhodeCodeUi(Base, BaseModel):
+    __tablename__ = 'repo_rhodecode_ui'
+    __table_args__ = (
+        UniqueConstraint(
+            'repository_id', 'ui_section', 'ui_key',
+            name='uq_repo_rhodecode_ui_repository_id_section_key'),
+        {'extend_existing': True, 'mysql_engine': 'InnoDB',
+         'mysql_charset': 'utf8', 'sqlite_autoincrement': True}
+    )
+
+    repository_id = Column(
+        "repository_id", Integer(), ForeignKey('repositories.repo_id'),
+        nullable=False)
+    ui_id = Column(
+        "ui_id", Integer(), nullable=False, unique=True, default=None,
+        primary_key=True)
+    ui_section = Column(
+        "ui_section", String(255), nullable=True, unique=None, default=None)
+    ui_key = Column(
+        "ui_key", String(255), nullable=True, unique=None, default=None)
+    ui_value = Column(
+        "ui_value", String(255), nullable=True, unique=None, default=None)
+    ui_active = Column(
+        "ui_active", Boolean(), nullable=True, unique=None, default=True)
+
+    repository = relationship('Repository')
+
+    def __repr__(self):
+        return '<%s[%s:%s]%s=>%s]>' % (
+            self.__class__.__name__, self.repository.repo_name,
+            self.ui_section, self.ui_key, self.ui_value)
+
+
+class User(Base, BaseModel):
+    __tablename__ = 'users'
+    __table_args__ = (
+        UniqueConstraint('username'), UniqueConstraint('email'),
+        Index('u_username_idx', 'username'),
+        Index('u_email_idx', 'email'),
+        {'extend_existing': True, 'mysql_engine': 'InnoDB',
+         'mysql_charset': 'utf8', 'sqlite_autoincrement': True}
+    )
+    DEFAULT_USER = 'default'
+    DEFAULT_USER_EMAIL = 'anonymous@rhodecode.org'
+    DEFAULT_GRAVATAR_URL = 'https://secure.gravatar.com/avatar/{md5email}?d=identicon&s={size}'
+
+    user_id = Column("user_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
+    username = Column("username", String(255), nullable=True, unique=None, default=None)
+    password = Column("password", String(255), nullable=True, unique=None, default=None)
+    active = Column("active", Boolean(), nullable=True, unique=None, default=True)
+    admin = Column("admin", Boolean(), nullable=True, unique=None, default=False)
+    name = Column("firstname", String(255), nullable=True, unique=None, default=None)
+    lastname = Column("lastname", String(255), nullable=True, unique=None, default=None)
+    _email = Column("email", String(255), nullable=True, unique=None, default=None)
+    last_login = Column("last_login", DateTime(timezone=False), nullable=True, unique=None, default=None)
+    extern_type = Column("extern_type", String(255), nullable=True, unique=None, default=None)
+    extern_name = Column("extern_name", String(255), nullable=True, unique=None, default=None)
+    api_key = Column("api_key", String(255), nullable=True, unique=None, default=None)
+    inherit_default_permissions = Column("inherit_default_permissions", Boolean(), nullable=False, unique=None, default=True)
+    created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
+    _user_data = Column("user_data", LargeBinary(), nullable=True)  # JSON data
+
+    user_log = relationship('UserLog')
+    user_perms = relationship('UserToPerm', primaryjoin="User.user_id==UserToPerm.user_id", cascade='all')
+
+    repositories = relationship('Repository')
+    repository_groups = relationship('RepoGroup')
+    user_groups = relationship('UserGroup')
+
+    user_followers = relationship('UserFollowing', primaryjoin='UserFollowing.follows_user_id==User.user_id', cascade='all')
+    followings = relationship('UserFollowing', primaryjoin='UserFollowing.user_id==User.user_id', cascade='all')
+
+    repo_to_perm = relationship('UserRepoToPerm', primaryjoin='UserRepoToPerm.user_id==User.user_id', cascade='all')
+    repo_group_to_perm = relationship('UserRepoGroupToPerm', primaryjoin='UserRepoGroupToPerm.user_id==User.user_id', cascade='all')
+    user_group_to_perm = relationship('UserUserGroupToPerm', primaryjoin='UserUserGroupToPerm.user_id==User.user_id', cascade='all')
+
+    group_member = relationship('UserGroupMember', cascade='all')
+
+    notifications = relationship('UserNotification', cascade='all')
+    # notifications assigned to this user
+    user_created_notifications = relationship('Notification', cascade='all')
+    # comments created by this user
+    user_comments = relationship('ChangesetComment', cascade='all')
+    # user profile extra info
+    user_emails = relationship('UserEmailMap', cascade='all')
+    user_ip_map = relationship('UserIpMap', cascade='all')
+    user_auth_tokens = relationship('UserApiKeys', cascade='all')
+    # gists
+    user_gists = relationship('Gist', cascade='all')
+    # user pull requests
+    user_pull_requests = relationship('PullRequest', cascade='all')
+    # external identities
+    extenal_identities = relationship(
+        'ExternalIdentity',
+        primaryjoin="User.user_id==ExternalIdentity.local_user_id",
+        cascade='all')
+
+    def __unicode__(self):
+        return u"<%s('id:%s:%s')>" % (self.__class__.__name__,
+                                      self.user_id, self.username)
+
+    @hybrid_property
+    def email(self):
+        return self._email
+
+    @email.setter
+    def email(self, val):
+        self._email = val.lower() if val else None
+
+    @property
+    def firstname(self):
+        # alias for future
+        return self.name
+
+    @property
+    def emails(self):
+        other = UserEmailMap.query().filter(UserEmailMap.user==self).all()
+        return [self.email] + [x.email for x in other]
+
+    @property
+    def auth_tokens(self):
+        return [self.api_key] + [x.api_key for x in self.extra_auth_tokens]
+
+    @property
+    def extra_auth_tokens(self):
+        return UserApiKeys.query().filter(UserApiKeys.user == self).all()
+
+    @property
+    def feed_token(self):
+        feed_tokens = UserApiKeys.query()\
+            .filter(UserApiKeys.user == self)\
+            .filter(UserApiKeys.role == UserApiKeys.ROLE_FEED)\
+            .all()
+        if feed_tokens:
+            return feed_tokens[0].api_key
+        else:
+            # use the main token so we don't end up with nothing...
+            return self.api_key
+
+    @classmethod
+    def extra_valid_auth_tokens(cls, user, role=None):
+        tokens = UserApiKeys.query().filter(UserApiKeys.user == user)\
+                .filter(or_(UserApiKeys.expires == -1,
+                            UserApiKeys.expires >= time.time()))
+        if role:
+            tokens = tokens.filter(or_(UserApiKeys.role == role,
+                                       UserApiKeys.role == UserApiKeys.ROLE_ALL))
+        return tokens.all()
+
+    @property
+    def ip_addresses(self):
+        ret = UserIpMap.query().filter(UserIpMap.user == self).all()
+        return [x.ip_addr for x in ret]
+
+    @property
+    def username_and_name(self):
+        return '%s (%s %s)' % (self.username, self.firstname, self.lastname)
+
+    @property
+    def username_or_name_or_email(self):
+        full_name = self.full_name if self.full_name is not ' ' else None
+        return self.username or full_name or self.email
+
+    @property
+    def full_name(self):
+        return '%s %s' % (self.firstname, self.lastname)
+
+    @property
+    def full_name_or_username(self):
+        return ('%s %s' % (self.firstname, self.lastname)
+                if (self.firstname and self.lastname) else self.username)
+
+    @property
+    def full_contact(self):
+        return '%s %s <%s>' % (self.firstname, self.lastname, self.email)
+
+    @property
+    def short_contact(self):
+        return '%s %s' % (self.firstname, self.lastname)
+
+    @property
+    def is_admin(self):
+        return self.admin
+
+    @property
+    def AuthUser(self):
+        """
+        Returns instance of AuthUser for this user
+        """
+        from rhodecode.lib.auth import AuthUser
+        return AuthUser(user_id=self.user_id, api_key=self.api_key,
+                        username=self.username)
+
+    @hybrid_property
+    def user_data(self):
+        if not self._user_data:
+            return {}
+
+        try:
+            return json.loads(self._user_data)
+        except TypeError:
+            return {}
+
+    @user_data.setter
+    def user_data(self, val):
+        if not isinstance(val, dict):
+            raise Exception('user_data must be dict, got %s' % type(val))
+        try:
+            self._user_data = json.dumps(val)
+        except Exception:
+            log.error(traceback.format_exc())
+
+    @classmethod
+    def get_by_username(cls, username, case_insensitive=False,
+                        cache=False, identity_cache=False):
+        session = Session()
+
+        if case_insensitive:
+            q = cls.query().filter(
+                func.lower(cls.username) == func.lower(username))
+        else:
+            q = cls.query().filter(cls.username == username)
+
+        if cache:
+            if identity_cache:
+                val = cls.identity_cache(session, 'username', username)
+                if val:
+                    return val
+            else:
+                q = q.options(
+                    FromCache("sql_cache_short",
+                              "get_user_by_name_%s" % _hash_key(username)))
+
+        return q.scalar()
+
+    @classmethod
+    def get_by_auth_token(cls, auth_token, cache=False, fallback=True):
+        q = cls.query().filter(cls.api_key == auth_token)
+
+        if cache:
+            q = q.options(FromCache("sql_cache_short",
+                                    "get_auth_token_%s" % auth_token))
+        res = q.scalar()
+
+        if fallback and not res:
+            #fallback to additional keys
+            _res = UserApiKeys.query()\
+                .filter(UserApiKeys.api_key == auth_token)\
+                .filter(or_(UserApiKeys.expires == -1,
+                            UserApiKeys.expires >= time.time()))\
+                .first()
+            if _res:
+                res = _res.user
+        return res
+
+    @classmethod
+    def get_by_email(cls, email, case_insensitive=False, cache=False):
+
+        if case_insensitive:
+            q = cls.query().filter(func.lower(cls.email) == func.lower(email))
+
+        else:
+            q = cls.query().filter(cls.email == email)
+
+        if cache:
+            q = q.options(FromCache("sql_cache_short",
+                                    "get_email_key_%s" % _hash_key(email)))
+
+        ret = q.scalar()
+        if ret is None:
+            q = UserEmailMap.query()
+            # try fetching in alternate email map
+            if case_insensitive:
+                q = q.filter(func.lower(UserEmailMap.email) == func.lower(email))
+            else:
+                q = q.filter(UserEmailMap.email == email)
+            q = q.options(joinedload(UserEmailMap.user))
+            if cache:
+                q = q.options(FromCache("sql_cache_short",
+                                        "get_email_map_key_%s" % email))
+            ret = getattr(q.scalar(), 'user', None)
+
+        return ret
+
+    @classmethod
+    def get_from_cs_author(cls, author):
+        """
+        Tries to get User objects out of commit author string
+
+        :param author:
+        """
+        from rhodecode.lib.helpers import email, author_name
+        # Valid email in the attribute passed, see if they're in the system
+        _email = email(author)
+        if _email:
+            user = cls.get_by_email(_email, case_insensitive=True)
+            if user:
+                return user
+        # Maybe we can match by username?
+        _author = author_name(author)
+        user = cls.get_by_username(_author, case_insensitive=True)
+        if user:
+            return user
+
+    def update_userdata(self, **kwargs):
+        usr = self
+        old = usr.user_data
+        old.update(**kwargs)
+        usr.user_data = old
+        Session().add(usr)
+        log.debug('updated userdata with ', kwargs)
+
+    def update_lastlogin(self):
+        """Update user lastlogin"""
+        self.last_login = datetime.datetime.now()
+        Session().add(self)
+        log.debug('updated user %s lastlogin', self.username)
+
+    def update_lastactivity(self):
+        """Update user lastactivity"""
+        usr = self
+        old = usr.user_data
+        old.update({'last_activity': time.time()})
+        usr.user_data = old
+        Session().add(usr)
+        log.debug('updated user %s lastactivity', usr.username)
+
+    def update_password(self, new_password, change_api_key=False):
+        from rhodecode.lib.auth import get_crypt_password,generate_auth_token
+
+        self.password = get_crypt_password(new_password)
+        if change_api_key:
+            self.api_key = generate_auth_token(self.username)
+        Session().add(self)
+
+    @classmethod
+    def get_first_super_admin(cls):
+        user = User.query().filter(User.admin == true()).first()
+        if user is None:
+            raise Exception('FATAL: Missing administrative account!')
+        return user
+
+    @classmethod
+    def get_all_super_admins(cls):
+        """
+        Returns all admin accounts sorted by username
+        """
+        return User.query().filter(User.admin == true())\
+            .order_by(User.username.asc()).all()
+
+    @classmethod
+    def get_default_user(cls, cache=False):
+        user = User.get_by_username(User.DEFAULT_USER, cache=cache)
+        if user is None:
+            raise Exception('FATAL: Missing default account!')
+        return user
+
+    def _get_default_perms(self, user, suffix=''):
+        from rhodecode.model.permission import PermissionModel
+        return PermissionModel().get_default_perms(user.user_perms, suffix)
+
+    def get_default_perms(self, suffix=''):
+        return self._get_default_perms(self, suffix)
+
+    def get_api_data(self, include_secrets=False, details='full'):
+        """
+        Common function for generating user related data for API
+
+        :param include_secrets: By default secrets in the API data will be replaced
+           by a placeholder value to prevent exposing this data by accident. In case
+           this data shall be exposed, set this flag to ``True``.
+
+        :param details: details can be 'basic|full' basic gives only a subset of
+           the available user information that includes user_id, name and emails.
+        """
+        user = self
+        user_data = self.user_data
+        data = {
+            'user_id': user.user_id,
+            'username': user.username,
+            'firstname': user.name,
+            'lastname': user.lastname,
+            'email': user.email,
+            'emails': user.emails,
+        }
+        if details == 'basic':
+            return data
+
+        api_key_length = 40
+        api_key_replacement = '*' * api_key_length
+
+        extras = {
+            'api_key': api_key_replacement,
+            'api_keys': [api_key_replacement],
+            'active': user.active,
+            'admin': user.admin,
+            'extern_type': user.extern_type,
+            'extern_name': user.extern_name,
+            'last_login': user.last_login,
+            'ip_addresses': user.ip_addresses,
+            'language': user_data.get('language')
+        }
+        data.update(extras)
+
+        if include_secrets:
+            data['api_key'] = user.api_key
+            data['api_keys'] = user.auth_tokens
+        return data
+
+    def __json__(self):
+        data = {
+            'full_name': self.full_name,
+            'full_name_or_username': self.full_name_or_username,
+            'short_contact': self.short_contact,
+            'full_contact': self.full_contact,
+        }
+        data.update(self.get_api_data())
+        return data
+
+
+class UserApiKeys(Base, BaseModel):
+    __tablename__ = 'user_api_keys'
+    __table_args__ = (
+        Index('uak_api_key_idx', 'api_key'),
+        Index('uak_api_key_expires_idx', 'api_key', 'expires'),
+        UniqueConstraint('api_key'),
+        {'extend_existing': True, 'mysql_engine': 'InnoDB',
+         'mysql_charset': 'utf8', 'sqlite_autoincrement': True}
+    )
+    __mapper_args__ = {}
+
+    # ApiKey role
+    ROLE_ALL = 'token_role_all'
+    ROLE_HTTP = 'token_role_http'
+    ROLE_VCS = 'token_role_vcs'
+    ROLE_API = 'token_role_api'
+    ROLE_FEED = 'token_role_feed'
+    ROLES = [ROLE_ALL, ROLE_HTTP, ROLE_VCS, ROLE_API, ROLE_FEED]
+
+    user_api_key_id = Column("user_api_key_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
+    user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=True, unique=None, default=None)
+    api_key = Column("api_key", String(255), nullable=False, unique=True)
+    description = Column('description', UnicodeText().with_variant(UnicodeText(1024), 'mysql'))
+    expires = Column('expires', Float(53), nullable=False)
+    role = Column('role', String(255), nullable=True)
+    created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
+
+    user = relationship('User', lazy='joined')
+
+    @classmethod
+    def _get_role_name(cls, role):
+        return {
+            cls.ROLE_ALL: _('all'),
+            cls.ROLE_HTTP: _('http/web interface'),
+            cls.ROLE_VCS: _('vcs (git/hg/svn protocol)'),
+            cls.ROLE_API: _('api calls'),
+            cls.ROLE_FEED: _('feed access'),
+        }.get(role, role)
+
+    @property
+    def expired(self):
+        if self.expires == -1:
+            return False
+        return time.time() > self.expires
+
+    @property
+    def role_humanized(self):
+        return self._get_role_name(self.role)
+
+
+class UserEmailMap(Base, BaseModel):
+    __tablename__ = 'user_email_map'
+    __table_args__ = (
+        Index('uem_email_idx', 'email'),
+        UniqueConstraint('email'),
+        {'extend_existing': True, 'mysql_engine': 'InnoDB',
+         'mysql_charset': 'utf8', 'sqlite_autoincrement': True}
+    )
+    __mapper_args__ = {}
+
+    email_id = Column("email_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
+    user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=True, unique=None, default=None)
+    _email = Column("email", String(255), nullable=True, unique=False, default=None)
+    user = relationship('User', lazy='joined')
+
+    @validates('_email')
+    def validate_email(self, key, email):
+        # check if this email is not main one
+        main_email = Session().query(User).filter(User.email == email).scalar()
+        if main_email is not None:
+            raise AttributeError('email %s is present is user table' % email)
+        return email
+
+    @hybrid_property
+    def email(self):
+        return self._email
+
+    @email.setter
+    def email(self, val):
+        self._email = val.lower() if val else None
+
+
+class UserIpMap(Base, BaseModel):
+    __tablename__ = 'user_ip_map'
+    __table_args__ = (
+        UniqueConstraint('user_id', 'ip_addr'),
+        {'extend_existing': True, 'mysql_engine': 'InnoDB',
+         'mysql_charset': 'utf8', 'sqlite_autoincrement': True}
+    )
+    __mapper_args__ = {}
+
+    ip_id = Column("ip_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
+    user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=True, unique=None, default=None)
+    ip_addr = Column("ip_addr", String(255), nullable=True, unique=False, default=None)
+    active = Column("active", Boolean(), nullable=True, unique=None, default=True)
+    description = Column("description", String(10000), nullable=True, unique=None, default=None)
+    user = relationship('User', lazy='joined')
+
+    @classmethod
+    def _get_ip_range(cls, ip_addr):
+        net = ipaddress.ip_network(ip_addr, strict=False)
+        return [str(net.network_address), str(net.broadcast_address)]
+
+    def __json__(self):
+        return {
+          'ip_addr': self.ip_addr,
+          'ip_range': self._get_ip_range(self.ip_addr),
+        }
+
+    def __unicode__(self):
+        return u"<%s('user_id:%s=>%s')>" % (self.__class__.__name__,
+                                            self.user_id, self.ip_addr)
+
+class UserLog(Base, BaseModel):
+    __tablename__ = 'user_logs'
+    __table_args__ = (
+        {'extend_existing': True, 'mysql_engine': 'InnoDB',
+         'mysql_charset': 'utf8', 'sqlite_autoincrement': True},
+    )
+    user_log_id = Column("user_log_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
+    user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=True, unique=None, default=None)
+    username = Column("username", String(255), nullable=True, unique=None, default=None)
+    repository_id = Column("repository_id", Integer(), ForeignKey('repositories.repo_id'), nullable=True)
+    repository_name = Column("repository_name", String(255), nullable=True, unique=None, default=None)
+    user_ip = Column("user_ip", String(255), nullable=True, unique=None, default=None)
+    action = Column("action", Text().with_variant(Text(1200000), 'mysql'), nullable=True, unique=None, default=None)
+    action_date = Column("action_date", DateTime(timezone=False), nullable=True, unique=None, default=None)
+
+    def __unicode__(self):
+        return u"<%s('id:%s:%s')>" % (self.__class__.__name__,
+                                      self.repository_name,
+                                      self.action)
+
+    @property
+    def action_as_day(self):
+        return datetime.date(*self.action_date.timetuple()[:3])
+
+    user = relationship('User')
+    repository = relationship('Repository', cascade='')
+
+
+class UserGroup(Base, BaseModel):
+    __tablename__ = 'users_groups'
+    __table_args__ = (
+        {'extend_existing': True, 'mysql_engine': 'InnoDB',
+         'mysql_charset': 'utf8', 'sqlite_autoincrement': True},
+    )
+
+    users_group_id = Column("users_group_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
+    users_group_name = Column("users_group_name", String(255), nullable=False, unique=True, default=None)
+    user_group_description = Column("user_group_description", String(10000), nullable=True, unique=None, default=None)
+    users_group_active = Column("users_group_active", Boolean(), nullable=True, unique=None, default=None)
+    inherit_default_permissions = Column("users_group_inherit_default_permissions", Boolean(), nullable=False, unique=None, default=True)
+    user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=False, default=None)
+    created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
+    _group_data = Column("group_data", LargeBinary(), nullable=True)  # JSON data
+
+    members = relationship('UserGroupMember', cascade="all, delete, delete-orphan", lazy="joined")
+    users_group_to_perm = relationship('UserGroupToPerm', cascade='all')
+    users_group_repo_to_perm = relationship('UserGroupRepoToPerm', cascade='all')
+    users_group_repo_group_to_perm = relationship('UserGroupRepoGroupToPerm', cascade='all')
+    user_user_group_to_perm = relationship('UserUserGroupToPerm', cascade='all')
+    user_group_user_group_to_perm = relationship('UserGroupUserGroupToPerm ', primaryjoin="UserGroupUserGroupToPerm.target_user_group_id==UserGroup.users_group_id", cascade='all')
+
+    user = relationship('User')
+
+    @hybrid_property
+    def group_data(self):
+        if not self._group_data:
+            return {}
+
+        try:
+            return json.loads(self._group_data)
+        except TypeError:
+            return {}
+
+    @group_data.setter
+    def group_data(self, val):
+        try:
+            self._group_data = json.dumps(val)
+        except Exception:
+            log.error(traceback.format_exc())
+
+    def __unicode__(self):
+        return u"<%s('id:%s:%s')>" % (self.__class__.__name__,
+                                      self.users_group_id,
+                                      self.users_group_name)
+
+    @classmethod
+    def get_by_group_name(cls, group_name, cache=False,
+                          case_insensitive=False):
+        if case_insensitive:
+            q = cls.query().filter(func.lower(cls.users_group_name) ==
+                                   func.lower(group_name))
+
+        else:
+            q = cls.query().filter(cls.users_group_name == group_name)
+        if cache:
+            q = q.options(FromCache(
+                            "sql_cache_short",
+                            "get_group_%s" % _hash_key(group_name)))
+        return q.scalar()
+
+    @classmethod
+    def get(cls, user_group_id, cache=False):
+        user_group = cls.query()
+        if cache:
+            user_group = user_group.options(FromCache("sql_cache_short",
+                                    "get_users_group_%s" % user_group_id))
+        return user_group.get(user_group_id)
+
+    def permissions(self, with_admins=True, with_owner=True):
+        q = UserUserGroupToPerm.query().filter(UserUserGroupToPerm.user_group == self)
+        q = q.options(joinedload(UserUserGroupToPerm.user_group),
+                      joinedload(UserUserGroupToPerm.user),
+                      joinedload(UserUserGroupToPerm.permission),)
+
+        # get owners and admins and permissions. We do a trick of re-writing
+        # objects from sqlalchemy to named-tuples due to sqlalchemy session
+        # has a global reference and changing one object propagates to all
+        # others. This means if admin is also an owner admin_row that change
+        # would propagate to both objects
+        perm_rows = []
+        for _usr in q.all():
+            usr = AttributeDict(_usr.user.get_dict())
+            usr.permission = _usr.permission.permission_name
+            perm_rows.append(usr)
+
+        # filter the perm rows by 'default' first and then sort them by
+        # admin,write,read,none permissions sorted again alphabetically in
+        # each group
+        perm_rows = sorted(perm_rows, key=display_sort)
+
+        _admin_perm = 'usergroup.admin'
+        owner_row = []
+        if with_owner:
+            usr = AttributeDict(self.user.get_dict())
+            usr.owner_row = True
+            usr.permission = _admin_perm
+            owner_row.append(usr)
+
+        super_admin_rows = []
+        if with_admins:
+            for usr in User.get_all_super_admins():
+                # if this admin is also owner, don't double the record
+                if usr.user_id == owner_row[0].user_id:
+                    owner_row[0].admin_row = True
+                else:
+                    usr = AttributeDict(usr.get_dict())
+                    usr.admin_row = True
+                    usr.permission = _admin_perm
+                    super_admin_rows.append(usr)
+
+        return super_admin_rows + owner_row + perm_rows
+
+    def permission_user_groups(self):
+        q = UserGroupUserGroupToPerm.query().filter(UserGroupUserGroupToPerm.target_user_group == self)
+        q = q.options(joinedload(UserGroupUserGroupToPerm.user_group),
+                      joinedload(UserGroupUserGroupToPerm.target_user_group),
+                      joinedload(UserGroupUserGroupToPerm.permission),)
+
+        perm_rows = []
+        for _user_group in q.all():
+            usr = AttributeDict(_user_group.user_group.get_dict())
+            usr.permission = _user_group.permission.permission_name
+            perm_rows.append(usr)
+
+        return perm_rows
+
+    def _get_default_perms(self, user_group, suffix=''):
+        from rhodecode.model.permission import PermissionModel
+        return PermissionModel().get_default_perms(user_group.users_group_to_perm, suffix)
+
+    def get_default_perms(self, suffix=''):
+        return self._get_default_perms(self, suffix)
+
+    def get_api_data(self, with_group_members=True, include_secrets=False):
+        """
+        :param include_secrets: See :meth:`User.get_api_data`, this parameter is
+           basically forwarded.
+
+        """
+        user_group = self
+
+        data = {
+            'users_group_id': user_group.users_group_id,
+            'group_name': user_group.users_group_name,
+            'group_description': user_group.user_group_description,
+            'active': user_group.users_group_active,
+            'owner': user_group.user.username,
+        }
+        if with_group_members:
+            users = []
+            for user in user_group.members:
+                user = user.user
+                users.append(user.get_api_data(include_secrets=include_secrets))
+            data['users'] = users
+
+        return data
+
+
+class UserGroupMember(Base, BaseModel):
+    __tablename__ = 'users_groups_members'
+    __table_args__ = (
+        {'extend_existing': True, 'mysql_engine': 'InnoDB',
+         'mysql_charset': 'utf8', 'sqlite_autoincrement': True},
+    )
+
+    users_group_member_id = Column("users_group_member_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
+    users_group_id = Column("users_group_id", Integer(), ForeignKey('users_groups.users_group_id'), nullable=False, unique=None, default=None)
+    user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=None, default=None)
+
+    user = relationship('User', lazy='joined')
+    users_group = relationship('UserGroup')
+
+    def __init__(self, gr_id='', u_id=''):
+        self.users_group_id = gr_id
+        self.user_id = u_id
+
+
+class RepositoryField(Base, BaseModel):
+    __tablename__ = 'repositories_fields'
+    __table_args__ = (
+        UniqueConstraint('repository_id', 'field_key'),  # no-multi field
+        {'extend_existing': True, 'mysql_engine': 'InnoDB',
+         'mysql_charset': 'utf8', 'sqlite_autoincrement': True},
+    )
+    PREFIX = 'ex_'  # prefix used in form to not conflict with already existing fields
+
+    repo_field_id = Column("repo_field_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
+    repository_id = Column("repository_id", Integer(), ForeignKey('repositories.repo_id'), nullable=False, unique=None, default=None)
+    field_key = Column("field_key", String(250))
+    field_label = Column("field_label", String(1024), nullable=False)
+    field_value = Column("field_value", String(10000), nullable=False)
+    field_desc = Column("field_desc", String(1024), nullable=False)
+    field_type = Column("field_type", String(255), nullable=False, unique=None)
+    created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
+
+    repository = relationship('Repository')
+
+    @property
+    def field_key_prefixed(self):
+        return 'ex_%s' % self.field_key
+
+    @classmethod
+    def un_prefix_key(cls, key):
+        if key.startswith(cls.PREFIX):
+            return key[len(cls.PREFIX):]
+        return key
+
+    @classmethod
+    def get_by_key_name(cls, key, repo):
+        row = cls.query()\
+                .filter(cls.repository == repo)\
+                .filter(cls.field_key == key).scalar()
+        return row
+
+
+class Repository(Base, BaseModel):
+    __tablename__ = 'repositories'
+    __table_args__ = (
+        Index('r_repo_name_idx', 'repo_name', mysql_length=255),
+        {'extend_existing': True, 'mysql_engine': 'InnoDB',
+         'mysql_charset': 'utf8', 'sqlite_autoincrement': True},
+    )
+    DEFAULT_CLONE_URI = '{scheme}://{user}@{netloc}/{repo}'
+    DEFAULT_CLONE_URI_ID = '{scheme}://{user}@{netloc}/_{repoid}'
+
+    STATE_CREATED = 'repo_state_created'
+    STATE_PENDING = 'repo_state_pending'
+    STATE_ERROR = 'repo_state_error'
+
+    LOCK_AUTOMATIC = 'lock_auto'
+    LOCK_API = 'lock_api'
+    LOCK_WEB = 'lock_web'
+    LOCK_PULL = 'lock_pull'
+
+    NAME_SEP = URL_SEP
+
+    repo_id = Column(
+        "repo_id", Integer(), nullable=False, unique=True, default=None,
+        primary_key=True)
+    _repo_name = Column(
+        "repo_name", Text(), nullable=False, default=None)
+    _repo_name_hash = Column(
+        "repo_name_hash", String(255), nullable=False, unique=True)
+    repo_state = Column("repo_state", String(255), nullable=True)
+
+    clone_uri = Column(
+        "clone_uri", EncryptedTextValue(), nullable=True, unique=False,
+        default=None)
+    repo_type = Column(
+        "repo_type", String(255), nullable=False, unique=False, default=None)
+    user_id = Column(
+        "user_id", Integer(), ForeignKey('users.user_id'), nullable=False,
+        unique=False, default=None)
+    private = Column(
+        "private", Boolean(), nullable=True, unique=None, default=None)
+    enable_statistics = Column(
+        "statistics", Boolean(), nullable=True, unique=None, default=True)
+    enable_downloads = Column(
+        "downloads", Boolean(), nullable=True, unique=None, default=True)
+    description = Column(
+        "description", String(10000), nullable=True, unique=None, default=None)
+    created_on = Column(
+        'created_on', DateTime(timezone=False), nullable=True, unique=None,
+        default=datetime.datetime.now)
+    updated_on = Column(
+        'updated_on', DateTime(timezone=False), nullable=True, unique=None,
+        default=datetime.datetime.now)
+    _landing_revision = Column(
+        "landing_revision", String(255), nullable=False, unique=False,
+        default=None)
+    enable_locking = Column(
+        "enable_locking", Boolean(), nullable=False, unique=None,
+        default=False)
+    _locked = Column(
+        "locked", String(255), nullable=True, unique=False, default=None)
+    _changeset_cache = Column(
+        "changeset_cache", LargeBinary(), nullable=True)  # JSON data
+
+    fork_id = Column(
+        "fork_id", Integer(), ForeignKey('repositories.repo_id'),
+        nullable=True, unique=False, default=None)
+    group_id = Column(
+        "group_id", Integer(), ForeignKey('groups.group_id'), nullable=True,
+        unique=False, default=None)
+
+    user = relationship('User', lazy='joined')
+    fork = relationship('Repository', remote_side=repo_id, lazy='joined')
+    group = relationship('RepoGroup', lazy='joined')
+    repo_to_perm = relationship(
+        'UserRepoToPerm', cascade='all',
+        order_by='UserRepoToPerm.repo_to_perm_id')
+    users_group_to_perm = relationship('UserGroupRepoToPerm', cascade='all')
+    stats = relationship('Statistics', cascade='all', uselist=False)
+
+    followers = relationship(
+        'UserFollowing',
+        primaryjoin='UserFollowing.follows_repo_id==Repository.repo_id',
+        cascade='all')
+    extra_fields = relationship(
+        'RepositoryField', cascade="all, delete, delete-orphan")
+    logs = relationship('UserLog')
+    comments = relationship(
+        'ChangesetComment', cascade="all, delete, delete-orphan")
+    pull_requests_source = relationship(
+        'PullRequest',
+        primaryjoin='PullRequest.source_repo_id==Repository.repo_id',
+        cascade="all, delete, delete-orphan")
+    pull_requests_target = relationship(
+        'PullRequest',
+        primaryjoin='PullRequest.target_repo_id==Repository.repo_id',
+        cascade="all, delete, delete-orphan")
+    ui = relationship('RepoRhodeCodeUi', cascade="all")
+    settings = relationship('RepoRhodeCodeSetting', cascade="all")
+    integrations = relationship('Integration',
+                                cascade="all, delete, delete-orphan")
+
+    def __unicode__(self):
+        return u"<%s('%s:%s')>" % (self.__class__.__name__, self.repo_id,
+                                   safe_unicode(self.repo_name))
+
+    @hybrid_property
+    def landing_rev(self):
+        # always should return [rev_type, rev]
+        if self._landing_revision:
+            _rev_info = self._landing_revision.split(':')
+            if len(_rev_info) < 2:
+                _rev_info.insert(0, 'rev')
+            return [_rev_info[0], _rev_info[1]]
+        return [None, None]
+
+    @landing_rev.setter
+    def landing_rev(self, val):
+        if ':' not in val:
+            raise ValueError('value must be delimited with `:` and consist '
+                             'of <rev_type>:<rev>, got %s instead' % val)
+        self._landing_revision = val
+
+    @hybrid_property
+    def locked(self):
+        if self._locked:
+            user_id, timelocked, reason = self._locked.split(':')
+            lock_values = int(user_id), timelocked, reason
+        else:
+            lock_values = [None, None, None]
+        return lock_values
+
+    @locked.setter
+    def locked(self, val):
+        if val and isinstance(val, (list, tuple)):
+            self._locked = ':'.join(map(str, val))
+        else:
+            self._locked = None
+
+    @hybrid_property
+    def changeset_cache(self):
+        from rhodecode.lib.vcs.backends.base import EmptyCommit
+        dummy = EmptyCommit().__json__()
+        if not self._changeset_cache:
+            return dummy
+        try:
+            return json.loads(self._changeset_cache)
+        except TypeError:
+            return dummy
+        except Exception:
+            log.error(traceback.format_exc())
+            return dummy
+
+    @changeset_cache.setter
+    def changeset_cache(self, val):
+        try:
+            self._changeset_cache = json.dumps(val)
+        except Exception:
+            log.error(traceback.format_exc())
+
+    @hybrid_property
+    def repo_name(self):
+        return self._repo_name
+
+    @repo_name.setter
+    def repo_name(self, value):
+        self._repo_name = value
+        self._repo_name_hash = hashlib.sha1(safe_str(value)).hexdigest()
+
+    @classmethod
+    def normalize_repo_name(cls, repo_name):
+        """
+        Normalizes os specific repo_name to the format internally stored inside
+        database using URL_SEP
+
+        :param cls:
+        :param repo_name:
+        """
+        return cls.NAME_SEP.join(repo_name.split(os.sep))
+
+    @classmethod
+    def get_by_repo_name(cls, repo_name, cache=False, identity_cache=False):
+        session = Session()
+        q = session.query(cls).filter(cls.repo_name == repo_name)
+
+        if cache:
+            if identity_cache:
+                val = cls.identity_cache(session, 'repo_name', repo_name)
+                if val:
+                    return val
+            else:
+                q = q.options(
+                    FromCache("sql_cache_short",
+                              "get_repo_by_name_%s" % _hash_key(repo_name)))
+
+        return q.scalar()
+
+    @classmethod
+    def get_by_full_path(cls, repo_full_path):
+        repo_name = repo_full_path.split(cls.base_path(), 1)[-1]
+        repo_name = cls.normalize_repo_name(repo_name)
+        return cls.get_by_repo_name(repo_name.strip(URL_SEP))
+
+    @classmethod
+    def get_repo_forks(cls, repo_id):
+        return cls.query().filter(Repository.fork_id == repo_id)
+
+    @classmethod
+    def base_path(cls):
+        """
+        Returns base path when all repos are stored
+
+        :param cls:
+        """
+        q = Session().query(RhodeCodeUi)\
+            .filter(RhodeCodeUi.ui_key == cls.NAME_SEP)
+        q = q.options(FromCache("sql_cache_short", "repository_repo_path"))
+        return q.one().ui_value
+
+    @classmethod
+    def is_valid(cls, repo_name):
+        """
+        returns True if given repo name is a valid filesystem repository
+
+        :param cls:
+        :param repo_name:
+        """
+        from rhodecode.lib.utils import is_valid_repo
+
+        return is_valid_repo(repo_name, cls.base_path())
+
+    @classmethod
+    def get_all_repos(cls, user_id=Optional(None), group_id=Optional(None),
+                      case_insensitive=True):
+        q = Repository.query()
+
+        if not isinstance(user_id, Optional):
+            q = q.filter(Repository.user_id == user_id)
+
+        if not isinstance(group_id, Optional):
+            q = q.filter(Repository.group_id == group_id)
+
+        if case_insensitive:
+            q = q.order_by(func.lower(Repository.repo_name))
+        else:
+            q = q.order_by(Repository.repo_name)
+        return q.all()
+
+    @property
+    def forks(self):
+        """
+        Return forks of this repo
+        """
+        return Repository.get_repo_forks(self.repo_id)
+
+    @property
+    def parent(self):
+        """
+        Returns fork parent
+        """
+        return self.fork
+
+    @property
+    def just_name(self):
+        return self.repo_name.split(self.NAME_SEP)[-1]
+
+    @property
+    def groups_with_parents(self):
+        groups = []
+        if self.group is None:
+            return groups
+
+        cur_gr = self.group
+        groups.insert(0, cur_gr)
+        while 1:
+            gr = getattr(cur_gr, 'parent_group', None)
+            cur_gr = cur_gr.parent_group
+            if gr is None:
+                break
+            groups.insert(0, gr)
+
+        return groups
+
+    @property
+    def groups_and_repo(self):
+        return self.groups_with_parents, self
+
+    @LazyProperty
+    def repo_path(self):
+        """
+        Returns base full path for that repository means where it actually
+        exists on a filesystem
+        """
+        q = Session().query(RhodeCodeUi).filter(
+            RhodeCodeUi.ui_key == self.NAME_SEP)
+        q = q.options(FromCache("sql_cache_short", "repository_repo_path"))
+        return q.one().ui_value
+
+    @property
+    def repo_full_path(self):
+        p = [self.repo_path]
+        # we need to split the name by / since this is how we store the
+        # names in the database, but that eventually needs to be converted
+        # into a valid system path
+        p += self.repo_name.split(self.NAME_SEP)
+        return os.path.join(*map(safe_unicode, p))
+
+    @property
+    def cache_keys(self):
+        """
+        Returns associated cache keys for that repo
+        """
+        return CacheKey.query()\
+            .filter(CacheKey.cache_args == self.repo_name)\
+            .order_by(CacheKey.cache_key)\
+            .all()
+
+    def get_new_name(self, repo_name):
+        """
+        returns new full repository name based on assigned group and new new
+
+        :param group_name:
+        """
+        path_prefix = self.group.full_path_splitted if self.group else []
+        return self.NAME_SEP.join(path_prefix + [repo_name])
+
+    @property
+    def _config(self):
+        """
+        Returns db based config object.
+        """
+        from rhodecode.lib.utils import make_db_config
+        return make_db_config(clear_session=False, repo=self)
+
+    def permissions(self, with_admins=True, with_owner=True):
+        q = UserRepoToPerm.query().filter(UserRepoToPerm.repository == self)
+        q = q.options(joinedload(UserRepoToPerm.repository),
+                      joinedload(UserRepoToPerm.user),
+                      joinedload(UserRepoToPerm.permission),)
+
+        # get owners and admins and permissions. We do a trick of re-writing
+        # objects from sqlalchemy to named-tuples due to sqlalchemy session
+        # has a global reference and changing one object propagates to all
+        # others. This means if admin is also an owner admin_row that change
+        # would propagate to both objects
+        perm_rows = []
+        for _usr in q.all():
+            usr = AttributeDict(_usr.user.get_dict())
+            usr.permission = _usr.permission.permission_name
+            perm_rows.append(usr)
+
+        # filter the perm rows by 'default' first and then sort them by
+        # admin,write,read,none permissions sorted again alphabetically in
+        # each group
+        perm_rows = sorted(perm_rows, key=display_sort)
+
+        _admin_perm = 'repository.admin'
+        owner_row = []
+        if with_owner:
+            usr = AttributeDict(self.user.get_dict())
+            usr.owner_row = True
+            usr.permission = _admin_perm
+            owner_row.append(usr)
+
+        super_admin_rows = []
+        if with_admins:
+            for usr in User.get_all_super_admins():
+                # if this admin is also owner, don't double the record
+                if usr.user_id == owner_row[0].user_id:
+                    owner_row[0].admin_row = True
+                else:
+                    usr = AttributeDict(usr.get_dict())
+                    usr.admin_row = True
+                    usr.permission = _admin_perm
+                    super_admin_rows.append(usr)
+
+        return super_admin_rows + owner_row + perm_rows
+
+    def permission_user_groups(self):
+        q = UserGroupRepoToPerm.query().filter(
+            UserGroupRepoToPerm.repository == self)
+        q = q.options(joinedload(UserGroupRepoToPerm.repository),
+                      joinedload(UserGroupRepoToPerm.users_group),
+                      joinedload(UserGroupRepoToPerm.permission),)
+
+        perm_rows = []
+        for _user_group in q.all():
+            usr = AttributeDict(_user_group.users_group.get_dict())
+            usr.permission = _user_group.permission.permission_name
+            perm_rows.append(usr)
+
+        return perm_rows
+
+    def get_api_data(self, include_secrets=False):
+        """
+        Common function for generating repo api data
+
+        :param include_secrets: See :meth:`User.get_api_data`.
+
+        """
+        # TODO: mikhail: Here there is an anti-pattern, we probably need to
+        # move this methods on models level.
+        from rhodecode.model.settings import SettingsModel
+
+        repo = self
+        _user_id, _time, _reason = self.locked
+
+        data = {
+            'repo_id': repo.repo_id,
+            'repo_name': repo.repo_name,
+            'repo_type': repo.repo_type,
+            'clone_uri': repo.clone_uri or '',
+            'url': url('summary_home', repo_name=self.repo_name, qualified=True),
+            'private': repo.private,
+            'created_on': repo.created_on,
+            'description': repo.description,
+            'landing_rev': repo.landing_rev,
+            'owner': repo.user.username,
+            'fork_of': repo.fork.repo_name if repo.fork else None,
+            'enable_statistics': repo.enable_statistics,
+            'enable_locking': repo.enable_locking,
+            'enable_downloads': repo.enable_downloads,
+            'last_changeset': repo.changeset_cache,
+            'locked_by': User.get(_user_id).get_api_data(
+                include_secrets=include_secrets) if _user_id else None,
+            'locked_date': time_to_datetime(_time) if _time else None,
+            'lock_reason': _reason if _reason else None,
+        }
+
+        # TODO: mikhail: should be per-repo settings here
+        rc_config = SettingsModel().get_all_settings()
+        repository_fields = str2bool(
+            rc_config.get('rhodecode_repository_fields'))
+        if repository_fields:
+            for f in self.extra_fields:
+                data[f.field_key_prefixed] = f.field_value
+
+        return data
+
+    @classmethod
+    def lock(cls, repo, user_id, lock_time=None, lock_reason=None):
+        if not lock_time:
+            lock_time = time.time()
+        if not lock_reason:
+            lock_reason = cls.LOCK_AUTOMATIC
+        repo.locked = [user_id, lock_time, lock_reason]
+        Session().add(repo)
+        Session().commit()
+
+    @classmethod
+    def unlock(cls, repo):
+        repo.locked = None
+        Session().add(repo)
+        Session().commit()
+
+    @classmethod
+    def getlock(cls, repo):
+        return repo.locked
+
+    def is_user_lock(self, user_id):
+        if self.lock[0]:
+            lock_user_id = safe_int(self.lock[0])
+            user_id = safe_int(user_id)
+            # both are ints, and they are equal
+            return all([lock_user_id, user_id]) and lock_user_id == user_id
+
+        return False
+
+    def get_locking_state(self, action, user_id, only_when_enabled=True):
+        """
+        Checks locking on this repository, if locking is enabled and lock is
+        present returns a tuple of make_lock, locked, locked_by.
+        make_lock can have 3 states None (do nothing) True, make lock
+        False release lock, This value is later propagated to hooks, which
+        do the locking. Think about this as signals passed to hooks what to do.
+
+        """
+        # TODO: johbo: This is part of the business logic and should be moved
+        # into the RepositoryModel.
+
+        if action not in ('push', 'pull'):
+            raise ValueError("Invalid action value: %s" % repr(action))
+
+        # defines if locked error should be thrown to user
+        currently_locked = False
+        # defines if new lock should be made, tri-state
+        make_lock = None
+        repo = self
+        user = User.get(user_id)
+
+        lock_info = repo.locked
+
+        if repo and (repo.enable_locking or not only_when_enabled):
+            if action == 'push':
+                # check if it's already locked !, if it is compare users
+                locked_by_user_id = lock_info[0]
+                if user.user_id == locked_by_user_id:
+                    log.debug(
+                        'Got `push` action from user %s, now unlocking', user)
+                    # unlock if we have push from user who locked
+                    make_lock = False
+                else:
+                    # we're not the same user who locked, ban with
+                    # code defined in settings (default is 423 HTTP Locked) !
+                    log.debug('Repo %s is currently locked by %s', repo, user)
+                    currently_locked = True
+            elif action == 'pull':
+                # [0] user [1] date
+                if lock_info[0] and lock_info[1]:
+                    log.debug('Repo %s is currently locked by %s', repo, user)
+                    currently_locked = True
+                else:
+                    log.debug('Setting lock on repo %s by %s', repo, user)
+                    make_lock = True
+
+        else:
+            log.debug('Repository %s do not have locking enabled', repo)
+
+        log.debug('FINAL locking values make_lock:%s,locked:%s,locked_by:%s',
+                  make_lock, currently_locked, lock_info)
+
+        from rhodecode.lib.auth import HasRepoPermissionAny
+        perm_check = HasRepoPermissionAny('repository.write', 'repository.admin')
+        if make_lock and not perm_check(repo_name=repo.repo_name, user=user):
+            # if we don't have at least write permission we cannot make a lock
+            log.debug('lock state reset back to FALSE due to lack '
+                      'of at least read permission')
+            make_lock = False
+
+        return make_lock, currently_locked, lock_info
+
+    @property
+    def last_db_change(self):
+        return self.updated_on
+
+    @property
+    def clone_uri_hidden(self):
+        clone_uri = self.clone_uri
+        if clone_uri:
+            import urlobject
+            url_obj = urlobject.URLObject(clone_uri)
+            if url_obj.password:
+                clone_uri = url_obj.with_password('*****')
+        return clone_uri
+
+    def clone_url(self, **override):
+        qualified_home_url = url('home', qualified=True)
+
+        uri_tmpl = None
+        if 'with_id' in override:
+            uri_tmpl = self.DEFAULT_CLONE_URI_ID
+            del override['with_id']
+
+        if 'uri_tmpl' in override:
+            uri_tmpl = override['uri_tmpl']
+            del override['uri_tmpl']
+
+        # we didn't override our tmpl from **overrides
+        if not uri_tmpl:
+            uri_tmpl = self.DEFAULT_CLONE_URI
+            try:
+                from pylons import tmpl_context as c
+                uri_tmpl = c.clone_uri_tmpl
+            except Exception:
+                # in any case if we call this outside of request context,
+                # ie, not having tmpl_context set up
+                pass
+
+        return get_clone_url(uri_tmpl=uri_tmpl,
+                             qualifed_home_url=qualified_home_url,
+                             repo_name=self.repo_name,
+                             repo_id=self.repo_id, **override)
+
+    def set_state(self, state):
+        self.repo_state = state
+        Session().add(self)
+    #==========================================================================
+    # SCM PROPERTIES
+    #==========================================================================
+
+    def get_commit(self, commit_id=None, commit_idx=None, pre_load=None):
+        return get_commit_safe(
+            self.scm_instance(), commit_id, commit_idx, pre_load=pre_load)
+
+    def get_changeset(self, rev=None, pre_load=None):
+        warnings.warn("Use get_commit", DeprecationWarning)
+        commit_id = None
+        commit_idx = None
+        if isinstance(rev, basestring):
+            commit_id = rev
+        else:
+            commit_idx = rev
+        return self.get_commit(commit_id=commit_id, commit_idx=commit_idx,
+                               pre_load=pre_load)
+
+    def get_landing_commit(self):
+        """
+        Returns landing commit, or if that doesn't exist returns the tip
+        """
+        _rev_type, _rev = self.landing_rev
+        commit = self.get_commit(_rev)
+        if isinstance(commit, EmptyCommit):
+            return self.get_commit()
+        return commit
+
+    def update_commit_cache(self, cs_cache=None, config=None):
+        """
+        Update cache of last changeset for repository, keys should be::
+
+            short_id
+            raw_id
+            revision
+            parents
+            message
+            date
+            author
+
+        :param cs_cache:
+        """
+        from rhodecode.lib.vcs.backends.base import BaseChangeset
+        if cs_cache is None:
+            # use no-cache version here
+            scm_repo = self.scm_instance(cache=False, config=config)
+            if scm_repo:
+                cs_cache = scm_repo.get_commit(
+                    pre_load=["author", "date", "message", "parents"])
+            else:
+                cs_cache = EmptyCommit()
+
+        if isinstance(cs_cache, BaseChangeset):
+            cs_cache = cs_cache.__json__()
+
+        def is_outdated(new_cs_cache):
+            if (new_cs_cache['raw_id'] != self.changeset_cache['raw_id'] or
+                new_cs_cache['revision'] != self.changeset_cache['revision']):
+                return True
+            return False
+
+        # check if we have maybe already latest cached revision
+        if is_outdated(cs_cache) or not self.changeset_cache:
+            _default = datetime.datetime.fromtimestamp(0)
+            last_change = cs_cache.get('date') or _default
+            log.debug('updated repo %s with new cs cache %s',
+                      self.repo_name, cs_cache)
+            self.updated_on = last_change
+            self.changeset_cache = cs_cache
+            Session().add(self)
+            Session().commit()
+        else:
+            log.debug('Skipping update_commit_cache for repo:`%s` '
+                      'commit already with latest changes', self.repo_name)
+
+    @property
+    def tip(self):
+        return self.get_commit('tip')
+
+    @property
+    def author(self):
+        return self.tip.author
+
+    @property
+    def last_change(self):
+        return self.scm_instance().last_change
+
+    def get_comments(self, revisions=None):
+        """
+        Returns comments for this repository grouped by revisions
+
+        :param revisions: filter query by revisions only
+        """
+        cmts = ChangesetComment.query()\
+            .filter(ChangesetComment.repo == self)
+        if revisions:
+            cmts = cmts.filter(ChangesetComment.revision.in_(revisions))
+        grouped = collections.defaultdict(list)
+        for cmt in cmts.all():
+            grouped[cmt.revision].append(cmt)
+        return grouped
+
+    def statuses(self, revisions=None):
+        """
+        Returns statuses for this repository
+
+        :param revisions: list of revisions to get statuses for
+        """
+        statuses = ChangesetStatus.query()\
+            .filter(ChangesetStatus.repo == self)\
+            .filter(ChangesetStatus.version == 0)
+
+        if revisions:
+            # Try doing the filtering in chunks to avoid hitting limits
+            size = 500
+            status_results = []
+            for chunk in xrange(0, len(revisions), size):
+                status_results += statuses.filter(
+                    ChangesetStatus.revision.in_(
+                        revisions[chunk: chunk+size])
+                ).all()
+        else:
+            status_results = statuses.all()
+
+        grouped = {}
+
+        # maybe we have open new pullrequest without a status?
+        stat = ChangesetStatus.STATUS_UNDER_REVIEW
+        status_lbl = ChangesetStatus.get_status_lbl(stat)
+        for pr in PullRequest.query().filter(PullRequest.source_repo == self).all():
+            for rev in pr.revisions:
+                pr_id = pr.pull_request_id
+                pr_repo = pr.target_repo.repo_name
+                grouped[rev] = [stat, status_lbl, pr_id, pr_repo]
+
+        for stat in status_results:
+            pr_id = pr_repo = None
+            if stat.pull_request:
+                pr_id = stat.pull_request.pull_request_id
+                pr_repo = stat.pull_request.target_repo.repo_name
+            grouped[stat.revision] = [str(stat.status), stat.status_lbl,
+                                      pr_id, pr_repo]
+        return grouped
+
+    # ==========================================================================
+    # SCM CACHE INSTANCE
+    # ==========================================================================
+
+    def scm_instance(self, **kwargs):
+        import rhodecode
+
+        # Passing a config will not hit the cache currently only used
+        # for repo2dbmapper
+        config = kwargs.pop('config', None)
+        cache = kwargs.pop('cache', None)
+        full_cache = str2bool(rhodecode.CONFIG.get('vcs_full_cache'))
+        # if cache is NOT defined use default global, else we have a full
+        # control over cache behaviour
+        if cache is None and full_cache and not config:
+            return self._get_instance_cached()
+        return self._get_instance(cache=bool(cache), config=config)
+
+    def _get_instance_cached(self):
+        @cache_region('long_term')
+        def _get_repo(cache_key):
+            return self._get_instance()
+
+        invalidator_context = CacheKey.repo_context_cache(
+            _get_repo, self.repo_name, None, thread_scoped=True)
+
+        with invalidator_context as context:
+            context.invalidate()
+            repo = context.compute()
+
+        return repo
+
+    def _get_instance(self, cache=True, config=None):
+        config = config or self._config
+        custom_wire = {
+            'cache': cache  # controls the vcs.remote cache
+        }
+
+        repo = get_vcs_instance(
+            repo_path=safe_str(self.repo_full_path),
+            config=config,
+            with_wire=custom_wire,
+            create=False)
+
+        return repo
+
+    def __json__(self):
+        return {'landing_rev': self.landing_rev}
+
+    def get_dict(self):
+
+        # Since we transformed `repo_name` to a hybrid property, we need to
+        # keep compatibility with the code which uses `repo_name` field.
+
+        result = super(Repository, self).get_dict()
+        result['repo_name'] = result.pop('_repo_name', None)
+        return result
+
+
+class RepoGroup(Base, BaseModel):
+    __tablename__ = 'groups'
+    __table_args__ = (
+        UniqueConstraint('group_name', 'group_parent_id'),
+        CheckConstraint('group_id != group_parent_id'),
+        {'extend_existing': True, 'mysql_engine': 'InnoDB',
+         'mysql_charset': 'utf8', 'sqlite_autoincrement': True},
+    )
+    __mapper_args__ = {'order_by': 'group_name'}
+
+    CHOICES_SEPARATOR = '/'  # used to generate select2 choices for nested groups
+
+    group_id = Column("group_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
+    group_name = Column("group_name", String(255), nullable=False, unique=True, default=None)
+    group_parent_id = Column("group_parent_id", Integer(), ForeignKey('groups.group_id'), nullable=True, unique=None, default=None)
+    group_description = Column("group_description", String(10000), nullable=True, unique=None, default=None)
+    enable_locking = Column("enable_locking", Boolean(), nullable=False, unique=None, default=False)
+    user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=False, default=None)
+    created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
+
+    repo_group_to_perm = relationship('UserRepoGroupToPerm', cascade='all', order_by='UserRepoGroupToPerm.group_to_perm_id')
+    users_group_to_perm = relationship('UserGroupRepoGroupToPerm', cascade='all')
+    parent_group = relationship('RepoGroup', remote_side=group_id)
+    user = relationship('User')
+
+    def __init__(self, group_name='', parent_group=None):
+        self.group_name = group_name
+        self.parent_group = parent_group
+
+    def __unicode__(self):
+        return u"<%s('id:%s:%s')>" % (self.__class__.__name__, self.group_id,
+                                      self.group_name)
+
+    @classmethod
+    def _generate_choice(cls, repo_group):
+        from webhelpers.html import literal as _literal
+        _name = lambda k: _literal(cls.CHOICES_SEPARATOR.join(k))
+        return repo_group.group_id, _name(repo_group.full_path_splitted)
+
+    @classmethod
+    def groups_choices(cls, groups=None, show_empty_group=True):
+        if not groups:
+            groups = cls.query().all()
+
+        repo_groups = []
+        if show_empty_group:
+            repo_groups = [('-1', u'-- %s --' % _('No parent'))]
+
+        repo_groups.extend([cls._generate_choice(x) for x in groups])
+
+        repo_groups = sorted(
+            repo_groups, key=lambda t: t[1].split(cls.CHOICES_SEPARATOR)[0])
+        return repo_groups
+
+    @classmethod
+    def url_sep(cls):
+        return URL_SEP
+
+    @classmethod
+    def get_by_group_name(cls, group_name, cache=False, case_insensitive=False):
+        if case_insensitive:
+            gr = cls.query().filter(func.lower(cls.group_name)
+                                    == func.lower(group_name))
+        else:
+            gr = cls.query().filter(cls.group_name == group_name)
+        if cache:
+            gr = gr.options(FromCache(
+                            "sql_cache_short",
+                            "get_group_%s" % _hash_key(group_name)))
+        return gr.scalar()
+
+    @classmethod
+    def get_all_repo_groups(cls, user_id=Optional(None), group_id=Optional(None),
+                            case_insensitive=True):
+        q = RepoGroup.query()
+
+        if not isinstance(user_id, Optional):
+            q = q.filter(RepoGroup.user_id == user_id)
+
+        if not isinstance(group_id, Optional):
+            q = q.filter(RepoGroup.group_parent_id == group_id)
+
+        if case_insensitive:
+            q = q.order_by(func.lower(RepoGroup.group_name))
+        else:
+            q = q.order_by(RepoGroup.group_name)
+        return q.all()
+
+    @property
+    def parents(self):
+        parents_recursion_limit = 10
+        groups = []
+        if self.parent_group is None:
+            return groups
+        cur_gr = self.parent_group
+        groups.insert(0, cur_gr)
+        cnt = 0
+        while 1:
+            cnt += 1
+            gr = getattr(cur_gr, 'parent_group', None)
+            cur_gr = cur_gr.parent_group
+            if gr is None:
+                break
+            if cnt == parents_recursion_limit:
+                # this will prevent accidental infinit loops
+                log.error(('more than %s parents found for group %s, stopping '
+                           'recursive parent fetching' % (parents_recursion_limit, self)))
+                break
+
+            groups.insert(0, gr)
+        return groups
+
+    @property
+    def children(self):
+        return RepoGroup.query().filter(RepoGroup.parent_group == self)
+
+    @property
+    def name(self):
+        return self.group_name.split(RepoGroup.url_sep())[-1]
+
+    @property
+    def full_path(self):
+        return self.group_name
+
+    @property
+    def full_path_splitted(self):
+        return self.group_name.split(RepoGroup.url_sep())
+
+    @property
+    def repositories(self):
+        return Repository.query()\
+                .filter(Repository.group == self)\
+                .order_by(Repository.repo_name)
+
+    @property
+    def repositories_recursive_count(self):
+        cnt = self.repositories.count()
+
+        def children_count(group):
+            cnt = 0
+            for child in group.children:
+                cnt += child.repositories.count()
+                cnt += children_count(child)
+            return cnt
+
+        return cnt + children_count(self)
+
+    def _recursive_objects(self, include_repos=True):
+        all_ = []
+
+        def _get_members(root_gr):
+            if include_repos:
+                for r in root_gr.repositories:
+                    all_.append(r)
+            childs = root_gr.children.all()
+            if childs:
+                for gr in childs:
+                    all_.append(gr)
+                    _get_members(gr)
+
+        _get_members(self)
+        return [self] + all_
+
+    def recursive_groups_and_repos(self):
+        """
+        Recursive return all groups, with repositories in those groups
+        """
+        return self._recursive_objects()
+
+    def recursive_groups(self):
+        """
+        Returns all children groups for this group including children of children
+        """
+        return self._recursive_objects(include_repos=False)
+
+    def get_new_name(self, group_name):
+        """
+        returns new full group name based on parent and new name
+
+        :param group_name:
+        """
+        path_prefix = (self.parent_group.full_path_splitted if
+                       self.parent_group else [])
+        return RepoGroup.url_sep().join(path_prefix + [group_name])
+
+    def permissions(self, with_admins=True, with_owner=True):
+        q = UserRepoGroupToPerm.query().filter(UserRepoGroupToPerm.group == self)
+        q = q.options(joinedload(UserRepoGroupToPerm.group),
+                      joinedload(UserRepoGroupToPerm.user),
+                      joinedload(UserRepoGroupToPerm.permission),)
+
+        # get owners and admins and permissions. We do a trick of re-writing
+        # objects from sqlalchemy to named-tuples due to sqlalchemy session
+        # has a global reference and changing one object propagates to all
+        # others. This means if admin is also an owner admin_row that change
+        # would propagate to both objects
+        perm_rows = []
+        for _usr in q.all():
+            usr = AttributeDict(_usr.user.get_dict())
+            usr.permission = _usr.permission.permission_name
+            perm_rows.append(usr)
+
+        # filter the perm rows by 'default' first and then sort them by
+        # admin,write,read,none permissions sorted again alphabetically in
+        # each group
+        perm_rows = sorted(perm_rows, key=display_sort)
+
+        _admin_perm = 'group.admin'
+        owner_row = []
+        if with_owner:
+            usr = AttributeDict(self.user.get_dict())
+            usr.owner_row = True
+            usr.permission = _admin_perm
+            owner_row.append(usr)
+
+        super_admin_rows = []
+        if with_admins:
+            for usr in User.get_all_super_admins():
+                # if this admin is also owner, don't double the record
+                if usr.user_id == owner_row[0].user_id:
+                    owner_row[0].admin_row = True
+                else:
+                    usr = AttributeDict(usr.get_dict())
+                    usr.admin_row = True
+                    usr.permission = _admin_perm
+                    super_admin_rows.append(usr)
+
+        return super_admin_rows + owner_row + perm_rows
+
+    def permission_user_groups(self):
+        q = UserGroupRepoGroupToPerm.query().filter(UserGroupRepoGroupToPerm.group == self)
+        q = q.options(joinedload(UserGroupRepoGroupToPerm.group),
+                      joinedload(UserGroupRepoGroupToPerm.users_group),
+                      joinedload(UserGroupRepoGroupToPerm.permission),)
+
+        perm_rows = []
+        for _user_group in q.all():
+            usr = AttributeDict(_user_group.users_group.get_dict())
+            usr.permission = _user_group.permission.permission_name
+            perm_rows.append(usr)
+
+        return perm_rows
+
+    def get_api_data(self):
+        """
+        Common function for generating api data
+
+        """
+        group = self
+        data = {
+            'group_id': group.group_id,
+            'group_name': group.group_name,
+            'group_description': group.group_description,
+            'parent_group': group.parent_group.group_name if group.parent_group else None,
+            'repositories': [x.repo_name for x in group.repositories],
+            'owner': group.user.username,
+        }
+        return data
+
+
+class Permission(Base, BaseModel):
+    __tablename__ = 'permissions'
+    __table_args__ = (
+        Index('p_perm_name_idx', 'permission_name'),
+        {'extend_existing': True, 'mysql_engine': 'InnoDB',
+         'mysql_charset': 'utf8', 'sqlite_autoincrement': True},
+    )
+    PERMS = [
+        ('hg.admin', _('RhodeCode Super Administrator')),
+
+        ('repository.none', _('Repository no access')),
+        ('repository.read', _('Repository read access')),
+        ('repository.write', _('Repository write access')),
+        ('repository.admin', _('Repository admin access')),
+
+        ('group.none', _('Repository group no access')),
+        ('group.read', _('Repository group read access')),
+        ('group.write', _('Repository group write access')),
+        ('group.admin', _('Repository group admin access')),
+
+        ('usergroup.none', _('User group no access')),
+        ('usergroup.read', _('User group read access')),
+        ('usergroup.write', _('User group write access')),
+        ('usergroup.admin', _('User group admin access')),
+
+        ('hg.repogroup.create.false', _('Repository Group creation disabled')),
+        ('hg.repogroup.create.true', _('Repository Group creation enabled')),
+
+        ('hg.usergroup.create.false', _('User Group creation disabled')),
+        ('hg.usergroup.create.true', _('User Group creation enabled')),
+
+        ('hg.create.none', _('Repository creation disabled')),
+        ('hg.create.repository', _('Repository creation enabled')),
+        ('hg.create.write_on_repogroup.true', _('Repository creation enabled with write permission to a repository group')),
+        ('hg.create.write_on_repogroup.false', _('Repository creation disabled with write permission to a repository group')),
+
+        ('hg.fork.none', _('Repository forking disabled')),
+        ('hg.fork.repository', _('Repository forking enabled')),
+
+        ('hg.register.none', _('Registration disabled')),
+        ('hg.register.manual_activate', _('User Registration with manual account activation')),
+        ('hg.register.auto_activate', _('User Registration with automatic account activation')),
+
+        ('hg.extern_activate.manual', _('Manual activation of external account')),
+        ('hg.extern_activate.auto', _('Automatic activation of external account')),
+
+        ('hg.inherit_default_perms.false', _('Inherit object permissions from default user disabled')),
+        ('hg.inherit_default_perms.true', _('Inherit object permissions from default user enabled')),
+    ]
+
+    # definition of system default permissions for DEFAULT user
+    DEFAULT_USER_PERMISSIONS = [
+        'repository.read',
+        'group.read',
+        'usergroup.read',
+        'hg.create.repository',
+        'hg.repogroup.create.false',
+        'hg.usergroup.create.false',
+        'hg.create.write_on_repogroup.true',
+        'hg.fork.repository',
+        'hg.register.manual_activate',
+        'hg.extern_activate.auto',
+        'hg.inherit_default_perms.true',
+    ]
+
+    # defines which permissions are more important higher the more important
+    # Weight defines which permissions are more important.
+    # The higher number the more important.
+    PERM_WEIGHTS = {
+        'repository.none': 0,
+        'repository.read': 1,
+        'repository.write': 3,
+        'repository.admin': 4,
+
+        'group.none': 0,
+        'group.read': 1,
+        'group.write': 3,
+        'group.admin': 4,
+
+        'usergroup.none': 0,
+        'usergroup.read': 1,
+        'usergroup.write': 3,
+        'usergroup.admin': 4,
+
+        'hg.repogroup.create.false': 0,
+        'hg.repogroup.create.true': 1,
+
+        'hg.usergroup.create.false': 0,
+        'hg.usergroup.create.true': 1,
+
+        'hg.fork.none': 0,
+        'hg.fork.repository': 1,
+        'hg.create.none': 0,
+        'hg.create.repository': 1
+    }
+
+    permission_id = Column("permission_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
+    permission_name = Column("permission_name", String(255), nullable=True, unique=None, default=None)
+    permission_longname = Column("permission_longname", String(255), nullable=True, unique=None, default=None)
+
+    def __unicode__(self):
+        return u"<%s('%s:%s')>" % (
+            self.__class__.__name__, self.permission_id, self.permission_name
+        )
+
+    @classmethod
+    def get_by_key(cls, key):
+        return cls.query().filter(cls.permission_name == key).scalar()
+
+    @classmethod
+    def get_default_repo_perms(cls, user_id, repo_id=None):
+        q = Session().query(UserRepoToPerm, Repository, Permission)\
+            .join((Permission, UserRepoToPerm.permission_id == Permission.permission_id))\
+            .join((Repository, UserRepoToPerm.repository_id == Repository.repo_id))\
+            .filter(UserRepoToPerm.user_id == user_id)
+        if repo_id:
+            q = q.filter(UserRepoToPerm.repository_id == repo_id)
+        return q.all()
+
+    @classmethod
+    def get_default_repo_perms_from_user_group(cls, user_id, repo_id=None):
+        q = Session().query(UserGroupRepoToPerm, Repository, Permission)\
+            .join(
+                Permission,
+                UserGroupRepoToPerm.permission_id == Permission.permission_id)\
+            .join(
+                Repository,
+                UserGroupRepoToPerm.repository_id == Repository.repo_id)\
+            .join(
+                UserGroup,
+                UserGroupRepoToPerm.users_group_id ==
+                UserGroup.users_group_id)\
+            .join(
+                UserGroupMember,
+                UserGroupRepoToPerm.users_group_id ==
+                UserGroupMember.users_group_id)\
+            .filter(
+                UserGroupMember.user_id == user_id,
+                UserGroup.users_group_active == true())
+        if repo_id:
+            q = q.filter(UserGroupRepoToPerm.repository_id == repo_id)
+        return q.all()
+
+    @classmethod
+    def get_default_group_perms(cls, user_id, repo_group_id=None):
+        q = Session().query(UserRepoGroupToPerm, RepoGroup, Permission)\
+            .join((Permission, UserRepoGroupToPerm.permission_id == Permission.permission_id))\
+            .join((RepoGroup, UserRepoGroupToPerm.group_id == RepoGroup.group_id))\
+            .filter(UserRepoGroupToPerm.user_id == user_id)
+        if repo_group_id:
+            q = q.filter(UserRepoGroupToPerm.group_id == repo_group_id)
+        return q.all()
+
+    @classmethod
+    def get_default_group_perms_from_user_group(
+            cls, user_id, repo_group_id=None):
+        q = Session().query(UserGroupRepoGroupToPerm, RepoGroup, Permission)\
+            .join(
+                Permission,
+                UserGroupRepoGroupToPerm.permission_id ==
+                Permission.permission_id)\
+            .join(
+                RepoGroup,
+                UserGroupRepoGroupToPerm.group_id == RepoGroup.group_id)\
+            .join(
+                UserGroup,
+                UserGroupRepoGroupToPerm.users_group_id ==
+                UserGroup.users_group_id)\
+            .join(
+                UserGroupMember,
+                UserGroupRepoGroupToPerm.users_group_id ==
+                UserGroupMember.users_group_id)\
+            .filter(
+                UserGroupMember.user_id == user_id,
+                UserGroup.users_group_active == true())
+        if repo_group_id:
+            q = q.filter(UserGroupRepoGroupToPerm.group_id == repo_group_id)
+        return q.all()
+
+    @classmethod
+    def get_default_user_group_perms(cls, user_id, user_group_id=None):
+        q = Session().query(UserUserGroupToPerm, UserGroup, Permission)\
+            .join((Permission, UserUserGroupToPerm.permission_id == Permission.permission_id))\
+            .join((UserGroup, UserUserGroupToPerm.user_group_id == UserGroup.users_group_id))\
+            .filter(UserUserGroupToPerm.user_id == user_id)
+        if user_group_id:
+            q = q.filter(UserUserGroupToPerm.user_group_id == user_group_id)
+        return q.all()
+
+    @classmethod
+    def get_default_user_group_perms_from_user_group(
+            cls, user_id, user_group_id=None):
+        TargetUserGroup = aliased(UserGroup, name='target_user_group')
+        q = Session().query(UserGroupUserGroupToPerm, UserGroup, Permission)\
+            .join(
+                Permission,
+                UserGroupUserGroupToPerm.permission_id ==
+                Permission.permission_id)\
+            .join(
+                TargetUserGroup,
+                UserGroupUserGroupToPerm.target_user_group_id ==
+                TargetUserGroup.users_group_id)\
+            .join(
+                UserGroup,
+                UserGroupUserGroupToPerm.user_group_id ==
+                UserGroup.users_group_id)\
+            .join(
+                UserGroupMember,
+                UserGroupUserGroupToPerm.user_group_id ==
+                UserGroupMember.users_group_id)\
+            .filter(
+                UserGroupMember.user_id == user_id,
+                UserGroup.users_group_active == true())
+        if user_group_id:
+            q = q.filter(
+                UserGroupUserGroupToPerm.user_group_id == user_group_id)
+
+        return q.all()
+
+
+class UserRepoToPerm(Base, BaseModel):
+    __tablename__ = 'repo_to_perm'
+    __table_args__ = (
+        UniqueConstraint('user_id', 'repository_id', 'permission_id'),
+        {'extend_existing': True, 'mysql_engine': 'InnoDB',
+         'mysql_charset': 'utf8', 'sqlite_autoincrement': True}
+    )
+    repo_to_perm_id = Column("repo_to_perm_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
+    user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=None, default=None)
+    permission_id = Column("permission_id", Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)
+    repository_id = Column("repository_id", Integer(), ForeignKey('repositories.repo_id'), nullable=False, unique=None, default=None)
+
+    user = relationship('User')
+    repository = relationship('Repository')
+    permission = relationship('Permission')
+
+    @classmethod
+    def create(cls, user, repository, permission):
+        n = cls()
+        n.user = user
+        n.repository = repository
+        n.permission = permission
+        Session().add(n)
+        return n
+
+    def __unicode__(self):
+        return u'<%s => %s >' % (self.user, self.repository)
+
+
+class UserUserGroupToPerm(Base, BaseModel):
+    __tablename__ = 'user_user_group_to_perm'
+    __table_args__ = (
+        UniqueConstraint('user_id', 'user_group_id', 'permission_id'),
+        {'extend_existing': True, 'mysql_engine': 'InnoDB',
+         'mysql_charset': 'utf8', 'sqlite_autoincrement': True}
+    )
+    user_user_group_to_perm_id = Column("user_user_group_to_perm_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
+    user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=None, default=None)
+    permission_id = Column("permission_id", Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)
+    user_group_id = Column("user_group_id", Integer(), ForeignKey('users_groups.users_group_id'), nullable=False, unique=None, default=None)
+
+    user = relationship('User')
+    user_group = relationship('UserGroup')
+    permission = relationship('Permission')
+
+    @classmethod
+    def create(cls, user, user_group, permission):
+        n = cls()
+        n.user = user
+        n.user_group = user_group
+        n.permission = permission
+        Session().add(n)
+        return n
+
+    def __unicode__(self):
+        return u'<%s => %s >' % (self.user, self.user_group)
+
+
+class UserToPerm(Base, BaseModel):
+    __tablename__ = 'user_to_perm'
+    __table_args__ = (
+        UniqueConstraint('user_id', 'permission_id'),
+        {'extend_existing': True, 'mysql_engine': 'InnoDB',
+         'mysql_charset': 'utf8', 'sqlite_autoincrement': True}
+    )
+    user_to_perm_id = Column("user_to_perm_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
+    user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=None, default=None)
+    permission_id = Column("permission_id", Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)
+
+    user = relationship('User')
+    permission = relationship('Permission', lazy='joined')
+
+    def __unicode__(self):
+        return u'<%s => %s >' % (self.user, self.permission)
+
+
+class UserGroupRepoToPerm(Base, BaseModel):
+    __tablename__ = 'users_group_repo_to_perm'
+    __table_args__ = (
+        UniqueConstraint('repository_id', 'users_group_id', 'permission_id'),
+        {'extend_existing': True, 'mysql_engine': 'InnoDB',
+         'mysql_charset': 'utf8', 'sqlite_autoincrement': True}
+    )
+    users_group_to_perm_id = Column("users_group_to_perm_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
+    users_group_id = Column("users_group_id", Integer(), ForeignKey('users_groups.users_group_id'), nullable=False, unique=None, default=None)
+    permission_id = Column("permission_id", Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)
+    repository_id = Column("repository_id", Integer(), ForeignKey('repositories.repo_id'), nullable=False, unique=None, default=None)
+
+    users_group = relationship('UserGroup')
+    permission = relationship('Permission')
+    repository = relationship('Repository')
+
+    @classmethod
+    def create(cls, users_group, repository, permission):
+        n = cls()
+        n.users_group = users_group
+        n.repository = repository
+        n.permission = permission
+        Session().add(n)
+        return n
+
+    def __unicode__(self):
+        return u'<UserGroupRepoToPerm:%s => %s >' % (self.users_group, self.repository)
+
+
+class UserGroupUserGroupToPerm(Base, BaseModel):
+    __tablename__ = 'user_group_user_group_to_perm'
+    __table_args__ = (
+        UniqueConstraint('target_user_group_id', 'user_group_id', 'permission_id'),
+        CheckConstraint('target_user_group_id != user_group_id'),
+        {'extend_existing': True, 'mysql_engine': 'InnoDB',
+         'mysql_charset': 'utf8', 'sqlite_autoincrement': True}
+    )
+    user_group_user_group_to_perm_id = Column("user_group_user_group_to_perm_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
+    target_user_group_id = Column("target_user_group_id", Integer(), ForeignKey('users_groups.users_group_id'), nullable=False, unique=None, default=None)
+    permission_id = Column("permission_id", Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)
+    user_group_id = Column("user_group_id", Integer(), ForeignKey('users_groups.users_group_id'), nullable=False, unique=None, default=None)
+
+    target_user_group = relationship('UserGroup', primaryjoin='UserGroupUserGroupToPerm.target_user_group_id==UserGroup.users_group_id')
+    user_group = relationship('UserGroup', primaryjoin='UserGroupUserGroupToPerm.user_group_id==UserGroup.users_group_id')
+    permission = relationship('Permission')
+
+    @classmethod
+    def create(cls, target_user_group, user_group, permission):
+        n = cls()
+        n.target_user_group = target_user_group
+        n.user_group = user_group
+        n.permission = permission
+        Session().add(n)
+        return n
+
+    def __unicode__(self):
+        return u'<UserGroupUserGroup:%s => %s >' % (self.target_user_group, self.user_group)
+
+
+class UserGroupToPerm(Base, BaseModel):
+    __tablename__ = 'users_group_to_perm'
+    __table_args__ = (
+        UniqueConstraint('users_group_id', 'permission_id',),
+        {'extend_existing': True, 'mysql_engine': 'InnoDB',
+         'mysql_charset': 'utf8', 'sqlite_autoincrement': True}
+    )
+    users_group_to_perm_id = Column("users_group_to_perm_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
+    users_group_id = Column("users_group_id", Integer(), ForeignKey('users_groups.users_group_id'), nullable=False, unique=None, default=None)
+    permission_id = Column("permission_id", Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)
+
+    users_group = relationship('UserGroup')
+    permission = relationship('Permission')
+
+
+class UserRepoGroupToPerm(Base, BaseModel):
+    __tablename__ = 'user_repo_group_to_perm'
+    __table_args__ = (
+        UniqueConstraint('user_id', 'group_id', 'permission_id'),
+        {'extend_existing': True, 'mysql_engine': 'InnoDB',
+         'mysql_charset': 'utf8', 'sqlite_autoincrement': True}
+    )
+
+    group_to_perm_id = Column("group_to_perm_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
+    user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=None, default=None)
+    group_id = Column("group_id", Integer(), ForeignKey('groups.group_id'), nullable=False, unique=None, default=None)
+    permission_id = Column("permission_id", Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)
+
+    user = relationship('User')
+    group = relationship('RepoGroup')
+    permission = relationship('Permission')
+
+    @classmethod
+    def create(cls, user, repository_group, permission):
+        n = cls()
+        n.user = user
+        n.group = repository_group
+        n.permission = permission
+        Session().add(n)
+        return n
+
+
+class UserGroupRepoGroupToPerm(Base, BaseModel):
+    __tablename__ = 'users_group_repo_group_to_perm'
+    __table_args__ = (
+        UniqueConstraint('users_group_id', 'group_id'),
+        {'extend_existing': True, 'mysql_engine': 'InnoDB',
+         'mysql_charset': 'utf8', 'sqlite_autoincrement': True}
+    )
+
+    users_group_repo_group_to_perm_id = Column("users_group_repo_group_to_perm_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
+    users_group_id = Column("users_group_id", Integer(), ForeignKey('users_groups.users_group_id'), nullable=False, unique=None, default=None)
+    group_id = Column("group_id", Integer(), ForeignKey('groups.group_id'), nullable=False, unique=None, default=None)
+    permission_id = Column("permission_id", Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)
+
+    users_group = relationship('UserGroup')
+    permission = relationship('Permission')
+    group = relationship('RepoGroup')
+
+    @classmethod
+    def create(cls, user_group, repository_group, permission):
+        n = cls()
+        n.users_group = user_group
+        n.group = repository_group
+        n.permission = permission
+        Session().add(n)
+        return n
+
+    def __unicode__(self):
+        return u'<UserGroupRepoGroupToPerm:%s => %s >' % (self.users_group, self.group)
+
+
+class Statistics(Base, BaseModel):
+    __tablename__ = 'statistics'
+    __table_args__ = (
+         UniqueConstraint('repository_id'),
+         {'extend_existing': True, 'mysql_engine': 'InnoDB',
+          'mysql_charset': 'utf8', 'sqlite_autoincrement': True}
+    )
+    stat_id = Column("stat_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
+    repository_id = Column("repository_id", Integer(), ForeignKey('repositories.repo_id'), nullable=False, unique=True, default=None)
+    stat_on_revision = Column("stat_on_revision", Integer(), nullable=False)
+    commit_activity = Column("commit_activity", LargeBinary(1000000), nullable=False)#JSON data
+    commit_activity_combined = Column("commit_activity_combined", LargeBinary(), nullable=False)#JSON data
+    languages = Column("languages", LargeBinary(1000000), nullable=False)#JSON data
+
+    repository = relationship('Repository', single_parent=True)
+
+
+class UserFollowing(Base, BaseModel):
+    __tablename__ = 'user_followings'
+    __table_args__ = (
+        UniqueConstraint('user_id', 'follows_repository_id'),
+        UniqueConstraint('user_id', 'follows_user_id'),
+        {'extend_existing': True, 'mysql_engine': 'InnoDB',
+         'mysql_charset': 'utf8', 'sqlite_autoincrement': True}
+    )
+
+    user_following_id = Column("user_following_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
+    user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=None, default=None)
+    follows_repo_id = Column("follows_repository_id", Integer(), ForeignKey('repositories.repo_id'), nullable=True, unique=None, default=None)
+    follows_user_id = Column("follows_user_id", Integer(), ForeignKey('users.user_id'), nullable=True, unique=None, default=None)
+    follows_from = Column('follows_from', DateTime(timezone=False), nullable=True, unique=None, default=datetime.datetime.now)
+
+    user = relationship('User', primaryjoin='User.user_id==UserFollowing.user_id')
+
+    follows_user = relationship('User', primaryjoin='User.user_id==UserFollowing.follows_user_id')
+    follows_repository = relationship('Repository', order_by='Repository.repo_name')
+
+    @classmethod
+    def get_repo_followers(cls, repo_id):
+        return cls.query().filter(cls.follows_repo_id == repo_id)
+
+
+class CacheKey(Base, BaseModel):
+    __tablename__ = 'cache_invalidation'
+    __table_args__ = (
+        UniqueConstraint('cache_key'),
+        Index('key_idx', 'cache_key'),
+        {'extend_existing': True, 'mysql_engine': 'InnoDB',
+         'mysql_charset': 'utf8', 'sqlite_autoincrement': True},
+    )
+    CACHE_TYPE_ATOM = 'ATOM'
+    CACHE_TYPE_RSS = 'RSS'
+    CACHE_TYPE_README = 'README'
+
+    cache_id = Column("cache_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
+    cache_key = Column("cache_key", String(255), nullable=True, unique=None, default=None)
+    cache_args = Column("cache_args", String(255), nullable=True, unique=None, default=None)
+    cache_active = Column("cache_active", Boolean(), nullable=True, unique=None, default=False)
+
+    def __init__(self, cache_key, cache_args=''):
+        self.cache_key = cache_key
+        self.cache_args = cache_args
+        self.cache_active = False
+
+    def __unicode__(self):
+        return u"<%s('%s:%s[%s]')>" % (
+            self.__class__.__name__,
+            self.cache_id, self.cache_key, self.cache_active)
+
+    def _cache_key_partition(self):
+        prefix, repo_name, suffix = self.cache_key.partition(self.cache_args)
+        return prefix, repo_name, suffix
+
+    def get_prefix(self):
+        """
+        Try to extract prefix from existing cache key. The key could consist
+        of prefix, repo_name, suffix
+        """
+        # this returns prefix, repo_name, suffix
+        return self._cache_key_partition()[0]
+
+    def get_suffix(self):
+        """
+        get suffix that might have been used in _get_cache_key to
+        generate self.cache_key. Only used for informational purposes
+        in repo_edit.html.
+        """
+        # prefix, repo_name, suffix
+        return self._cache_key_partition()[2]
+
+    @classmethod
+    def delete_all_cache(cls):
+        """
+        Delete all cache keys from database.
+        Should only be run when all instances are down and all entries
+        thus stale.
+        """
+        cls.query().delete()
+        Session().commit()
+
+    @classmethod
+    def get_cache_key(cls, repo_name, cache_type):
+        """
+
+        Generate a cache key for this process of RhodeCode instance.
+        Prefix most likely will be process id or maybe explicitly set
+        instance_id from .ini file.
+        """
+        import rhodecode
+        prefix = safe_unicode(rhodecode.CONFIG.get('instance_id') or '')
+
+        repo_as_unicode = safe_unicode(repo_name)
+        key = u'{}_{}'.format(repo_as_unicode, cache_type) \
+            if cache_type else repo_as_unicode
+
+        return u'{}{}'.format(prefix, key)
+
+    @classmethod
+    def set_invalidate(cls, repo_name, delete=False):
+        """
+        Mark all caches of a repo as invalid in the database.
+        """
+
+        try:
+            qry = Session().query(cls).filter(cls.cache_args == repo_name)
+            if delete:
+                log.debug('cache objects deleted for repo %s',
+                          safe_str(repo_name))
+                qry.delete()
+            else:
+                log.debug('cache objects marked as invalid for repo %s',
+                          safe_str(repo_name))
+                qry.update({"cache_active": False})
+
+            Session().commit()
+        except Exception:
+            log.exception(
+                'Cache key invalidation failed for repository %s',
+                safe_str(repo_name))
+            Session().rollback()
+
+    @classmethod
+    def get_active_cache(cls, cache_key):
+        inv_obj = cls.query().filter(cls.cache_key == cache_key).scalar()
+        if inv_obj:
+            return inv_obj
+        return None
+
+    @classmethod
+    def repo_context_cache(cls, compute_func, repo_name, cache_type,
+                           thread_scoped=False):
+        """
+        @cache_region('long_term')
+        def _heavy_calculation(cache_key):
+            return 'result'
+
+        cache_context = CacheKey.repo_context_cache(
+            _heavy_calculation, repo_name, cache_type)
+
+        with cache_context as context:
+            context.invalidate()
+            computed = context.compute()
+
+        assert computed == 'result'
+        """
+        from rhodecode.lib import caches
+        return caches.InvalidationContext(
+            compute_func, repo_name, cache_type, thread_scoped=thread_scoped)
+
+
+class ChangesetComment(Base, BaseModel):
+    __tablename__ = 'changeset_comments'
+    __table_args__ = (
+        Index('cc_revision_idx', 'revision'),
+        {'extend_existing': True, 'mysql_engine': 'InnoDB',
+         'mysql_charset': 'utf8', 'sqlite_autoincrement': True},
+    )
+
+    COMMENT_OUTDATED = u'comment_outdated'
+
+    comment_id = Column('comment_id', Integer(), nullable=False, primary_key=True)
+    repo_id = Column('repo_id', Integer(), ForeignKey('repositories.repo_id'), nullable=False)
+    revision = Column('revision', String(40), nullable=True)
+    pull_request_id = Column("pull_request_id", Integer(), ForeignKey('pull_requests.pull_request_id'), nullable=True)
+    pull_request_version_id = Column("pull_request_version_id", Integer(), ForeignKey('pull_request_versions.pull_request_version_id'), nullable=True)
+    line_no = Column('line_no', Unicode(10), nullable=True)
+    hl_lines = Column('hl_lines', Unicode(512), nullable=True)
+    f_path = Column('f_path', Unicode(1000), nullable=True)
+    user_id = Column('user_id', Integer(), ForeignKey('users.user_id'), nullable=False)
+    text = Column('text', UnicodeText().with_variant(UnicodeText(25000), 'mysql'), nullable=False)
+    created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
+    modified_at = Column('modified_at', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
+    renderer = Column('renderer', Unicode(64), nullable=True)
+    display_state = Column('display_state',  Unicode(128), nullable=True)
+
+    author = relationship('User', lazy='joined')
+    repo = relationship('Repository')
+    status_change = relationship('ChangesetStatus', cascade="all, delete, delete-orphan")
+    pull_request = relationship('PullRequest', lazy='joined')
+    pull_request_version = relationship('PullRequestVersion')
+
+    @classmethod
+    def get_users(cls, revision=None, pull_request_id=None):
+        """
+        Returns user associated with this ChangesetComment. ie those
+        who actually commented
+
+        :param cls:
+        :param revision:
+        """
+        q = Session().query(User)\
+                .join(ChangesetComment.author)
+        if revision:
+            q = q.filter(cls.revision == revision)
+        elif pull_request_id:
+            q = q.filter(cls.pull_request_id == pull_request_id)
+        return q.all()
+
+    def render(self, mentions=False):
+        from rhodecode.lib import helpers as h
+        return h.render(self.text, renderer=self.renderer, mentions=mentions)
+
+    def __repr__(self):
+        if self.comment_id:
+            return '<DB:ChangesetComment #%s>' % self.comment_id
+        else:
+            return '<DB:ChangesetComment at %#x>' % id(self)
+
+
+class ChangesetStatus(Base, BaseModel):
+    __tablename__ = 'changeset_statuses'
+    __table_args__ = (
+        Index('cs_revision_idx', 'revision'),
+        Index('cs_version_idx', 'version'),
+        UniqueConstraint('repo_id', 'revision', 'version'),
+        {'extend_existing': True, 'mysql_engine': 'InnoDB',
+         'mysql_charset': 'utf8', 'sqlite_autoincrement': True}
+    )
+    STATUS_NOT_REVIEWED = DEFAULT = 'not_reviewed'
+    STATUS_APPROVED = 'approved'
+    STATUS_REJECTED = 'rejected'
+    STATUS_UNDER_REVIEW = 'under_review'
+
+    STATUSES = [
+        (STATUS_NOT_REVIEWED, _("Not Reviewed")),  # (no icon) and default
+        (STATUS_APPROVED, _("Approved")),
+        (STATUS_REJECTED, _("Rejected")),
+        (STATUS_UNDER_REVIEW, _("Under Review")),
+    ]
+
+    changeset_status_id = Column('changeset_status_id', Integer(), nullable=False, primary_key=True)
+    repo_id = Column('repo_id', Integer(), ForeignKey('repositories.repo_id'), nullable=False)
+    user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=None)
+    revision = Column('revision', String(40), nullable=False)
+    status = Column('status', String(128), nullable=False, default=DEFAULT)
+    changeset_comment_id = Column('changeset_comment_id', Integer(), ForeignKey('changeset_comments.comment_id'))
+    modified_at = Column('modified_at', DateTime(), nullable=False, default=datetime.datetime.now)
+    version = Column('version', Integer(), nullable=False, default=0)
+    pull_request_id = Column("pull_request_id", Integer(), ForeignKey('pull_requests.pull_request_id'), nullable=True)
+
+    author = relationship('User', lazy='joined')
+    repo = relationship('Repository')
+    comment = relationship('ChangesetComment', lazy='joined')
+    pull_request = relationship('PullRequest', lazy='joined')
+
+    def __unicode__(self):
+        return u"<%s('%s[%s]:%s')>" % (
+            self.__class__.__name__,
+            self.status, self.version, self.author
+        )
+
+    @classmethod
+    def get_status_lbl(cls, value):
+        return dict(cls.STATUSES).get(value)
+
+    @property
+    def status_lbl(self):
+        return ChangesetStatus.get_status_lbl(self.status)
+
+
+class _PullRequestBase(BaseModel):
+    """
+    Common attributes of pull request and version entries.
+    """
+
+    # .status values
+    STATUS_NEW = u'new'
+    STATUS_OPEN = u'open'
+    STATUS_CLOSED = u'closed'
+
+    title = Column('title', Unicode(255), nullable=True)
+    description = Column(
+        'description', UnicodeText().with_variant(UnicodeText(10240), 'mysql'),
+        nullable=True)
+    # new/open/closed status of pull request (not approve/reject/etc)
+    status = Column('status', Unicode(255), nullable=False, default=STATUS_NEW)
+    created_on = Column(
+        'created_on', DateTime(timezone=False), nullable=False,
+        default=datetime.datetime.now)
+    updated_on = Column(
+        'updated_on', DateTime(timezone=False), nullable=False,
+        default=datetime.datetime.now)
+
+    @declared_attr
+    def user_id(cls):
+        return Column(
+            "user_id", Integer(), ForeignKey('users.user_id'), nullable=False,
+            unique=None)
+
+    # 500 revisions max
+    _revisions = Column(
+        'revisions', UnicodeText().with_variant(UnicodeText(20500), 'mysql'))
+
+    @declared_attr
+    def source_repo_id(cls):
+        # TODO: dan: rename column to source_repo_id
+        return Column(
+            'org_repo_id', Integer(), ForeignKey('repositories.repo_id'),
+            nullable=False)
+
+    source_ref = Column('org_ref', Unicode(255), nullable=False)
+
+    @declared_attr
+    def target_repo_id(cls):
+        # TODO: dan: rename column to target_repo_id
+        return Column(
+            'other_repo_id', Integer(), ForeignKey('repositories.repo_id'),
+            nullable=False)
+
+    target_ref = Column('other_ref', Unicode(255), nullable=False)
+
+    # TODO: dan: rename column to last_merge_source_rev
+    _last_merge_source_rev = Column(
+        'last_merge_org_rev', String(40), nullable=True)
+    # TODO: dan: rename column to last_merge_target_rev
+    _last_merge_target_rev = Column(
+        'last_merge_other_rev', String(40), nullable=True)
+    _last_merge_status = Column('merge_status', Integer(), nullable=True)
+    merge_rev = Column('merge_rev', String(40), nullable=True)
+
+    @hybrid_property
+    def revisions(self):
+        return self._revisions.split(':') if self._revisions else []
+
+    @revisions.setter
+    def revisions(self, val):
+        self._revisions = ':'.join(val)
+
+    @declared_attr
+    def author(cls):
+        return relationship('User', lazy='joined')
+
+    @declared_attr
+    def source_repo(cls):
+        return relationship(
+            'Repository',
+            primaryjoin='%s.source_repo_id==Repository.repo_id' % cls.__name__)
+
+    @property
+    def source_ref_parts(self):
+        refs = self.source_ref.split(':')
+        return Reference(refs[0], refs[1], refs[2])
+
+    @declared_attr
+    def target_repo(cls):
+        return relationship(
+            'Repository',
+            primaryjoin='%s.target_repo_id==Repository.repo_id' % cls.__name__)
+
+    @property
+    def target_ref_parts(self):
+        refs = self.target_ref.split(':')
+        return Reference(refs[0], refs[1], refs[2])
+
+
+class PullRequest(Base, _PullRequestBase):
+    __tablename__ = 'pull_requests'
+    __table_args__ = (
+        {'extend_existing': True, 'mysql_engine': 'InnoDB',
+         'mysql_charset': 'utf8', 'sqlite_autoincrement': True},
+    )
+
+    pull_request_id = Column(
+        'pull_request_id', Integer(), nullable=False, primary_key=True)
+
+    def __repr__(self):
+        if self.pull_request_id:
+            return '<DB:PullRequest #%s>' % self.pull_request_id
+        else:
+            return '<DB:PullRequest at %#x>' % id(self)
+
+    reviewers = relationship('PullRequestReviewers',
+                             cascade="all, delete, delete-orphan")
+    statuses = relationship('ChangesetStatus')
+    comments = relationship('ChangesetComment',
+                            cascade="all, delete, delete-orphan")
+    versions = relationship('PullRequestVersion',
+                            cascade="all, delete, delete-orphan")
+
+    def is_closed(self):
+        return self.status == self.STATUS_CLOSED
+
+    def get_api_data(self):
+        from rhodecode.model.pull_request import PullRequestModel
+        pull_request = self
+        merge_status = PullRequestModel().merge_status(pull_request)
+        data = {
+            'pull_request_id': pull_request.pull_request_id,
+            'url': url('pullrequest_show', repo_name=self.target_repo.repo_name,
+                                       pull_request_id=self.pull_request_id,
+                                       qualified=True),
+            'title': pull_request.title,
+            'description': pull_request.description,
+            'status': pull_request.status,
+            'created_on': pull_request.created_on,
+            'updated_on': pull_request.updated_on,
+            'commit_ids': pull_request.revisions,
+            'review_status': pull_request.calculated_review_status(),
+            'mergeable': {
+                'status': merge_status[0],
+                'message': unicode(merge_status[1]),
+            },
+            'source': {
+                'clone_url': pull_request.source_repo.clone_url(),
+                'repository': pull_request.source_repo.repo_name,
+                'reference': {
+                    'name': pull_request.source_ref_parts.name,
+                    'type': pull_request.source_ref_parts.type,
+                    'commit_id': pull_request.source_ref_parts.commit_id,
+                },
+            },
+            'target': {
+                'clone_url': pull_request.target_repo.clone_url(),
+                'repository': pull_request.target_repo.repo_name,
+                'reference': {
+                    'name': pull_request.target_ref_parts.name,
+                    'type': pull_request.target_ref_parts.type,
+                    'commit_id': pull_request.target_ref_parts.commit_id,
+                },
+            },
+            'author': pull_request.author.get_api_data(include_secrets=False,
+                                                       details='basic'),
+            'reviewers': [
+                {
+                    'user': reviewer.get_api_data(include_secrets=False,
+                                                  details='basic'),
+                    'review_status': st[0][1].status if st else 'not_reviewed',
+                }
+                for reviewer, st in pull_request.reviewers_statuses()
+            ]
+        }
+
+        return data
+
+    def __json__(self):
+        return {
+            'revisions': self.revisions,
+        }
+
+    def calculated_review_status(self):
+        # TODO: anderson: 13.05.15 Used only on templates/my_account_pullrequests.html
+        # because it's tricky on how to use ChangesetStatusModel from there
+        warnings.warn("Use calculated_review_status from ChangesetStatusModel", DeprecationWarning)
+        from rhodecode.model.changeset_status import ChangesetStatusModel
+        return ChangesetStatusModel().calculated_review_status(self)
+
+    def reviewers_statuses(self):
+        warnings.warn("Use reviewers_statuses from ChangesetStatusModel", DeprecationWarning)
+        from rhodecode.model.changeset_status import ChangesetStatusModel
+        return ChangesetStatusModel().reviewers_statuses(self)
+
+
+class PullRequestVersion(Base, _PullRequestBase):
+    __tablename__ = 'pull_request_versions'
+    __table_args__ = (
+        {'extend_existing': True, 'mysql_engine': 'InnoDB',
+         'mysql_charset': 'utf8', 'sqlite_autoincrement': True},
+    )
+
+    pull_request_version_id = Column(
+        'pull_request_version_id', Integer(), nullable=False, primary_key=True)
+    pull_request_id = Column(
+        'pull_request_id', Integer(),
+        ForeignKey('pull_requests.pull_request_id'), nullable=False)
+    pull_request = relationship('PullRequest')
+
+    def __repr__(self):
+        if self.pull_request_version_id:
+            return '<DB:PullRequestVersion #%s>' % self.pull_request_version_id
+        else:
+            return '<DB:PullRequestVersion at %#x>' % id(self)
+
+
+class PullRequestReviewers(Base, BaseModel):
+    __tablename__ = 'pull_request_reviewers'
+    __table_args__ = (
+        {'extend_existing': True, 'mysql_engine': 'InnoDB',
+         'mysql_charset': 'utf8', 'sqlite_autoincrement': True},
+    )
+
+    def __init__(self, user=None, pull_request=None):
+        self.user = user
+        self.pull_request = pull_request
+
+    pull_requests_reviewers_id = Column(
+        'pull_requests_reviewers_id', Integer(), nullable=False,
+        primary_key=True)
+    pull_request_id = Column(
+        "pull_request_id", Integer(),
+        ForeignKey('pull_requests.pull_request_id'), nullable=False)
+    user_id = Column(
+        "user_id", Integer(), ForeignKey('users.user_id'), nullable=True)
+
+    user = relationship('User')
+    pull_request = relationship('PullRequest')
+
+
+class Notification(Base, BaseModel):
+    __tablename__ = 'notifications'
+    __table_args__ = (
+        Index('notification_type_idx', 'type'),
+        {'extend_existing': True, 'mysql_engine': 'InnoDB',
+         'mysql_charset': 'utf8', 'sqlite_autoincrement': True},
+    )
+
+    TYPE_CHANGESET_COMMENT = u'cs_comment'
+    TYPE_MESSAGE = u'message'
+    TYPE_MENTION = u'mention'
+    TYPE_REGISTRATION = u'registration'
+    TYPE_PULL_REQUEST = u'pull_request'
+    TYPE_PULL_REQUEST_COMMENT = u'pull_request_comment'
+
+    notification_id = Column('notification_id', Integer(), nullable=False, primary_key=True)
+    subject = Column('subject', Unicode(512), nullable=True)
+    body = Column('body', UnicodeText().with_variant(UnicodeText(50000), 'mysql'), nullable=True)
+    created_by = Column("created_by", Integer(), ForeignKey('users.user_id'), nullable=True)
+    created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
+    type_ = Column('type', Unicode(255))
+
+    created_by_user = relationship('User')
+    notifications_to_users = relationship('UserNotification', lazy='joined',
+                                          cascade="all, delete, delete-orphan")
+
+    @property
+    def recipients(self):
+        return [x.user for x in UserNotification.query()\
+                .filter(UserNotification.notification == self)\
+                .order_by(UserNotification.user_id.asc()).all()]
+
+    @classmethod
+    def create(cls, created_by, subject, body, recipients, type_=None):
+        if type_ is None:
+            type_ = Notification.TYPE_MESSAGE
+
+        notification = cls()
+        notification.created_by_user = created_by
+        notification.subject = subject
+        notification.body = body
+        notification.type_ = type_
+        notification.created_on = datetime.datetime.now()
+
+        for u in recipients:
+            assoc = UserNotification()
+            assoc.notification = notification
+
+            # if created_by is inside recipients mark his notification
+            # as read
+            if u.user_id == created_by.user_id:
+                assoc.read = True
+
+            u.notifications.append(assoc)
+        Session().add(notification)
+
+        return notification
+
+    @property
+    def description(self):
+        from rhodecode.model.notification import NotificationModel
+        return NotificationModel().make_description(self)
+
+
+class UserNotification(Base, BaseModel):
+    __tablename__ = 'user_to_notification'
+    __table_args__ = (
+        UniqueConstraint('user_id', 'notification_id'),
+        {'extend_existing': True, 'mysql_engine': 'InnoDB',
+         'mysql_charset': 'utf8', 'sqlite_autoincrement': True}
+    )
+    user_id = Column('user_id', Integer(), ForeignKey('users.user_id'), primary_key=True)
+    notification_id = Column("notification_id", Integer(), ForeignKey('notifications.notification_id'), primary_key=True)
+    read = Column('read', Boolean, default=False)
+    sent_on = Column('sent_on', DateTime(timezone=False), nullable=True, unique=None)
+
+    user = relationship('User', lazy="joined")
+    notification = relationship('Notification', lazy="joined",
+                                order_by=lambda: Notification.created_on.desc(),)
+
+    def mark_as_read(self):
+        self.read = True
+        Session().add(self)
+
+
+class Gist(Base, BaseModel):
+    __tablename__ = 'gists'
+    __table_args__ = (
+        Index('g_gist_access_id_idx', 'gist_access_id'),
+        Index('g_created_on_idx', 'created_on'),
+        {'extend_existing': True, 'mysql_engine': 'InnoDB',
+         'mysql_charset': 'utf8', 'sqlite_autoincrement': True}
+    )
+    GIST_PUBLIC = u'public'
+    GIST_PRIVATE = u'private'
+    DEFAULT_FILENAME = u'gistfile1.txt'
+
+    ACL_LEVEL_PUBLIC = u'acl_public'
+    ACL_LEVEL_PRIVATE = u'acl_private'
+
+    gist_id = Column('gist_id', Integer(), primary_key=True)
+    gist_access_id = Column('gist_access_id', Unicode(250))
+    gist_description = Column('gist_description', UnicodeText().with_variant(UnicodeText(1024), 'mysql'))
+    gist_owner = Column('user_id', Integer(), ForeignKey('users.user_id'), nullable=True)
+    gist_expires = Column('gist_expires', Float(53), nullable=False)
+    gist_type = Column('gist_type', Unicode(128), nullable=False)
+    created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
+    modified_at = Column('modified_at', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
+    acl_level = Column('acl_level', Unicode(128), nullable=True)
+
+    owner = relationship('User')
+
+    def __repr__(self):
+        return '<Gist:[%s]%s>' % (self.gist_type, self.gist_access_id)
+
+    @classmethod
+    def get_or_404(cls, id_):
+        res = cls.query().filter(cls.gist_access_id == id_).scalar()
+        if not res:
+            raise HTTPNotFound
+        return res
+
+    @classmethod
+    def get_by_access_id(cls, gist_access_id):
+        return cls.query().filter(cls.gist_access_id == gist_access_id).scalar()
+
+    def gist_url(self):
+        import rhodecode
+        alias_url = rhodecode.CONFIG.get('gist_alias_url')
+        if alias_url:
+            return alias_url.replace('{gistid}', self.gist_access_id)
+
+        return url('gist', gist_id=self.gist_access_id, qualified=True)
+
+    @classmethod
+    def base_path(cls):
+        """
+        Returns base path when all gists are stored
+
+        :param cls:
+        """
+        from rhodecode.model.gist import GIST_STORE_LOC
+        q = Session().query(RhodeCodeUi)\
+            .filter(RhodeCodeUi.ui_key == URL_SEP)
+        q = q.options(FromCache("sql_cache_short", "repository_repo_path"))
+        return os.path.join(q.one().ui_value, GIST_STORE_LOC)
+
+    def get_api_data(self):
+        """
+        Common function for generating gist related data for API
+        """
+        gist = self
+        data = {
+            'gist_id': gist.gist_id,
+            'type': gist.gist_type,
+            'access_id': gist.gist_access_id,
+            'description': gist.gist_description,
+            'url': gist.gist_url(),
+            'expires': gist.gist_expires,
+            'created_on': gist.created_on,
+            'modified_at': gist.modified_at,
+            'content': None,
+            'acl_level': gist.acl_level,
+        }
+        return data
+
+    def __json__(self):
+        data = dict(
+        )
+        data.update(self.get_api_data())
+        return data
+    # SCM functions
+
+    def scm_instance(self, **kwargs):
+        full_repo_path = os.path.join(self.base_path(), self.gist_access_id)
+        return get_vcs_instance(
+            repo_path=safe_str(full_repo_path), create=False)
+
+
+class DbMigrateVersion(Base, BaseModel):
+    __tablename__ = 'db_migrate_version'
+    __table_args__ = (
+        {'extend_existing': True, 'mysql_engine': 'InnoDB',
+         'mysql_charset': 'utf8', 'sqlite_autoincrement': True},
+    )
+    repository_id = Column('repository_id', String(250), primary_key=True)
+    repository_path = Column('repository_path', Text)
+    version = Column('version', Integer)
+
+
+class ExternalIdentity(Base, BaseModel):
+    __tablename__ = 'external_identities'
+    __table_args__ = (
+        Index('local_user_id_idx', 'local_user_id'),
+        Index('external_id_idx', 'external_id'),
+        {'extend_existing': True, 'mysql_engine': 'InnoDB',
+         'mysql_charset': 'utf8'})
+
+    external_id = Column('external_id', Unicode(255), default=u'',
+                         primary_key=True)
+    external_username = Column('external_username', Unicode(1024), default=u'')
+    local_user_id = Column('local_user_id', Integer(),
+                           ForeignKey('users.user_id'), primary_key=True)
+    provider_name = Column('provider_name', Unicode(255), default=u'',
+                           primary_key=True)
+    access_token = Column('access_token', String(1024), default=u'')
+    alt_token = Column('alt_token', String(1024), default=u'')
+    token_secret = Column('token_secret', String(1024), default=u'')
+
+    @classmethod
+    def by_external_id_and_provider(cls, external_id, provider_name,
+                                    local_user_id=None):
+        """
+        Returns ExternalIdentity instance based on search params
+
+        :param external_id:
+        :param provider_name:
+        :return: ExternalIdentity
+        """
+        query = cls.query()
+        query = query.filter(cls.external_id == external_id)
+        query = query.filter(cls.provider_name == provider_name)
+        if local_user_id:
+            query = query.filter(cls.local_user_id == local_user_id)
+        return query.first()
+
+    @classmethod
+    def user_by_external_id_and_provider(cls, external_id, provider_name):
+        """
+        Returns User instance based on search params
+
+        :param external_id:
+        :param provider_name:
+        :return: User
+        """
+        query = User.query()
+        query = query.filter(cls.external_id == external_id)
+        query = query.filter(cls.provider_name == provider_name)
+        query = query.filter(User.user_id == cls.local_user_id)
+        return query.first()
+
+    @classmethod
+    def by_local_user_id(cls, local_user_id):
+        """
+        Returns all tokens for user
+
+        :param local_user_id:
+        :return: ExternalIdentity
+        """
+        query = cls.query()
+        query = query.filter(cls.local_user_id == local_user_id)
+        return query
+
+
+class Integration(Base, BaseModel):
+    __tablename__ = 'integrations'
+    __table_args__ = (
+        {'extend_existing': True, 'mysql_engine': 'InnoDB',
+         'mysql_charset': 'utf8', 'sqlite_autoincrement': True}
+    )
+
+    integration_id = Column('integration_id', Integer(), primary_key=True)
+    integration_type = Column('integration_type', String(255))
+    enabled = Column('enabled', Boolean(), nullable=False)
+    name = Column('name', String(255), nullable=False)
+    child_repos_only = Column('child_repos_only', Boolean(), nullable=True)
+
+    settings = Column(
+        'settings_json', MutationObj.as_mutable(
+            JsonType(dialect_map=dict(mysql=UnicodeText(16384)))))
+    repo_id = Column(
+        'repo_id', Integer(), ForeignKey('repositories.repo_id'),
+        nullable=True, unique=None, default=None)
+    repo = relationship('Repository', lazy='joined')
+
+    repo_group_id = Column(
+        'repo_group_id', Integer(), ForeignKey('groups.group_id'),
+        nullable=True, unique=None, default=None)
+    repo_group = relationship('RepoGroup', lazy='joined')
+
+    @hybrid_property
+    def scope(self):
+        if self.repo:
+            return self.repo
+        if self.repo_group:
+            return self.repo_group
+        if self.child_repos_only:
+            return 'root_repos'
+        return 'global'
+
+    @scope.setter
+    def scope(self, value):
+        self.repo = None
+        self.repo_id = None
+        self.repo_group_id = None
+        self.repo_group = None
+        self.child_repos_only = None
+        if isinstance(value, Repository):
+            self.repo = value
+        elif isinstance(value, RepoGroup):
+            self.repo_group = value
+        elif value == 'root_repos':
+            self.child_repos_only = True
+        elif value == 'global':
+            pass
+        else:
+            raise Exception("invalid scope: %s, must be one of "
+                "['global', 'root_repos', <RepoGroup>. <Repository>]" % value)
+
+    def __repr__(self):
+        return '<Integration(%r, %r)>' % (self.integration_type, self.scope)
diff --git a/rhodecode/lib/dbmigrate/versions/057_version_4_4_0.py b/rhodecode/lib/dbmigrate/versions/057_version_4_4_0.py
new file mode 100644
--- /dev/null
+++ b/rhodecode/lib/dbmigrate/versions/057_version_4_4_0.py
@@ -0,0 +1,35 @@
+import logging
+import datetime
+
+from sqlalchemy import *
+from sqlalchemy.exc import DatabaseError
+from sqlalchemy.orm import relation, backref, class_mapper, joinedload
+from sqlalchemy.orm.session import Session
+from sqlalchemy.ext.declarative import declarative_base
+
+from rhodecode.lib.dbmigrate.migrate import *
+from rhodecode.lib.dbmigrate.migrate.changeset import *
+from rhodecode.lib.utils2 import str2bool
+
+from rhodecode.model.meta import Base
+from rhodecode.model import meta
+from rhodecode.lib.dbmigrate.versions import _reset_base, notify
+
+log = logging.getLogger(__name__)
+
+
+def upgrade(migrate_engine):
+    """
+    Upgrade operations go here.
+    Don't create your own engine; bind migrate_engine to your metadata
+    """
+    _reset_base(migrate_engine)
+    from rhodecode.lib.dbmigrate.schema import db_4_4_0_1
+
+    tbl = db_4_4_0_1.Integration.__table__
+    child_repos_only = db_4_4_0_1.Integration.child_repos_only
+    child_repos_only.create(table=tbl)
+
+def downgrade(migrate_engine):
+    meta = MetaData()
+    meta.bind = migrate_engine
diff --git a/rhodecode/model/db.py b/rhodecode/model/db.py
--- a/rhodecode/model/db.py
+++ b/rhodecode/model/db.py
@@ -2036,6 +2036,8 @@ class RepoGroup(Base, BaseModel):
     users_group_to_perm = relationship('UserGroupRepoGroupToPerm', cascade='all')
     parent_group = relationship('RepoGroup', remote_side=group_id)
     user = relationship('User')
+    integrations = relationship('Integration',
+                                cascade="all, delete, delete-orphan")
 
     def __init__(self, group_name='', parent_group=None):
         self.group_name = group_name
@@ -3481,6 +3483,8 @@ class Integration(Base, BaseModel):
     integration_type = Column('integration_type', String(255))
     enabled = Column('enabled', Boolean(), nullable=False)
     name = Column('name', String(255), nullable=False)
+    child_repos_only = Column('child_repos_only', Boolean(), nullable=False,
+        default=False)
 
     settings = Column(
         'settings_json', MutationObj.as_mutable(
@@ -3495,12 +3499,36 @@ class Integration(Base, BaseModel):
         nullable=True, unique=None, default=None)
     repo_group = relationship('RepoGroup', lazy='joined')
 
-    def __repr__(self):
+    @hybrid_property
+    def scope(self):
         if self.repo:
-            scope = 'repo=%r' % self.repo
-        elif self.repo_group:
-            scope = 'repo_group=%r' % self.repo_group
+            return self.repo
+        if self.repo_group:
+            return self.repo_group
+        if self.child_repos_only:
+            return 'root_repos'
+        return 'global'
+
+    @scope.setter
+    def scope(self, value):
+        self.repo = None
+        self.repo_id = None
+        self.repo_group_id = None
+        self.repo_group = None
+        self.child_repos_only = False
+        if isinstance(value, Repository):
+            self.repo_id = value.repo_id
+            self.repo = value
+        elif isinstance(value, RepoGroup):
+            self.repo_group_id = value.group_id
+            self.repo_group = value
+        elif value == 'root_repos':
+            self.child_repos_only = True
+        elif value == 'global':
+            pass
         else:
-            scope = 'global'
-
-        return '<Integration(%r, %r)>' % (self.integration_type, scope)
+            raise Exception("invalid scope: %s, must be one of "
+                "['global', 'root_repos', <RepoGroup>. <Repository>]" % value)
+
+    def __repr__(self):
+        return '<Integration(%r, %r)>' % (self.integration_type, self.scope)
diff --git a/rhodecode/model/integration.py b/rhodecode/model/integration.py
--- a/rhodecode/model/integration.py
+++ b/rhodecode/model/integration.py
@@ -29,7 +29,7 @@ import traceback
 
 from pylons import tmpl_context as c
 from pylons.i18n.translation import _, ungettext
-from sqlalchemy import or_
+from sqlalchemy import or_, and_
 from sqlalchemy.sql.expression import false, true
 from mako import exceptions
 
@@ -39,7 +39,7 @@ from rhodecode.lib import helpers as h
 from rhodecode.lib.caching_query import FromCache
 from rhodecode.lib.utils import PartialRenderer
 from rhodecode.model import BaseModel
-from rhodecode.model.db import Integration, User
+from rhodecode.model.db import Integration, User, Repository, RepoGroup
 from rhodecode.model.meta import Session
 from rhodecode.integrations import integration_type_registry
 from rhodecode.integrations.types.base import IntegrationTypeBase
@@ -61,28 +61,34 @@ class IntegrationModel(BaseModel):
                 raise Exception('integration must be int, long or Instance'
                                 ' of Integration got %s' % type(integration))
 
-    def create(self, IntegrationType, enabled, name, settings, repo=None):
+    def create(self, IntegrationType, name, enabled, scope, settings):
         """ Create an IntegrationType integration """
         integration = Integration()
         integration.integration_type = IntegrationType.key
-        integration.settings = {}
-        integration.repo = repo
-        integration.enabled = enabled
-        integration.name = name
-
         self.sa.add(integration)
+        self.update_integration(integration, name, enabled, scope, settings)
         self.sa.commit()
         return integration
 
+    def update_integration(self, integration, name, enabled, scope, settings):
+        """
+        :param scope: one of ['global', 'root_repos', <RepoGroup>. <Repository>]
+        """
+
+        integration = self.__get_integration(integration)
+
+        integration.scope = scope
+        integration.name = name
+        integration.enabled = enabled
+        integration.settings = settings
+
+        return integration
+
     def delete(self, integration):
-        try:
-            integration = self.__get_integration(integration)
-            if integration:
-                self.sa.delete(integration)
-                return True
-        except Exception:
-            log.error(traceback.format_exc())
-            raise
+        integration = self.__get_integration(integration)
+        if integration:
+            self.sa.delete(integration)
+            return True
         return False
 
     def get_integration_handler(self, integration):
@@ -100,41 +106,108 @@ class IntegrationModel(BaseModel):
         if handler:
             handler.send_event(event)
 
-    def get_integrations(self, repo=None, repo_group=None):
-        if repo:
-            return self.sa.query(Integration).filter(
-                Integration.repo_id==repo.repo_id).all()
-        elif repo_group:
-            return self.sa.query(Integration).filter(
-                Integration.repo_group_id==repo_group.group_id).all()
+    def get_integrations(self, scope, IntegrationType=None):
+        """
+        Return integrations for a scope, which must be one of:
+
+        'all' - every integration, global/repogroup/repo
+        'global' - global integrations only
+        <Repository> instance - integrations for this repo only
+        <RepoGroup> instance - integrations for this repogroup only
+        """
 
-        # global integrations
-        return self.sa.query(Integration).filter(
-            Integration.repo_id==None).all()
+        if isinstance(scope, Repository):
+            query = self.sa.query(Integration).filter(
+                Integration.repo==scope)
+        elif isinstance(scope, RepoGroup):
+            query = self.sa.query(Integration).filter(
+                Integration.repo_group==scope)
+        elif scope == 'global':
+            # global integrations
+            query = self.sa.query(Integration).filter(
+                and_(Integration.repo_id==None, Integration.repo_group_id==None)
+            )
+        elif scope == 'root_repos':
+            query = self.sa.query(Integration).filter(
+                and_(Integration.repo_id==None,
+                     Integration.repo_group_id==None,
+                     Integration.child_repos_only==True)
+            )
+        elif scope == 'all':
+            query = self.sa.query(Integration)
+        else:
+            raise Exception(
+                "invalid `scope`, must be one of: "
+                "['global', 'all', <Repository>, <RepoGroup>]")
+
+        if IntegrationType is not None:
+            query = query.filter(
+                Integration.integration_type==IntegrationType.key)
+
+        result = []
+        for integration in query.all():
+            IntType = integration_type_registry.get(integration.integration_type)
+            result.append((IntType, integration))
+        return result
 
     def get_for_event(self, event, cache=False):
         """
         Get integrations that match an event
         """
-        query = self.sa.query(Integration).filter(Integration.enabled==True)
+        query = self.sa.query(
+            Integration
+        ).filter(
+            Integration.enabled==True
+        )
+
+        global_integrations_filter = and_(
+            Integration.repo_id==None,
+            Integration.repo_group_id==None,
+            Integration.child_repos_only==False,
+        )
+
+        if isinstance(event, events.RepoEvent):
+            root_repos_integrations_filter = and_(
+                Integration.repo_id==None,
+                Integration.repo_group_id==None,
+                Integration.child_repos_only==True,
+            )
+
+            clauses = [
+                global_integrations_filter,
+            ]
 
-        if isinstance(event, events.RepoEvent): # global + repo integrations
-                                                # + repo_group integrations
-            parent_groups = event.repo.groups_with_parents
-            query = query.filter(
-                        or_(Integration.repo_id==None,
-                            Integration.repo_id==event.repo.repo_id,
-                            Integration.repo_group_id.in_(
-                                [group.group_id for group in parent_groups]
-                            )))
+            # repo integrations
+            if event.repo.repo_id: # pre create events dont have a repo_id yet
+                clauses.append(
+                    Integration.repo_id==event.repo.repo_id
+                )
+
+            if event.repo.group:
+                clauses.append(
+                    Integration.repo_group_id == event.repo.group.group_id
+                )
+                # repo group cascade to kids (maybe implement this sometime?)
+                # clauses.append(Integration.repo_group_id.in_(
+                #     [group.group_id for group in
+                #     event.repo.groups_with_parents]
+                # ))
+
+
+            if not event.repo.group: # root repo
+                clauses.append(root_repos_integrations_filter)
+
+            query = query.filter(or_(*clauses))
+
             if cache:
                 query = query.options(FromCache(
                     "sql_cache_short",
                     "get_enabled_repo_integrations_%i" % event.repo.repo_id))
         else: # only global integrations
-            query = query.filter(Integration.repo_id==None)
+            query = query.filter(global_integrations_filter)
             if cache:
                 query = query.options(FromCache(
                     "sql_cache_short", "get_enabled_global_integrations"))
 
-        return query.all()
+        result = query.all()
+        return result
\ No newline at end of file
diff --git a/rhodecode/model/repo_group.py b/rhodecode/model/repo_group.py
--- a/rhodecode/model/repo_group.py
+++ b/rhodecode/model/repo_group.py
@@ -469,6 +469,8 @@ class RepoGroupModel(BaseModel):
 
     def delete(self, repo_group, force_delete=False, fs_remove=True):
         repo_group = self._get_repo_group(repo_group)
+        if not repo_group:
+            return False
         try:
             self.sa.delete(repo_group)
             if fs_remove:
@@ -478,6 +480,7 @@ class RepoGroupModel(BaseModel):
 
             # Trigger delete event.
             events.trigger(events.RepoGroupDeleteEvent(repo_group))
+            return True
 
         except Exception:
             log.error('Error removing repo_group %s', repo_group)
diff --git a/rhodecode/model/validation_schema/schemas/integration_schema.py b/rhodecode/model/validation_schema/schemas/integration_schema.py
new file mode 100644
--- /dev/null
+++ b/rhodecode/model/validation_schema/schemas/integration_schema.py
@@ -0,0 +1,187 @@
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2016-2016  RhodeCode GmbH
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License, version 3
+# (only), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+# This program is dual-licensed. If you wish to learn more about the
+# RhodeCode Enterprise Edition, including its added features, Support services,
+# and proprietary license terms, please see https://rhodecode.com/licenses/
+
+import os
+
+import deform
+import colander
+
+from rhodecode.translation import _
+from rhodecode.model.db import Repository, RepoGroup
+from rhodecode.model.validation_schema import validators, preparers
+
+
+def integration_scope_choices(permissions):
+    """
+    Return list of (value, label) choices for integration scopes depending on
+    the permissions
+    """
+    result = [('', _('Pick a scope:'))]
+    if 'hg.admin' in permissions['global']:
+        result.extend([
+           ('global', _('Global (all repositories)')),
+           ('root_repos', _('Top level repositories only')),
+        ])
+
+    repo_choices = [
+        ('repo:%s' % repo_name, '/' + repo_name)
+        for repo_name, repo_perm
+        in permissions['repositories'].items()
+        if repo_perm == 'repository.admin'
+    ]
+    repogroup_choices = [
+        ('repogroup:%s' % repo_group_name, '/' + repo_group_name + ' (group)')
+        for repo_group_name, repo_group_perm
+        in permissions['repositories_groups'].items()
+        if repo_group_perm == 'group.admin'
+    ]
+    result.extend(
+        sorted(repogroup_choices + repo_choices,
+            key=lambda (choice, label): choice.split(':', 1)[1]
+        )
+    )
+    return result
+
+
+@colander.deferred
+def deferred_integration_scopes_validator(node, kw):
+    perms = kw.get('permissions')
+    def _scope_validator(_node, scope):
+        is_super_admin = 'hg.admin' in perms['global']
+
+        if scope in ('global', 'root_repos'):
+            if is_super_admin:
+                return True
+            msg = _('Only superadmins can create global integrations')
+            raise colander.Invalid(_node, msg)
+        elif isinstance(scope, Repository):
+            if (is_super_admin or perms['repositories'].get(
+                                        scope.repo_name) == 'repository.admin'):
+                return True
+            msg = _('Only repo admins can create integrations')
+            raise colander.Invalid(_node, msg)
+        elif isinstance(scope, RepoGroup):
+            if (is_super_admin or perms['repositories_groups'].get(
+                                            scope.group_name) == 'group.admin'):
+                return True
+
+            msg = _('Only repogroup admins can create integrations')
+            raise colander.Invalid(_node, msg)
+
+        msg = _('Invalid integration scope: %s' % scope)
+        raise colander.Invalid(node, msg)
+
+    return _scope_validator
+
+
+@colander.deferred
+def deferred_integration_scopes_widget(node, kw):
+    if kw.get('no_scope'):
+        return deform.widget.TextInputWidget(readonly=True)
+
+    choices = integration_scope_choices(kw.get('permissions'))
+    widget = deform.widget.Select2Widget(values=choices)
+    return widget
+
+class IntegrationScope(colander.SchemaType):
+    def serialize(self, node, appstruct):
+        if appstruct is colander.null:
+            return colander.null
+
+        if isinstance(appstruct, Repository):
+            return 'repo:%s' % appstruct.repo_name
+        elif isinstance(appstruct, RepoGroup):
+            return 'repogroup:%s' % appstruct.group_name
+        elif appstruct in ('global', 'root_repos'):
+            return appstruct
+        raise colander.Invalid(node, '%r is not a valid scope' % appstruct)
+
+    def deserialize(self, node, cstruct):
+        if cstruct is colander.null:
+            return colander.null
+
+        if cstruct.startswith('repo:'):
+            repo = Repository.get_by_repo_name(cstruct.split(':')[1])
+            if repo:
+                return repo
+        elif cstruct.startswith('repogroup:'):
+            repo_group = RepoGroup.get_by_group_name(cstruct.split(':')[1])
+            if repo_group:
+                return repo_group
+        elif cstruct in ('global', 'root_repos'):
+            return cstruct
+
+        raise colander.Invalid(node, '%r is not a valid scope' % cstruct)
+
+class IntegrationOptionsSchemaBase(colander.MappingSchema):
+
+    name = colander.SchemaNode(
+        colander.String(),
+        description=_('Short name for this integration.'),
+        missing=colander.required,
+        title=_('Integration name'),
+    )
+
+    scope = colander.SchemaNode(
+        IntegrationScope(),
+        description=_(
+            'Scope of the integration. Group scope means the integration '
+            ' runs on all child repos of that group.'),
+        title=_('Integration scope'),
+        validator=deferred_integration_scopes_validator,
+        widget=deferred_integration_scopes_widget,
+        missing=colander.required,
+    )
+
+    enabled = colander.SchemaNode(
+        colander.Bool(),
+        default=True,
+        description=_('Enable or disable this integration.'),
+        missing=False,
+        title=_('Enabled'),
+    )
+
+
+
+def make_integration_schema(IntegrationType, settings=None):
+    """
+    Return a colander schema for an integration type
+
+    :param IntegrationType: the integration type class
+    :param settings: existing integration settings dict (optional)
+    """
+
+    settings = settings or {}
+    settings_schema = IntegrationType(settings=settings).settings_schema()
+
+    class IntegrationSchema(colander.Schema):
+        options = IntegrationOptionsSchemaBase()
+
+    schema = IntegrationSchema()
+    schema['options'].title = _('General integration options')
+
+    settings_schema.name = 'settings'
+    settings_schema.title = _('{integration_type} settings').format(
+        integration_type=IntegrationType.display_name)
+    schema.add(settings_schema)
+
+    return schema
+
+
diff --git a/rhodecode/public/css/deform.less b/rhodecode/public/css/deform.less
--- a/rhodecode/public/css/deform.less
+++ b/rhodecode/public/css/deform.less
@@ -38,6 +38,17 @@
 
   .form-control {
     width: 100%;
+    padding: 0.9em;
+    border: 1px solid #979797;
+    border-radius: 2px;
+  }
+  .form-control.select2-container {
+    padding: 0; /* padding already applied in .drop-menu a */
+  }
+
+  .form-control.readonly {
+    background: #eeeeee;
+    cursor: not-allowed;
   }
 
   .error-block {
diff --git a/rhodecode/public/css/main.less b/rhodecode/public/css/main.less
--- a/rhodecode/public/css/main.less
+++ b/rhodecode/public/css/main.less
@@ -1100,6 +1100,44 @@ table.issuetracker {
     }
 }
 
+table.integrations {
+    .td-icon {
+        width: 20px;
+        .integration-icon {
+            height: 20px;
+            width: 20px;
+        }
+    }
+}
+
+.integrations {
+    a.integration-box {
+        color: @text-color;
+        &:hover {
+            .panel {
+                background: #fbfbfb;
+            }
+        }
+        .integration-icon {
+          width: 30px;
+          height: 30px;
+          margin-right: 20px;
+          float: left;
+        }
+
+        .panel-body {
+            padding: 10px;
+        }
+        .panel {
+            margin-bottom: 10px;
+        }
+        h2 {
+            display: inline-block;
+            margin: 0;
+            min-width: 140px;
+        }
+    }
+}
 
 //Permissions Settings
 #add_perm {
diff --git a/rhodecode/public/css/type.less b/rhodecode/public/css/type.less
--- a/rhodecode/public/css/type.less
+++ b/rhodecode/public/css/type.less
@@ -261,7 +261,7 @@ mark,
       margin-bottom: 0;
     }
 
-    .links{
+    .links {
         float: right;
         display: inline;
         margin: 0;
@@ -270,7 +270,7 @@ mark,
         text-align: right;
 
         li:before { content: none; }
-
+        li { float: right; }
         a {
             display: inline-block;
             margin-left: @textmargin/2;
diff --git a/rhodecode/templates/admin/integrations/edit.html b/rhodecode/templates/admin/integrations/form.html
rename from rhodecode/templates/admin/integrations/edit.html
rename to rhodecode/templates/admin/integrations/form.html
--- a/rhodecode/templates/admin/integrations/edit.html
+++ b/rhodecode/templates/admin/integrations/form.html
@@ -11,6 +11,19 @@
       request.route_url(route_name='repo_integrations_list',
                         repo_name=c.repo.repo_name,
                         integration=current_IntegrationType.key))}
+  %elif c.repo_group:
+    ${h.link_to(_('Admin'),h.url('admin_home'))}
+    &raquo;
+    ${h.link_to(_('Repository Groups'),h.url('repo_groups'))}
+    &raquo;
+    ${h.link_to(c.repo_group.group_name,h.url('edit_repo_group', group_name=c.repo_group.group_name))}
+    &raquo;
+    ${h.link_to(_('Integrations'),request.route_url(route_name='repo_group_integrations_home', repo_group_name=c.repo_group.group_name))}
+    &raquo;
+    ${h.link_to(current_IntegrationType.display_name,
+      request.route_url(route_name='repo_group_integrations_list',
+                        repo_group_name=c.repo_group.group_name,
+                        integration=current_IntegrationType.key))}
   %else:
     ${h.link_to(_('Admin'),h.url('admin_home'))}
     &raquo;
@@ -22,18 +35,31 @@
       request.route_url(route_name='global_integrations_list',
                         integration=current_IntegrationType.key))}
   %endif
+
   %if integration:
     &raquo;
     ${integration.name}
+  %elif current_IntegrationType:
+    &raquo;
+    ${current_IntegrationType.display_name}
   %endif
 </%def>
+
+<style>
+.control-inputs.item-options, .control-inputs.item-settings {
+  float: left;
+  width: 100%;
+}
+</style>
 <div class="panel panel-default">
   <div class="panel-heading">
     <h2 class="panel-title">
       %if integration:
         ${current_IntegrationType.display_name} - ${integration.name}
       %else:
-        ${_('Create New %(integration_type)s Integration') % {'integration_type': current_IntegrationType.display_name}}
+        ${_('Create New %(integration_type)s Integration') % {
+          'integration_type': current_IntegrationType.display_name
+        }}
       %endif
     </h2>
   </div>
diff --git a/rhodecode/templates/admin/integrations/list.html b/rhodecode/templates/admin/integrations/list.html
--- a/rhodecode/templates/admin/integrations/list.html
+++ b/rhodecode/templates/admin/integrations/list.html
@@ -4,6 +4,12 @@
 <%def name="breadcrumbs_links()">
   %if c.repo:
     ${h.link_to('Settings',h.url('edit_repo', repo_name=c.repo.repo_name))}
+  %elif c.repo_group:
+    ${h.link_to(_('Admin'),h.url('admin_home'))}
+    &raquo;
+    ${h.link_to(_('Repository Groups'),h.url('repo_groups'))}
+    &raquo;
+    ${h.link_to(c.repo_group.group_name,h.url('edit_repo_group', group_name=c.repo_group.group_name))}
   %else:
     ${h.link_to(_('Admin'),h.url('admin_home'))}
     &raquo;
@@ -15,6 +21,10 @@
     ${h.link_to(_('Integrations'),
       request.route_url(route_name='repo_integrations_home',
                         repo_name=c.repo.repo_name))}
+    %elif c.repo_group:
+    ${h.link_to(_('Integrations'),
+      request.route_url(route_name='repo_group_integrations_home',
+                        repo_group_name=c.repo_group.group_name))}
     %else:
     ${h.link_to(_('Integrations'),
       request.route_url(route_name='global_integrations_home'))}
@@ -26,54 +36,105 @@
     ${_('Integrations')}
   %endif
 </%def>
+
 <div class="panel panel-default">
   <div class="panel-heading">
-    <h3 class="panel-title">${_('Create New Integration')}</h3>
+    <h3 class="panel-title">
+      %if c.repo:
+        ${_('Current Integrations for Repository: {repo_name}').format(repo_name=c.repo.repo_name)}
+      %elif c.repo_group:
+        ${_('Current Integrations for repository group: {repo_group_name}').format(repo_group_name=c.repo_group.group_name)}
+      %else:
+          ${_('Current Integrations')}
+      %endif
+      </h3>
   </div>
   <div class="panel-body">
-  %if not available_integrations:
-    ${_('No integrations available.')}
-  %else:
-    %for integration in available_integrations:
-      <%
-      if c.repo:
-        create_url = request.route_path('repo_integrations_create',
+    <%
+    if c.repo:
+      home_url = request.route_path('repo_integrations_home',
+                                    repo_name=c.repo.repo_name)
+    elif c.repo_group:
+      home_url = request.route_path('repo_group_integrations_home',
+                                    repo_group_name=c.repo_group.group_name)
+    else:
+      home_url = request.route_path('global_integrations_home')
+    %>
+
+    <a href="${home_url}" class="btn ${not current_IntegrationType and 'btn-primary' or ''}">${_('All')}</a>
+
+    %for integration_key, IntegrationType in available_integrations.items():
+        <%
+        if c.repo:
+          list_url = request.route_path('repo_integrations_list',
                                         repo_name=c.repo.repo_name,
-                                        integration=integration)
-      elif c.repo_group:
-        create_url = request.route_path('repo_group_integrations_create',
+                                        integration=integration_key)
+        elif c.repo_group:
+          list_url = request.route_path('repo_group_integrations_list',
                                         repo_group_name=c.repo_group.group_name,
-                                        integration=integration)
-      else:
-        create_url = request.route_path('global_integrations_create',
-                                        integration=integration)
-      %>
-      <a href="${create_url}" class="btn">
-        ${integration}
+                                        integration=integration_key)
+        else:
+          list_url = request.route_path('global_integrations_list',
+                                       integration=integration_key)
+        %>
+      <a href="${list_url}"
+         class="btn ${current_IntegrationType and integration_key == current_IntegrationType.key and 'btn-primary' or ''}">
+        ${IntegrationType.display_name}
       </a>
     %endfor
-  %endif
-  </div>
-</div>
-<div class="panel panel-default">
-  <div class="panel-heading">
-    <h3 class="panel-title">${_('Current Integrations')}</h3>
-  </div>
-  <div class="panel-body">
-    <table class="rctable issuetracker">
+
+    <%
+    if c.repo:
+      create_url = h.route_path('repo_integrations_new', repo_name=c.repo.repo_name)
+    elif c.repo_group:
+      create_url = h.route_path('repo_group_integrations_new', repo_group_name=c.repo_group.group_name)
+    else:
+      create_url = h.route_path('global_integrations_new')
+    %>
+    <p class="pull-right">
+      <a href="${create_url}" class="btn btn-small btn-success">${_(u'Create new integration')}</a>
+    </p>
+
+    <table class="rctable integrations">
       <thead>
         <tr>
-            <th>${_('Enabled')}</th>
-            <th>${_('Description')}</th>
-            <th>${_('Type')}</th>
+            <th><a href="?sort=enabled:${rev_sort_dir}">${_('Enabled')}</a></th>
+            <th><a href="?sort=name:${rev_sort_dir}">${_('Name')}</a></th>
+            <th colspan="2"><a href="?sort=integration_type:${rev_sort_dir}">${_('Type')}</a></th>
+            <th><a href="?sort=scope:${rev_sort_dir}">${_('Scope')}</a></th>
             <th>${_('Actions')}</th>
             <th></th>
         </tr>
       </thead>
       <tbody>
+  %if not integrations_list:
+        <tr>
+          <td colspan="7">
+          <% integration_type = current_IntegrationType and current_IntegrationType.display_name or '' %>
+            %if c.repo:
+              ${_('No {type} integrations for repo {repo} exist yet.').format(type=integration_type, repo=c.repo.repo_name)}
+            %elif c.repo_group:
+              ${_('No {type} integrations for repogroup {repogroup} exist yet.').format(type=integration_type, repogroup=c.repo_group.group_name)}
+            %else:
+              ${_('No {type} integrations exist yet.').format(type=integration_type)}
+            %endif
 
-  %for integration_type, integrations in sorted(current_integrations.items()):
-    %for integration in sorted(integrations, key=lambda x: x.name):
+            %if current_IntegrationType:
+            <%
+            if c.repo:
+              create_url = h.route_path('repo_integrations_create', repo_name=c.repo.repo_name, integration=current_IntegrationType.key)
+            elif c.repo_group:
+              create_url = h.route_path('repo_group_integrations_create', repo_group_name=c.repo_group.group_name, integration=current_IntegrationType.key)
+            else:
+              create_url = h.route_path('global_integrations_create', integration=current_IntegrationType.key)
+            %>
+            %endif
+
+            <a href="${create_url}">${_(u'Create one')}</a>
+          </td>
+        </tr>
+  %endif
+  %for IntegrationType, integration in integrations_list:
         <tr id="integration_${integration.integration_id}">
           <td class="td-enabled">
             %if integration.enabled:
@@ -85,11 +146,39 @@
           <td class="td-description">
             ${integration.name}
           </td>
-          <td class="td-regex">
+          <td class="td-icon">
+            %if integration.integration_type in available_integrations:
+            <div class="integration-icon">
+              ${available_integrations[integration.integration_type].icon|n}
+            </div>
+            %else:
+              ?
+            %endif
+          </td>
+          <td class="td-type">
             ${integration.integration_type}
           </td>
+          <td class="td-scope">
+            %if integration.repo:
+            <a href="${h.url('summary_home', repo_name=integration.repo.repo_name)}">
+              ${_('repo')}:${integration.repo.repo_name}
+            </a>
+            %elif integration.repo_group:
+            <a href="${h.url('repo_group_home', group_name=integration.repo_group.group_name)}">
+              ${_('repogroup')}:${integration.repo_group.group_name}
+            </a>
+            %else:
+              %if integration.scope == 'root_repos':
+              ${_('top level repos only')}
+              %elif integration.scope == 'global':
+              ${_('global')}
+              %else:
+              ${_('unknown scope')}: ${integration.scope}
+              %endif
+          </td>
+          %endif
           <td class="td-action">
-          %if integration_type not in available_integrations:
+          %if not IntegrationType:
           ${_('unknown integration')}
           %else:
             <%
@@ -122,11 +211,15 @@
           %endif
           </td>
         </tr>
-      %endfor
     %endfor
       <tr id="last-row"></tr>
       </tbody>
     </table>
+    <div class="integrations-paginator">
+      <div class="pagination-wh pagination-left">
+      ${integrations_list.pager('$link_previous ~2~ $link_next')}
+      </div>
+    </div>
   </div>
 </div>
 <script type="text/javascript">
diff --git a/rhodecode/templates/admin/integrations/new.html b/rhodecode/templates/admin/integrations/new.html
new file mode 100644
--- /dev/null
+++ b/rhodecode/templates/admin/integrations/new.html
@@ -0,0 +1,66 @@
+## -*- coding: utf-8 -*-
+<%inherit file="base.html"/>
+<%namespace name="widgets" file="/widgets.html"/>
+
+<%def name="breadcrumbs_links()">
+  %if c.repo:
+    ${h.link_to('Settings',h.url('edit_repo', repo_name=c.repo.repo_name))}
+    &raquo;
+    ${h.link_to(_('Integrations'),request.route_url(route_name='repo_integrations_home', repo_name=c.repo.repo_name))}
+  %elif c.repo_group:
+    ${h.link_to(_('Admin'),h.url('admin_home'))}
+    &raquo;
+    ${h.link_to(_('Repository Groups'),h.url('repo_groups'))}
+    &raquo;
+    ${h.link_to(c.repo_group.group_name,h.url('edit_repo_group', group_name=c.repo_group.group_name))}
+    &raquo;
+    ${h.link_to(_('Integrations'),request.route_url(route_name='repo_group_integrations_home', repo_group_name=c.repo_group.group_name))}
+  %else:
+    ${h.link_to(_('Admin'),h.url('admin_home'))}
+    &raquo;
+    ${h.link_to(_('Settings'),h.url('admin_settings'))}
+    &raquo;
+    ${h.link_to(_('Integrations'),request.route_url(route_name='global_integrations_home'))}
+  %endif
+    &raquo;
+    ${_('Create new integration')}
+</%def>
+<%widgets:panel class_='integrations'>
+    <%def name="title()">
+        %if c.repo:
+            ${_('Create New Integration for repository: {repo_name}').format(repo_name=c.repo.repo_name)}
+        %elif c.repo_group:
+            ${_('Create New Integration for repository group: {repo_group_name}').format(repo_group_name=c.repo_group.group_name)}
+        %else:
+            ${_('Create New Global Integration')}
+        %endif
+    </%def>
+
+    %for integration, IntegrationType in available_integrations.items():
+      <%
+      if c.repo:
+        create_url = request.route_path('repo_integrations_create',
+                                        repo_name=c.repo.repo_name,
+                                        integration=integration)
+      elif c.repo_group:
+        create_url = request.route_path('repo_group_integrations_create',
+                                        repo_group_name=c.repo_group.group_name,
+                                        integration=integration)
+      else:
+        create_url = request.route_path('global_integrations_create',
+                                        integration=integration)
+      %>
+        <a href="${create_url}" class="integration-box">
+          <%widgets:panel>
+            <h2>
+              <div class="integration-icon">
+                  ${IntegrationType.icon|n}
+              </div>
+              ${IntegrationType.display_name}
+            </h2>
+            ${IntegrationType.description or _('No description available')}
+          </%widgets:panel>
+        </a>
+    %endfor
+      <div style="clear:both"></div>
+</%widgets:panel>
diff --git a/rhodecode/templates/forms/mapping_item.pt b/rhodecode/templates/forms/mapping_item.pt
--- a/rhodecode/templates/forms/mapping_item.pt
+++ b/rhodecode/templates/forms/mapping_item.pt
@@ -10,7 +10,6 @@
      id="item-${oid}"
      tal:omit-tag="structural"
      i18n:domain="deform">
-
   <label for="${oid}"
          class="control-label ${required and 'required' or ''}"
          tal:condition="not structural"
@@ -18,7 +17,7 @@
          >
     ${title}
   </label>
-  <div class="control-inputs">
+  <div class="control-inputs ${field.widget.item_css_class or ''}">
     <div tal:define="input_prepend field.widget.input_prepend | None;
                      input_append field.widget.input_append  | None"
          tal:omit-tag="not (input_prepend or input_append)"
diff --git a/rhodecode/templates/forms/readonly/textinput.pt b/rhodecode/templates/forms/readonly/textinput.pt
new file mode 100644
--- /dev/null
+++ b/rhodecode/templates/forms/readonly/textinput.pt
@@ -0,0 +1,4 @@
+<div class="form-control readonly"
+   id="${oid|field.oid}">
+  ${cstruct}
+</div>
diff --git a/rhodecode/templates/widgets.html b/rhodecode/templates/widgets.html
--- a/rhodecode/templates/widgets.html
+++ b/rhodecode/templates/widgets.html
@@ -1,8 +1,16 @@
-<%def name="panel(title, class_='default')">
-    <div class="panel panel-${class_}">
+<%def name="panel(title='', category='default', class_='')">
+    <div class="panel panel-${category} ${class_}">
+    %if title or hasattr(caller, 'title'):
       <div class="panel-heading">
-        <h3 class="panel-title">${title}</h3>
+        <h3 class="panel-title">
+        %if title:
+        ${title}
+        %else:
+        ${caller.title()}
+        %endif
+        </h3>
       </div>
+    %endif
       <div class="panel-body">
         ${caller.body()}
       </div>
diff --git a/rhodecode/tests/functional/test_integrations.py b/rhodecode/tests/functional/test_integrations.py
new file mode 100644
--- /dev/null
+++ b/rhodecode/tests/functional/test_integrations.py
@@ -0,0 +1,262 @@
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2010-2016  RhodeCode GmbH
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License, version 3
+# (only), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+# This program is dual-licensed. If you wish to learn more about the
+# RhodeCode Enterprise Edition, including its added features, Support services,
+# and proprietary license terms, please see https://rhodecode.com/licenses/
+
+import mock
+import pytest
+from webob.exc import HTTPNotFound
+
+import rhodecode
+from rhodecode.model.db import Integration
+from rhodecode.model.meta import Session
+from rhodecode.tests import assert_session_flash, url, TEST_USER_ADMIN_LOGIN
+from rhodecode.tests.utils import AssertResponse
+from rhodecode.integrations import integration_type_registry
+from rhodecode.config.routing import ADMIN_PREFIX
+
+
+@pytest.mark.usefixtures('app', 'autologin_user')
+class TestIntegrationsView(object):
+    pass
+
+
+class TestGlobalIntegrationsView(TestIntegrationsView):
+    def test_index_no_integrations(self, app):
+        url = ADMIN_PREFIX + '/integrations'
+        response = app.get(url)
+
+        assert response.status_code == 200
+        assert 'exist yet' in response.body
+
+    def test_index_with_integrations(self, app, global_integration_stub):
+        url = ADMIN_PREFIX + '/integrations'
+        response = app.get(url)
+
+        assert response.status_code == 200
+        assert 'exist yet' not in response.body
+        assert global_integration_stub.name in response.body
+
+    def test_new_integration_page(self, app):
+        url = ADMIN_PREFIX + '/integrations/new'
+
+        response = app.get(url)
+
+        assert response.status_code == 200
+
+        for integration_key in integration_type_registry:
+            nurl = (ADMIN_PREFIX + '/integrations/{integration}/new').format(
+                    integration=integration_key)
+            assert nurl in response.body
+
+    @pytest.mark.parametrize(
+        'IntegrationType', integration_type_registry.values())
+    def test_get_create_integration_page(self, app, IntegrationType):
+        url = ADMIN_PREFIX + '/integrations/{integration_key}/new'.format(
+            integration_key=IntegrationType.key)
+
+        response = app.get(url)
+
+        assert response.status_code == 200
+        assert IntegrationType.display_name in response.body
+
+    def test_post_integration_page(self, app, StubIntegrationType, csrf_token,
+                                   test_repo_group, backend_random):
+        url = ADMIN_PREFIX + '/integrations/{integration_key}/new'.format(
+            integration_key=StubIntegrationType.key)
+
+        _post_integration_test_helper(app, url, csrf_token, admin_view=True,
+            repo=backend_random.repo, repo_group=test_repo_group)
+
+
+class TestRepoGroupIntegrationsView(TestIntegrationsView):
+    def test_index_no_integrations(self, app, test_repo_group):
+        url = '/{repo_group_name}/settings/integrations'.format(
+            repo_group_name=test_repo_group.group_name)
+        response = app.get(url)
+
+        assert response.status_code == 200
+        assert 'exist yet' in response.body
+
+    def test_index_with_integrations(self, app, test_repo_group,
+                                     repogroup_integration_stub):
+        url = '/{repo_group_name}/settings/integrations'.format(
+            repo_group_name=test_repo_group.group_name)
+
+        stub_name = repogroup_integration_stub.name
+        response = app.get(url)
+
+        assert response.status_code == 200
+        assert 'exist yet' not in response.body
+        assert stub_name in response.body
+
+    def test_new_integration_page(self, app, test_repo_group):
+        repo_group_name = test_repo_group.group_name
+        url = '/{repo_group_name}/settings/integrations/new'.format(
+            repo_group_name=test_repo_group.group_name)
+
+        response = app.get(url)
+
+        assert response.status_code == 200
+
+        for integration_key in integration_type_registry:
+            nurl = ('/{repo_group_name}/settings/integrations'
+                    '/{integration}/new').format(
+                    repo_group_name=repo_group_name,
+                    integration=integration_key)
+
+            assert nurl in response.body
+
+    @pytest.mark.parametrize(
+        'IntegrationType', integration_type_registry.values())
+    def test_get_create_integration_page(self, app, test_repo_group,
+                                         IntegrationType):
+        repo_group_name = test_repo_group.group_name
+        url = ('/{repo_group_name}/settings/integrations/{integration_key}/new'
+               ).format(repo_group_name=repo_group_name,
+                        integration_key=IntegrationType.key)
+
+        response = app.get(url)
+
+        assert response.status_code == 200
+        assert IntegrationType.display_name in response.body
+
+    def test_post_integration_page(self, app, test_repo_group, backend_random,
+                                   StubIntegrationType, csrf_token):
+        repo_group_name = test_repo_group.group_name
+        url = ('/{repo_group_name}/settings/integrations/{integration_key}/new'
+               ).format(repo_group_name=repo_group_name,
+                        integration_key=StubIntegrationType.key)
+
+        _post_integration_test_helper(app, url, csrf_token, admin_view=False,
+            repo=backend_random.repo, repo_group=test_repo_group)
+
+
+class TestRepoIntegrationsView(TestIntegrationsView):
+    def test_index_no_integrations(self, app, backend_random):
+        url = '/{repo_name}/settings/integrations'.format(
+            repo_name=backend_random.repo.repo_name)
+        response = app.get(url)
+
+        assert response.status_code == 200
+        assert 'exist yet' in response.body
+
+    def test_index_with_integrations(self, app, repo_integration_stub):
+        url = '/{repo_name}/settings/integrations'.format(
+            repo_name=repo_integration_stub.repo.repo_name)
+        stub_name = repo_integration_stub.name
+
+        response = app.get(url)
+
+        assert response.status_code == 200
+        assert stub_name in response.body
+        assert 'exist yet' not in response.body
+
+    def test_new_integration_page(self, app, backend_random):
+        repo_name = backend_random.repo.repo_name
+        url = '/{repo_name}/settings/integrations/new'.format(
+            repo_name=repo_name)
+
+        response = app.get(url)
+
+        assert response.status_code == 200
+
+        for integration_key in integration_type_registry:
+            nurl = ('/{repo_name}/settings/integrations'
+                    '/{integration}/new').format(
+                    repo_name=repo_name,
+                    integration=integration_key)
+
+            assert nurl in response.body
+
+    @pytest.mark.parametrize(
+        'IntegrationType', integration_type_registry.values())
+    def test_get_create_integration_page(self, app, backend_random,
+                                         IntegrationType):
+        repo_name = backend_random.repo.repo_name
+        url = '/{repo_name}/settings/integrations/{integration_key}/new'.format(
+            repo_name=repo_name, integration_key=IntegrationType.key)
+
+        response = app.get(url)
+
+        assert response.status_code == 200
+        assert IntegrationType.display_name in response.body
+
+    def test_post_integration_page(self, app, backend_random, test_repo_group,
+                                   StubIntegrationType, csrf_token):
+        repo_name = backend_random.repo.repo_name
+        url = '/{repo_name}/settings/integrations/{integration_key}/new'.format(
+            repo_name=repo_name, integration_key=StubIntegrationType.key)
+
+        _post_integration_test_helper(app, url, csrf_token, admin_view=False,
+            repo=backend_random.repo, repo_group=test_repo_group)
+
+
+def _post_integration_test_helper(app, url, csrf_token, repo, repo_group,
+                                  admin_view):
+    """
+    Posts form data to create integration at the url given then deletes it and
+    checks if the redirect url is correct.
+    """
+
+    app.post(url, params={}, status=403) # missing csrf check
+    response = app.post(url, params={'csrf_token': csrf_token})
+    assert response.status_code == 200
+    assert 'Errors exist' in response.body
+
+    scopes_destinations = [
+        ('global',
+            ADMIN_PREFIX + '/integrations'),
+        ('root_repos',
+                ADMIN_PREFIX + '/integrations'),
+        ('repo:%s' % repo.repo_name,
+                '/%s/settings/integrations' % repo.repo_name),
+        ('repogroup:%s' % repo_group.group_name,
+                '/%s/settings/integrations' % repo_group.group_name),
+    ]
+
+    for scope, destination in scopes_destinations:
+        if admin_view:
+            destination = ADMIN_PREFIX + '/integrations'
+
+        form_data = [
+            ('csrf_token', csrf_token),
+            ('__start__', 'options:mapping'),
+            ('name', 'test integration'),
+            ('scope', scope),
+            ('enabled', 'true'),
+            ('__end__', 'options:mapping'),
+            ('__start__', 'settings:mapping'),
+            ('test_int_field', '34'),
+            ('test_string_field', ''), # empty value on purpose as it's required
+            ('__end__', 'settings:mapping'),
+        ]
+        errors_response = app.post(url, form_data)
+        assert 'Errors exist' in errors_response.body
+
+        form_data[-2] = ('test_string_field', 'data!')
+        assert Session().query(Integration).count() == 0
+        created_response = app.post(url, form_data)
+        assert Session().query(Integration).count() == 1
+
+        delete_response = app.post(
+            created_response.location,
+            params={'csrf_token': csrf_token, 'delete': 'delete'})
+
+        assert Session().query(Integration).count() == 0
+        assert delete_response.location.endswith(destination)
diff --git a/rhodecode/tests/integrations/test_integration.py b/rhodecode/tests/integrations/test_integration.py
--- a/rhodecode/tests/integrations/test_integration.py
+++ b/rhodecode/tests/integrations/test_integration.py
@@ -18,61 +18,175 @@
 # RhodeCode Enterprise Edition, including its added features, Support services,
 # and proprietary license terms, please see https://rhodecode.com/licenses/
 
+import time
 import pytest
-import requests
-from mock import Mock, patch
 
 from rhodecode import events
+from rhodecode.tests.fixture import Fixture
 from rhodecode.model.db import Session, Integration
 from rhodecode.model.integration import IntegrationModel
 from rhodecode.integrations.types.base import IntegrationTypeBase
 
 
-class TestIntegrationType(IntegrationTypeBase):
-    """ Test integration type class """
-
-    key = 'test-integration'
-    display_name = 'Test integration type'
+class TestDeleteScopesDeletesIntegrations(object):
+    def test_delete_repo_with_integration_deletes_integration(self,
+        repo_integration_stub):
+        Session().delete(repo_integration_stub.repo)
+        Session().commit()
+        Session().expire_all()
+        integration = Integration.get(repo_integration_stub.integration_id)
+        assert integration is None
 
-    def __init__(self, settings):
-        super(IntegrationTypeBase, self).__init__(settings)
-        self.sent_events = [] # for testing
 
-    def send_event(self, event):
-        self.sent_events.append(event)
+    def test_delete_repo_group_with_integration_deletes_integration(self,
+        repogroup_integration_stub):
+        Session().delete(repogroup_integration_stub.repo_group)
+        Session().commit()
+        Session().expire_all()
+        integration = Integration.get(repogroup_integration_stub.integration_id)
+        assert integration is None
 
 
 @pytest.fixture
-def repo_integration_stub(request, repo_stub):
-    settings = {'test_key': 'test_value'}
-    integration = IntegrationModel().create(
-        TestIntegrationType, settings=settings, repo=repo_stub, enabled=True,
-        name='test repo integration')
+def integration_repos(request, StubIntegrationType, stub_integration_settings):
+    """
+    Create repositories and integrations for testing, and destroy them after
+    """
+    fixture = Fixture()
+
+    repo_group_1_id = 'int_test_repo_group_1_%s' % time.time()
+    repo_group_1 = fixture.create_repo_group(repo_group_1_id)
+    repo_group_2_id = 'int_test_repo_group_2_%s' % time.time()
+    repo_group_2 = fixture.create_repo_group(repo_group_2_id)
+
+    repo_1_id = 'int_test_repo_1_%s' % time.time()
+    repo_1 = fixture.create_repo(repo_1_id, repo_group=repo_group_1)
+    repo_2_id = 'int_test_repo_2_%s' % time.time()
+    repo_2 = fixture.create_repo(repo_2_id, repo_group=repo_group_2)
+
+    root_repo_id = 'int_test_repo_root_%s' % time.time()
+    root_repo = fixture.create_repo(root_repo_id)
 
-    @request.addfinalizer
-    def cleanup():
-        IntegrationModel().delete(integration)
+    integration_global = IntegrationModel().create(
+        StubIntegrationType, settings=stub_integration_settings,
+        enabled=True, name='test global integration', scope='global')
+    integration_root_repos = IntegrationModel().create(
+        StubIntegrationType, settings=stub_integration_settings,
+        enabled=True, name='test root repos integration', scope='root_repos')
+    integration_repo_1 = IntegrationModel().create(
+        StubIntegrationType, settings=stub_integration_settings,
+        enabled=True, name='test repo 1 integration', scope=repo_1)
+    integration_repo_group_1 = IntegrationModel().create(
+        StubIntegrationType, settings=stub_integration_settings,
+        enabled=True, name='test repo group 1 integration', scope=repo_group_1)
+    integration_repo_2 = IntegrationModel().create(
+        StubIntegrationType, settings=stub_integration_settings,
+        enabled=True, name='test repo 2 integration', scope=repo_2)
+    integration_repo_group_2 = IntegrationModel().create(
+        StubIntegrationType, settings=stub_integration_settings,
+        enabled=True, name='test repo group 2 integration', scope=repo_group_2)
+
+    Session().commit()
 
-    return integration
+    def _cleanup():
+        Session().delete(integration_global)
+        Session().delete(integration_root_repos)
+        Session().delete(integration_repo_1)
+        Session().delete(integration_repo_group_1)
+        Session().delete(integration_repo_2)
+        Session().delete(integration_repo_group_2)
+        fixture.destroy_repo(root_repo)
+        fixture.destroy_repo(repo_1)
+        fixture.destroy_repo(repo_2)
+        fixture.destroy_repo_group(repo_group_1)
+        fixture.destroy_repo_group(repo_group_2)
+
+    request.addfinalizer(_cleanup)
+
+    return {
+        'repos': {
+            'repo_1': repo_1,
+            'repo_2': repo_2,
+            'root_repo': root_repo,
+        },
+        'repo_groups': {
+            'repo_group_1': repo_group_1,
+            'repo_group_2': repo_group_2,
+        },
+        'integrations': {
+            'global': integration_global,
+            'root_repos': integration_root_repos,
+            'repo_1': integration_repo_1,
+            'repo_2': integration_repo_2,
+            'repo_group_1': integration_repo_group_1,
+            'repo_group_2': integration_repo_group_2,
+        }
+    }
 
 
-@pytest.fixture
-def global_integration_stub(request):
-    settings = {'test_key': 'test_value'}
-    integration = IntegrationModel().create(
-        TestIntegrationType, settings=settings, enabled=True,
-        name='test global integration')
+def test_enabled_integration_repo_scopes(integration_repos):
+    integrations = integration_repos['integrations']
+    repos = integration_repos['repos']
+
+    triggered_integrations = IntegrationModel().get_for_event(
+        events.RepoEvent(repos['root_repo']))
+
+    assert triggered_integrations == [
+        integrations['global'],
+        integrations['root_repos']
+    ]
+
+
+    triggered_integrations = IntegrationModel().get_for_event(
+        events.RepoEvent(repos['repo_1']))
 
-    @request.addfinalizer
-    def cleanup():
-        IntegrationModel().delete(integration)
+    assert triggered_integrations == [
+        integrations['global'],
+        integrations['repo_1'],
+        integrations['repo_group_1']
+    ]
+
 
-    return integration
+    triggered_integrations = IntegrationModel().get_for_event(
+        events.RepoEvent(repos['repo_2']))
+
+    assert triggered_integrations == [
+        integrations['global'],
+        integrations['repo_2'],
+        integrations['repo_group_2'],
+    ]
 
 
-def test_delete_repo_with_integration_deletes_integration(repo_integration_stub):
-    Session().delete(repo_integration_stub.repo)
+def test_disabled_integration_repo_scopes(integration_repos):
+    integrations = integration_repos['integrations']
+    repos = integration_repos['repos']
+
+    for integration in integrations.values():
+        integration.enabled = False
     Session().commit()
-    Session().expire_all()
-    assert Integration.get(repo_integration_stub.integration_id) is None
+
+    triggered_integrations = IntegrationModel().get_for_event(
+        events.RepoEvent(repos['root_repo']))
+
+    assert triggered_integrations == []
+
+
+    triggered_integrations = IntegrationModel().get_for_event(
+        events.RepoEvent(repos['repo_1']))
+
+    assert triggered_integrations == []
+
 
+    triggered_integrations = IntegrationModel().get_for_event(
+        events.RepoEvent(repos['repo_2']))
+
+    assert triggered_integrations == []
+
+
+def test_enabled_non_repo_integrations(integration_repos):
+    integrations = integration_repos['integrations']
+
+    triggered_integrations = IntegrationModel().get_for_event(
+        events.UserPreCreate({}))
+
+    assert triggered_integrations == [integrations['global']]
diff --git a/rhodecode/tests/models/schemas/test_integration_schema.py b/rhodecode/tests/models/schemas/test_integration_schema.py
new file mode 100644
--- /dev/null
+++ b/rhodecode/tests/models/schemas/test_integration_schema.py
@@ -0,0 +1,120 @@
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2016-2016  RhodeCode GmbH
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License, version 3
+# (only), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+# This program is dual-licensed. If you wish to learn more about the
+# RhodeCode Enterprise Edition, including its added features, Support services,
+# and proprietary license terms, please see https://rhodecode.com/licenses/
+
+import colander
+import pytest
+
+from rhodecode.model import validation_schema
+
+from rhodecode.integrations import integration_type_registry
+from rhodecode.integrations.types.base import IntegrationTypeBase
+from rhodecode.model.validation_schema.schemas.integration_schema import (
+    make_integration_schema
+)
+
+
+@pytest.mark.usefixtures('app', 'autologin_user')
+class TestIntegrationSchema(object):
+
+    def test_deserialize_integration_schema_perms(self, backend_random,
+                                                  test_repo_group,
+                                                  StubIntegrationType):
+
+        repo = backend_random.repo
+        repo_group = test_repo_group
+
+
+        empty_perms_dict = {
+            'global': [],
+            'repositories': {},
+            'repositories_groups': {},
+        }
+
+        perms_tests = {
+            ('repo:%s' % repo.repo_name, repo): [
+                ({},  False),
+                ({'global': ['hg.admin']},  True),
+                ({'global': []},  False),
+                ({'repositories': {repo.repo_name: 'repository.admin'}}, True),
+                ({'repositories': {repo.repo_name: 'repository.read'}}, False),
+                ({'repositories': {repo.repo_name: 'repository.write'}}, False),
+                ({'repositories': {repo.repo_name: 'repository.none'}}, False),
+            ],
+            ('repogroup:%s' % repo_group.group_name, repo_group): [
+                ({},  False),
+                ({'global': ['hg.admin']},  True),
+                ({'global': []},  False),
+                ({'repositories_groups':
+                    {repo_group.group_name: 'group.admin'}}, True),
+                ({'repositories_groups':
+                    {repo_group.group_name: 'group.read'}}, False),
+                ({'repositories_groups':
+                    {repo_group.group_name: 'group.write'}}, False),
+                ({'repositories_groups':
+                    {repo_group.group_name: 'group.none'}}, False),
+            ],
+            ('global', 'global'): [
+                ({},  False),
+                ({'global': ['hg.admin']},  True),
+                ({'global': []},  False),
+            ],
+            ('root_repos', 'root_repos'): [
+                ({},  False),
+                ({'global': ['hg.admin']},  True),
+                ({'global': []},  False),
+            ],
+        }
+
+        for (scope_input, scope_output), perms_allowed in perms_tests.items():
+            for perms_update, allowed in perms_allowed:
+                perms = dict(empty_perms_dict, **perms_update)
+
+                schema = make_integration_schema(
+                    IntegrationType=StubIntegrationType
+                ).bind(permissions=perms)
+
+                input_data = {
+                    'options': {
+                        'enabled': 'true',
+                        'scope': scope_input,
+                        'name': 'test integration',
+                    },
+                    'settings': {
+                        'test_string_field': 'stringy',
+                        'test_int_field': '100',
+                    }
+                }
+
+                if not allowed:
+                    with pytest.raises(colander.Invalid):
+                        schema.deserialize(input_data)
+                else:
+                    assert schema.deserialize(input_data) == {
+                        'options': {
+                            'enabled': True,
+                            'scope': scope_output,
+                            'name': 'test integration',
+                        },
+                        'settings': {
+                            'test_string_field': 'stringy',
+                            'test_int_field': 100,
+                        }
+                    }
+
diff --git a/rhodecode/tests/plugin.py b/rhodecode/tests/plugin.py
--- a/rhodecode/tests/plugin.py
+++ b/rhodecode/tests/plugin.py
@@ -33,6 +33,7 @@ import uuid
 import mock
 import pyramid.testing
 import pytest
+import colander
 import requests
 from webtest.app import TestApp
 
@@ -41,7 +42,7 @@ from rhodecode.model.changeset_status im
 from rhodecode.model.comment import ChangesetCommentsModel
 from rhodecode.model.db import (
     PullRequest, Repository, RhodeCodeSetting, ChangesetStatus, RepoGroup,
-    UserGroup, RepoRhodeCodeUi, RepoRhodeCodeSetting, RhodeCodeUi)
+    UserGroup, RepoRhodeCodeUi, RepoRhodeCodeSetting, RhodeCodeUi, Integration)
 from rhodecode.model.meta import Session
 from rhodecode.model.pull_request import PullRequestModel
 from rhodecode.model.repo import RepoModel
@@ -49,6 +50,9 @@ from rhodecode.model.repo_group import R
 from rhodecode.model.user import UserModel
 from rhodecode.model.settings import VcsSettingsModel
 from rhodecode.model.user_group import UserGroupModel
+from rhodecode.model.integration import IntegrationModel
+from rhodecode.integrations import integration_type_registry
+from rhodecode.integrations.types.base import IntegrationTypeBase
 from rhodecode.lib.utils import repo2db_mapper
 from rhodecode.lib.vcs import create_vcsserver_proxy
 from rhodecode.lib.vcs.backends import get_backend
@@ -1636,3 +1640,101 @@ def config_stub(request, request_stub):
         pyramid.testing.tearDown()
 
     return config
+
+
+@pytest.fixture
+def StubIntegrationType():
+    class _StubIntegrationType(IntegrationTypeBase):
+        """ Test integration type class """
+
+        key = 'test'
+        display_name = 'Test integration type'
+        description = 'A test integration type for testing'
+        icon = 'test_icon_html_image'
+
+        def __init__(self, settings):
+            super(_StubIntegrationType, self).__init__(settings)
+            self.sent_events = [] # for testing
+
+        def send_event(self, event):
+            self.sent_events.append(event)
+
+        def settings_schema(self):
+            class SettingsSchema(colander.Schema):
+                test_string_field = colander.SchemaNode(
+                    colander.String(),
+                    missing=colander.required,
+                    title='test string field',
+                )
+                test_int_field = colander.SchemaNode(
+                    colander.Int(),
+                    title='some integer setting',
+                )
+            return SettingsSchema()
+
+
+    integration_type_registry.register_integration_type(_StubIntegrationType)
+    return _StubIntegrationType
+
+@pytest.fixture
+def stub_integration_settings():
+    return {
+        'test_string_field': 'some data',
+        'test_int_field': 100,
+    }
+
+
+@pytest.fixture
+def repo_integration_stub(request, repo_stub, StubIntegrationType,
+        stub_integration_settings):
+    integration = IntegrationModel().create(
+        StubIntegrationType, settings=stub_integration_settings, enabled=True,
+        name='test repo integration', scope=repo_stub)
+
+    @request.addfinalizer
+    def cleanup():
+        IntegrationModel().delete(integration)
+
+    return integration
+
+
+@pytest.fixture
+def repogroup_integration_stub(request, test_repo_group, StubIntegrationType,
+    stub_integration_settings):
+    integration = IntegrationModel().create(
+        StubIntegrationType, settings=stub_integration_settings, enabled=True,
+        name='test repogroup integration', scope=test_repo_group)
+
+    @request.addfinalizer
+    def cleanup():
+        IntegrationModel().delete(integration)
+
+    return integration
+
+
+@pytest.fixture
+def global_integration_stub(request, StubIntegrationType,
+    stub_integration_settings):
+    integration = IntegrationModel().create(
+        StubIntegrationType, settings=stub_integration_settings, enabled=True,
+        name='test global integration', scope='global')
+
+    @request.addfinalizer
+    def cleanup():
+        IntegrationModel().delete(integration)
+
+    return integration
+
+
+@pytest.fixture
+def root_repos_integration_stub(request, StubIntegrationType,
+    stub_integration_settings):
+    integration = IntegrationModel().create(
+        StubIntegrationType, settings=stub_integration_settings, enabled=True,
+        name='test global integration', scope='root_repos')
+
+    @request.addfinalizer
+    def cleanup():
+        IntegrationModel().delete(integration)
+
+    return integration