rhodecode-enterprise-ce Commit - r102:1a9dcffb

authn: Fix form validation of authentication plugins....

johbo -

r102:1a9dcffb default

parent child

rhodecode/authentication/base.py

0 +1 -6

             # -*- coding: utf-8 -*-
             # Copyright (C) 2010-2016  RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             """
             Authentication modules
             """
             import logging
             import time
             import traceback
             from pyramid.threadlocal import get_current_registry
             from sqlalchemy.ext.hybrid import hybrid_property
             from rhodecode.authentication.interface import IAuthnPluginRegistry
             from rhodecode.authentication.schema import AuthnPluginSettingsSchemaBase
             from rhodecode.lib import caches
             from rhodecode.lib.auth import PasswordGenerator, _RhodeCodeCryptoBCrypt
             from rhodecode.lib.utils2 import md5_safe, safe_int
             from rhodecode.lib.utils2 import safe_str
             from rhodecode.model.db import User
             from rhodecode.model.meta import Session
             from rhodecode.model.settings import SettingsModel
             from rhodecode.model.user import UserModel
             from rhodecode.model.user_group import UserGroupModel
             log = logging.getLogger(__name__)
             # auth types that authenticate() function can receive
             VCS_TYPE = 'vcs'
             HTTP_TYPE = 'http'
             class LazyFormencode(object):
                 def __init__(self, formencode_obj, *args, **kwargs):
                     self.formencode_obj = formencode_obj
                     self.args = args
                     self.kwargs = kwargs
                 def __call__(self, *args, **kwargs):
                     from inspect import isfunction
                     formencode_obj = self.formencode_obj
                     if isfunction(formencode_obj):
                         # case we wrap validators into functions
                         formencode_obj = self.formencode_obj(*args, **kwargs)
                     return formencode_obj(*self.args, **self.kwargs)
             class RhodeCodeAuthPluginBase(object):
                 # cache the authentication request for N amount of seconds. Some kind
                 # of authentication methods are very heavy and it's very efficient to cache
                 # the result of a call. If it's set to None (default) cache is off
                 AUTH_CACHE_TTL = None
                 AUTH_CACHE = {}
                 auth_func_attrs = {
                     "username": "unique username",
                     "firstname": "first name",
                     "lastname": "last name",
                     "email": "email address",
                     "groups": '["list", "of", "groups"]',
                     "extern_name": "name in external source of record",
                     "extern_type": "type of external source of record",
                     "admin": 'True|False defines if user should be RhodeCode super admin',
                     "active":
                         'True|False defines active state of user internally for RhodeCode',
                     "active_from_extern":
                         "True|False\None, active state from the external auth, "
                         "None means use definition from RhodeCode extern_type active value"
                 }
                 # set on authenticate() method and via set_auth_type func.
                 auth_type = None
                 # List of setting names to store encrypted. Plugins may override this list
                 # to store settings encrypted.
                 _settings_encrypted = []
                 # Mapping of python to DB settings model types. Plugins may override or
                 # extend this mapping.
                 _settings_type_map = {
                     str: 'str',
                     int: 'int',
                     unicode: 'unicode',
                     bool: 'bool',
                     list: 'list',
                 }
                 def __init__(self, plugin_id):
                     self._plugin_id = plugin_id
                 def _get_setting_full_name(self, name):
                     """
                     Return the full setting name used for storing values in the database.
                     """
                     # TODO: johbo: Using the name here is problematic. It would be good to
                     # introduce either new models in the database to hold Plugin and
                     # PluginSetting or to use the plugin id here.
                     return 'auth_{}_{}'.format(self.name, name)
                 def _get_setting_type(self, name, value):
                     """
                     Get the type as used by the SettingsModel accordingly to type of passed
                     value. Optionally the suffix `.encrypted` is appended to instruct
                     SettingsModel to store it encrypted.
                     """
                     type_ = self._settings_type_map.get(type(value), 'unicode')
                     if name in self._settings_encrypted:
                         type_ = '{}.encrypted'.format(type_)
                     return type_
                 def is_enabled(self):
                     """
                     Returns true if this plugin is enabled. An enabled plugin can be
                     configured in the admin interface but it is not consulted during
                     authentication.
                     """
                     auth_plugins = SettingsModel().get_auth_plugins()
                     return self.get_id() in auth_plugins
                 def is_active(self):
                     """
                     Returns true if the plugin is activated. An activated plugin is
                     consulted during authentication, assumed it is also enabled.
                     """
                     return self.get_setting_by_name('enabled')
                 def get_id(self):
                     """
                     Returns the plugin id.
                     """
                     return self._plugin_id
                 def get_display_name(self):
                     """
                     Returns a translation string for displaying purposes.
                     """
                     raise NotImplementedError('Not implemented in base class')
                 def get_settings_schema(self):
                     """
                     Returns a colander schema, representing the plugin settings.
                     """
                     return AuthnPluginSettingsSchemaBase()
                 def get_setting_by_name(self, name):
                     """
                     Returns a plugin setting by name.
                     """
                     full_name = self._get_setting_full_name(name)
                     db_setting = SettingsModel().get_setting_by_name(full_name)
                     return db_setting.app_settings_value if db_setting else None
                 def create_or_update_setting(self, name, value):
                     """
                     Create or update a setting for this plugin in the persistent storage.
                     """
                     full_name = self._get_setting_full_name(name)
                     type_ = self._get_setting_type(name, value)
                     db_setting = SettingsModel().create_or_update_setting(
                         full_name, value, type_)
                     return db_setting.app_settings_value
                 def get_settings(self):
                     """
                     Returns the plugin settings as dictionary.
                     """
                     settings = {}
                     for node in self.get_settings_schema():
                         settings[node.name] = self.get_setting_by_name(node.name)
                     return settings
                 @property
                 def validators(self):
                     """
                     Exposes RhodeCode validators modules
                     """
                     # this is a hack to overcome issues with pylons threadlocals and
                     # translator object _() not beein registered properly.
                     class LazyCaller(object):
                         def __init__(self, name):
                             self.validator_name = name
                         def __call__(self, *args, **kwargs):
                             from rhodecode.model import validators as v
                             obj = getattr(v, self.validator_name)
                             # log.debug('Initializing lazy formencode object: %s', obj)
                             return LazyFormencode(obj, *args, **kwargs)
                     class ProxyGet(object):
                         def __getattribute__(self, name):
                             return LazyCaller(name)
                     return ProxyGet()
                 @hybrid_property
                 def name(self):
                     """
                     Returns the name of this authentication plugin.
                     :returns: string
                     """
                     raise NotImplementedError("Not implemented in base class")
                 @hybrid_property
                 def is_container_auth(self):
                     """
                     Returns bool if this module uses container auth.
                     This property will trigger an automatic call to authenticate on
                     a visit to the website or during a push/pull.
                     :returns: bool
                     """
                     return False
                 @hybrid_property
                 def allows_creating_users(self):
                     """
                     Defines if Plugin allows users to be created on-the-fly when
                     authentication is called. Controls how external plugins should behave
                     in terms if they are allowed to create new users, or not. Base plugins
                     should not be allowed to, but External ones should be !
                     :return: bool
                     """
                     return False
                 def set_auth_type(self, auth_type):
                     self.auth_type = auth_type
                 def allows_authentication_from(
                         self, user, allows_non_existing_user=True,
                         allowed_auth_plugins=None, allowed_auth_sources=None):
                     """
                     Checks if this authentication module should accept a request for
                     the current user.
                     :param user: user object fetched using plugin's get_user() method.
                     :param allows_non_existing_user: if True, don't allow the
                         user to be empty, meaning not existing in our database
                     :param allowed_auth_plugins: if provided, users extern_type will be
                         checked against a list of provided extern types, which are plugin
                         auth_names in the end
                     :param allowed_auth_sources: authentication type allowed,
                         `http` or `vcs` default is both.
                         defines if plugin will accept only http authentication vcs
                         authentication(git/hg) or both
                     :returns: boolean
                     """
                     if not user and not allows_non_existing_user:
                         log.debug('User is empty but plugin does not allow empty users,'
                                   'not allowed to authenticate')
                         return False
                     expected_auth_plugins = allowed_auth_plugins or [self.name]
                     if user and (user.extern_type and
                                  user.extern_type not in expected_auth_plugins):
                         log.debug(
                             'User `%s` is bound to `%s` auth type. Plugin allows only '
                             '%s, skipping', user, user.extern_type, expected_auth_plugins)
                         return False
                     # by default accept both
                     expected_auth_from = allowed_auth_sources or [HTTP_TYPE, VCS_TYPE]
                     if self.auth_type not in expected_auth_from:
                         log.debug('Current auth source is %s but plugin only allows %s',
                                   self.auth_type, expected_auth_from)
                         return False
                     return True
                 def get_user(self, username=None, **kwargs):
                     """
                     Helper method for user fetching in plugins, by default it's using
                     simple fetch by username, but this method can be custimized in plugins
                     eg. container auth plugin to fetch user by environ params
                     :param username: username if given to fetch from database
                     :param kwargs: extra arguments needed for user fetching.
                     """
                     user = None
                     log.debug(
                         'Trying to fetch user `%s` from RhodeCode database', username)
                     if username:
                         user = User.get_by_username(username)
                         if not user:
                             log.debug('User not found, fallback to fetch user in '
                                       'case insensitive mode')
                             user = User.get_by_username(username, case_insensitive=True)
                     else:
                         log.debug('provided username:`%s` is empty skipping...', username)
                     if not user:
                         log.debug('User `%s` not found in database', username)
                     return user
                 def user_activation_state(self):
                     """
                     Defines user activation state when creating new users
                     :returns: boolean
                     """
                     raise NotImplementedError("Not implemented in base class")
                 def auth(self, userobj, username, passwd, settings, **kwargs):
                     """
                     Given a user object (which may be null), username, a plaintext
                     password, and a settings object (containing all the keys needed as
                     listed in settings()), authenticate this user's login attempt.
                     Return None on failure. On success, return a dictionary of the form:
                         see: RhodeCodeAuthPluginBase.auth_func_attrs
                     This is later validated for correctness
                     """
                     raise NotImplementedError("not implemented in base class")
                 def _authenticate(self, userobj, username, passwd, settings, **kwargs):
                     """
                     Wrapper to call self.auth() that validates call on it
                     :param userobj: userobj
                     :param username: username
                     :param passwd: plaintext password
                     :param settings: plugin settings
                     """
                     auth = self.auth(userobj, username, passwd, settings, **kwargs)
                     if auth:
                         # check if hash should be migrated ?
                         new_hash = auth.get('_hash_migrate')
                         if new_hash:
                             self._migrate_hash_to_bcrypt(username, passwd, new_hash)
                         return self._validate_auth_return(auth)
                     return auth
                 def _migrate_hash_to_bcrypt(self, username, password, new_hash):
                     new_hash_cypher = _RhodeCodeCryptoBCrypt()
                     # extra checks, so make sure new hash is correct.
                     password_encoded = safe_str(password)
                     if new_hash and new_hash_cypher.hash_check(
                             password_encoded, new_hash):
                         cur_user = User.get_by_username(username)
                         cur_user.password = new_hash
                         Session().add(cur_user)
                         Session().flush()
                         log.info('Migrated user %s hash to bcrypt', cur_user)
                 def _validate_auth_return(self, ret):
                     if not isinstance(ret, dict):
                         raise Exception('returned value from auth must be a dict')
                     for k in self.auth_func_attrs:
                         if k not in ret:
                             raise Exception('Missing %s attribute from returned data' % k)
                     return ret
             class RhodeCodeExternalAuthPlugin(RhodeCodeAuthPluginBase):
                 @hybrid_property
                 def allows_creating_users(self):
                     return True
                 def use_fake_password(self):
                     """
                     Return a boolean that indicates whether or not we should set the user's
                     password to a random value when it is authenticated by this plugin.
                     If your plugin provides authentication, then you will generally
                     want this.
                     :returns: boolean
                     """
                     raise NotImplementedError("Not implemented in base class")
                 def _authenticate(self, userobj, username, passwd, settings, **kwargs):
                     # at this point _authenticate calls plugin's `auth()` function
                     auth = super(RhodeCodeExternalAuthPlugin, self)._authenticate(
                         userobj, username, passwd, settings, **kwargs)
                     if auth:
                         # maybe plugin will clean the username ?
                         # we should use the return value
                         username = auth['username']
                         # if external source tells us that user is not active, we should
                         # skip rest of the process. This can prevent from creating users in
                         # RhodeCode when using external authentication, but if it's
                         # inactive user we shouldn't create that user anyway
                         if auth['active_from_extern'] is False:
                             log.warning(
                                 "User %s authenticated against %s, but is inactive",
                                 username, self.__module__)
                             return None
                         cur_user = User.get_by_username(username, case_insensitive=True)
                         is_user_existing = cur_user is not None
                         if is_user_existing:
                             log.debug('Syncing user `%s` from '
                                       '`%s` plugin', username, self.name)
                         else:
                             log.debug('Creating non existing user `%s` from '
                                       '`%s` plugin', username, self.name)
                         if self.allows_creating_users:
                             log.debug('Plugin `%s` allows to '
                                       'create new users', self.name)
                         else:
                             log.debug('Plugin `%s` does not allow to '
                                       'create new users', self.name)
                         user_parameters = {
                             'username': username,
                             'email': auth["email"],
                             'firstname': auth["firstname"],
                             'lastname': auth["lastname"],
                             'active': auth["active"],
                             'admin': auth["admin"],
                             'extern_name': auth["extern_name"],
                             'extern_type': self.name,
                             'plugin': self,
                             'allow_to_create_user': self.allows_creating_users,
                         }
                         if not is_user_existing:
                             if self.use_fake_password():
                                 # Randomize the PW because we don't need it, but don't want
                                 # them blank either
                                 passwd = PasswordGenerator().gen_password(length=16)
                             user_parameters['password'] = passwd
                         else:
                             # Since the password is required by create_or_update method of
                             # UserModel, we need to set it explicitly.
                             # The create_or_update method is smart and recognises the
                             # password hashes as well.
                             user_parameters['password'] = cur_user.password
                         # we either create or update users, we also pass the flag
                         # that controls if this method can actually do that.
                         # raises NotAllowedToCreateUserError if it cannot, and we try to.
                         user = UserModel().create_or_update(**user_parameters)
                         Session().flush()
                         # enforce user is just in given groups, all of them has to be ones
                         # created from plugins. We store this info in _group_data JSON
                         # field
                         try:
                             groups = auth['groups'] or []
                             UserGroupModel().enforce_groups(user, groups, self.name)
                         except Exception:
                             # for any reason group syncing fails, we should
                             # proceed with login
                             log.error(traceback.format_exc())
                         Session().commit()
                     return auth
             def loadplugin(plugin_id):
                 """
                 Loads and returns an instantiated authentication plugin.
                 Returns the RhodeCodeAuthPluginBase subclass on success,
-                raises exceptions on failure.
+                or None on failure.
-                raises:
-                    KeyError -- if no plugin available with given name
-                    TypeError -- if the RhodeCodeAuthPlugin is not a subclass of
-                                 ours RhodeCodeAuthPluginBase
                 """
                 # TODO: Disusing pyramids thread locals to retrieve the registry.
                 authn_registry = get_current_registry().getUtility(IAuthnPluginRegistry)
                 plugin = authn_registry.get_plugin(plugin_id)
                 if plugin is None:
                     log.error('Authentication plugin not found: "%s"', plugin_id)
                 return plugin
             def get_auth_cache_manager(custom_ttl=None):
                 return caches.get_cache_manager(
                     'auth_plugins', 'rhodecode.authentication', custom_ttl)
             def authenticate(username, password, environ=None, auth_type=None,
                              skip_missing=False):
                 """
                 Authentication function used for access control,
                 It tries to authenticate based on enabled authentication modules.
                 :param username: username can be empty for container auth
                 :param password: password can be empty for container auth
                 :param environ: environ headers passed for container auth
                 :param auth_type: type of authentication, either `HTTP_TYPE` or `VCS_TYPE`
                 :param skip_missing: ignores plugins that are in db but not in environment
                 :returns: None if auth failed, plugin_user dict if auth is correct
                 """
                 if not auth_type or auth_type not in [HTTP_TYPE, VCS_TYPE]:
                     raise ValueError('auth type must be on of http, vcs got "%s" instead'
                                      % auth_type)
                 container_only = environ and not (username and password)
                 authn_registry = get_current_registry().getUtility(IAuthnPluginRegistry)
                 for plugin in authn_registry.get_plugins_for_authentication():
                     plugin.set_auth_type(auth_type)
                     user = plugin.get_user(username)
                     display_user = user.username if user else username
                     if container_only and not plugin.is_container_auth:
                         log.debug('Auth type is for container only and plugin `%s` is not '
                                   'container plugin, skipping...', plugin.get_id())
                         continue
                     # load plugin settings from RhodeCode database
                     plugin_settings = plugin.get_settings()
                     log.debug('Plugin settings:%s', plugin_settings)
                     log.debug('Trying authentication using ** %s **', plugin.get_id())
                     # use plugin's method of user extraction.
                     user = plugin.get_user(username, environ=environ,
                                            settings=plugin_settings)
                     display_user = user.username if user else username
                     log.debug(
                         'Plugin %s extracted user is `%s`', plugin.get_id(), display_user)
                     if not plugin.allows_authentication_from(user):
                         log.debug('Plugin %s does not accept user `%s` for authentication',
                                   plugin.get_id(), display_user)
                         continue
                     else:
                         log.debug('Plugin %s accepted user `%s` for authentication',
                                   plugin.get_id(), display_user)
                     log.info('Authenticating user `%s` using %s plugin',
                              display_user, plugin.get_id())
                     _cache_ttl = 0
                     if isinstance(plugin.AUTH_CACHE_TTL, (int, long)):
                         # plugin cache set inside is more important than the settings value
                         _cache_ttl = plugin.AUTH_CACHE_TTL
                     elif plugin_settings.get('auth_cache_ttl'):
                         _cache_ttl = safe_int(plugin_settings.get('auth_cache_ttl'), 0)
                     plugin_cache_active = bool(_cache_ttl and _cache_ttl > 0)
                     # get instance of cache manager configured for a namespace
                     cache_manager = get_auth_cache_manager(custom_ttl=_cache_ttl)
                     log.debug('Cache for plugin `%s` active: %s', plugin.get_id(),
                               plugin_cache_active)
                     # for environ based password can be empty, but then the validation is
                     # on the server that fills in the env data needed for authentication
                     _password_hash = md5_safe(plugin.name + username + (password or ''))
                     # _authenticate is a wrapper for .auth() method of plugin.
                     # it checks if .auth() sends proper data.
                     # For RhodeCodeExternalAuthPlugin it also maps users to
                     # Database and maps the attributes returned from .auth()
                     # to RhodeCode database. If this function returns data
                     # then auth is correct.
                     start = time.time()
                     log.debug('Running plugin `%s` _authenticate method',
                               plugin.get_id())
                     def auth_func():
                         """
                         This function is used internally in Cache of Beaker to calculate
                         Results
                         """
                         return plugin._authenticate(
                             user, username, password, plugin_settings,
                             environ=environ or {})
                     if plugin_cache_active:
                         plugin_user = cache_manager.get(
                             _password_hash, createfunc=auth_func)
                     else:
                         plugin_user = auth_func()
                     auth_time = time.time() - start
                     log.debug('Authentication for plugin `%s` completed in %.3fs, '
                               'expiration time of fetched cache %.1fs.',
                               plugin.get_id(), auth_time, _cache_ttl)
                     log.debug('PLUGIN USER DATA: %s', plugin_user)
                     if plugin_user:
                         log.debug('Plugin returned proper authentication data')
                         return plugin_user
                     # we failed to Auth because .auth() method didn't return proper user
                     log.debug("User `%s` failed to authenticate against %s",
                               display_user, plugin.get_id())
                 return None

rhodecode/model/validators.py

0 +13 -12

             # -*- coding: utf-8 -*-
             # Copyright (C) 2010-2016  RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             """
             Set of generic validators
             """
             import logging
             import os
             import re
             from collections import defaultdict
             import formencode
             import ipaddress
             from formencode.validators import (
                 UnicodeString, OneOf, Int, Number, Regex, Email, Bool, StringBoolean, Set,
                 NotEmpty, IPAddress, CIDR, String, FancyValidator
             )
             from pylons.i18n.translation import _
             from sqlalchemy.sql.expression import true
             from sqlalchemy.util import OrderedSet
             from webhelpers.pylonslib.secure_form import authentication_token
             from rhodecode.config.routing import ADMIN_PREFIX
             from rhodecode.lib.auth import HasRepoGroupPermissionAny, HasPermissionAny
             from rhodecode.lib.exceptions import LdapImportError
             from rhodecode.lib.utils import repo_name_slug, make_db_config
             from rhodecode.lib.utils2 import safe_int, str2bool, aslist, md5
             from rhodecode.lib.vcs.backends.git.repository import GitRepository
             from rhodecode.lib.vcs.backends.hg.repository import MercurialRepository
             from rhodecode.lib.vcs.backends.svn.repository import SubversionRepository
             from rhodecode.model.db import (
                 RepoGroup, Repository, UserGroup, User, ChangesetStatus, Gist)
             from rhodecode.model.settings import VcsSettingsModel
             # silence warnings and pylint
             UnicodeString, OneOf, Int, Number, Regex, Email, Bool, StringBoolean, Set, \
                 NotEmpty, IPAddress, CIDR, String, FancyValidator
             log = logging.getLogger(__name__)
             class _Missing(object):
                 pass
             Missing = _Missing()
             class StateObj(object):
                 """
                 this is needed to translate the messages using _() in validators
                 """
                 _ = staticmethod(_)
             def M(self, key, state=None, **kwargs):
                 """
                 returns string from self.message based on given key,
                 passed kw params are used to substitute %(named)s params inside
                 translated strings
                 :param msg:
                 :param state:
                 """
                 if state is None:
                     state = StateObj()
                 else:
                     state._ = staticmethod(_)
                 # inject validator into state object
                 return self.message(key, state, **kwargs)
             def UniqueList(convert=None):
                 class _UniqueList(formencode.FancyValidator):
                     """
                     Unique List !
                     """
                     messages = {
                         'empty': _(u'Value cannot be an empty list'),
                         'missing_value': _(u'Value cannot be an empty list'),
                     }
                     def _to_python(self, value, state):
                         ret_val = []
                         def make_unique(value):
                             seen = []
                             return [c for c in value if not (c in seen or seen.append(c))]
                         if isinstance(value, list):
                             ret_val = make_unique(value)
                         elif isinstance(value, set):
                             ret_val = make_unique(list(value))
                         elif isinstance(value, tuple):
                             ret_val = make_unique(list(value))
                         elif value is None:
                             ret_val = []
                         else:
                             ret_val = [value]
                         if convert:
                             ret_val = map(convert, ret_val)
                         return ret_val
                     def empty_value(self, value):
                         return []
                 return _UniqueList
             def UniqueListFromString():
                 class _UniqueListFromString(UniqueList()):
                     def _to_python(self, value, state):
                         if isinstance(value, basestring):
                             value = aslist(value, ',')
                         return super(_UniqueListFromString, self)._to_python(value, state)
                 return _UniqueListFromString
             def ValidSvnPattern(section, repo_name=None):
                 class _validator(formencode.validators.FancyValidator):
                     messages = {
                         'pattern_exists': _(u'Pattern already exists'),
                     }
                     def validate_python(self, value, state):
                         if not value:
                             return
                         model = VcsSettingsModel(repo=repo_name)
                         ui_settings = model.get_svn_patterns(section=section)
                         for entry in ui_settings:
                             if value == entry.value:
                                 msg = M(self, 'pattern_exists', state)
                                 raise formencode.Invalid(msg, value, state)
                 return _validator
             def ValidUsername(edit=False, old_data={}):
                 class _validator(formencode.validators.FancyValidator):
                     messages = {
                         'username_exists': _(u'Username "%(username)s" already exists'),
                         'system_invalid_username':
                             _(u'Username "%(username)s" is forbidden'),
                         'invalid_username':
                             _(u'Username may only contain alphanumeric characters '
                                 u'underscores, periods or dashes and must begin with '
                                 u'alphanumeric character or underscore')
                     }
                     def validate_python(self, value, state):
                         if value in ['default', 'new_user']:
                             msg = M(self, 'system_invalid_username', state, username=value)
                             raise formencode.Invalid(msg, value, state)
                         # check if user is unique
                         old_un = None
                         if edit:
                             old_un = User.get(old_data.get('user_id')).username
                         if old_un != value or not edit:
                             if User.get_by_username(value, case_insensitive=True):
                                 msg = M(self, 'username_exists', state, username=value)
                                 raise formencode.Invalid(msg, value, state)
                         if (re.match(r'^[\w]{1}[\w\-\.]{0,254}$', value)
                                 is None):
                             msg = M(self, 'invalid_username', state)
                             raise formencode.Invalid(msg, value, state)
                 return _validator
             def ValidRegex(msg=None):
                 class _validator(formencode.validators.Regex):
                     messages = {'invalid': msg or _(u'The input is not valid')}
                 return _validator
             def ValidRepoUser():
                 class _validator(formencode.validators.FancyValidator):
                     messages = {
                         'invalid_username': _(u'Username %(username)s is not valid')
                     }
                     def validate_python(self, value, state):
                         try:
                             User.query().filter(User.active == true())\
                                 .filter(User.username == value).one()
                         except Exception:
                             msg = M(self, 'invalid_username', state, username=value)
                             raise formencode.Invalid(
                                 msg, value, state, error_dict={'username': msg}
                             )
                 return _validator
             def ValidUserGroup(edit=False, old_data={}):
                 class _validator(formencode.validators.FancyValidator):
                     messages = {
                         'invalid_group': _(u'Invalid user group name'),
                         'group_exist': _(u'User group "%(usergroup)s" already exists'),
                         'invalid_usergroup_name':
                             _(u'user group name may only contain alphanumeric '
                               u'characters underscores, periods or dashes and must begin '
                               u'with alphanumeric character')
                     }
                     def validate_python(self, value, state):
                         if value in ['default']:
                             msg = M(self, 'invalid_group', state)
                             raise formencode.Invalid(
                                 msg, value, state, error_dict={'users_group_name': msg}
                             )
                         # check if group is unique
                         old_ugname = None
                         if edit:
                             old_id = old_data.get('users_group_id')
                             old_ugname = UserGroup.get(old_id).users_group_name
                         if old_ugname != value or not edit:
                             is_existing_group = UserGroup.get_by_group_name(
                                 value, case_insensitive=True)
                             if is_existing_group:
                                 msg = M(self, 'group_exist', state, usergroup=value)
                                 raise formencode.Invalid(
                                     msg, value, state, error_dict={'users_group_name': msg}
                                 )
                         if re.match(r'^[a-zA-Z0-9]{1}[a-zA-Z0-9\-\_\.]+$', value) is None:
                             msg = M(self, 'invalid_usergroup_name', state)
                             raise formencode.Invalid(
                                 msg, value, state, error_dict={'users_group_name': msg}
                             )
                 return _validator
             def ValidRepoGroup(edit=False, old_data={}, can_create_in_root=False):
                 class _validator(formencode.validators.FancyValidator):
                     messages = {
                         'group_parent_id': _(u'Cannot assign this group as parent'),
                         'group_exists': _(u'Group "%(group_name)s" already exists'),
                         'repo_exists': _(u'Repository with name "%(group_name)s" '
                                          u'already exists'),
                         'permission_denied': _(u"no permission to store repository group"
                                                u"in this location"),
                         'permission_denied_root': _(
                             u"no permission to store repository group "
                             u"in root location")
                     }
                     def _to_python(self, value, state):
                         group_name = repo_name_slug(value.get('group_name', ''))
                         group_parent_id = safe_int(value.get('group_parent_id'))
                         gr = RepoGroup.get(group_parent_id)
                         if gr:
                             parent_group_path = gr.full_path
                             # value needs to be aware of group name in order to check
                             # db key This is an actual just the name to store in the
                             # database
                             group_name_full = (
                                 parent_group_path + RepoGroup.url_sep() + group_name)
                         else:
                             group_name_full = group_name
                         value['group_name'] = group_name
                         value['group_name_full'] = group_name_full
                         value['group_parent_id'] = group_parent_id
                         return value
                     def validate_python(self, value, state):
                         old_group_name = None
                         group_name = value.get('group_name')
                         group_name_full = value.get('group_name_full')
                         group_parent_id = safe_int(value.get('group_parent_id'))
                         if group_parent_id == -1:
                             group_parent_id = None
                         group_obj = RepoGroup.get(old_data.get('group_id'))
                         parent_group_changed = False
                         if edit:
                             old_group_name = group_obj.group_name
                             old_group_parent_id = group_obj.group_parent_id
                             if group_parent_id != old_group_parent_id:
                                 parent_group_changed = True
                             # TODO: mikhail: the following if statement is not reached
                             # since group_parent_id's OneOf validation fails before.
                             # Can be removed.
                             # check against setting a parent of self
                             parent_of_self = (
                                 old_data['group_id'] == group_parent_id
                                 if group_parent_id else False
                             )
                             if parent_of_self:
                                 msg = M(self, 'group_parent_id', state)
                                 raise formencode.Invalid(
                                     msg, value, state, error_dict={'group_parent_id': msg}
                                 )
                         # group we're moving current group inside
                         child_group = None
                         if group_parent_id:
                             child_group = RepoGroup.query().filter(
                                 RepoGroup.group_id == group_parent_id).scalar()
                         # do a special check that we cannot move a group to one of
                         # it's children
                         if edit and child_group:
                             parents = [x.group_id for x in child_group.parents]
                             move_to_children = old_data['group_id'] in parents
                             if move_to_children:
                                 msg = M(self, 'group_parent_id', state)
                                 raise formencode.Invalid(
                                     msg, value, state, error_dict={'group_parent_id': msg})
                         # Check if we have permission to store in the parent.
                         # Only check if the parent group changed.
                         if parent_group_changed:
                             if child_group is None:
                                 if not can_create_in_root:
                                     msg = M(self, 'permission_denied_root', state)
                                     raise formencode.Invalid(
                                         msg, value, state,
                                         error_dict={'group_parent_id': msg})
                             else:
                                 valid = HasRepoGroupPermissionAny('group.admin')
                                 forbidden = not valid(
                                     child_group.group_name, 'can create group validator')
                                 if forbidden:
                                     msg = M(self, 'permission_denied', state)
                                     raise formencode.Invalid(
                                         msg, value, state,
                                         error_dict={'group_parent_id': msg})
                         # if we change the name or it's new group, check for existing names
                         # or repositories with the same name
                         if old_group_name != group_name_full or not edit:
                             # check group
                             gr = RepoGroup.get_by_group_name(group_name_full)
                             if gr:
                                 msg = M(self, 'group_exists', state, group_name=group_name)
                                 raise formencode.Invalid(
                                     msg, value, state, error_dict={'group_name': msg})
                             # check for same repo
                             repo = Repository.get_by_repo_name(group_name_full)
                             if repo:
                                 msg = M(self, 'repo_exists', state, group_name=group_name)
                                 raise formencode.Invalid(
                                     msg, value, state, error_dict={'group_name': msg})
                 return _validator
             def ValidPassword():
                 class _validator(formencode.validators.FancyValidator):
                     messages = {
                         'invalid_password':
                             _(u'Invalid characters (non-ascii) in password')
                     }
                     def validate_python(self, value, state):
                         try:
                             (value or '').decode('ascii')
                         except UnicodeError:
                             msg = M(self, 'invalid_password', state)
                             raise formencode.Invalid(msg, value, state,)
                 return _validator
             def ValidOldPassword(username):
                 class _validator(formencode.validators.FancyValidator):
                     messages = {
                         'invalid_password': _(u'Invalid old password')
                     }
                     def validate_python(self, value, state):
                         from rhodecode.authentication.base import authenticate, HTTP_TYPE
                         if not authenticate(username, value, '', HTTP_TYPE):
                             msg = M(self, 'invalid_password', state)
                             raise formencode.Invalid(
                                 msg, value, state, error_dict={'current_password': msg}
                             )
                 return _validator
             def ValidPasswordsMatch(
                     passwd='new_password', passwd_confirmation='password_confirmation'):
                 class _validator(formencode.validators.FancyValidator):
                     messages = {
                         'password_mismatch': _(u'Passwords do not match'),
                     }
                     def validate_python(self, value, state):
                         pass_val = value.get('password') or value.get(passwd)
                         if pass_val != value[passwd_confirmation]:
                             msg = M(self, 'password_mismatch', state)
                             raise formencode.Invalid(
                                 msg, value, state,
                                 error_dict={passwd: msg, passwd_confirmation: msg}
                             )
                 return _validator
             def ValidAuth():
                 class _validator(formencode.validators.FancyValidator):
                     messages = {
                         'invalid_password': _(u'invalid password'),
                         'invalid_username': _(u'invalid user name'),
                         'disabled_account': _(u'Your account is disabled')
                     }
                     def validate_python(self, value, state):
                         from rhodecode.authentication.base import authenticate, HTTP_TYPE
                         password = value['password']
                         username = value['username']
                         if not authenticate(username, password, '', HTTP_TYPE,
                                             skip_missing=True):
                             user = User.get_by_username(username)
                             if user and not user.active:
                                 log.warning('user %s is disabled', username)
                                 msg = M(self, 'disabled_account', state)
                                 raise formencode.Invalid(
                                     msg, value, state, error_dict={'username': msg}
                                 )
                             else:
                                 log.warning('user `%s` failed to authenticate', username)
                                 msg = M(self, 'invalid_username', state)
                                 msg2 = M(self, 'invalid_password', state)
                                 raise formencode.Invalid(
                                     msg, value, state,
                                     error_dict={'username': msg, 'password': msg2}
                                 )
                 return _validator
             def ValidAuthToken():
                 class _validator(formencode.validators.FancyValidator):
                     messages = {
                         'invalid_token': _(u'Token mismatch')
                     }
                     def validate_python(self, value, state):
                         if value != authentication_token():
                             msg = M(self, 'invalid_token', state)
                             raise formencode.Invalid(msg, value, state)
                 return _validator
             def ValidRepoName(edit=False, old_data={}):
                 class _validator(formencode.validators.FancyValidator):
                     messages = {
                         'invalid_repo_name':
                             _(u'Repository name %(repo)s is disallowed'),
                         # top level
                         'repository_exists': _(u'Repository with name %(repo)s '
                                                u'already exists'),
                         'group_exists': _(u'Repository group with name "%(repo)s" '
                                           u'already exists'),
                         # inside a group
                         'repository_in_group_exists': _(u'Repository with name %(repo)s '
                                                         u'exists in group "%(group)s"'),
                         'group_in_group_exists': _(
                             u'Repository group with name "%(repo)s" '
                             u'exists in group "%(group)s"'),
                     }
                     def _to_python(self, value, state):
                         repo_name = repo_name_slug(value.get('repo_name', ''))
                         repo_group = value.get('repo_group')
                         if repo_group:
                             gr = RepoGroup.get(repo_group)
                             group_path = gr.full_path
                             group_name = gr.group_name
                             # value needs to be aware of group name in order to check
                             # db key This is an actual just the name to store in the
                             # database
                             repo_name_full = group_path + RepoGroup.url_sep() + repo_name
                         else:
                             group_name = group_path = ''
                             repo_name_full = repo_name
                         value['repo_name'] = repo_name
                         value['repo_name_full'] = repo_name_full
                         value['group_path'] = group_path
                         value['group_name'] = group_name
                         return value
                     def validate_python(self, value, state):
                         repo_name = value.get('repo_name')
                         repo_name_full = value.get('repo_name_full')
                         group_path = value.get('group_path')
                         group_name = value.get('group_name')
                         if repo_name in [ADMIN_PREFIX, '']:
                             msg = M(self, 'invalid_repo_name', state, repo=repo_name)
                             raise formencode.Invalid(
                                 msg, value, state, error_dict={'repo_name': msg})
                         rename = old_data.get('repo_name') != repo_name_full
                         create = not edit
                         if rename or create:
                             if group_path:
                                 if Repository.get_by_repo_name(repo_name_full):
                                     msg = M(self, 'repository_in_group_exists', state,
                                             repo=repo_name, group=group_name)
                                     raise formencode.Invalid(
                                         msg, value, state, error_dict={'repo_name': msg})
                                 if RepoGroup.get_by_group_name(repo_name_full):
                                     msg = M(self, 'group_in_group_exists', state,
                                             repo=repo_name, group=group_name)
                                     raise formencode.Invalid(
                                         msg, value, state, error_dict={'repo_name': msg})
                             else:
                                 if RepoGroup.get_by_group_name(repo_name_full):
                                     msg = M(self, 'group_exists', state, repo=repo_name)
                                     raise formencode.Invalid(
                                         msg, value, state, error_dict={'repo_name': msg})
                                 if Repository.get_by_repo_name(repo_name_full):
                                     msg = M(
                                         self, 'repository_exists', state, repo=repo_name)
                                     raise formencode.Invalid(
                                         msg, value, state, error_dict={'repo_name': msg})
                         return value
                 return _validator
             def ValidForkName(*args, **kwargs):
                 return ValidRepoName(*args, **kwargs)
             def SlugifyName():
                 class _validator(formencode.validators.FancyValidator):
                     def _to_python(self, value, state):
                         return repo_name_slug(value)
                     def validate_python(self, value, state):
                         pass
                 return _validator
             def ValidCloneUri():
                 class InvalidCloneUrl(Exception):
                     allowed_prefixes = ()
                 def url_handler(repo_type, url):
                     config = make_db_config(clear_session=False)
                     if repo_type == 'hg':
                         allowed_prefixes = ('http', 'svn+http', 'git+http')
                         if 'http' in url[:4]:
                             # initially check if it's at least the proper URL
                             # or does it pass basic auth
                             MercurialRepository.check_url(url, config)
                         elif 'svn+http' in url[:8]:  # svn->hg import
                             SubversionRepository.check_url(url, config)
                         elif 'git+http' in url[:8]:  # git->hg import
                             raise NotImplementedError()
                         else:
                             exc = InvalidCloneUrl('Clone from URI %s not allowed. '
                                                   'Allowed url must start with one of %s'
                                                   % (url, ','.join(allowed_prefixes)))
                             exc.allowed_prefixes = allowed_prefixes
                             raise exc
                     elif repo_type == 'git':
                         allowed_prefixes = ('http', 'svn+http', 'hg+http')
                         if 'http' in url[:4]:
                             # initially check if it's at least the proper URL
                             # or does it pass basic auth
                             GitRepository.check_url(url, config)
                         elif 'svn+http' in url[:8]:  # svn->git import
                             raise NotImplementedError()
                         elif 'hg+http' in url[:8]:  # hg->git import
                             raise NotImplementedError()
                         else:
                             exc = InvalidCloneUrl('Clone from URI %s not allowed. '
                                                   'Allowed url must start with one of %s'
                                                   % (url, ','.join(allowed_prefixes)))
                             exc.allowed_prefixes = allowed_prefixes
                             raise exc
                 class _validator(formencode.validators.FancyValidator):
                     messages = {
                         'clone_uri': _(u'invalid clone url for %(rtype)s repository'),
                         'invalid_clone_uri': _(
                             u'Invalid clone url, provide a valid clone '
                             u'url starting with one of %(allowed_prefixes)s')
                     }
                     def validate_python(self, value, state):
                         repo_type = value.get('repo_type')
                         url = value.get('clone_uri')
                         if url:
                             try:
                                 url_handler(repo_type, url)
                             except InvalidCloneUrl as e:
                                 log.warning(e)
                                 msg = M(self, 'invalid_clone_uri', rtype=repo_type,
                                         allowed_prefixes=','.join(e.allowed_prefixes))
                                 raise formencode.Invalid(msg, value, state,
                                                          error_dict={'clone_uri': msg})
                             except Exception:
                                 log.exception('Url validation failed')
                                 msg = M(self, 'clone_uri', rtype=repo_type)
                                 raise formencode.Invalid(msg, value, state,
                                                          error_dict={'clone_uri': msg})
                 return _validator
             def ValidForkType(old_data={}):
                 class _validator(formencode.validators.FancyValidator):
                     messages = {
                         'invalid_fork_type': _(u'Fork have to be the same type as parent')
                     }
                     def validate_python(self, value, state):
                         if old_data['repo_type'] != value:
                             msg = M(self, 'invalid_fork_type', state)
                             raise formencode.Invalid(
                                 msg, value, state, error_dict={'repo_type': msg}
                             )
                 return _validator
             def CanWriteGroup(old_data=None):
                 class _validator(formencode.validators.FancyValidator):
                     messages = {
                         'permission_denied': _(
                             u"You do not have the permission "
                             u"to create repositories in this group."),
                         'permission_denied_root': _(
                             u"You do not have the permission to store repositories in "
                             u"the root location.")
                     }
                     def _to_python(self, value, state):
                         # root location
                         if value in [-1, "-1"]:
                             return None
                         return value
                     def validate_python(self, value, state):
                         gr = RepoGroup.get(value)
                         gr_name = gr.group_name if gr else None  # None means ROOT location
                         # create repositories with write permission on group is set to true
                         create_on_write = HasPermissionAny(
                             'hg.create.write_on_repogroup.true')()
                         group_admin = HasRepoGroupPermissionAny('group.admin')(
                             gr_name, 'can write into group validator')
                         group_write = HasRepoGroupPermissionAny('group.write')(
                             gr_name, 'can write into group validator')
                         forbidden = not (group_admin or (group_write and create_on_write))
                         can_create_repos = HasPermissionAny(
                             'hg.admin', 'hg.create.repository')
                         gid = (old_data['repo_group'].get('group_id')
                                if (old_data and 'repo_group' in old_data) else None)
                         value_changed = gid != safe_int(value)
                         new = not old_data
                         # do check if we changed the value, there's a case that someone got
                         # revoked write permissions to a repository, he still created, we
                         # don't need to check permission if he didn't change the value of
                         # groups in form box
                         if value_changed or new:
                             # parent group need to be existing
                             if gr and forbidden:
                                 msg = M(self, 'permission_denied', state)
                                 raise formencode.Invalid(
                                     msg, value, state, error_dict={'repo_type': msg}
                                 )
                             # check if we can write to root location !
                             elif gr is None and not can_create_repos():
                                 msg = M(self, 'permission_denied_root', state)
                                 raise formencode.Invalid(
                                     msg, value, state, error_dict={'repo_type': msg}
                                 )
                 return _validator
             def ValidPerms(type_='repo'):
                 if type_ == 'repo_group':
                     EMPTY_PERM = 'group.none'
                 elif type_ == 'repo':
                     EMPTY_PERM = 'repository.none'
                 elif type_ == 'user_group':
                     EMPTY_PERM = 'usergroup.none'
                 class _validator(formencode.validators.FancyValidator):
                     messages = {
                         'perm_new_member_name':
                             _(u'This username or user group name is not valid')
                     }
                     def _to_python(self, value, state):
                         perm_updates = OrderedSet()
                         perm_additions = OrderedSet()
                         perm_deletions = OrderedSet()
                         # build a list of permission to update/delete and new permission
                         # Read the perm_new_member/perm_del_member attributes and group
                         # them by they IDs
                         new_perms_group = defaultdict(dict)
                         del_perms_group = defaultdict(dict)
                         for k, v in value.copy().iteritems():
                             if k.startswith('perm_del_member'):
                                 # delete from org storage so we don't process that later
                                 del value[k]
                                 # part is `id`, `type`
                                 _type, part = k.split('perm_del_member_')
                                 args = part.split('_')
                                 if len(args) == 2:
                                     _key, pos = args
                                     del_perms_group[pos][_key] = v
                             if k.startswith('perm_new_member'):
                                 # delete from org storage so we don't process that later
                                 del value[k]
                                 # part is `id`, `type`, `perm`
                                 _type, part = k.split('perm_new_member_')
                                 args = part.split('_')
                                 if len(args) == 2:
                                     _key, pos = args
                                     new_perms_group[pos][_key] = v
                         # store the deletes
                         for k in sorted(del_perms_group.keys()):
                             perm_dict = del_perms_group[k]
                             del_member = perm_dict.get('id')
                             del_type = perm_dict.get('type')
                             if del_member and del_type:
                                 perm_deletions.add((del_member, None, del_type))
                         # store additions in order of how they were added in web form
                         for k in sorted(new_perms_group.keys()):
                             perm_dict = new_perms_group[k]
                             new_member = perm_dict.get('id')
                             new_type = perm_dict.get('type')
                             new_perm = perm_dict.get('perm')
                             if new_member and new_perm and new_type:
                                 perm_additions.add((new_member, new_perm, new_type))
                         # get updates of permissions
                         # (read the existing radio button states)
                         for k, update_value in value.iteritems():
                             if k.startswith('u_perm_') or k.startswith('g_perm_'):
                                 member = k[7:]
                                 update_type = {'u': 'user',
                                                'g': 'users_group'}[k[0]]
                                 if member == User.DEFAULT_USER:
                                     if str2bool(value.get('repo_private')):
                                         # set none for default when updating to
                                         # private repo protects agains form manipulation
                                         update_value = EMPTY_PERM
                                 perm_updates.add((member, update_value, update_type))
                         # check the deletes
                         value['perm_additions'] = list(perm_additions)
                         value['perm_updates'] = list(perm_updates)
                         value['perm_deletions'] = list(perm_deletions)
                         # validate users they exist and they are active !
                         for member_id, _perm, member_type in perm_additions:
                             try:
                                 if member_type == 'user':
                                     self.user_db = User.query()\
                                         .filter(User.active == true())\
                                         .filter(User.user_id == member_id).one()
                                 if member_type == 'users_group':
                                     self.user_db = UserGroup.query()\
                                         .filter(UserGroup.users_group_active == true())\
                                         .filter(UserGroup.users_group_id == member_id)\
                                         .one()
                             except Exception:
                                 log.exception('Updated permission failed: org_exc:')
                                 msg = M(self, 'perm_new_member_type', state)
                                 raise formencode.Invalid(
                                     msg, value, state, error_dict={
                                         'perm_new_member_name': msg}
                                 )
                         return value
                 return _validator
             def ValidSettings():
                 class _validator(formencode.validators.FancyValidator):
                     def _to_python(self, value, state):
                         # settings  form for users that are not admin
                         # can't edit certain parameters, it's extra backup if they mangle
                         # with forms
                         forbidden_params = [
                             'user', 'repo_type', 'repo_enable_locking',
                             'repo_enable_downloads', 'repo_enable_statistics'
                         ]
                         for param in forbidden_params:
                             if param in value:
                                 del value[param]
                         return value
                     def validate_python(self, value, state):
                         pass
                 return _validator
             def ValidPath():
                 class _validator(formencode.validators.FancyValidator):
                     messages = {
                         'invalid_path': _(u'This is not a valid path')
                     }
                     def validate_python(self, value, state):
                         if not os.path.isdir(value):
                             msg = M(self, 'invalid_path', state)
                             raise formencode.Invalid(
                                 msg, value, state, error_dict={'paths_root_path': msg}
                             )
                 return _validator
             def UniqSystemEmail(old_data={}):
                 class _validator(formencode.validators.FancyValidator):
                     messages = {
                         'email_taken': _(u'This e-mail address is already taken')
                     }
                     def _to_python(self, value, state):
                         return value.lower()
                     def validate_python(self, value, state):
                         if (old_data.get('email') or '').lower() != value:
                             user = User.get_by_email(value, case_insensitive=True)
                             if user:
                                 msg = M(self, 'email_taken', state)
                                 raise formencode.Invalid(
                                     msg, value, state, error_dict={'email': msg}
                                 )
                 return _validator
             def ValidSystemEmail():
                 class _validator(formencode.validators.FancyValidator):
                     messages = {
                         'non_existing_email': _(u'e-mail "%(email)s" does not exist.')
                     }
                     def _to_python(self, value, state):
                         return value.lower()
                     def validate_python(self, value, state):
                         user = User.get_by_email(value, case_insensitive=True)
                         if user is None:
                             msg = M(self, 'non_existing_email', state, email=value)
                             raise formencode.Invalid(
                                 msg, value, state, error_dict={'email': msg}
                             )
                 return _validator
             def NotReviewedRevisions(repo_id):
                 class _validator(formencode.validators.FancyValidator):
                     messages = {
                         'rev_already_reviewed':
                             _(u'Revisions %(revs)s are already part of pull request '
                               u'or have set status'),
                     }
                     def validate_python(self, value, state):
                         # check revisions if they are not reviewed, or a part of another
                         # pull request
                         statuses = ChangesetStatus.query()\
                             .filter(ChangesetStatus.revision.in_(value))\
                             .filter(ChangesetStatus.repo_id == repo_id)\
                             .all()
                         errors = []
                         for status in statuses:
                             if status.pull_request_id:
                                 errors.append(['pull_req', status.revision[:12]])
                             elif status.status:
                                 errors.append(['status', status.revision[:12]])
                         if errors:
                             revs = ','.join([x[1] for x in errors])
                             msg = M(self, 'rev_already_reviewed', state, revs=revs)
                             raise formencode.Invalid(
                                 msg, value, state, error_dict={'revisions': revs})
                 return _validator
             def ValidIp():
                 class _validator(CIDR):
                     messages = {
                         'badFormat': _(u'Please enter a valid IPv4 or IpV6 address'),
                         'illegalBits': _(
                             u'The network size (bits) must be within the range '
                             u'of 0-32 (not %(bits)r)'),
                     }
                     # we ovveride the default to_python() call
                     def to_python(self, value, state):
                         v = super(_validator, self).to_python(value, state)
                         v = v.strip()
                         net = ipaddress.ip_network(address=v, strict=False)
                         return str(net)
                     def validate_python(self, value, state):
                         try:
                             addr = value.strip()
                             # this raises an ValueError if address is not IpV4 or IpV6
                             ipaddress.ip_network(addr, strict=False)
                         except ValueError:
                             raise formencode.Invalid(self.message('badFormat', state),
                                                      value, state)
                 return _validator
             def FieldKey():
                 class _validator(formencode.validators.FancyValidator):
                     messages = {
                         'badFormat': _(
                             u'Key name can only consist of letters, '
                             u'underscore, dash or numbers'),
                     }
                     def validate_python(self, value, state):
                         if not re.match('[a-zA-Z0-9_-]+$', value):
                             raise formencode.Invalid(self.message('badFormat', state),
                                                      value, state)
                 return _validator
             def BasePath():
                 class _validator(formencode.validators.FancyValidator):
                     messages = {
                         'badPath': _(u'Filename cannot be inside a directory'),
                     }
                     def _to_python(self, value, state):
                         return value
                     def validate_python(self, value, state):
                         if value != os.path.basename(value):
                             raise formencode.Invalid(self.message('badPath', state),
                                                      value, state)
                 return _validator
             def ValidAuthPlugins():
                 class _validator(formencode.validators.FancyValidator):
                     messages = {
                         'import_duplicate': _(
                             u'Plugins %(loaded)s and %(next_to_load)s '
                             u'both export the same name'),
                     }
                     def _to_python(self, value, state):
                         # filter empty values
                         return filter(lambda s: s not in [None, ''], value)
                     def validate_python(self, value, state):
                         from rhodecode.authentication.base import loadplugin
                         module_list = value
                         unique_names = {}
-                        try:
+                        for module in module_list:
-                            for module in module_list:
+                            plugin = loadplugin(module)
-                                plugin = loadplugin(module)
+                            if plugin is None:
-                                plugin_name = plugin.name
+                                raise formencode.Invalid(
-                                if plugin_name in unique_names:
+                                    _("Can't find plugin with id '{}'".format(module)),
-                                    msg = M(self, 'import_duplicate', state,
+                                    value, state)
-                                            loaded=unique_names[plugin_name],
+                            plugin_name = plugin.name
-                                            next_to_load=plugin_name)
+                            if plugin_name in unique_names:
-                                    raise formencode.Invalid(msg, value, state)
+                                msg = M(self, 'import_duplicate', state,
-                                unique_names[plugin_name] = plugin
+                                        loaded=unique_names[plugin_name],
-                        except (KeyError, AttributeError, TypeError) as e:
+                                        next_to_load=plugin_name)
-                            raise formencode.Invalid(str(e), value, state)
+                                raise formencode.Invalid(msg, value, state)
+                            unique_names[plugin_name] = plugin
                 return _validator
             def UniqGistId():
                 class _validator(formencode.validators.FancyValidator):
                     messages = {
                         'gistid_taken': _(u'This gistid is already in use')
                     }
                     def _to_python(self, value, state):
                         return repo_name_slug(value.lower())
                     def validate_python(self, value, state):
                         existing = Gist.get_by_access_id(value)
                         if existing:
                             msg = M(self, 'gistid_taken', state)
                             raise formencode.Invalid(
                                 msg, value, state, error_dict={'gistid': msg}
                             )
                 return _validator
             def ValidPattern():
                 class _Validator(formencode.validators.FancyValidator):
                     def _to_python(self, value, state):
                         patterns = []
                         prefix = 'new_pattern'
                         for name, v in value.iteritems():
                             pattern_name = '_'.join((prefix, 'pattern'))
                             if name.startswith(pattern_name):
                                 new_item_id = name[len(pattern_name)+1:]
                                 def _field(name):
                                     return '%s_%s_%s' % (prefix, name, new_item_id)
                                 values = {
                                     'issuetracker_pat': value.get(_field('pattern')),
                                     'issuetracker_pat': value.get(_field('pattern')),
                                     'issuetracker_url': value.get(_field('url')),
                                     'issuetracker_pref': value.get(_field('prefix')),
                                     'issuetracker_desc': value.get(_field('description'))
                                 }
                                 new_uid = md5(values['issuetracker_pat'])
                                 has_required_fields = (
                                     values['issuetracker_pat']
                                     and values['issuetracker_url'])
                                 if has_required_fields:
                                     settings = [
                                         ('_'.join((key, new_uid)), values[key], 'unicode')
                                         for key in values]
                                     patterns.append(settings)
                         value['patterns'] = patterns
                         delete_patterns = value.get('uid') or []
                         if not isinstance(delete_patterns, (list, tuple)):
                             delete_patterns = [delete_patterns]
                         value['delete_patterns'] = delete_patterns
                         return value
                 return _Validator

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages