# HG changeset patch # User Marcin Kuzminski # Date 2017-08-27 17:30:42 # Node ID adc2d1ca2a5b20da47f1e37911fa52712f016a33 # Parent 4ebc0a2c4a793c667aeb6b9a6a14a9544bef6e9b auth: expose a option to calculate how we end up having super-admin permission. This is now used only for visual display. The old way is still faster for permissions calculation. - the extended way will be used in permission summary showing a much more detailed permission summary for super-admins. diff --git a/rhodecode/lib/auth.py b/rhodecode/lib/auth.py --- a/rhodecode/lib/auth.py +++ b/rhodecode/lib/auth.py @@ -296,16 +296,17 @@ class CookieStoreWrapper(object): def _cached_perms_data(user_id, scope, user_is_admin, - user_inherit_default_permissions, explicit, algo): + user_inherit_default_permissions, explicit, algo, + calculate_super_admin): permissions = PermissionCalculator( user_id, scope, user_is_admin, user_inherit_default_permissions, - explicit, algo) + explicit, algo, calculate_super_admin) return permissions.calculate() class PermOrigin(object): - ADMIN = 'superadmin' + SUPER_ADMIN = 'superadmin' REPO_USER = 'user:%s' REPO_USERGROUP = 'usergroup:%s' @@ -359,12 +360,15 @@ class PermissionCalculator(object): def __init__( self, user_id, scope, user_is_admin, - user_inherit_default_permissions, explicit, algo): + user_inherit_default_permissions, explicit, algo, + calculate_super_admin=False): + self.user_id = user_id self.user_is_admin = user_is_admin self.inherit_default_permissions = user_inherit_default_permissions self.explicit = explicit self.algo = algo + self.calculate_super_admin = calculate_super_admin scope = scope or {} self.scope_repo_id = scope.get('repo_id') @@ -387,7 +391,7 @@ class PermissionCalculator(object): self.default_user_id, self.scope_user_group_id) def calculate(self): - if self.user_is_admin: + if self.user_is_admin and not self.calculate_super_admin: return self._admin_permissions() self._calculate_global_default_permissions() 
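Review bot: `_cached_perms_data` takes `calculate_super_admin` as a required positional argument in this hunk, while `PermissionCalculator.__init__` in the next hunk defaults it to `False`, so any caller that still passes six arguments will raise a TypeError. Giving it the same default keeps the two signatures consistent: `explicit, algo, calculate_super_admin=False):`. The rename of `PermOrigin.ADMIN` to `SUPER_ADMIN` raises the same compatibility question, since only the three uses in `_admin_permissions` are updated on this page. If other modules may still reference the old name, keeping `ADMIN = SUPER_ADMIN` as an alias avoids an AttributeError at the point where permissions are evaluated.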
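Review bot: The early return in `calculate()` is the only thing separating the fast path from the extended path, and nothing in the code records which one is meant for access decisions. With `calculate_super_admin` set, an administrator's result is no longer built by `_admin_permissions()` but by the per-object overrides added in the `_calculate_*` methods, so a branch that misses the override would report less than the user actually holds. A comment above the check would state the contract given in the commit message, for example `# extended calculation is for the permission summary only; access checks use the fast path`. The body of `calculate()` continues outside the hunk.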
@@ -410,19 +414,19 @@ class PermissionCalculator(object): for perm in self.default_repo_perms: r_k = perm.UserRepoToPerm.repository.repo_name p = 'repository.admin' - self.permissions_repositories[r_k] = p, PermOrigin.ADMIN + self.permissions_repositories[r_k] = p, PermOrigin.SUPER_ADMIN # repository groups for perm in self.default_repo_groups_perms: rg_k = perm.UserRepoGroupToPerm.group.group_name p = 'group.admin' - self.permissions_repository_groups[rg_k] = p, PermOrigin.ADMIN + self.permissions_repository_groups[rg_k] = p, PermOrigin.SUPER_ADMIN # user groups for perm in self.default_user_group_perms: u_k = perm.UserUserGroupToPerm.user_group.users_group_name p = 'usergroup.admin' - self.permissions_user_groups[u_k] = p, PermOrigin.ADMIN + self.permissions_user_groups[u_k] = p, PermOrigin.SUPER_ADMIN return self._permission_structure() @@ -437,6 +441,10 @@ class PermissionCalculator(object): for perm in default_global_perms: self.permissions_global.add(perm.permission.permission_name) + if self.user_is_admin: + self.permissions_global.add('hg.admin') + self.permissions_global.add('hg.create.write_on_repogroup.true') + def _calculate_global_permissions(self): """ Set global system permissions with user permissions or permissions @@ -558,6 +566,11 @@ class PermissionCalculator(object): o = PermOrigin.REPO_OWNER self.permissions_repositories[r_k] = p, o + if self.user_is_admin: + p = 'repository.admin' + o = PermOrigin.SUPER_ADMIN + self.permissions_repositories[r_k] = p, o + # defaults for repository groups taken from `default` user permission # on given group for perm in self.default_repo_groups_perms: 
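Review bot: The five-line super-admin override added in the hunk at old line 558 is repeated in eight more hunks (old lines 579, 600, 634, 656, 688, 710, 740 and 762), differing only in the target dict, the key and the permission string. Each copy has to sit after the last assignment for that key, so a future branch that forgets it would silently show a lower permission for an administrator. A small private helper keeps that rule in one place and reduces each call site to a single statement. The surrounding loops start outside these hunks and their indentation is not recoverable from this page, so placement inside the loop body is assumed.

```python
def _apply_super_admin(self, target, key, admin_perm):
    # a super-admin always ends up with the admin permission, whatever
    # the default/group/explicit calculation produced for this object
    if self.user_is_admin:
        target[key] = admin_perm, PermOrigin.SUPER_ADMIN

# … unchanged: owner check for r_k …
self._apply_super_admin(
    self.permissions_repositories, r_k, 'repository.admin')
```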
@@ -579,6 +592,11 @@ class PermissionCalculator(object): o = PermOrigin.REPOGROUP_OWNER self.permissions_repository_groups[rg_k] = p, o + if self.user_is_admin: + p = 'group.admin' + o = PermOrigin.SUPER_ADMIN + self.permissions_repository_groups[rg_k] = p, o + # defaults for user groups taken from `default` user permission # on given user group for perm in self.default_user_group_perms: @@ -600,6 +618,11 @@ class PermissionCalculator(object): o = PermOrigin.USERGROUP_OWNER self.permissions_user_groups[u_k] = p, o + if self.user_is_admin: + p = 'usergroup.admin' + o = PermOrigin.SUPER_ADMIN + self.permissions_user_groups[u_k] = p, o + def _calculate_repository_permissions(self): """ Repository permissions for the current user. @@ -634,6 +657,11 @@ class PermissionCalculator(object): o = PermOrigin.REPO_OWNER self.permissions_repositories[r_k] = p, o + if self.user_is_admin: + p = 'repository.admin' + o = PermOrigin.SUPER_ADMIN + self.permissions_repositories[r_k] = p, o + # user explicit permissions for repositories, overrides any specified # by the group permission user_repo_perms = Permission.get_default_repo_perms( @@ -656,6 +684,11 @@ class PermissionCalculator(object): o = PermOrigin.REPO_OWNER self.permissions_repositories[r_k] = p, o + if self.user_is_admin: + p = 'repository.admin' + o = PermOrigin.SUPER_ADMIN + self.permissions_repositories[r_k] = p, o + def _calculate_repository_group_permissions(self): """ Repository group permissions for the current user. @@ -688,6 +721,11 @@ class PermissionCalculator(object): o = PermOrigin.REPOGROUP_OWNER self.permissions_repository_groups[rg_k] = p, o + if self.user_is_admin: + p = 'group.admin' + o = PermOrigin.SUPER_ADMIN + self.permissions_repository_groups[rg_k] = p, o + # user explicit permissions for repository groups user_repo_groups_perms = Permission.get_default_group_perms( self.user_id, self.scope_repo_group_id) 
@@ -710,6 +748,11 @@ class PermissionCalculator(object): o = PermOrigin.REPOGROUP_OWNER self.permissions_repository_groups[rg_k] = p, o + if self.user_is_admin: + p = 'group.admin' + o = PermOrigin.SUPER_ADMIN + self.permissions_repository_groups[rg_k] = p, o + def _calculate_user_group_permissions(self): """ User group permissions for the current user. @@ -740,6 +783,11 @@ class PermissionCalculator(object): o = PermOrigin.USERGROUP_OWNER self.permissions_user_groups[ug_k] = p, o + if self.user_is_admin: + p = 'usergroup.admin' + o = PermOrigin.SUPER_ADMIN + self.permissions_user_groups[ug_k] = p, o + # user explicit permission for user groups user_user_groups_perms = Permission.get_default_user_group_perms( self.user_id, self.scope_user_group_id) @@ -762,6 +810,11 @@ class PermissionCalculator(object): o = PermOrigin.USERGROUP_OWNER self.permissions_user_groups[ug_k] = p, o + if self.user_is_admin: + p = 'usergroup.admin' + o = PermOrigin.SUPER_ADMIN + self.permissions_user_groups[ug_k] = p, o + def _choose_permission(self, new_perm, cur_perm): new_perm_val = Permission.PERM_WEIGHTS[new_perm] cur_perm_val = Permission.PERM_WEIGHTS[cur_perm] @@ -874,6 +927,11 @@ class AuthUser(object): def permissions(self): return self.get_perms(user=self, cache=False) + @LazyProperty + def permissions_full_details(self): + return self.get_perms( + user=self, cache=False, calculate_super_admin=True) + def permissions_with_scope(self, scope): """ Call the get_perms function with scoped data. The scope in that function @@ -957,7 +1015,7 @@ class AuthUser(object): log.debug('AuthUser: propagated user is now %s', self) def get_perms(self, user, scope=None, explicit=True, algo='higherwin', - cache=False): + calculate_super_admin=False, cache=False): """ Fills user permission attribute with permissions taken from database works for permissions given for repositories, and for permissions that 
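Review bot: `permissions_full_details` has no docstring, and its name does not say that it exists for the permission summary only. It sits next to `permissions` as a second `LazyProperty`, so a later caller could pick it for an access decision and depend on the slower extended calculation. A docstring would state the intent, for example `"""Permissions from the extended super-admin calculation, for the permission summary; access checks should read permissions instead."""`. The class body continues outside the hunk.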
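Review bot: Inserting `calculate_super_admin=False` before `cache=False` changes the positional order of `get_perms`, so a caller that passes `cache` as the fifth positional argument now sets `calculate_super_admin` instead and runs uncached. Appending the new keyword keeps existing calls intact: `cache=False, calculate_super_admin=False):`. The docstring that starts in this hunk continues outside it, and the visible part does not mention the new parameter. When `cache=True` is combined with the flag, the cached entry also has to be keyed on it; whether `caches.conditional_cache` in the following hunk derives its key from all call arguments is not visible on this page.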
@@ -984,7 +1042,8 @@ class AuthUser(object): 'short_term', 'cache_desc', condition=cache, func=_cached_perms_data) result = compute(user_id, scope, user_is_admin, - user_inherit_default_permissions, explicit, algo) + user_inherit_default_permissions, explicit, algo, + calculate_super_admin) result_repr = [] for k in result: diff --git a/rhodecode/templates/admin/my_account/my_account_perms.mako b/rhodecode/templates/admin/my_account/my_account_perms.mako --- a/rhodecode/templates/admin/my_account/my_account_perms.mako +++ b/rhodecode/templates/admin/my_account/my_account_perms.mako @@ -1,5 +1,5 @@ ## permissions overview
<%namespace name="p" file="/base/perms_summary.mako"/>
-${p.perms_summary(c.perm_user.permissions, actions=False)}
+${p.perms_summary(c.perm_user.permissions_full_details, actions=False)}
diff --git a/rhodecode/templates/admin/permissions/permissions_perms.mako b/rhodecode/templates/admin/permissions/permissions_perms.mako --- a/rhodecode/templates/admin/permissions/permissions_perms.mako +++ b/rhodecode/templates/admin/permissions/permissions_perms.mako @@ -2,4 +2,4 @@ ## permissions overview <%namespace name="p" file="/base/perms_summary.mako"/> -${p.perms_summary(c.perm_user.permissions, show_all=True)} +${p.perms_summary(c.perm_user.permissions_full_details, show_all=True)} diff --git a/rhodecode/templates/admin/users/user_edit_perms_summary.mako b/rhodecode/templates/admin/users/user_edit_perms_summary.mako --- a/rhodecode/templates/admin/users/user_edit_perms_summary.mako +++ b/rhodecode/templates/admin/users/user_edit_perms_summary.mako @@ -1,3 +1,3 @@ ## permissions overview <%namespace name="p" file="/base/perms_summary.mako"/> -${p.perms_summary(c.perm_user.permissions, show_all=True, side_link=h.route_path('edit_user_perms_summary_json', user_id=c.user.user_id))} +${p.perms_summary(c.perm_user.permissions_full_details, show_all=True, side_link=h.route_path('edit_user_perms_summary_json', user_id=c.user.user_id))} diff --git a/rhodecode/tests/lib/test_auth.py b/rhodecode/tests/lib/test_auth.py --- a/rhodecode/tests/lib/test_auth.py +++ b/rhodecode/tests/lib/test_auth.py @@ -79,6 +79,14 @@ def test_cached_perms_data_with_admin_us assert permissions['repositories'][repo_name] == 'repository.admin' +def test_cached_perms_data_with_admin_user_extended_calculation(user_regular, backend_random): + permissions = get_permissions(user_regular, user_is_admin=True, + calculate_super_admin=True) + repo_name = backend_random.repo.repo_name + assert 'hg.admin' in permissions['global'] + assert permissions['repositories'][repo_name] == 'repository.admin' + + def test_cached_perms_data_user_group_global_permissions(user_util): user, user_group = user_util.create_user_with_group() user_group.inherit_default_permissions = False 
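Review bot: The new test pins only `hg.admin` and one repository, so the repository-group and user-group overrides and the second global permission added by this commit are not exercised. Adding `assert 'hg.create.write_on_repogroup.true' in permissions['global']` covers the other global entry. Comparing the extended result with the fast-path result for the same user would also catch a `_calculate_*` branch that misses the super-admin override. The fixtures needed for repository groups and user groups are outside this page.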
@@ -559,6 +567,7 @@ def get_permissions(user, **kwargs):
 'user_inherit_default_permissions': False,
 'explicit': False,
 'algo': 'higherwin',
+ 'calculate_super_admin': False,
 }
 call_args.update(kwargs)
 permissions = auth._cached_perms_data(**call_args)