# HG changeset patch
# User Marcin Kuzminski <marcin@rhodecode.com>
# Date 2017-02-27 16:15:55
# Node ID a9c54e36f3a73a43c976f99b44416ebc658cfa5b
# Parent  7da2c02476d17d53fd969941976d795a5d15d6fe

auth-tokens: add scope and show consitent token UI for my account and admin.

diff --git a/rhodecode/model/auth_token.py b/rhodecode/model/auth_token.py
--- a/rhodecode/model/auth_token.py
+++ b/rhodecode/model/auth_token.py
@@ -53,7 +53,8 @@ class AuthTokenModel(BaseModel):
         new_auth_token.user_id = user.user_id
         new_auth_token.description = description
         new_auth_token.role = role
-        new_auth_token.expires = time.time() + (lifetime * 60) if lifetime != -1 else -1
+        new_auth_token.expires = time.time() + (lifetime * 60) \
+            if lifetime != -1 else -1
         Session().add(new_auth_token)
 
         return new_auth_token
diff --git a/rhodecode/model/db.py b/rhodecode/model/db.py
--- a/rhodecode/model/db.py
+++ b/rhodecode/model/db.py
@@ -974,6 +974,17 @@ class UserApiKeys(Base, BaseModel):
     def role_humanized(self):
         return self._get_role_name(self.role)
 
+    def _get_scope(self):
+        if self.repo:
+            return repr(self.repo)
+        if self.repo_group:
+            return repr(self.repo_group) + ' (recursive)'
+        return 'global'
+
+    @property
+    def scope_humanized(self):
+        return self._get_scope()
+
 
 class UserEmailMap(Base, BaseModel):
     __tablename__ = 'user_email_map'
@@ -1038,6 +1049,7 @@ class UserIpMap(Base, BaseModel):
         return u"<%s('user_id:%s=>%s')>" % (self.__class__.__name__,
                                             self.user_id, self.ip_addr)
 
+
 class UserLog(Base, BaseModel):
     __tablename__ = 'user_logs'
     __table_args__ = (
diff --git a/rhodecode/templates/admin/my_account/my_account_auth_tokens.mako b/rhodecode/templates/admin/my_account/my_account_auth_tokens.mako
--- a/rhodecode/templates/admin/my_account/my_account_auth_tokens.mako
+++ b/rhodecode/templates/admin/my_account/my_account_auth_tokens.mako
@@ -4,25 +4,40 @@
   </div>
   <div class="panel-body">
       <p>
-         ${_('Each token can have a role. VCS tokens can be used together with the authtoken auth plugin for git/hg/svn operations.')}
+         ${_('Each token can have a role. Token with a role can be used only in given context, '
+         'e.g. VCS tokens can be used together with the authtoken auth plugin for git/hg/svn operations only.')}
+          ${_('Additionally scope for VCS type token can narrow the use to chosen repository.')}
       </p>
       <table class="rctable auth_tokens">
         %if c.user_auth_tokens:
+            <tr>
+                <th>${_('Token')}</th>
+                <th>${_('Scope')}</th>
+                <th>${_('Description')}</th>
+                <th>${_('Role')}</th>
+                <th>${_('Expiration')}</th>
+                <th>${_('Action')}</th>
+            </tr>
             %for auth_token in c.user_auth_tokens:
               <tr class="${'expired' if auth_token.expired else ''}">
-                <td class="truncate-wrap td-authtoken"><div class="user_auth_tokens truncate autoexpand"><code>${auth_token.api_key}</code></div></td>
+                <td class="truncate-wrap td-authtoken">
+                    <div class="user_auth_tokens truncate autoexpand">
+                    <code>${auth_token.api_key}</code>
+                    </div>
+                </td>
+                <td class="td">${auth_token.scope_humanized}</td>
                 <td class="td-wrap">${auth_token.description}</td>
                 <td class="td-tags">
                     <span class="tag disabled">${auth_token.role_humanized}</span>
                 </td>
                 <td class="td-exp">
                      %if auth_token.expires == -1:
-                      ${_('expires')}: ${_('never')}
+                      ${_('never')}
                      %else:
                         %if auth_token.expired:
-                            ${_('expired')}: ${h.age_component(h.time_to_utcdatetime(auth_token.expires))}
+                            <span style="text-decoration: line-through">${h.age_component(h.time_to_utcdatetime(auth_token.expires))}</span>
                         %else:
-                            ${_('expires')}: ${h.age_component(h.time_to_utcdatetime(auth_token.expires))}
+                            ${h.age_component(h.time_to_utcdatetime(auth_token.expires))}
                         %endif
                      %endif
                 </td>
diff --git a/rhodecode/templates/admin/users/user_edit_auth_tokens.mako b/rhodecode/templates/admin/users/user_edit_auth_tokens.mako
--- a/rhodecode/templates/admin/users/user_edit_auth_tokens.mako
+++ b/rhodecode/templates/admin/users/user_edit_auth_tokens.mako
@@ -4,23 +4,37 @@
     </div>
     <div class="panel-body">
         <div class="apikeys_wrap">
+          <p>
+             ${_('Each token can have a role. Token with a role can be used only in given context, '
+             'e.g. VCS tokens can be used together with the authtoken auth plugin for git/hg/svn operations only.')}
+              ${_('Additionally scope for VCS type token can narrow the use to chosen repository.')}
+          </p>
           <table class="rctable auth_tokens">
+            <tr>
+                <th>${_('Token')}</th>
+                <th>${_('Scope')}</th>
+                <th>${_('Description')}</th>
+                <th>${_('Role')}</th>
+                <th>${_('Expiration')}</th>
+                <th>${_('Action')}</th>
+            </tr>
             %if c.user_auth_tokens:
                 %for auth_token in c.user_auth_tokens:
                   <tr class="${'expired' if auth_token.expired else ''}">
                     <td class="truncate-wrap td-authtoken"><div class="user_auth_tokens truncate autoexpand"><code>${auth_token.api_key}</code></div></td>
+                    <td class="td">${auth_token.scope_humanized}</td>
                     <td class="td-wrap">${auth_token.description}</td>
                     <td class="td-tags">
                         <span class="tag">${auth_token.role_humanized}</span>
                     </td>
                     <td class="td-exp">
                          %if auth_token.expires == -1:
-                          ${_('expires')}: ${_('never')}
+                          ${_('never')}
                          %else:
                             %if auth_token.expired:
-                                ${_('expired')}: ${h.age_component(h.time_to_utcdatetime(auth_token.expires))}
+                                <span style="text-decoration: line-through">${h.age_component(h.time_to_utcdatetime(auth_token.expires))}</span>
                             %else:
-                                ${_('expires')}: ${h.age_component(h.time_to_utcdatetime(auth_token.expires))}
+                                ${h.age_component(h.time_to_utcdatetime(auth_token.expires))}
                             %endif
                          %endif
                     </td>
@@ -48,7 +62,7 @@
                 <div class="fields">
                      <div class="field">
                         <div class="label">
-                            <label for="new_email">${_('New auth token')}:</label>
+                            <label for="new_email">${_('New authentication token')}:</label>
                         </div>
                         <div class="input">
                             ${h.text('description', class_='medium', placeholder=_('Description'))}