rhodecode-enterprise-ce Commit - r5358:2095c653

feat(login by email option): added ability to log in with user primary email. Fixes:

ilin.s -

r5358:2095c653 default

parent child

rhodecode/apps/login/tests/test_login.py

0 +12 0

             # Copyright (C) 2010-2023 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import urllib.parse
             import mock
             import pytest
             from rhodecode.lib.auth import check_password
             from rhodecode.lib import helpers as h
             from rhodecode.model.auth_token import AuthTokenModel
             from rhodecode.model.db import User, Notification, UserApiKeys
             from rhodecode.model.meta import Session
             from rhodecode.tests import (
                 assert_session_flash, HG_REPO, TEST_USER_ADMIN_LOGIN,
                 no_newline_id_generator)
             from rhodecode.tests.fixture import Fixture
             from rhodecode.tests.routes import route_path
             fixture = Fixture()
             whitelist_view = ['RepoCommitsView:repo_commit_raw']
             @pytest.mark.usefixtures('app')
             class TestLoginController(object):
                 destroy_users = set()
                 @classmethod
                 def teardown_class(cls):
                     fixture.destroy_users(cls.destroy_users)
                 def teardown_method(self, method):
                     for n in Notification.query().all():
                         Session().delete(n)
                     Session().commit()
                     assert Notification.query().all() == []
                 def test_index(self):
                     response = self.app.get(route_path('login'))
                     assert response.status == '200 OK'
                     # Test response...
                 def test_login_admin_ok(self):
                     response = self.app.post(route_path('login'),
                                              {'username': 'test_admin',
                                               'password': 'test12'}, status=302)
                     response = response.follow()
                     session = response.get_session_from_response()
                     username = session['rhodecode_user'].get('username')
                     assert username == 'test_admin'
                     response.mustcontain('logout')
                 def test_login_regular_ok(self):
                     response = self.app.post(route_path('login'),
                                              {'username': 'test_regular',
                                               'password': 'test12'}, status=302)
                     response = response.follow()
                     session = response.get_session_from_response()
                     username = session['rhodecode_user'].get('username')
                     assert username == 'test_regular'
                     response.mustcontain('logout')
+                def test_login_with_primary_email(self):
+                    user_email = 'test_regular@mail.com'
+                    response = self.app.post(route_path('login'),
+                                             {'username': user_email,
+                                              'password': 'test12'}, status=302)
+                    response = response.follow()
+                    session = response.get_session_from_response()
+                    user = session['rhodecode_user']
+                    assert user['username'] == user_email.split('@')[0]
+                    assert user['is_authenticated']
+                    response.mustcontain('logout')
                 def test_login_regular_forbidden_when_super_admin_restriction(self):
                     from rhodecode.authentication.plugins.auth_rhodecode import RhodeCodeAuthPlugin
                     with fixture.auth_restriction(self.app._pyramid_registry,
                                                   RhodeCodeAuthPlugin.AUTH_RESTRICTION_SUPER_ADMIN):
                         response = self.app.post(route_path('login'),
                                                  {'username': 'test_regular',
                                                   'password': 'test12'})
                         response.mustcontain('invalid user name')
                         response.mustcontain('invalid password')
                 def test_login_regular_forbidden_when_scope_restriction(self):
                     from rhodecode.authentication.plugins.auth_rhodecode import RhodeCodeAuthPlugin
                     with fixture.scope_restriction(self.app._pyramid_registry,
                                                    RhodeCodeAuthPlugin.AUTH_RESTRICTION_SCOPE_VCS):
                         response = self.app.post(route_path('login'),
                                                  {'username': 'test_regular',
                                                   'password': 'test12'})
                         response.mustcontain('invalid user name')
                         response.mustcontain('invalid password')
                 def test_login_ok_came_from(self):
                     test_came_from = '/_admin/users?branch=stable'
                     _url = '{}?came_from={}'.format(route_path('login'), test_came_from)
                     response = self.app.post(
                         _url, {'username': 'test_admin', 'password': 'test12'}, status=302)
                     assert 'branch=stable' in response.location
                     response = response.follow()
                     assert response.status == '200 OK'
                     response.mustcontain('Users administration')
                 def test_redirect_to_login_with_get_args(self):
                     with fixture.anon_access(False):
                         kwargs = {'branch': 'stable'}
                         response = self.app.get(
                             h.route_path('repo_summary', repo_name=HG_REPO, _query=kwargs),
                             status=302)
                         response_query = urllib.parse.parse_qsl(response.location)
                         assert 'branch=stable' in response_query[0][1]
                 def test_login_form_with_get_args(self):
                     _url = '{}?came_from=/_admin/users,branch=stable'.format(route_path('login'))
                     response = self.app.get(_url)
                     assert 'branch%3Dstable' in response.form.action
                 @pytest.mark.parametrize("url_came_from", [
                     'data:text/html,<script>window.alert("xss")</script>',
                     'mailto:test@rhodecode.org',
                     'file:///etc/passwd',
                     'ftp://some.ftp.server',
                     'http://other.domain',
                 ], ids=no_newline_id_generator)
                 def test_login_bad_came_froms(self, url_came_from):
                     _url = '{}?came_from={}'.format(route_path('login'), url_came_from)
                     response = self.app.post(
                         _url, {'username': 'test_admin', 'password': 'test12'}, status=302)
                     assert response.status == '302 Found'
                     response = response.follow()
                     assert response.status == '200 OK'
                     assert response.request.path == '/'
                 @pytest.mark.xfail(reason="newline params changed behaviour in python3")
                 @pytest.mark.parametrize("url_came_from", [
                     '/\r\nX-Forwarded-Host: \rhttp://example.org',
                 ], ids=no_newline_id_generator)
                 def test_login_bad_came_froms_404(self, url_came_from):
                     _url = '{}?came_from={}'.format(route_path('login'), url_came_from)
                     response = self.app.post(
                         _url, {'username': 'test_admin', 'password': 'test12'}, status=302)
                     response = response.follow()
                     assert response.status == '404 Not Found'
                 def test_login_short_password(self):
                     response = self.app.post(route_path('login'),
                                              {'username': 'test_admin',
                                               'password': 'as'})
                     assert response.status == '200 OK'
                     response.mustcontain('Enter 3 characters or more')
                 def test_login_wrong_non_ascii_password(self, user_regular):
                     response = self.app.post(
                         route_path('login'),
                         {'username': user_regular.username,
                          'password': 'invalid-non-asci\xe4'.encode('utf8')})
                     response.mustcontain('invalid user name')
                     response.mustcontain('invalid password')
                 def test_login_with_non_ascii_password(self, user_util):
                     password = u'valid-non-ascii\xe4'
                     user = user_util.create_user(password=password)
                     response = self.app.post(
                         route_path('login'),
                         {'username': user.username,
                          'password': password})
                     assert response.status_code == 302
                 def test_login_wrong_username_password(self):
                     response = self.app.post(route_path('login'),
                                              {'username': 'error',
                                               'password': 'test12'})
                     response.mustcontain('invalid user name')
                     response.mustcontain('invalid password')
                 def test_login_admin_ok_password_migration(self, real_crypto_backend):
                     from rhodecode.lib import auth
                     # create new user, with sha256 password
                     temp_user = 'test_admin_sha256'
                     user = fixture.create_user(temp_user)
                     user.password = auth._RhodeCodeCryptoSha256().hash_create(
                         b'test123')
                     Session().add(user)
                     Session().commit()
                     self.destroy_users.add(temp_user)
                     response = self.app.post(route_path('login'),
                                              {'username': temp_user,
                                               'password': 'test123'}, status=302)
                     response = response.follow()
                     session = response.get_session_from_response()
                     username = session['rhodecode_user'].get('username')
                     assert username == temp_user
                     response.mustcontain('logout')
                     # new password should be bcrypted, after log-in and transfer
                     user = User.get_by_username(temp_user)
                     assert user.password.startswith('$')
                 # REGISTRATIONS
                 def test_register(self):
                     response = self.app.get(route_path('register'))
                     response.mustcontain('Create an Account')
                 def test_register_err_same_username(self):
                     uname = 'test_admin'
                     response = self.app.post(
                         route_path('register'),
                         {
                             'username': uname,
                             'password': 'test12',
                             'password_confirmation': 'test12',
                             'email': 'goodmail@domain.com',
                             'firstname': 'test',
                             'lastname': 'test'
                         }
                     )
                     assertr = response.assert_response()
                     msg = 'Username "%(username)s" already exists'
                     msg = msg % {'username': uname}
                     assertr.element_contains('#username+.error-message', msg)
                 def test_register_err_same_email(self):
                     response = self.app.post(
                         route_path('register'),
                         {
                             'username': 'test_admin_0',
                             'password': 'test12',
                             'password_confirmation': 'test12',
                             'email': 'test_admin@mail.com',
                             'firstname': 'test',
                             'lastname': 'test'
                         }
                     )
                     assertr = response.assert_response()
                     msg = u'This e-mail address is already taken'
                     assertr.element_contains('#email+.error-message', msg)
                 def test_register_err_same_email_case_sensitive(self):
                     response = self.app.post(
                         route_path('register'),
                         {
                             'username': 'test_admin_1',
                             'password': 'test12',
                             'password_confirmation': 'test12',
                             'email': 'TesT_Admin@mail.COM',
                             'firstname': 'test',
                             'lastname': 'test'
                         }
                     )
                     assertr = response.assert_response()
                     msg = u'This e-mail address is already taken'
                     assertr.element_contains('#email+.error-message', msg)
                 def test_register_err_wrong_data(self):
                     response = self.app.post(
                         route_path('register'),
                         {
                             'username': 'xs',
                             'password': 'test',
                             'password_confirmation': 'test',
                             'email': 'goodmailm',
                             'firstname': 'test',
                             'lastname': 'test'
                         }
                     )
                     assert response.status == '200 OK'
                     response.mustcontain('An email address must contain a single @')
                     response.mustcontain('Enter a value 6 characters long or more')
                 def test_register_err_username(self):
                     response = self.app.post(
                         route_path('register'),
                         {
                             'username': 'error user',
                             'password': 'test12',
                             'password_confirmation': 'test12',
                             'email': 'goodmailm',
                             'firstname': 'test',
                             'lastname': 'test'
                         }
                     )
                     response.mustcontain('An email address must contain a single @')
                     response.mustcontain(
                         'Username may only contain '
                         'alphanumeric characters underscores, '
                         'periods or dashes and must begin with '
                         'alphanumeric character')
                 def test_register_err_case_sensitive(self):
                     usr = 'Test_Admin'
                     response = self.app.post(
                         route_path('register'),
                         {
                             'username': usr,
                             'password': 'test12',
                             'password_confirmation': 'test12',
                             'email': 'goodmailm',
                             'firstname': 'test',
                             'lastname': 'test'
                         }
                     )
                     assertr = response.assert_response()
                     msg = u'Username "%(username)s" already exists'
                     msg = msg % {'username': usr}
                     assertr.element_contains('#username+.error-message', msg)
                 def test_register_special_chars(self):
                     response = self.app.post(
                         route_path('register'),
                         {
                             'username': 'xxxaxn',
                             'password': 'ąćźżąśśśś',
                             'password_confirmation': 'ąćźżąśśśś',
                             'email': 'goodmailm@test.plx',
                             'firstname': 'test',
                             'lastname': 'test'
                         }
                     )
                     msg = u'Invalid characters (non-ascii) in password'
                     response.mustcontain(msg)
                 def test_register_password_mismatch(self):
                     response = self.app.post(
                         route_path('register'),
                         {
                             'username': 'xs',
                             'password': '123qwe',
                             'password_confirmation': 'qwe123',
                             'email': 'goodmailm@test.plxa',
                             'firstname': 'test',
                             'lastname': 'test'
                         }
                     )
                     msg = u'Passwords do not match'
                     response.mustcontain(msg)
                 def test_register_ok(self):
                     username = 'test_regular4'
                     password = 'qweqwe'
                     email = 'marcin@test.com'
                     name = 'testname'
                     lastname = 'testlastname'
                     # this initializes a session
                     response = self.app.get(route_path('register'))
                     response.mustcontain('Create an Account')
                     response = self.app.post(
                         route_path('register'),
                         {
                             'username': username,
                             'password': password,
                             'password_confirmation': password,
                             'email': email,
                             'firstname': name,
                             'lastname': lastname,
                             'admin': True
                         },
                         status=302
                     )  # This should be overridden
                     assert_session_flash(
                         response, 'You have successfully registered with RhodeCode. You can log-in now.')
                     ret = Session().query(User).filter(
                         User.username == 'test_regular4').one()
                     assert ret.username == username
                     assert check_password(password, ret.password)
                     assert ret.email == email
                     assert ret.name == name
                     assert ret.lastname == lastname
                     assert ret.auth_tokens is not None
                     assert not ret.admin
                 def test_forgot_password_wrong_mail(self):
                     bad_email = 'marcin@wrongmail.org'
                     # this initializes a session
                     self.app.get(route_path('reset_password'))
                     response = self.app.post(
                         route_path('reset_password'), {'email': bad_email, }
                     )
                     assert_session_flash(response,
                         'If such email exists, a password reset link was sent to it.')
                 def test_forgot_password(self, user_util):
                     # this initializes a session
                     self.app.get(route_path('reset_password'))
                     user = user_util.create_user()
                     user_id = user.user_id
                     email = user.email
                     response = self.app.post(route_path('reset_password'), {'email': email, })
                     assert_session_flash(response,
                         'If such email exists, a password reset link was sent to it.')
                     # BAD KEY
                     confirm_url = '{}?key={}'.format(route_path('reset_password_confirmation'), 'badkey')
                     response = self.app.get(confirm_url, status=302)
                     assert response.location.endswith(route_path('reset_password'))
                     assert_session_flash(response, 'Given reset token is invalid')
                     response.follow()  # cleanup flash
                     # GOOD KEY
                     key = UserApiKeys.query()\
                         .filter(UserApiKeys.user_id == user_id)\
                         .filter(UserApiKeys.role == UserApiKeys.ROLE_PASSWORD_RESET)\
                         .first()
                     assert key
                     confirm_url = '{}?key={}'.format(route_path('reset_password_confirmation'), key.api_key)
                     response = self.app.get(confirm_url)
                     assert response.status == '302 Found'
                     assert response.location.endswith(route_path('login'))
                     assert_session_flash(
                         response,
                         'Your password reset was successful, '
                         'a new password has been sent to your email')
                     response.follow()
                 def _get_api_whitelist(self, values=None):
                     config = {'api_access_controllers_whitelist': values or []}
                     return config
                 @pytest.mark.parametrize("test_name, auth_token", [
                     ('none', None),
                     ('empty_string', ''),
                     ('fake_number', '123456'),
                     ('proper_auth_token', None)
                 ])
                 def test_access_not_whitelisted_page_via_auth_token(
                         self, test_name, auth_token, user_admin):
                     whitelist = self._get_api_whitelist([])
                     with mock.patch.dict('rhodecode.CONFIG', whitelist):
                         assert [] == whitelist['api_access_controllers_whitelist']
                         if test_name == 'proper_auth_token':
                             # use builtin if api_key is None
                             auth_token = user_admin.api_key
                         with fixture.anon_access(False):
                             # webtest uses linter to check if response is bytes,
                             # and we use memoryview here as a wrapper, quick turn-off
                             self.app.lint = False
                             self.app.get(
                                 route_path('repo_commit_raw',
                                            repo_name=HG_REPO, commit_id='tip',
                                            params=dict(api_key=auth_token)),
                                 status=302)
                 @pytest.mark.parametrize("test_name, auth_token, code", [
                     ('none', None, 302),
                     ('empty_string', '', 302),
                     ('fake_number', '123456', 302),
                     ('proper_auth_token', None, 200)
                 ])
                 def test_access_whitelisted_page_via_auth_token(
                         self, test_name, auth_token, code, user_admin):
                     whitelist = self._get_api_whitelist(whitelist_view)
                     with mock.patch.dict('rhodecode.CONFIG', whitelist):
                         assert whitelist_view == whitelist['api_access_controllers_whitelist']
                         if test_name == 'proper_auth_token':
                             auth_token = user_admin.api_key
                             assert auth_token
                         with fixture.anon_access(False):
                             # webtest uses linter to check if response is bytes,
                             # and we use memoryview here as a wrapper, quick turn-off
                             self.app.lint = False
                             self.app.get(
                                 route_path('repo_commit_raw',
                                            repo_name=HG_REPO, commit_id='tip',
                                            params=dict(api_key=auth_token)),
                                 status=code)
                 @pytest.mark.parametrize("test_name, auth_token, code", [
                     ('proper_auth_token', None, 200),
                     ('wrong_auth_token', '123456', 302),
                 ])
                 def test_access_whitelisted_page_via_auth_token_bound_to_token(
                         self, test_name, auth_token, code, user_admin):
                     expected_token = auth_token
                     if test_name == 'proper_auth_token':
                         auth_token = user_admin.api_key
                         expected_token = auth_token
                         assert auth_token
                     whitelist = self._get_api_whitelist([
                         'RepoCommitsView:repo_commit_raw@{}'.format(expected_token)])
                     with mock.patch.dict('rhodecode.CONFIG', whitelist):
                         with fixture.anon_access(False):
                             # webtest uses linter to check if response is bytes,
                             # and we use memoryview here as a wrapper, quick turn-off
                             self.app.lint = False
                             self.app.get(
                                 route_path('repo_commit_raw',
                                            repo_name=HG_REPO, commit_id='tip',
                                            params=dict(api_key=auth_token)),
                                 status=code)
                 def test_access_page_via_extra_auth_token(self):
                     whitelist = self._get_api_whitelist(whitelist_view)
                     with mock.patch.dict('rhodecode.CONFIG', whitelist):
                         assert whitelist_view == \
                             whitelist['api_access_controllers_whitelist']
                         new_auth_token = AuthTokenModel().create(
                             TEST_USER_ADMIN_LOGIN, 'test')
                         Session().commit()
                         with fixture.anon_access(False):
                             # webtest uses linter to check if response is bytes,
                             # and we use memoryview here as a wrapper, quick turn-off
                             self.app.lint = False
                             self.app.get(
                                 route_path('repo_commit_raw',
                                            repo_name=HG_REPO, commit_id='tip',
                                            params=dict(api_key=new_auth_token.api_key)),
                                 status=200)
                 def test_access_page_via_expired_auth_token(self):
                     whitelist = self._get_api_whitelist(whitelist_view)
                     with mock.patch.dict('rhodecode.CONFIG', whitelist):
                         assert whitelist_view == \
                             whitelist['api_access_controllers_whitelist']
                         new_auth_token = AuthTokenModel().create(
                             TEST_USER_ADMIN_LOGIN, 'test')
                         Session().commit()
                         # patch the api key and make it expired
                         new_auth_token.expires = 0
                         Session().add(new_auth_token)
                         Session().commit()
                         with fixture.anon_access(False):
                             # webtest uses linter to check if response is bytes,
                             # and we use memoryview here as a wrapper, quick turn-off
                             self.app.lint = False
                             self.app.get(
                                 route_path('repo_commit_raw',
                                            repo_name=HG_REPO, commit_id='tip',
                                            params=dict(api_key=new_auth_token.api_key)),
                                 status=302)

rhodecode/apps/login/views.py

0 +4 -4

             # Copyright (C) 2016-2023 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import time
             import collections
             import datetime
             import formencode
             import formencode.htmlfill
             import logging
             import urllib.parse
             import requests
             from pyramid.httpexceptions import HTTPFound
             from rhodecode.apps._base import BaseAppView
             from rhodecode.authentication.base import authenticate, HTTP_TYPE
             from rhodecode.authentication.plugins import auth_rhodecode
             from rhodecode.events import UserRegistered, trigger
             from rhodecode.lib import helpers as h
             from rhodecode.lib import audit_logger
             from rhodecode.lib.auth import (
                 AuthUser, HasPermissionAnyDecorator, CSRFRequired)
             from rhodecode.lib.base import get_ip_addr
             from rhodecode.lib.exceptions import UserCreationError
             from rhodecode.lib.utils2 import safe_str
             from rhodecode.model.db import User, UserApiKeys
             from rhodecode.model.forms import LoginForm, RegisterForm, PasswordResetForm
             from rhodecode.model.meta import Session
             from rhodecode.model.auth_token import AuthTokenModel
             from rhodecode.model.settings import SettingsModel
             from rhodecode.model.user import UserModel
             from rhodecode.translation import _
             log = logging.getLogger(__name__)
             CaptchaData = collections.namedtuple(
                 'CaptchaData', 'active, private_key, public_key')
-            def store_user_in_session(session, username, remember=False):
+            def store_user_in_session(session, user_identifier, remember=False):
-                user = User.get_by_username(username, case_insensitive=True)
+                user = User.get_by_username_or_primary_email(user_identifier)
                 auth_user = AuthUser(user.user_id)
                 auth_user.set_authenticated()
                 cs = auth_user.get_cookie_store()
                 session['rhodecode_user'] = cs
                 user.update_lastlogin()
                 Session().commit()
                 # If they want to be remembered, update the cookie
                 if remember:
                     _year = (datetime.datetime.now() +
                              datetime.timedelta(seconds=60 * 60 * 24 * 365))
                     session._set_cookie_expires(_year)
                 session.save()
                 safe_cs = cs.copy()
                 safe_cs['password'] = '****'
                 log.info('user %s is now authenticated and stored in '
-                         'session, session attrs %s', username, safe_cs)
+                         'session, session attrs %s', user_identifier, safe_cs)
                 # dumps session attrs back to cookie
                 session._update_cookie_out()
                 # we set new cookie
                 headers = None
                 if session.request['set_cookie']:
                     # send set-cookie headers back to response to update cookie
                     headers = [('Set-Cookie', session.request['cookie_out'])]
                 return headers
             def get_came_from(request):
                 came_from = safe_str(request.GET.get('came_from', ''))
                 parsed = urllib.parse.urlparse(came_from)
                 allowed_schemes = ['http', 'https']
                 default_came_from = h.route_path('home')
                 if parsed.scheme and parsed.scheme not in allowed_schemes:
                     log.error('Suspicious URL scheme detected %s for url %s',
                               parsed.scheme, parsed)
                     came_from = default_came_from
                 elif parsed.netloc and request.host != parsed.netloc:
                     log.error('Suspicious NETLOC detected %s for url %s server url '
                               'is: %s', parsed.netloc, parsed, request.host)
                     came_from = default_came_from
                 elif any(bad_char in came_from for bad_char in ('\r', '\n')):
                     log.error('Header injection detected `%s` for url %s server url ',
                               parsed.path, parsed)
                     came_from = default_came_from
                 return came_from or default_came_from
             class LoginView(BaseAppView):
                 def load_default_context(self):
                     c = self._get_local_tmpl_context()
                     c.came_from = get_came_from(self.request)
                     return c
                 def _get_captcha_data(self):
                     settings = SettingsModel().get_all_settings()
                     private_key = settings.get('rhodecode_captcha_private_key')
                     public_key = settings.get('rhodecode_captcha_public_key')
                     active = bool(private_key)
                     return CaptchaData(
                         active=active, private_key=private_key, public_key=public_key)
                 def validate_captcha(self, private_key):
                     captcha_rs = self.request.POST.get('g-recaptcha-response')
                     url = "https://www.google.com/recaptcha/api/siteverify"
                     params = {
                         'secret': private_key,
                         'response': captcha_rs,
                         'remoteip': get_ip_addr(self.request.environ)
                     }
                     verify_rs = requests.get(url, params=params, verify=True, timeout=60)
                     verify_rs = verify_rs.json()
                     captcha_status = verify_rs.get('success', False)
                     captcha_errors = verify_rs.get('error-codes', [])
                     if not isinstance(captcha_errors, list):
                         captcha_errors = [captcha_errors]
                     captcha_errors = ', '.join(captcha_errors)
                     captcha_message = ''
                     if captcha_status is False:
                         captcha_message = "Bad captcha. Errors: {}".format(
                             captcha_errors)
                     return captcha_status, captcha_message
                 def login(self):
                     c = self.load_default_context()
                     auth_user = self._rhodecode_user
                     # redirect if already logged in
                     if (auth_user.is_authenticated and
                             not auth_user.is_default and auth_user.ip_allowed):
                         raise HTTPFound(c.came_from)
                     # check if we use headers plugin, and try to login using it.
                     try:
                         log.debug('Running PRE-AUTH for headers based authentication')
                         auth_info = authenticate(
                             '', '', self.request.environ, HTTP_TYPE, skip_missing=True)
                         if auth_info:
                             headers = store_user_in_session(
                                 self.session, auth_info.get('username'))
                             raise HTTPFound(c.came_from, headers=headers)
                     except UserCreationError as e:
                         log.error(e)
                         h.flash(e, category='error')
                     return self._get_template_context(c)
                 def login_post(self):
                     c = self.load_default_context()
                     login_form = LoginForm(self.request.translate)()
                     try:
                         self.session.invalidate()
                         form_result = login_form.to_python(self.request.POST)
                         # form checks for username/password, now we're authenticated
                         headers = store_user_in_session(
                             self.session,
-                            username=form_result['username'],
+                            user_identifier=form_result['username'],
                             remember=form_result['remember'])
                         log.debug('Redirecting to "%s" after login.', c.came_from)
                         audit_user = audit_logger.UserWrap(
                             username=self.request.POST.get('username'),
                             ip_addr=self.request.remote_addr)
                         action_data = {'user_agent': self.request.user_agent}
                         audit_logger.store_web(
                             'user.login.success', action_data=action_data,
                             user=audit_user, commit=True)
                         raise HTTPFound(c.came_from, headers=headers)
                     except formencode.Invalid as errors:
                         defaults = errors.value
                         # remove password from filling in form again
                         defaults.pop('password', None)
                         render_ctx = {
                             'errors': errors.error_dict,
                             'defaults': defaults,
                         }
                         audit_user = audit_logger.UserWrap(
                             username=self.request.POST.get('username'),
                             ip_addr=self.request.remote_addr)
                         action_data = {'user_agent': self.request.user_agent}
                         audit_logger.store_web(
                             'user.login.failure', action_data=action_data,
                             user=audit_user, commit=True)
                         return self._get_template_context(c, **render_ctx)
                     except UserCreationError as e:
                         # headers auth or other auth functions that create users on
                         # the fly can throw this exception signaling that there's issue
                         # with user creation, explanation should be provided in
                         # Exception itself
                         h.flash(e, category='error')
                         return self._get_template_context(c)
                 @CSRFRequired()
                 def logout(self):
                     auth_user = self._rhodecode_user
                     log.info('Deleting session for user: `%s`', auth_user)
                     action_data = {'user_agent': self.request.user_agent}
                     audit_logger.store_web(
                         'user.logout', action_data=action_data,
                         user=auth_user, commit=True)
                     self.session.delete()
                     return HTTPFound(h.route_path('home'))
                 @HasPermissionAnyDecorator(
                     'hg.admin', 'hg.register.auto_activate', 'hg.register.manual_activate')
                 def register(self, defaults=None, errors=None):
                     c = self.load_default_context()
                     defaults = defaults or {}
                     errors = errors or {}
                     settings = SettingsModel().get_all_settings()
                     register_message = settings.get('rhodecode_register_message') or ''
                     captcha = self._get_captcha_data()
                     auto_active = 'hg.register.auto_activate' in User.get_default_user()\
                         .AuthUser().permissions['global']
                     render_ctx = self._get_template_context(c)
                     render_ctx.update({
                         'defaults': defaults,
                         'errors': errors,
                         'auto_active': auto_active,
                         'captcha_active': captcha.active,
                         'captcha_public_key': captcha.public_key,
                         'register_message': register_message,
                     })
                     return render_ctx
                 @HasPermissionAnyDecorator(
                     'hg.admin', 'hg.register.auto_activate', 'hg.register.manual_activate')
                 def register_post(self):
                     from rhodecode.authentication.plugins import auth_rhodecode
                     self.load_default_context()
                     captcha = self._get_captcha_data()
                     auto_active = 'hg.register.auto_activate' in User.get_default_user()\
                         .AuthUser().permissions['global']
                     extern_name = auth_rhodecode.RhodeCodeAuthPlugin.uid
                     extern_type = auth_rhodecode.RhodeCodeAuthPlugin.uid
                     register_form = RegisterForm(self.request.translate)()
                     try:
                         form_result = register_form.to_python(self.request.POST)
                         form_result['active'] = auto_active
                         external_identity = self.request.POST.get('external_identity')
                         if external_identity:
                             extern_name = external_identity
                             extern_type = external_identity
                         if captcha.active:
                             captcha_status, captcha_message = self.validate_captcha(
                                 captcha.private_key)
                             if not captcha_status:
                                 _value = form_result
                                 _msg = _('Bad captcha')
                                 error_dict = {'recaptcha_field': captcha_message}
                                 raise formencode.Invalid(
                                     _msg, _value, None, error_dict=error_dict)
                         new_user = UserModel().create_registration(
                             form_result, extern_name=extern_name, extern_type=extern_type)
                         action_data = {'data': new_user.get_api_data(),
                                        'user_agent': self.request.user_agent}
                         if external_identity:
                             action_data['external_identity'] = external_identity
                         audit_user = audit_logger.UserWrap(
                             username=new_user.username,
                             user_id=new_user.user_id,
                             ip_addr=self.request.remote_addr)
                         audit_logger.store_web(
                             'user.register', action_data=action_data,
                             user=audit_user)
                         event = UserRegistered(user=new_user, session=self.session)
                         trigger(event)
                         h.flash(
                             _('You have successfully registered with RhodeCode. You can log-in now.'),
                             category='success')
                         if external_identity:
                             h.flash(
                                 _('Please use the {identity} button to log-in').format(
                                     identity=external_identity),
                                 category='success')
                         Session().commit()
                         redirect_ro = self.request.route_path('login')
                         raise HTTPFound(redirect_ro)
                     except formencode.Invalid as errors:
                         errors.value.pop('password', None)
                         errors.value.pop('password_confirmation', None)
                         return self.register(
                             defaults=errors.value, errors=errors.error_dict)
                     except UserCreationError as e:
                         # container auth or other auth functions that create users on
                         # the fly can throw this exception signaling that there's issue
                         # with user creation, explanation should be provided in
                         # Exception itself
                         h.flash(e, category='error')
                         return self.register()
                 def password_reset(self):
                     c = self.load_default_context()
                     captcha = self._get_captcha_data()
                     template_context = {
                         'captcha_active': captcha.active,
                         'captcha_public_key': captcha.public_key,
                         'defaults': {},
                         'errors': {},
                     }
                     # always send implicit message to prevent from discovery of
                     # matching emails
                     msg = _('If such email exists, a password reset link was sent to it.')
                     def default_response():
                         log.debug('faking response on invalid password reset')
                         # make this take 2s, to prevent brute forcing.
                         time.sleep(2)
                         h.flash(msg, category='success')
                         return HTTPFound(self.request.route_path('reset_password'))
                     if self.request.POST:
                         if h.HasPermissionAny('hg.password_reset.disabled')():
                             _email = self.request.POST.get('email', '')
                             log.error('Failed attempt to reset password for `%s`.', _email)
                             h.flash(_('Password reset has been disabled.'), category='error')
                             return HTTPFound(self.request.route_path('reset_password'))
                         password_reset_form = PasswordResetForm(self.request.translate)()
                         description = 'Generated token for password reset from {}'.format(
                             datetime.datetime.now().isoformat())
                         try:
                             form_result = password_reset_form.to_python(
                                 self.request.POST)
                             user_email = form_result['email']
                             if captcha.active:
                                 captcha_status, captcha_message = self.validate_captcha(
                                     captcha.private_key)
                                 if not captcha_status:
                                     _value = form_result
                                     _msg = _('Bad captcha')
                                     error_dict = {'recaptcha_field': captcha_message}
                                     raise formencode.Invalid(
                                         _msg, _value, None, error_dict=error_dict)
                             # Generate reset URL and send mail.
                             user = User.get_by_email(user_email)
                             # only allow rhodecode based users to reset their password
                             # external auth shouldn't allow password reset
                             if user and user.extern_type != auth_rhodecode.RhodeCodeAuthPlugin.uid:
                                 log.warning('User %s with external type `%s` tried a password reset. '
                                             'This try was rejected', user, user.extern_type)
                                 return default_response()
                             # generate password reset token that expires in 10 minutes
                             reset_token = UserModel().add_auth_token(
                                 user=user, lifetime_minutes=10,
                                 role=UserModel.auth_token_role.ROLE_PASSWORD_RESET,
                                 description=description)
                             Session().commit()
                             log.debug('Successfully created password recovery token')
                             password_reset_url = self.request.route_url(
                                 'reset_password_confirmation',
                                 _query={'key': reset_token.api_key})
                             UserModel().reset_password_link(
                                 form_result, password_reset_url)
                             action_data = {'email': user_email,
                                            'user_agent': self.request.user_agent}
                             audit_logger.store_web(
                                 'user.password.reset_request', action_data=action_data,
                                 user=self._rhodecode_user, commit=True)
                             return default_response()
                         except formencode.Invalid as errors:
                             template_context.update({
                                 'defaults': errors.value,
                                 'errors': errors.error_dict,
                             })
                             if not self.request.POST.get('email'):
                                 # case of empty email, we want to report that
                                 return self._get_template_context(c, **template_context)
                             if 'recaptcha_field' in errors.error_dict:
                                 # case of failed captcha
                                 return self._get_template_context(c, **template_context)
                         return default_response()
                     return self._get_template_context(c, **template_context)
                 def password_reset_confirmation(self):
                     self.load_default_context()
                     if self.request.GET and self.request.GET.get('key'):
                         # make this take 2s, to prevent brute forcing.
                         time.sleep(2)
                         token = AuthTokenModel().get_auth_token(
                             self.request.GET.get('key'))
                         # verify token is the correct role
                         if token is None or token.role != UserApiKeys.ROLE_PASSWORD_RESET:
                             log.debug('Got token with role:%s expected is %s',
                                       getattr(token, 'role', 'EMPTY_TOKEN'),
                                       UserApiKeys.ROLE_PASSWORD_RESET)
                             h.flash(
                                 _('Given reset token is invalid'), category='error')
                             return HTTPFound(self.request.route_path('reset_password'))
                         try:
                             owner = token.user
                             data = {'email': owner.email, 'token': token.api_key}
                             UserModel().reset_password(data)
                             h.flash(
                                 _('Your password reset was successful, '
                                   'a new password has been sent to your email'),
                                 category='success')
                         except Exception as e:
                             log.error(e)
                             return HTTPFound(self.request.route_path('reset_password'))
                     return HTTPFound(self.request.route_path('login'))

rhodecode/authentication/base.py

0 +1 -5

             # Copyright (C) 2010-2023 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             """
             Authentication modules
             """
             import socket
             import string
             import colander
             import copy
             import logging
             import time
             import traceback
             import warnings
             import functools
             from pyramid.threadlocal import get_current_registry
             from rhodecode.authentication import AuthenticationPluginRegistry
             from rhodecode.authentication.interface import IAuthnPluginRegistry
             from rhodecode.authentication.schema import AuthnPluginSettingsSchemaBase
             from rhodecode.lib import rc_cache
             from rhodecode.lib.statsd_client import StatsdClient
             from rhodecode.lib.auth import PasswordGenerator, _RhodeCodeCryptoBCrypt
             from rhodecode.lib.str_utils import safe_bytes
             from rhodecode.lib.utils2 import safe_int, safe_str
             from rhodecode.lib.exceptions import (LdapConnectionError, LdapUsernameError, LdapPasswordError)
             from rhodecode.model.db import User
             from rhodecode.model.meta import Session
             from rhodecode.model.settings import SettingsModel
             from rhodecode.model.user import UserModel
             from rhodecode.model.user_group import UserGroupModel
             log = logging.getLogger(__name__)
             # auth types that authenticate() function can receive
             VCS_TYPE = 'vcs'
             HTTP_TYPE = 'http'
             external_auth_session_key = 'rhodecode.external_auth'
             class hybrid_property(object):
                 """
                 a property decorator that works both for instance and class
                 """
                 def __init__(self, fget, fset=None, fdel=None, expr=None):
                     self.fget = fget
                     self.fset = fset
                     self.fdel = fdel
                     self.expr = expr or fget
                     functools.update_wrapper(self, fget)
                 def __get__(self, instance, owner):
                     if instance is None:
                         return self.expr(owner)
                     else:
                         return self.fget(instance)
                 def __set__(self, instance, value):
                     self.fset(instance, value)
                 def __delete__(self, instance):
                     self.fdel(instance)
             class LazyFormencode(object):
                 def __init__(self, formencode_obj, *args, **kwargs):
                     self.formencode_obj = formencode_obj
                     self.args = args
                     self.kwargs = kwargs
                 def __call__(self, *args, **kwargs):
                     from inspect import isfunction
                     formencode_obj = self.formencode_obj
                     if isfunction(formencode_obj):
                         # case we wrap validators into functions
                         formencode_obj = self.formencode_obj(*args, **kwargs)
                     return formencode_obj(*self.args, **self.kwargs)
             class RhodeCodeAuthPluginBase(object):
                 # UID is used to register plugin to the registry
                 uid = None
                 # cache the authentication request for N amount of seconds. Some kind
                 # of authentication methods are very heavy and it's very efficient to cache
                 # the result of a call. If it's set to None (default) cache is off
                 AUTH_CACHE_TTL = None
                 AUTH_CACHE = {}
                 auth_func_attrs = {
                     "username": "unique username",
                     "firstname": "first name",
                     "lastname": "last name",
                     "email": "email address",
                     "groups": '["list", "of", "groups"]',
                     "user_group_sync":
                         'True|False defines if returned user groups should be synced',
                     "extern_name": "name in external source of record",
                     "extern_type": "type of external source of record",
                     "admin": 'True|False defines if user should be RhodeCode super admin',
                     "active":
                         'True|False defines active state of user internally for RhodeCode',
                     "active_from_extern":
                         "True|False|None, active state from the external auth, "
                         "None means use definition from RhodeCode extern_type active value"
                 }
                 # set on authenticate() method and via set_auth_type func.
                 auth_type = None
                 # set on authenticate() method and via set_calling_scope_repo, this is a
                 # calling scope repository when doing authentication most likely on VCS
                 # operations
                 acl_repo_name = None
                 # List of setting names to store encrypted. Plugins may override this list
                 # to store settings encrypted.
                 _settings_encrypted = []
                 # Mapping of python to DB settings model types. Plugins may override or
                 # extend this mapping.
                 _settings_type_map = {
                     colander.String: 'unicode',
                     colander.Integer: 'int',
                     colander.Boolean: 'bool',
                     colander.List: 'list',
                 }
                 # list of keys in settings that are unsafe to be logged, should be passwords
                 # or other crucial credentials
                 _settings_unsafe_keys = []
                 def __init__(self, plugin_id):
                     self._plugin_id = plugin_id
                 def __str__(self):
                     return self.get_id()
                 def _get_setting_full_name(self, name):
                     """
                     Return the full setting name used for storing values in the database.
                     """
                     # TODO: johbo: Using the name here is problematic. It would be good to
                     # introduce either new models in the database to hold Plugin and
                     # PluginSetting or to use the plugin id here.
                     return f'auth_{self.name}_{name}'
                 def _get_setting_type(self, name):
                     """
                     Return the type of a setting. This type is defined by the SettingsModel
                     and determines how the setting is stored in DB. Optionally the suffix
                     `.encrypted` is appended to instruct SettingsModel to store it
                     encrypted.
                     """
                     schema_node = self.get_settings_schema().get(name)
                     db_type = self._settings_type_map.get(
                         type(schema_node.typ), 'unicode')
                     if name in self._settings_encrypted:
                         db_type = f'{db_type}.encrypted'
                     return db_type
                 @classmethod
                 def docs(cls):
                     """
                     Defines documentation url which helps with plugin setup
                     """
                     return ''
                 @classmethod
                 def icon(cls):
                     """
                     Defines ICON in SVG format for authentication method
                     """
                     return ''
                 def is_enabled(self):
                     """
                     Returns true if this plugin is enabled. An enabled plugin can be
                     configured in the admin interface but it is not consulted during
                     authentication.
                     """
                     auth_plugins = SettingsModel().get_auth_plugins()
                     return self.get_id() in auth_plugins
                 def is_active(self, plugin_cached_settings=None):
                     """
                     Returns true if the plugin is activated. An activated plugin is
                     consulted during authentication, assumed it is also enabled.
                     """
                     return self.get_setting_by_name(
                         'enabled', plugin_cached_settings=plugin_cached_settings)
                 def get_id(self):
                     """
                     Returns the plugin id.
                     """
                     return self._plugin_id
                 def get_display_name(self, load_from_settings=False):
                     """
                     Returns a translation string for displaying purposes.
                     if load_from_settings is set, plugin settings can override the display name
                     """
                     raise NotImplementedError('Not implemented in base class')
                 def get_settings_schema(self):
                     """
                     Returns a colander schema, representing the plugin settings.
                     """
                     return AuthnPluginSettingsSchemaBase()
                 def _propagate_settings(self, raw_settings):
                     settings = {}
                     for node in self.get_settings_schema():
                         settings[node.name] = self.get_setting_by_name(
                             node.name, plugin_cached_settings=raw_settings)
                     return settings
                 def get_settings(self, use_cache=True):
                     """
                     Returns the plugin settings as dictionary.
                     """
                     raw_settings = SettingsModel().get_all_settings(cache=use_cache)
                     settings = self._propagate_settings(raw_settings)
                     return settings
                 def get_setting_by_name(self, name, default=None, plugin_cached_settings=None):
                     """
                     Returns a plugin setting by name.
                     """
                     full_name = f'rhodecode_{self._get_setting_full_name(name)}'
                     if plugin_cached_settings:
                         plugin_settings = plugin_cached_settings
                     else:
                         plugin_settings = SettingsModel().get_all_settings()
                     if full_name in plugin_settings:
                         return plugin_settings[full_name]
                     else:
                         return default
                 def create_or_update_setting(self, name, value):
                     """
                     Create or update a setting for this plugin in the persistent storage.
                     """
                     full_name = self._get_setting_full_name(name)
                     type_ = self._get_setting_type(name)
                     db_setting = SettingsModel().create_or_update_setting(
                         full_name, value, type_)
                     return db_setting.app_settings_value
                 def log_safe_settings(self, settings):
                     """
                     returns a log safe representation of settings, without any secrets
                     """
                     settings_copy = copy.deepcopy(settings)
                     for k in self._settings_unsafe_keys:
                         if k in settings_copy:
                             del settings_copy[k]
                     return settings_copy
                 @hybrid_property
                 def name(self):
                     """
                     Returns the name of this authentication plugin.
                     :returns: string
                     """
                     raise NotImplementedError("Not implemented in base class")
                 def get_url_slug(self):
                     """
                     Returns a slug which should be used when constructing URLs which refer
                     to this plugin. By default it returns the plugin name. If the name is
                     not suitable for using it in an URL the plugin should override this
                     method.
                     """
                     return self.name
                 @property
                 def is_headers_auth(self):
                     """
                     Returns True if this authentication plugin uses HTTP headers as
                     authentication method.
                     """
                     return False
                 @hybrid_property
                 def is_container_auth(self):
                     """
                     Deprecated method that indicates if this authentication plugin uses
                     HTTP headers as authentication method.
                     """
                     warnings.warn(
                         'Use is_headers_auth instead.', category=DeprecationWarning)
                     return self.is_headers_auth
                 @hybrid_property
                 def allows_creating_users(self):
                     """
                     Defines if Plugin allows users to be created on-the-fly when
                     authentication is called. Controls how external plugins should behave
                     in terms if they are allowed to create new users, or not. Base plugins
                     should not be allowed to, but External ones should be !
                     :return: bool
                     """
                     return False
                 def set_auth_type(self, auth_type):
                     self.auth_type = auth_type
                 def set_calling_scope_repo(self, acl_repo_name):
                     self.acl_repo_name = acl_repo_name
                 def allows_authentication_from(
                         self, user, allows_non_existing_user=True,
                         allowed_auth_plugins=None, allowed_auth_sources=None):
                     """
                     Checks if this authentication module should accept a request for
                     the current user.
                     :param user: user object fetched using plugin's get_user() method.
                     :param allows_non_existing_user: if True, don't allow the
                         user to be empty, meaning not existing in our database
                     :param allowed_auth_plugins: if provided, users extern_type will be
                         checked against a list of provided extern types, which are plugin
                         auth_names in the end
                     :param allowed_auth_sources: authentication type allowed,
                         `http` or `vcs` default is both.
                         defines if plugin will accept only http authentication vcs
                         authentication(git/hg) or both
                     :returns: boolean
                     """
                     if not user and not allows_non_existing_user:
                         log.debug('User is empty but plugin does not allow empty users,'
                                   'not allowed to authenticate')
                         return False
                     expected_auth_plugins = allowed_auth_plugins or [self.name]
                     if user and (user.extern_type and
                                  user.extern_type not in expected_auth_plugins):
                         log.debug(
                             'User `%s` is bound to `%s` auth type. Plugin allows only '
                             '%s, skipping', user, user.extern_type, expected_auth_plugins)
                         return False
                     # by default accept both
                     expected_auth_from = allowed_auth_sources or [HTTP_TYPE, VCS_TYPE]
                     if self.auth_type not in expected_auth_from:
                         log.debug('Current auth source is %s but plugin only allows %s',
                                   self.auth_type, expected_auth_from)
                         return False
                     return True
                 def get_user(self, username=None, **kwargs):
                     """
                     Helper method for user fetching in plugins, by default it's using
                     simple fetch by username, but this method can be customized in plugins
                     eg. headers auth plugin to fetch user by environ params
                     :param username: username if given to fetch from database
                     :param kwargs: extra arguments needed for user fetching.
                     """
                     user = None
                     log.debug(
                         'Trying to fetch user `%s` from RhodeCode database', username)
                     if username:
-                        user = User.get_by_username(username)
+                        user = User.get_by_username_or_primary_email(username)
-                        if not user:
-                            log.debug('User not found, fallback to fetch user in '
-                                      'case insensitive mode')
-                            user = User.get_by_username(username, case_insensitive=True)
                     else:
                         log.debug('provided username:`%s` is empty skipping...', username)
                     if not user:
                         log.debug('User `%s` not found in database', username)
                     else:
                         log.debug('Got DB user:%s', user)
                     return user
                 def user_activation_state(self):
                     """
                     Defines user activation state when creating new users
                     :returns: boolean
                     """
                     raise NotImplementedError("Not implemented in base class")
                 def auth(self, userobj, username, passwd, settings, **kwargs):
                     """
                     Given a user object (which may be null), username, a plaintext
                     password, and a settings object (containing all the keys needed as
                     listed in settings()), authenticate this user's login attempt.
                     Return None on failure. On success, return a dictionary of the form:
                         see: RhodeCodeAuthPluginBase.auth_func_attrs
                     This is later validated for correctness
                     """
                     raise NotImplementedError("not implemented in base class")
                 def _authenticate(self, userobj, username, passwd, settings, **kwargs):
                     """
                     Wrapper to call self.auth() that validates call on it
                     :param userobj: userobj
                     :param username: username
                     :param passwd: plaintext password
                     :param settings: plugin settings
                     """
                     auth = self.auth(userobj, username, passwd, settings, **kwargs)
                     if auth:
                         auth['_plugin'] = self.name
                         auth['_ttl_cache'] = self.get_ttl_cache(settings)
                         # check if hash should be migrated ?
                         new_hash = auth.get('_hash_migrate')
                         if new_hash:
                             # new_hash is a newly encrypted destination hash
                             self._migrate_hash_to_bcrypt(username, passwd, new_hash)
                         if 'user_group_sync' not in auth:
                             auth['user_group_sync'] = False
                         return self._validate_auth_return(auth)
                     return auth
                 def _migrate_hash_to_bcrypt(self, username, password, new_hash):
                     new_hash_cypher = _RhodeCodeCryptoBCrypt()
                     # extra checks, so make sure new hash is correct.
                     password_as_bytes = safe_bytes(password)
                     if new_hash and new_hash_cypher.hash_check(password_as_bytes, new_hash):
                         cur_user = User.get_by_username(username)
                         cur_user.password = new_hash
                         Session().add(cur_user)
                         Session().flush()
                         log.info('Migrated user %s hash to bcrypt', cur_user)
                 def _validate_auth_return(self, ret):
                     if not isinstance(ret, dict):
                         raise Exception('returned value from auth must be a dict')
                     for k in self.auth_func_attrs:
                         if k not in ret:
                             raise Exception('Missing %s attribute from returned data' % k)
                     return ret
                 def get_ttl_cache(self, settings=None):
                     plugin_settings = settings or self.get_settings()
                     # we set default to 30, we make a compromise here,
                     # performance > security, mostly due to LDAP/SVN, majority
                     # of users pick cache_ttl to be enabled
                     from rhodecode.authentication import plugin_default_auth_ttl
                     cache_ttl = plugin_default_auth_ttl
                     if isinstance(self.AUTH_CACHE_TTL, int):
                         # plugin cache set inside is more important than the settings value
                         cache_ttl = self.AUTH_CACHE_TTL
                     elif 'cache_ttl' in plugin_settings:
                         cache_ttl = safe_int(plugin_settings.get('cache_ttl'), 0)
                     plugin_cache_active = bool(cache_ttl and cache_ttl > 0)
                     return plugin_cache_active, cache_ttl
             class RhodeCodeExternalAuthPlugin(RhodeCodeAuthPluginBase):
                 @hybrid_property
                 def allows_creating_users(self):
                     return True
                 def use_fake_password(self):
                     """
                     Return a boolean that indicates whether or not we should set the user's
                     password to a random value when it is authenticated by this plugin.
                     If your plugin provides authentication, then you will generally
                     want this.
                     :returns: boolean
                     """
                     raise NotImplementedError("Not implemented in base class")
                 def _authenticate(self, userobj, username, passwd, settings, **kwargs):
                     # at this point _authenticate calls plugin's `auth()` function
                     auth = super()._authenticate(
                         userobj, username, passwd, settings, **kwargs)
                     if auth:
                         # maybe plugin will clean the username ?
                         # we should use the return value
                         username = auth['username']
                         # if external source tells us that user is not active, we should
                         # skip rest of the process. This can prevent from creating users in
                         # RhodeCode when using external authentication, but if it's
                         # inactive user we shouldn't create that user anyway
                         if auth['active_from_extern'] is False:
                             log.warning(
                                 "User %s authenticated against %s, but is inactive",
                                 username, self.__module__)
                             return None
                         cur_user = User.get_by_username(username, case_insensitive=True)
                         is_user_existing = cur_user is not None
                         if is_user_existing:
                             log.debug('Syncing user `%s` from '
                                       '`%s` plugin', username, self.name)
                         else:
                             log.debug('Creating non existing user `%s` from '
                                       '`%s` plugin', username, self.name)
                         if self.allows_creating_users:
                             log.debug('Plugin `%s` allows to '
                                       'create new users', self.name)
                         else:
                             log.debug('Plugin `%s` does not allow to '
                                       'create new users', self.name)
                         user_parameters = {
                             'username': username,
                             'email': auth["email"],
                             'firstname': auth["firstname"],
                             'lastname': auth["lastname"],
                             'active': auth["active"],
                             'admin': auth["admin"],
                             'extern_name': auth["extern_name"],
                             'extern_type': self.name,
                             'plugin': self,
                             'allow_to_create_user': self.allows_creating_users,
                         }
                         if not is_user_existing:
                             if self.use_fake_password():
                                 # Randomize the PW because we don't need it, but don't want
                                 # them blank either
                                 passwd = PasswordGenerator().gen_password(length=16)
                             user_parameters['password'] = passwd
                         else:
                             # Since the password is required by create_or_update method of
                             # UserModel, we need to set it explicitly.
                             # The create_or_update method is smart and recognises the
                             # password hashes as well.
                             user_parameters['password'] = cur_user.password
                         # we either create or update users, we also pass the flag
                         # that controls if this method can actually do that.
                         # raises NotAllowedToCreateUserError if it cannot, and we try to.
                         user = UserModel().create_or_update(**user_parameters)
                         Session().flush()
                         # enforce user is just in given groups, all of them has to be ones
                         # created from plugins. We store this info in _group_data JSON
                         # field
                         if auth['user_group_sync']:
                             try:
                                 groups = auth['groups'] or []
                                 log.debug(
                                     'Performing user_group sync based on set `%s` '
                                     'returned by `%s` plugin', groups, self.name)
                                 UserGroupModel().enforce_groups(user, groups, self.name)
                             except Exception:
                                 # for any reason group syncing fails, we should
                                 # proceed with login
                                 log.error(traceback.format_exc())
                         Session().commit()
                     return auth
             class AuthLdapBase(object):
                 @classmethod
                 def _build_servers(cls, ldap_server_type, ldap_server, port, use_resolver=True):
                     def host_resolver(host, port, full_resolve=True):
                         """
                         Main work for this function is to prevent ldap connection issues,
                         and detect them early using a "greenified" sockets
                         """
                         host = host.strip()
                         if not full_resolve:
                             return f'{host}:{port}'
                         log.debug('LDAP: Resolving IP for LDAP host `%s`', host)
                         try:
                             ip = socket.gethostbyname(host)
                             log.debug('LDAP: Got LDAP host `%s` ip %s', host, ip)
                         except Exception:
                             raise LdapConnectionError(f'Failed to resolve host: `{host}`')
                         log.debug('LDAP: Checking if IP %s is accessible', ip)
                         s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
                         try:
                             s.connect((ip, int(port)))
                             s.shutdown(socket.SHUT_RD)
                             log.debug('LDAP: connection to %s successful', ip)
                         except Exception:
                             raise LdapConnectionError(
                                 f'Failed to connect to host: `{host}:{port}`')
                         return f'{host}:{port}'
                     if len(ldap_server) == 1:
                         # in case of single server use resolver to detect potential
                         # connection issues
                         full_resolve = True
                     else:
                         full_resolve = False
                     return ', '.join(
                         ["{}://{}".format(
                             ldap_server_type,
                             host_resolver(host, port, full_resolve=use_resolver and full_resolve))
                          for host in ldap_server])
                 @classmethod
                 def _get_server_list(cls, servers):
                     return [s.strip() for s in servers.split(',')]
                 @classmethod
                 def get_uid(cls, username, server_addresses):
                     uid = username
                     for server_addr in server_addresses:
                         uid = chop_at(username, "@%s" % server_addr)
                     return uid
                 @classmethod
                 def validate_username(cls, username):
                     if "," in username:
                         raise LdapUsernameError(
                             f"invalid character `,` in username: `{username}`")
                 @classmethod
                 def validate_password(cls, username, password):
                     if not password:
                         msg = "Authenticating user %s with blank password not allowed"
                         log.warning(msg, username)
                         raise LdapPasswordError(msg)
             def loadplugin(plugin_id):
                 """
                 Loads and returns an instantiated authentication plugin.
                 Returns the RhodeCodeAuthPluginBase subclass on success,
                 or None on failure.
                 """
                 # TODO: Disusing pyramids thread locals to retrieve the registry.
                 authn_registry = get_authn_registry()
                 plugin = authn_registry.get_plugin(plugin_id)
                 if plugin is None:
                     log.error('Authentication plugin not found: "%s"', plugin_id)
                 return plugin
             def get_authn_registry(registry=None) -> AuthenticationPluginRegistry:
                 registry = registry or get_current_registry()
                 authn_registry = registry.queryUtility(IAuthnPluginRegistry)
                 return authn_registry
             def authenticate(username, password, environ=None, auth_type=None,
                              skip_missing=False, registry=None, acl_repo_name=None):
                 """
                 Authentication function used for access control,
                 It tries to authenticate based on enabled authentication modules.
                 :param username: username can be empty for headers auth
                 :param password: password can be empty for headers auth
                 :param environ: environ headers passed for headers auth
                 :param auth_type: type of authentication, either `HTTP_TYPE` or `VCS_TYPE`
                 :param skip_missing: ignores plugins that are in db but not in environment
                 :param registry: pyramid registry
                 :param acl_repo_name: name of repo for ACL checks
                 :returns: None if auth failed, plugin_user dict if auth is correct
                 """
                 if not auth_type or auth_type not in [HTTP_TYPE, VCS_TYPE]:
                     raise ValueError(f'auth type must be on of http, vcs got "{auth_type}" instead')
                 auth_credentials = (username and password)
                 headers_only = environ and not auth_credentials
                 authn_registry = get_authn_registry(registry)
                 plugins_to_check = authn_registry.get_plugins_for_authentication()
                 log.debug('authentication: headers=%s, username_and_passwd=%s', headers_only, bool(auth_credentials))
                 log.debug('Starting ordered authentication chain using %s plugins',
                           [x.name for x in plugins_to_check])
                 for plugin in plugins_to_check:
                     plugin.set_auth_type(auth_type)
                     plugin.set_calling_scope_repo(acl_repo_name)
                     if headers_only and not plugin.is_headers_auth:
                         log.debug('Auth type is for headers only and plugin `%s` is not '
                                   'headers plugin, skipping...', plugin.get_id())
                         continue
                     log.debug('Trying authentication using ** %s **', plugin.get_id())
                     # load plugin settings from RhodeCode database
                     plugin_settings = plugin.get_settings()
                     plugin_sanitized_settings = plugin.log_safe_settings(plugin_settings)
                     log.debug('Plugin `%s` settings:%s', plugin.get_id(), plugin_sanitized_settings)
                     # use plugin's method of user extraction.
                     user = plugin.get_user(username, environ=environ,
                                            settings=plugin_settings)
                     display_user = user.username if user else username
                     log.debug(
                         'Plugin %s extracted user is `%s`', plugin.get_id(), display_user)
                     if not plugin.allows_authentication_from(user):
                         log.debug('Plugin %s does not accept user `%s` for authentication',
                                   plugin.get_id(), display_user)
                         continue
                     else:
                         log.debug('Plugin %s accepted user `%s` for authentication',
                                   plugin.get_id(), display_user)
                     log.info('Authenticating user `%s` using %s plugin',
                              display_user, plugin.get_id())
                     plugin_cache_active, cache_ttl = plugin.get_ttl_cache(plugin_settings)
                     log.debug('AUTH_CACHE_TTL for plugin `%s` active: %s (TTL: %s)',
                               plugin.get_id(), plugin_cache_active, cache_ttl)
                     user_id = user.user_id if user else 'no-user'
                     # don't cache for empty users
                     plugin_cache_active = plugin_cache_active and user_id
                     cache_namespace_uid = f'cache_user_auth.{rc_cache.PERMISSIONS_CACHE_VER}.{user_id}'
                     region = rc_cache.get_or_create_region('cache_perms', cache_namespace_uid)
                     @region.conditional_cache_on_arguments(namespace=cache_namespace_uid,
                                                            expiration_time=cache_ttl,
                                                            condition=plugin_cache_active)
                     def compute_auth(
                             cache_name, plugin_name, username, password):
                         # _authenticate is a wrapper for .auth() method of plugin.
                         # it checks if .auth() sends proper data.
                         # For RhodeCodeExternalAuthPlugin it also maps users to
                         # Database and maps the attributes returned from .auth()
                         # to RhodeCode database. If this function returns data
                         # then auth is correct.
                         log.debug('Running plugin `%s` _authenticate method '
                                   'using username and password', plugin.get_id())
                         return plugin._authenticate(
                             user, username, password, plugin_settings,
                             environ=environ or {})
                     start = time.time()
                     # for environ based auth, password can be empty, but then the validation is
                     # on the server that fills in the env data needed for authentication
                     plugin_user = compute_auth('auth', plugin.name, username, (password or ''))
                     auth_time = time.time() - start
                     log.debug('Authentication for plugin `%s` completed in %.4fs, '
                               'expiration time of fetched cache %.1fs.',
                               plugin.get_id(), auth_time, cache_ttl,
                               extra={"plugin": plugin.get_id(), "time": auth_time})
                     log.debug('PLUGIN USER DATA: %s', plugin_user)
                     statsd = StatsdClient.statsd
                     if plugin_user:
                         log.debug('Plugin returned proper authentication data')
                         if statsd:
                             elapsed_time_ms = round(1000.0 * auth_time)  # use ms only
                             statsd.incr('rhodecode_login_success_total')
                             statsd.timing("rhodecode_login_timing.histogram", elapsed_time_ms,
                                           tags=[f"plugin:{plugin.get_id()}"],
                                           use_decimals=False
                             )
                         return plugin_user
                     # we failed to Auth because .auth() method didn't return proper user
                     log.debug("User `%s` failed to authenticate against %s",
                               display_user, plugin.get_id())
                     if statsd:
                         statsd.incr('rhodecode_login_fail_total')
                 # case when we failed to authenticate against all defined plugins
                 return None
             def chop_at(s, sub, inclusive=False):
                 """Truncate string ``s`` at the first occurrence of ``sub``.
                 If ``inclusive`` is true, truncate just after ``sub`` rather than at it.
                 >>> chop_at("plutocratic brats", "rat")
                 'plutoc'
                 >>> chop_at("plutocratic brats", "rat", True)
                 'plutocrat'
                 """
                 pos = s.find(sub)
                 if pos == -1:
                     return s
                 if inclusive:
                     return s[:pos+len(sub)]
                 return s[:pos]

rhodecode/authentication/plugins/auth_rhodecode.py

0 +1 -1

             # Copyright (C) 2012-2023 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             """
             RhodeCode authentication plugin for built in internal auth
             """
             import logging
             import colander
             from rhodecode.translation import _
             from rhodecode.lib.utils2 import safe_bytes
             from rhodecode.model.db import User
             from rhodecode.authentication.schema import AuthnPluginSettingsSchemaBase
             from rhodecode.authentication.base import (
                 RhodeCodeAuthPluginBase, hybrid_property, HTTP_TYPE, VCS_TYPE)
             from rhodecode.authentication.routes import AuthnPluginResourceBase
             log = logging.getLogger(__name__)
             def plugin_factory(plugin_id, *args, **kwargs):
                 plugin = RhodeCodeAuthPlugin(plugin_id)
                 return plugin
             class RhodecodeAuthnResource(AuthnPluginResourceBase):
                 pass
             class RhodeCodeAuthPlugin(RhodeCodeAuthPluginBase):
                 uid = 'rhodecode'
                 AUTH_RESTRICTION_NONE = 'user_all'
                 AUTH_RESTRICTION_SUPER_ADMIN = 'user_super_admin'
                 AUTH_RESTRICTION_SCOPE_ALL = 'scope_all'
                 AUTH_RESTRICTION_SCOPE_HTTP = 'scope_http'
                 AUTH_RESTRICTION_SCOPE_VCS = 'scope_vcs'
                 def includeme(self, config):
                     config.add_authn_plugin(self)
                     config.add_authn_resource(self.get_id(), RhodecodeAuthnResource(self))
                     config.add_view(
                         'rhodecode.authentication.views.AuthnPluginViewBase',
                         attr='settings_get',
                         renderer='rhodecode:templates/admin/auth/plugin_settings.mako',
                         request_method='GET',
                         route_name='auth_home',
                         context=RhodecodeAuthnResource)
                     config.add_view(
                         'rhodecode.authentication.views.AuthnPluginViewBase',
                         attr='settings_post',
                         renderer='rhodecode:templates/admin/auth/plugin_settings.mako',
                         request_method='POST',
                         route_name='auth_home',
                         context=RhodecodeAuthnResource)
                 def get_settings_schema(self):
                     return RhodeCodeSettingsSchema()
                 def get_display_name(self, load_from_settings=False):
                     return _('RhodeCode Internal')
                 @classmethod
                 def docs(cls):
                     return "https://docs.rhodecode.com/RhodeCode-Enterprise/auth/auth.html"
                 @hybrid_property
                 def name(self):
                     return "rhodecode"
                 def user_activation_state(self):
                     def_user_perms = User.get_default_user().AuthUser().permissions['global']
                     return 'hg.register.auto_activate' in def_user_perms
                 def allows_authentication_from(
                         self, user, allows_non_existing_user=True,
                         allowed_auth_plugins=None, allowed_auth_sources=None):
                     """
                     Custom method for this auth that doesn't accept non existing users.
                     We know that user exists in our database.
                     """
                     allows_non_existing_user = False
                     return super().allows_authentication_from(
                         user, allows_non_existing_user=allows_non_existing_user)
                 def auth(self, userobj, username, password, settings, **kwargs):
                     if not userobj:
                         log.debug('userobj was:%s skipping', userobj)
                         return None
                     if userobj.extern_type != self.name:
                         log.warning("userobj:%s extern_type mismatch got:`%s` expected:`%s`",
                                     userobj, userobj.extern_type, self.name)
                         return None
                     # check scope of auth
                     scope_restriction = settings.get('scope_restriction', '')
                     if scope_restriction == self.AUTH_RESTRICTION_SCOPE_HTTP \
                             and self.auth_type != HTTP_TYPE:
                         log.warning("userobj:%s tried scope type %s and scope restriction is set to %s",
                                     userobj, self.auth_type, scope_restriction)
                         return None
                     if scope_restriction == self.AUTH_RESTRICTION_SCOPE_VCS \
                             and self.auth_type != VCS_TYPE:
                         log.warning("userobj:%s tried scope type %s and scope restriction is set to %s",
                                     userobj, self.auth_type, scope_restriction)
                         return None
                     # check super-admin restriction
                     auth_restriction = settings.get('auth_restriction', '')
                     if auth_restriction == self.AUTH_RESTRICTION_SUPER_ADMIN \
                             and userobj.admin is False:
                         log.warning("userobj:%s is not super-admin and auth restriction is set to %s",
                                     userobj, auth_restriction)
                         return None
                     user_attrs = {
                         "username": userobj.username,
                         "firstname": userobj.firstname,
                         "lastname": userobj.lastname,
                         "groups": [],
                         'user_group_sync': False,
                         "email": userobj.email,
                         "admin": userobj.admin,
                         "active": userobj.active,
                         "active_from_extern": userobj.active,
                         "extern_name": userobj.user_id,
                         "extern_type": userobj.extern_type,
                     }
                     log.debug("User attributes:%s", user_attrs)
                     if userobj.active:
                         from rhodecode.lib import auth
                         crypto_backend = auth.crypto_backend()
                         password_encoded = safe_bytes(password)
                         password_match, new_hash = crypto_backend.hash_check_with_upgrade(
                             password_encoded, userobj.password or '')
                         if password_match and new_hash:
                             log.debug('user %s properly authenticated, but '
                                       'requires hash change to bcrypt', userobj)
                             # if password match, and we use OLD deprecated hash,
                             # we should migrate this user hash password to the new hash
                             # we store the new returned by hash_check_with_upgrade function
                             user_attrs['_hash_migrate'] = new_hash
                         if userobj.username == User.DEFAULT_USER and userobj.active:
                             log.info('user `%s` authenticated correctly as anonymous user',
                                      userobj.username,
                                      extra={"action": "user_auth_ok", "auth_module": "auth_rhodecode_anon", "username": userobj.username})
                             return user_attrs
-                        elif userobj.username == username and password_match:
+                        elif (userobj.username == username or userobj.email == username) and password_match:
                             log.info('user `%s` authenticated correctly', userobj.username,
                                      extra={"action": "user_auth_ok", "auth_module": "auth_rhodecode", "username": userobj.username})
                             return user_attrs
                         log.warning("user `%s` used a wrong password when "
                                     "authenticating on this plugin", userobj.username)
                         return None
                     else:
                         log.warning('user `%s` failed to authenticate via %s, reason: account not '
                                     'active.', username, self.name)
                         return None
             class RhodeCodeSettingsSchema(AuthnPluginSettingsSchemaBase):
                 auth_restriction_choices = [
                     (RhodeCodeAuthPlugin.AUTH_RESTRICTION_NONE, 'All users'),
                     (RhodeCodeAuthPlugin.AUTH_RESTRICTION_SUPER_ADMIN, 'Super admins only'),
                 ]
                 auth_scope_choices = [
                     (RhodeCodeAuthPlugin.AUTH_RESTRICTION_SCOPE_ALL, 'HTTP and VCS'),
                     (RhodeCodeAuthPlugin.AUTH_RESTRICTION_SCOPE_HTTP, 'HTTP only'),
                 ]
                 auth_restriction = colander.SchemaNode(
                     colander.String(),
                     default=auth_restriction_choices[0],
                     description=_('Allowed user types for authentication using this plugin.'),
                     title=_('User restriction'),
                     validator=colander.OneOf([x[0] for x in auth_restriction_choices]),
                     widget='select_with_labels',
                     choices=auth_restriction_choices
                 )
                 scope_restriction = colander.SchemaNode(
                     colander.String(),
                     default=auth_scope_choices[0],
                     description=_('Allowed protocols for authentication using this plugin. '
                                   'VCS means GIT/HG/SVN. HTTP is web based login.'),
                     title=_('Scope restriction'),
                     validator=colander.OneOf([x[0] for x in auth_scope_choices]),
                     widget='select_with_labels',
                     choices=auth_scope_choices
                 )
             def includeme(config):
                 plugin_id = f'egg:rhodecode-enterprise-ce#{RhodeCodeAuthPlugin.uid}'
                 plugin_factory(plugin_id).includeme(config)

rhodecode/model/db.py

0 +7 -1

             # Copyright (C) 2010-2023 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             """
             Database Models for RhodeCode Enterprise
             """
             import re
             import os
             import time
             import string
             import logging
             import datetime
             import uuid
             import warnings
             import ipaddress
             import functools
             import traceback
             import collections
             from sqlalchemy import (
                 or_, and_, not_, func, cast, TypeDecorator, event, select,
-                true, false, null,
+                true, false, null, union_all,
                 Index, Sequence, UniqueConstraint, ForeignKey, CheckConstraint, Column,
                 Boolean, String, Unicode, UnicodeText, DateTime, Integer, LargeBinary,
                 Text, Float, PickleType, BigInteger)
             from sqlalchemy.sql.expression import case
             from sqlalchemy.sql.functions import coalesce, count  # pragma: no cover
             from sqlalchemy.orm import (
                 relationship, lazyload, joinedload, class_mapper, validates, aliased, load_only)
             from sqlalchemy.ext.declarative import declared_attr
             from sqlalchemy.ext.hybrid import hybrid_property
             from sqlalchemy.exc import IntegrityError  # pragma: no cover
             from sqlalchemy.dialects.mysql import LONGTEXT
             from zope.cachedescriptors.property import Lazy as LazyProperty
             from pyramid.threadlocal import get_current_request
             from webhelpers2.text import remove_formatting
             from rhodecode.lib.str_utils import safe_bytes
             from rhodecode.translation import _
             from rhodecode.lib.vcs import get_vcs_instance, VCSError
             from rhodecode.lib.vcs.backends.base import (
                 EmptyCommit, Reference, unicode_to_reference, reference_to_unicode)
             from rhodecode.lib.utils2 import (
                 str2bool, safe_str, get_commit_safe, sha1_safe,
                 time_to_datetime, aslist, Optional, safe_int, get_clone_url, AttributeDict,
                 glob2re, StrictAttributeDict, cleaned_uri, datetime_to_time)
             from rhodecode.lib.jsonalchemy import (
                 MutationObj, MutationList, JsonType, JsonRaw)
             from rhodecode.lib.hash_utils import sha1
             from rhodecode.lib import ext_json
             from rhodecode.lib import enc_utils
             from rhodecode.lib.ext_json import json, str_json
             from rhodecode.lib.caching_query import FromCache
             from rhodecode.lib.exceptions import (
                 ArtifactMetadataDuplicate, ArtifactMetadataBadValueType)
             from rhodecode.model.meta import Base, Session
             URL_SEP = '/'
             log = logging.getLogger(__name__)
             # =============================================================================
             # BASE CLASSES
             # =============================================================================
             # this is propagated from .ini file rhodecode.encrypted_values.secret or
             # beaker.session.secret if first is not set.
             # and initialized at environment.py
             ENCRYPTION_KEY: bytes = b''
             # used to sort permissions by types, '#' used here is not allowed to be in
             # usernames, and it's very early in sorted string.printable table.
             PERMISSION_TYPE_SORT = {
                 'admin': '####',
                 'write': '###',
                 'read':  '##',
                 'none':  '#',
             }
             def display_user_sort(obj):
                 """
                 Sort function used to sort permissions in .permissions() function of
                 Repository, RepoGroup, UserGroup. Also it put the default user in front
                 of all other resources
                 """
                 if obj.username == User.DEFAULT_USER:
                     return '#####'
                 prefix = PERMISSION_TYPE_SORT.get(obj.permission.split('.')[-1], '')
                 extra_sort_num = '1'  # default
                 # NOTE(dan): inactive duplicates goes last
                 if getattr(obj, 'duplicate_perm', None):
                     extra_sort_num = '9'
                 return prefix + extra_sort_num + obj.username
             def display_user_group_sort(obj):
                 """
                 Sort function used to sort permissions in .permissions() function of
                 Repository, RepoGroup, UserGroup. Also it put the default user in front
                 of all other resources
                 """
                 prefix = PERMISSION_TYPE_SORT.get(obj.permission.split('.')[-1], '')
                 return prefix + obj.users_group_name
             def _hash_key(k):
                 return sha1_safe(k)
             def in_filter_generator(qry, items, limit=500):
                 """
                 Splits IN() into multiple with OR
                 e.g.::
                 cnt = Repository.query().filter(
                     or_(
                         *in_filter_generator(Repository.repo_id, range(100000))
                     )).count()
                 """
                 if not items:
                     # empty list will cause empty query which might cause security issues
                     # this can lead to hidden unpleasant results
                     items = [-1]
                 parts = []
                 for chunk in range(0, len(items), limit):
                     parts.append(
                         qry.in_(items[chunk: chunk + limit])
                     )
                 return parts
             base_table_args = {
                 'extend_existing': True,
                 'mysql_engine': 'InnoDB',
                 'mysql_charset': 'utf8',
                 'sqlite_autoincrement': True
             }
             class EncryptedTextValue(TypeDecorator):
                 """
                 Special column for encrypted long text data, use like::
                     value = Column("encrypted_value", EncryptedValue(), nullable=False)
                 This column is intelligent so if value is in unencrypted form it return
                 unencrypted form, but on save it always encrypts
                 """
                 cache_ok = True
                 impl = Text
                 def process_bind_param(self, value, dialect):
                     """
                     Setter for storing value
                     """
                     import rhodecode
                     if not value:
                         return value
                     # protect against double encrypting if values is already encrypted
                     if value.startswith('enc$aes$') \
                             or value.startswith('enc$aes_hmac$') \
                             or value.startswith('enc2$'):
                         raise ValueError('value needs to be in unencrypted format, '
                                          'ie. not starting with enc$ or enc2$')
                     algo = rhodecode.CONFIG.get('rhodecode.encrypted_values.algorithm') or 'aes'
                     bytes_val = enc_utils.encrypt_value(value, enc_key=ENCRYPTION_KEY, algo=algo)
                     return safe_str(bytes_val)
                 def process_result_value(self, value, dialect):
                     """
                     Getter for retrieving value
                     """
                     import rhodecode
                     if not value:
                         return value
                     enc_strict_mode = rhodecode.ConfigGet().get_bool('rhodecode.encrypted_values.strict', missing=True)
                     bytes_val = enc_utils.decrypt_value(value, enc_key=ENCRYPTION_KEY, strict_mode=enc_strict_mode)
                     return safe_str(bytes_val)
             class BaseModel(object):
                 """
                 Base Model for all classes
                 """
                 @classmethod
                 def _get_keys(cls):
                     """return column names for this model """
                     return class_mapper(cls).c.keys()
                 def get_dict(self):
                     """
                     return dict with keys and values corresponding
                     to this model data """
                     d = {}
                     for k in self._get_keys():
                         d[k] = getattr(self, k)
                     # also use __json__() if present to get additional fields
                     _json_attr = getattr(self, '__json__', None)
                     if _json_attr:
                         # update with attributes from __json__
                         if callable(_json_attr):
                             _json_attr = _json_attr()
                         for k, val in _json_attr.items():
                             d[k] = val
                     return d
                 def get_appstruct(self):
                     """return list with keys and values tuples corresponding
                     to this model data """
                     lst = []
                     for k in self._get_keys():
                         lst.append((k, getattr(self, k),))
                     return lst
                 def populate_obj(self, populate_dict):
                     """populate model with data from given populate_dict"""
                     for k in self._get_keys():
                         if k in populate_dict:
                             setattr(self, k, populate_dict[k])
                 @classmethod
                 def query(cls):
                     return Session().query(cls)
                 @classmethod
                 def select(cls, custom_cls=None):
                     """
                     stmt = cls.select().where(cls.user_id==1)
                     # optionally
                     stmt = cls.select(User.user_id).where(cls.user_id==1)
                     result = cls.execute(stmt) | cls.scalars(stmt)
                     """
                     if custom_cls:
                         stmt = select(custom_cls)
                     else:
                         stmt = select(cls)
                     return stmt
                 @classmethod
                 def execute(cls, stmt):
                     return Session().execute(stmt)
                 @classmethod
                 def scalars(cls, stmt):
                     return Session().scalars(stmt)
                 @classmethod
                 def get(cls, id_):
                     if id_:
                         return cls.query().get(id_)
                 @classmethod
                 def get_or_404(cls, id_):
                     from pyramid.httpexceptions import HTTPNotFound
                     try:
                         id_ = int(id_)
                     except (TypeError, ValueError):
                         raise HTTPNotFound()
                     res = cls.query().get(id_)
                     if not res:
                         raise HTTPNotFound()
                     return res
                 @classmethod
                 def getAll(cls):
                     # deprecated and left for backward compatibility
                     return cls.get_all()
                 @classmethod
                 def get_all(cls):
                     return cls.query().all()
                 @classmethod
                 def delete(cls, id_):
                     obj = cls.query().get(id_)
                     Session().delete(obj)
                 @classmethod
                 def identity_cache(cls, session, attr_name, value):
                     exist_in_session = []
                     for (item_cls, pkey), instance in session.identity_map.items():
                         if cls == item_cls and getattr(instance, attr_name) == value:
                             exist_in_session.append(instance)
                     if exist_in_session:
                         if len(exist_in_session) == 1:
                             return exist_in_session[0]
                         log.exception(
                             'multiple objects with attr %s and '
                             'value %s found with same name: %r',
                             attr_name, value, exist_in_session)
                 @property
                 def cls_name(self):
                     return self.__class__.__name__
                 def __repr__(self):
                     return f'<DB:{self.cls_name}>'
             class RhodeCodeSetting(Base, BaseModel):
                 __tablename__ = 'rhodecode_settings'
                 __table_args__ = (
                     UniqueConstraint('app_settings_name'),
                     base_table_args
                 )
                 SETTINGS_TYPES = {
                     'str': safe_str,
                     'int': safe_int,
                     'unicode': safe_str,
                     'bool': str2bool,
                     'list': functools.partial(aslist, sep=',')
                 }
                 DEFAULT_UPDATE_URL = 'https://rhodecode.com/api/v1/info/versions'
                 GLOBAL_CONF_KEY = 'app_settings'
                 app_settings_id = Column("app_settings_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 app_settings_name = Column("app_settings_name", String(255), nullable=True, unique=None, default=None)
                 _app_settings_value = Column("app_settings_value", String(4096), nullable=True, unique=None, default=None)
                 _app_settings_type = Column("app_settings_type", String(255), nullable=True, unique=None, default=None)
                 def __init__(self, key='', val='', type='unicode'):
                     self.app_settings_name = key
                     self.app_settings_type = type
                     self.app_settings_value = val
                 @validates('_app_settings_value')
                 def validate_settings_value(self, key, val):
                     assert type(val) == str
                     return val
                 @hybrid_property
                 def app_settings_value(self):
                     v = self._app_settings_value
                     _type = self.app_settings_type
                     if _type:
                         _type = self.app_settings_type.split('.')[0]
                         # decode the encrypted value
                         if 'encrypted' in self.app_settings_type:
                             cipher = EncryptedTextValue()
                             v = safe_str(cipher.process_result_value(v, None))
                     converter = self.SETTINGS_TYPES.get(_type) or \
                         self.SETTINGS_TYPES['unicode']
                     return converter(v)
                 @app_settings_value.setter
                 def app_settings_value(self, val):
                     """
                     Setter that will always make sure we use unicode in app_settings_value
                     :param val:
                     """
                     val = safe_str(val)
                     # encode the encrypted value
                     if 'encrypted' in self.app_settings_type:
                         cipher = EncryptedTextValue()
                         val = safe_str(cipher.process_bind_param(val, None))
                     self._app_settings_value = val
                 @hybrid_property
                 def app_settings_type(self):
                     return self._app_settings_type
                 @app_settings_type.setter
                 def app_settings_type(self, val):
                     if val.split('.')[0] not in self.SETTINGS_TYPES:
                         raise Exception('type must be one of %s got %s'
                                         % (self.SETTINGS_TYPES.keys(), val))
                     self._app_settings_type = val
                 @classmethod
                 def get_by_prefix(cls, prefix):
                     return RhodeCodeSetting.query()\
                         .filter(RhodeCodeSetting.app_settings_name.startswith(prefix))\
                         .all()
                 def __repr__(self):
                     return "<%s('%s:%s[%s]')>" % (
                         self.cls_name,
                         self.app_settings_name, self.app_settings_value,
                         self.app_settings_type
                     )
             class RhodeCodeUi(Base, BaseModel):
                 __tablename__ = 'rhodecode_ui'
                 __table_args__ = (
                     UniqueConstraint('ui_key'),
                     base_table_args
                 )
                 # Sync those values with vcsserver.config.hooks
                 HOOK_REPO_SIZE = 'changegroup.repo_size'
                 # HG
                 HOOK_PRE_PULL = 'preoutgoing.pre_pull'
                 HOOK_PULL = 'outgoing.pull_logger'
                 HOOK_PRE_PUSH = 'prechangegroup.pre_push'
                 HOOK_PRETX_PUSH = 'pretxnchangegroup.pre_push'
                 HOOK_PUSH = 'changegroup.push_logger'
                 HOOK_PUSH_KEY = 'pushkey.key_push'
                 HOOKS_BUILTIN = [
                     HOOK_PRE_PULL,
                     HOOK_PULL,
                     HOOK_PRE_PUSH,
                     HOOK_PRETX_PUSH,
                     HOOK_PUSH,
                     HOOK_PUSH_KEY,
                 ]
                 # TODO: johbo: Unify way how hooks are configured for git and hg,
                 # git part is currently hardcoded.
                 # SVN PATTERNS
                 SVN_BRANCH_ID = 'vcs_svn_branch'
                 SVN_TAG_ID = 'vcs_svn_tag'
                 ui_id = Column(
                     "ui_id", Integer(), nullable=False, unique=True, default=None,
                     primary_key=True)
                 ui_section = Column(
                     "ui_section", String(255), nullable=True, unique=None, default=None)
                 ui_key = Column(
                     "ui_key", String(255), nullable=True, unique=None, default=None)
                 ui_value = Column(
                     "ui_value", String(255), nullable=True, unique=None, default=None)
                 ui_active = Column(
                     "ui_active", Boolean(), nullable=True, unique=None, default=True)
                 def __repr__(self):
                     return '<%s[%s]%s=>%s]>' % (self.cls_name, self.ui_section,
                                                 self.ui_key, self.ui_value)
             class RepoRhodeCodeSetting(Base, BaseModel):
                 __tablename__ = 'repo_rhodecode_settings'
                 __table_args__ = (
                     UniqueConstraint(
                         'app_settings_name', 'repository_id',
                         name='uq_repo_rhodecode_setting_name_repo_id'),
                     base_table_args
                 )
                 repository_id = Column(
                     "repository_id", Integer(), ForeignKey('repositories.repo_id'),
                     nullable=False)
                 app_settings_id = Column(
                     "app_settings_id", Integer(), nullable=False, unique=True,
                     default=None, primary_key=True)
                 app_settings_name = Column(
                     "app_settings_name", String(255), nullable=True, unique=None,
                     default=None)
                 _app_settings_value = Column(
                     "app_settings_value", String(4096), nullable=True, unique=None,
                     default=None)
                 _app_settings_type = Column(
                     "app_settings_type", String(255), nullable=True, unique=None,
                     default=None)
                 repository = relationship('Repository', viewonly=True)
                 def __init__(self, repository_id, key='', val='', type='unicode'):
                     self.repository_id = repository_id
                     self.app_settings_name = key
                     self.app_settings_type = type
                     self.app_settings_value = val
                 @validates('_app_settings_value')
                 def validate_settings_value(self, key, val):
                     assert type(val) == str
                     return val
                 @hybrid_property
                 def app_settings_value(self):
                     v = self._app_settings_value
                     type_ = self.app_settings_type
                     SETTINGS_TYPES = RhodeCodeSetting.SETTINGS_TYPES
                     converter = SETTINGS_TYPES.get(type_) or SETTINGS_TYPES['unicode']
                     return converter(v)
                 @app_settings_value.setter
                 def app_settings_value(self, val):
                     """
                     Setter that will always make sure we use unicode in app_settings_value
                     :param val:
                     """
                     self._app_settings_value = safe_str(val)
                 @hybrid_property
                 def app_settings_type(self):
                     return self._app_settings_type
                 @app_settings_type.setter
                 def app_settings_type(self, val):
                     SETTINGS_TYPES = RhodeCodeSetting.SETTINGS_TYPES
                     if val not in SETTINGS_TYPES:
                         raise Exception('type must be one of %s got %s'
                                         % (SETTINGS_TYPES.keys(), val))
                     self._app_settings_type = val
                 def __repr__(self):
                     return "<%s('%s:%s:%s[%s]')>" % (
                         self.cls_name, self.repository.repo_name,
                         self.app_settings_name, self.app_settings_value,
                         self.app_settings_type
                     )
             class RepoRhodeCodeUi(Base, BaseModel):
                 __tablename__ = 'repo_rhodecode_ui'
                 __table_args__ = (
                     UniqueConstraint(
                         'repository_id', 'ui_section', 'ui_key',
                         name='uq_repo_rhodecode_ui_repository_id_section_key'),
                     base_table_args
                 )
                 repository_id = Column(
                     "repository_id", Integer(), ForeignKey('repositories.repo_id'),
                     nullable=False)
                 ui_id = Column(
                     "ui_id", Integer(), nullable=False, unique=True, default=None,
                     primary_key=True)
                 ui_section = Column(
                     "ui_section", String(255), nullable=True, unique=None, default=None)
                 ui_key = Column(
                     "ui_key", String(255), nullable=True, unique=None, default=None)
                 ui_value = Column(
                     "ui_value", String(255), nullable=True, unique=None, default=None)
                 ui_active = Column(
                     "ui_active", Boolean(), nullable=True, unique=None, default=True)
                 repository = relationship('Repository', viewonly=True)
                 def __repr__(self):
                     return '<%s[%s:%s]%s=>%s]>' % (
                         self.cls_name, self.repository.repo_name,
                         self.ui_section, self.ui_key, self.ui_value)
             class User(Base, BaseModel):
                 __tablename__ = 'users'
                 __table_args__ = (
                     UniqueConstraint('username'), UniqueConstraint('email'),
                     Index('u_username_idx', 'username'),
                     Index('u_email_idx', 'email'),
                     base_table_args
                 )
                 DEFAULT_USER = 'default'
                 DEFAULT_USER_EMAIL = 'anonymous@rhodecode.org'
                 DEFAULT_GRAVATAR_URL = 'https://secure.gravatar.com/avatar/{md5email}?d=identicon&s={size}'
                 user_id = Column("user_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 username = Column("username", String(255), nullable=True, unique=None, default=None)
                 password = Column("password", String(255), nullable=True, unique=None, default=None)
                 active = Column("active", Boolean(), nullable=True, unique=None, default=True)
                 admin = Column("admin", Boolean(), nullable=True, unique=None, default=False)
                 name = Column("firstname", String(255), nullable=True, unique=None, default=None)
                 lastname = Column("lastname", String(255), nullable=True, unique=None, default=None)
                 _email = Column("email", String(255), nullable=True, unique=None, default=None)
                 last_login = Column("last_login", DateTime(timezone=False), nullable=True, unique=None, default=None)
                 last_activity = Column('last_activity', DateTime(timezone=False), nullable=True, unique=None, default=None)
                 description = Column('description', UnicodeText().with_variant(UnicodeText(1024), 'mysql'))
                 extern_type = Column("extern_type", String(255), nullable=True, unique=None, default=None)
                 extern_name = Column("extern_name", String(255), nullable=True, unique=None, default=None)
                 _api_key = Column("api_key", String(255), nullable=True, unique=None, default=None)
                 inherit_default_permissions = Column("inherit_default_permissions", Boolean(), nullable=False, unique=None, default=True)
                 created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 _user_data = Column("user_data", LargeBinary(), nullable=True)  # JSON data
                 user_log = relationship('UserLog', back_populates='user')
                 user_perms = relationship('UserToPerm', primaryjoin="User.user_id==UserToPerm.user_id", cascade='all, delete-orphan')
                 repositories = relationship('Repository', back_populates='user')
                 repository_groups = relationship('RepoGroup', back_populates='user')
                 user_groups = relationship('UserGroup', back_populates='user')
                 user_followers = relationship('UserFollowing', primaryjoin='UserFollowing.follows_user_id==User.user_id', cascade='all', back_populates='follows_user')
                 followings = relationship('UserFollowing', primaryjoin='UserFollowing.user_id==User.user_id', cascade='all', back_populates='user')
                 repo_to_perm = relationship('UserRepoToPerm', primaryjoin='UserRepoToPerm.user_id==User.user_id', cascade='all, delete-orphan')
                 repo_group_to_perm = relationship('UserRepoGroupToPerm', primaryjoin='UserRepoGroupToPerm.user_id==User.user_id', cascade='all, delete-orphan', back_populates='user')
                 user_group_to_perm = relationship('UserUserGroupToPerm', primaryjoin='UserUserGroupToPerm.user_id==User.user_id', cascade='all, delete-orphan', back_populates='user')
                 group_member = relationship('UserGroupMember', cascade='all', back_populates='user')
                 notifications = relationship('UserNotification', cascade='all', back_populates='user')
                 # notifications assigned to this user
                 user_created_notifications = relationship('Notification', cascade='all', back_populates='created_by_user')
                 # comments created by this user
                 user_comments = relationship('ChangesetComment', cascade='all', back_populates='author')
                 # user profile extra info
                 user_emails = relationship('UserEmailMap', cascade='all', back_populates='user')
                 user_ip_map = relationship('UserIpMap', cascade='all', back_populates='user')
                 user_auth_tokens = relationship('UserApiKeys', cascade='all', back_populates='user')
                 user_ssh_keys = relationship('UserSshKeys', cascade='all', back_populates='user')
                 # gists
                 user_gists = relationship('Gist', cascade='all', back_populates='owner')
                 # user pull requests
                 user_pull_requests = relationship('PullRequest', cascade='all', back_populates='author')
                 # external identities
                 external_identities = relationship('ExternalIdentity', primaryjoin="User.user_id==ExternalIdentity.local_user_id", cascade='all')
                 # review rules
                 user_review_rules = relationship('RepoReviewRuleUser', cascade='all', back_populates='user')
                 # artifacts owned
                 artifacts = relationship('FileStore', primaryjoin='FileStore.user_id==User.user_id', back_populates='upload_user')
                 # no cascade, set NULL
                 scope_artifacts = relationship('FileStore', primaryjoin='FileStore.scope_user_id==User.user_id', cascade='', back_populates='user')
                 def __repr__(self):
                     return f"<{self.cls_name}('id={self.user_id}, username={self.username}')>"
                 @hybrid_property
                 def email(self):
                     return self._email
                 @email.setter
                 def email(self, val):
                     self._email = val.lower() if val else None
                 @hybrid_property
                 def first_name(self):
                     from rhodecode.lib import helpers as h
                     if self.name:
                         return h.escape(self.name)
                     return self.name
                 @hybrid_property
                 def last_name(self):
                     from rhodecode.lib import helpers as h
                     if self.lastname:
                         return h.escape(self.lastname)
                     return self.lastname
                 @hybrid_property
                 def api_key(self):
                     """
                     Fetch if exist an auth-token with role ALL connected to this user
                     """
                     user_auth_token = UserApiKeys.query()\
                         .filter(UserApiKeys.user_id == self.user_id)\
                         .filter(or_(UserApiKeys.expires == -1,
                                         UserApiKeys.expires >= time.time()))\
                         .filter(UserApiKeys.role == UserApiKeys.ROLE_ALL).first()
                     if user_auth_token:
                         user_auth_token = user_auth_token.api_key
                     return user_auth_token
                 @api_key.setter
                 def api_key(self, val):
                     # don't allow to set API key this is deprecated for now
                     self._api_key = None
                 @property
                 def reviewer_pull_requests(self):
                     return PullRequestReviewers.query() \
                         .options(joinedload(PullRequestReviewers.pull_request)) \
                         .filter(PullRequestReviewers.user_id == self.user_id) \
                         .all()
                 @property
                 def firstname(self):
                     # alias for future
                     return self.name
                 @property
                 def emails(self):
                     other = UserEmailMap.query()\
                         .filter(UserEmailMap.user == self) \
                         .order_by(UserEmailMap.email_id.asc()) \
                         .all()
                     return [self.email] + [x.email for x in other]
                 def emails_cached(self):
                     emails = []
                     if self.user_id != self.get_default_user_id():
                         emails = UserEmailMap.query()\
                             .filter(UserEmailMap.user == self) \
                             .order_by(UserEmailMap.email_id.asc())
                         emails = emails.options(
                             FromCache("sql_cache_short", f"get_user_{self.user_id}_emails")
                         )
                     return [self.email] + [x.email for x in emails]
                 @property
                 def auth_tokens(self):
                     auth_tokens = self.get_auth_tokens()
                     return [x.api_key for x in auth_tokens]
                 def get_auth_tokens(self):
                     return UserApiKeys.query()\
                         .filter(UserApiKeys.user == self)\
                         .order_by(UserApiKeys.user_api_key_id.asc())\
                         .all()
                 @LazyProperty
                 def feed_token(self):
                     return self.get_feed_token()
                 def get_feed_token(self, cache=True):
                     feed_tokens = UserApiKeys.query()\
                         .filter(UserApiKeys.user == self)\
                         .filter(UserApiKeys.role == UserApiKeys.ROLE_FEED)
                     if cache:
                         feed_tokens = feed_tokens.options(
                             FromCache("sql_cache_short", f"get_user_feed_token_{self.user_id}"))
                     feed_tokens = feed_tokens.all()
                     if feed_tokens:
                         return feed_tokens[0].api_key
                     return 'NO_FEED_TOKEN_AVAILABLE'
                 @LazyProperty
                 def artifact_token(self):
                     return self.get_artifact_token()
                 def get_artifact_token(self, cache=True):
                     artifacts_tokens = UserApiKeys.query()\
                         .filter(UserApiKeys.user == self) \
                         .filter(or_(UserApiKeys.expires == -1,
                                     UserApiKeys.expires >= time.time())) \
                         .filter(UserApiKeys.role == UserApiKeys.ROLE_ARTIFACT_DOWNLOAD)
                     if cache:
                         artifacts_tokens = artifacts_tokens.options(
                             FromCache("sql_cache_short", f"get_user_artifact_token_{self.user_id}"))
                     artifacts_tokens = artifacts_tokens.all()
                     if artifacts_tokens:
                         return artifacts_tokens[0].api_key
                     return 'NO_ARTIFACT_TOKEN_AVAILABLE'
                 def get_or_create_artifact_token(self):
                     artifacts_tokens = UserApiKeys.query()\
                         .filter(UserApiKeys.user == self) \
                         .filter(or_(UserApiKeys.expires == -1,
                                     UserApiKeys.expires >= time.time())) \
                         .filter(UserApiKeys.role == UserApiKeys.ROLE_ARTIFACT_DOWNLOAD)
                     artifacts_tokens = artifacts_tokens.all()
                     if artifacts_tokens:
                         return artifacts_tokens[0].api_key
                     else:
                         from rhodecode.model.auth_token import AuthTokenModel
                         artifact_token = AuthTokenModel().create(
                             self, 'auto-generated-artifact-token',
                             lifetime=-1, role=UserApiKeys.ROLE_ARTIFACT_DOWNLOAD)
                         Session.commit()
                         return artifact_token.api_key
                 @classmethod
                 def get(cls, user_id, cache=False):
                     if not user_id:
                         return
                     user = cls.query()
                     if cache:
                         user = user.options(
                             FromCache("sql_cache_short", f"get_users_{user_id}"))
                     return user.get(user_id)
                 @classmethod
                 def extra_valid_auth_tokens(cls, user, role=None):
                     tokens = UserApiKeys.query().filter(UserApiKeys.user == user)\
                             .filter(or_(UserApiKeys.expires == -1,
                                         UserApiKeys.expires >= time.time()))
                     if role:
                         tokens = tokens.filter(or_(UserApiKeys.role == role,
                                                    UserApiKeys.role == UserApiKeys.ROLE_ALL))
                     return tokens.all()
                 def authenticate_by_token(self, auth_token, roles=None, scope_repo_id=None):
                     from rhodecode.lib import auth
                     log.debug('Trying to authenticate user: %s via auth-token, '
                               'and roles: %s', self, roles)
                     if not auth_token:
                         return False
                     roles = (roles or []) + [UserApiKeys.ROLE_ALL]
                     tokens_q = UserApiKeys.query()\
                         .filter(UserApiKeys.user_id == self.user_id)\
                         .filter(or_(UserApiKeys.expires == -1,
                                     UserApiKeys.expires >= time.time()))
                     tokens_q = tokens_q.filter(UserApiKeys.role.in_(roles))
                     crypto_backend = auth.crypto_backend()
                     enc_token_map = {}
                     plain_token_map = {}
                     for token in tokens_q:
                         if token.api_key.startswith(crypto_backend.ENC_PREF):
                             enc_token_map[token.api_key] = token
                         else:
                             plain_token_map[token.api_key] = token
                     log.debug(
                         'Found %s plain and %s encrypted tokens to check for authentication for this user',
                         len(plain_token_map), len(enc_token_map))
                     # plain token match comes first
                     match = plain_token_map.get(auth_token)
                     # check encrypted tokens now
                     if not match:
                         for token_hash, token in enc_token_map.items():
                             # NOTE(marcink): this is expensive to calculate, but most secure
                             if crypto_backend.hash_check(auth_token, token_hash):
                                 match = token
                                 break
                     if match:
                         log.debug('Found matching token %s', match)
                         if match.repo_id:
                             log.debug('Found scope, checking for scope match of token %s', match)
                             if match.repo_id == scope_repo_id:
                                 return True
                             else:
                                 log.debug(
                                     'AUTH_TOKEN: scope mismatch, token has a set repo scope: %s, '
                                     'and calling scope is:%s, skipping further checks',
                                      match.repo, scope_repo_id)
                                 return False
                         else:
                             return True
                     return False
                 @property
                 def ip_addresses(self):
                     ret = UserIpMap.query().filter(UserIpMap.user == self).all()
                     return [x.ip_addr for x in ret]
                 @property
                 def username_and_name(self):
                     return f'{self.username} ({self.first_name} {self.last_name})'
                 @property
                 def username_or_name_or_email(self):
                     full_name = self.full_name if self.full_name != ' ' else None
                     return self.username or full_name or self.email
                 @property
                 def full_name(self):
                     return f'{self.first_name} {self.last_name}'
                 @property
                 def full_name_or_username(self):
                     return (f'{self.first_name} {self.last_name}'
                             if (self.first_name and self.last_name) else self.username)
                 @property
                 def full_contact(self):
                     return f'{self.first_name} {self.last_name} <{self.email}>'
                 @property
                 def short_contact(self):
                     return f'{self.first_name} {self.last_name}'
                 @property
                 def is_admin(self):
                     return self.admin
                 @property
                 def language(self):
                     return self.user_data.get('language')
                 def AuthUser(self, **kwargs):
                     """
                     Returns instance of AuthUser for this user
                     """
                     from rhodecode.lib.auth import AuthUser
                     return AuthUser(user_id=self.user_id, username=self.username, **kwargs)
                 @hybrid_property
                 def user_data(self):
                     if not self._user_data:
                         return {}
                     try:
                         return json.loads(self._user_data) or {}
                     except TypeError:
                         return {}
                 @user_data.setter
                 def user_data(self, val):
                     if not isinstance(val, dict):
                         raise Exception('user_data must be dict, got %s' % type(val))
                     try:
                         self._user_data = safe_bytes(json.dumps(val))
                     except Exception:
                         log.error(traceback.format_exc())
                 @classmethod
                 def get_by_username(cls, username, case_insensitive=False,
                                     cache=False):
                     if case_insensitive:
                         q = cls.select().where(
                             func.lower(cls.username) == func.lower(username))
                     else:
                         q = cls.select().where(cls.username == username)
                     if cache:
                         hash_key = _hash_key(username)
                         q = q.options(
                             FromCache("sql_cache_short", f"get_user_by_name_{hash_key}"))
                     return cls.execute(q).scalar_one_or_none()
                 @classmethod
+                def get_by_username_or_primary_email(cls, user_identifier):
+                    qs = union_all(cls.select().where(func.lower(cls.username) == func.lower(user_identifier)),
+                                   cls.select().where(func.lower(cls.email) == func.lower(user_identifier)))
+                    return cls.execute(cls.select(User).from_statement(qs)).scalar_one_or_none()
+                @classmethod
                 def get_by_auth_token(cls, auth_token, cache=False):
                     q = cls.select(User)\
                         .join(UserApiKeys)\
                         .where(UserApiKeys.api_key == auth_token)\
                         .where(or_(UserApiKeys.expires == -1,
                                    UserApiKeys.expires >= time.time()))
                     if cache:
                         q = q.options(
                             FromCache("sql_cache_short", f"get_auth_token_{auth_token}"))
                     matched_user = cls.execute(q).scalar_one_or_none()
                     return matched_user
                 @classmethod
                 def get_by_email(cls, email, case_insensitive=False, cache=False):
                     if case_insensitive:
                         q = cls.select().where(func.lower(cls.email) == func.lower(email))
                     else:
                         q = cls.select().where(cls.email == email)
                     if cache:
                         email_key = _hash_key(email)
                         q = q.options(
                             FromCache("sql_cache_short", f"get_email_key_{email_key}"))
                     ret = cls.execute(q).scalar_one_or_none()
                     if ret is None:
                         q = cls.select(UserEmailMap)
                         # try fetching in alternate email map
                         if case_insensitive:
                             q = q.where(func.lower(UserEmailMap.email) == func.lower(email))
                         else:
                             q = q.where(UserEmailMap.email == email)
                         q = q.options(joinedload(UserEmailMap.user))
                         if cache:
                             q = q.options(
                                 FromCache("sql_cache_short", f"get_email_map_key_{email_key}"))
                         result = cls.execute(q).scalar_one_or_none()
                         ret = getattr(result, 'user', None)
                     return ret
                 @classmethod
                 def get_from_cs_author(cls, author):
                     """
                     Tries to get User objects out of commit author string
                     :param author:
                     """
                     from rhodecode.lib.helpers import email, author_name
                     # Valid email in the attribute passed, see if they're in the system
                     _email = email(author)
                     if _email:
                         user = cls.get_by_email(_email, case_insensitive=True)
                         if user:
                             return user
                     # Maybe we can match by username?
                     _author = author_name(author)
                     user = cls.get_by_username(_author, case_insensitive=True)
                     if user:
                         return user
                 def update_userdata(self, **kwargs):
                     usr = self
                     old = usr.user_data
                     old.update(**kwargs)
                     usr.user_data = old
                     Session().add(usr)
                     log.debug('updated userdata with %s', kwargs)
                 def update_lastlogin(self):
                     """Update user lastlogin"""
                     self.last_login = datetime.datetime.now()
                     Session().add(self)
                     log.debug('updated user %s lastlogin', self.username)
                 def update_password(self, new_password):
                     from rhodecode.lib.auth import get_crypt_password
                     self.password = get_crypt_password(new_password)
                     Session().add(self)
                 @classmethod
                 def get_first_super_admin(cls):
                     stmt = cls.select().where(User.admin == true()).order_by(User.user_id.asc())
                     user = cls.scalars(stmt).first()
                     if user is None:
                         raise Exception('FATAL: Missing administrative account!')
                     return user
                 @classmethod
                 def get_all_super_admins(cls, only_active=False):
                     """
                     Returns all admin accounts sorted by username
                     """
                     qry = User.query().filter(User.admin == true()).order_by(User.username.asc())
                     if only_active:
                         qry = qry.filter(User.active == true())
                     return qry.all()
                 @classmethod
                 def get_all_user_ids(cls, only_active=True):
                     """
                     Returns all users IDs
                     """
                     qry = Session().query(User.user_id)
                     if only_active:
                         qry = qry.filter(User.active == true())
                     return [x.user_id for x in qry]
                 @classmethod
                 def get_default_user(cls, cache=False, refresh=False):
                     user = User.get_by_username(User.DEFAULT_USER, cache=cache)
                     if user is None:
                         raise Exception('FATAL: Missing default account!')
                     if refresh:
                         # The default user might be based on outdated state which
                         # has been loaded from the cache.
                         # A call to refresh() ensures that the
                         # latest state from the database is used.
                         Session().refresh(user)
                     return user
                 @classmethod
                 def get_default_user_id(cls):
                     import rhodecode
                     return rhodecode.CONFIG['default_user_id']
                 def _get_default_perms(self, user, suffix=''):
                     from rhodecode.model.permission import PermissionModel
                     return PermissionModel().get_default_perms(user.user_perms, suffix)
                 def get_default_perms(self, suffix=''):
                     return self._get_default_perms(self, suffix)
                 def get_api_data(self, include_secrets=False, details='full'):
                     """
                     Common function for generating user related data for API
                     :param include_secrets: By default secrets in the API data will be replaced
                        by a placeholder value to prevent exposing this data by accident. In case
                        this data shall be exposed, set this flag to ``True``.
                     :param details: details can be 'basic|full' basic gives only a subset of
                        the available user information that includes user_id, name and emails.
                     """
                     user = self
                     user_data = self.user_data
                     data = {
                         'user_id': user.user_id,
                         'username': user.username,
                         'firstname': user.name,
                         'lastname': user.lastname,
                         'description': user.description,
                         'email': user.email,
                         'emails': user.emails,
                     }
                     if details == 'basic':
                         return data
                     auth_token_length = 40
                     auth_token_replacement = '*' * auth_token_length
                     extras = {
                         'auth_tokens': [auth_token_replacement],
                         'active': user.active,
                         'admin': user.admin,
                         'extern_type': user.extern_type,
                         'extern_name': user.extern_name,
                         'last_login': user.last_login,
                         'last_activity': user.last_activity,
                         'ip_addresses': user.ip_addresses,
                         'language': user_data.get('language')
                     }
                     data.update(extras)
                     if include_secrets:
                         data['auth_tokens'] = user.auth_tokens
                     return data
                 def __json__(self):
                     data = {
                         'full_name': self.full_name,
                         'full_name_or_username': self.full_name_or_username,
                         'short_contact': self.short_contact,
                         'full_contact': self.full_contact,
                     }
                     data.update(self.get_api_data())
                     return data
             class UserApiKeys(Base, BaseModel):
                 __tablename__ = 'user_api_keys'
                 __table_args__ = (
                     Index('uak_api_key_idx', 'api_key'),
                     Index('uak_api_key_expires_idx', 'api_key', 'expires'),
                     base_table_args
                 )
                 # ApiKey role
                 ROLE_ALL = 'token_role_all'
                 ROLE_VCS = 'token_role_vcs'
                 ROLE_API = 'token_role_api'
                 ROLE_HTTP = 'token_role_http'
                 ROLE_FEED = 'token_role_feed'
                 ROLE_ARTIFACT_DOWNLOAD = 'role_artifact_download'
                 # The last one is ignored in the list as we only
                 # use it for one action, and cannot be created by users
                 ROLE_PASSWORD_RESET = 'token_password_reset'
                 ROLES = [ROLE_ALL, ROLE_VCS, ROLE_API, ROLE_HTTP, ROLE_FEED, ROLE_ARTIFACT_DOWNLOAD]
                 user_api_key_id = Column("user_api_key_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=True, unique=None, default=None)
                 api_key = Column("api_key", String(255), nullable=False, unique=True)
                 description = Column('description', UnicodeText().with_variant(UnicodeText(1024), 'mysql'))
                 expires = Column('expires', Float(53), nullable=False)
                 role = Column('role', String(255), nullable=True)
                 created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 # scope columns
                 repo_id = Column(
                     'repo_id', Integer(), ForeignKey('repositories.repo_id'),
                     nullable=True, unique=None, default=None)
                 repo = relationship('Repository', lazy='joined', back_populates='scoped_tokens')
                 repo_group_id = Column(
                     'repo_group_id', Integer(), ForeignKey('groups.group_id'),
                     nullable=True, unique=None, default=None)
                 repo_group = relationship('RepoGroup', lazy='joined')
                 user = relationship('User', lazy='joined', back_populates='user_auth_tokens')
                 def __repr__(self):
                     return f"<{self.cls_name}('{self.role}')>"
                 def __json__(self):
                     data = {
                         'auth_token': self.api_key,
                         'role': self.role,
                         'scope': self.scope_humanized,
                         'expired': self.expired
                     }
                     return data
                 def get_api_data(self, include_secrets=False):
                     data = self.__json__()
                     if include_secrets:
                         return data
                     else:
                         data['auth_token'] = self.token_obfuscated
                         return data
                 @hybrid_property
                 def description_safe(self):
                     from rhodecode.lib import helpers as h
                     return h.escape(self.description)
                 @property
                 def expired(self):
                     if self.expires == -1:
                         return False
                     return time.time() > self.expires
                 @classmethod
                 def _get_role_name(cls, role):
                     return {
                         cls.ROLE_ALL: _('all'),
                         cls.ROLE_HTTP: _('http/web interface'),
                         cls.ROLE_VCS: _('vcs (git/hg/svn protocol)'),
                         cls.ROLE_API: _('api calls'),
                         cls.ROLE_FEED: _('feed access'),
                         cls.ROLE_ARTIFACT_DOWNLOAD: _('artifacts downloads'),
                     }.get(role, role)
                 @classmethod
                 def _get_role_description(cls, role):
                     return {
                         cls.ROLE_ALL: _('Token for all actions.'),
                         cls.ROLE_HTTP: _('Token to access RhodeCode pages via web interface without '
                                          'login using `api_access_controllers_whitelist` functionality.'),
                         cls.ROLE_VCS: _('Token to interact over git/hg/svn protocols. '
                                         'Requires auth_token authentication plugin to be active. <br/>'
                                         'Such Token should be used then instead of a password to '
                                         'interact with a repository, and additionally can be '
                                         'limited to single repository using repo scope.'),
                         cls.ROLE_API: _('Token limited to api calls.'),
                         cls.ROLE_FEED: _('Token to read RSS/ATOM feed.'),
                         cls.ROLE_ARTIFACT_DOWNLOAD: _('Token for artifacts downloads.'),
                     }.get(role, role)
                 @property
                 def role_humanized(self):
                     return self._get_role_name(self.role)
                 def _get_scope(self):
                     if self.repo:
                         return 'Repository: {}'.format(self.repo.repo_name)
                     if self.repo_group:
                         return 'RepositoryGroup: {} (recursive)'.format(self.repo_group.group_name)
                     return 'Global'
                 @property
                 def scope_humanized(self):
                     return self._get_scope()
                 @property
                 def token_obfuscated(self):
                     if self.api_key:
                         return self.api_key[:4] + "****"
             class UserEmailMap(Base, BaseModel):
                 __tablename__ = 'user_email_map'
                 __table_args__ = (
                     Index('uem_email_idx', 'email'),
                     Index('uem_user_id_idx', 'user_id'),
                     UniqueConstraint('email'),
                     base_table_args
                 )
                 email_id = Column("email_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=True, unique=None, default=None)
                 _email = Column("email", String(255), nullable=True, unique=False, default=None)
                 user = relationship('User', lazy='joined', back_populates='user_emails')
                 @validates('_email')
                 def validate_email(self, key, email):
                     # check if this email is not main one
                     main_email = Session().query(User).filter(User.email == email).scalar()
                     if main_email is not None:
                         raise AttributeError('email %s is present is user table' % email)
                     return email
                 @hybrid_property
                 def email(self):
                     return self._email
                 @email.setter
                 def email(self, val):
                     self._email = val.lower() if val else None
             class UserIpMap(Base, BaseModel):
                 __tablename__ = 'user_ip_map'
                 __table_args__ = (
                     UniqueConstraint('user_id', 'ip_addr'),
                     base_table_args
                 )
                 ip_id = Column("ip_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=True, unique=None, default=None)
                 ip_addr = Column("ip_addr", String(255), nullable=True, unique=False, default=None)
                 active = Column("active", Boolean(), nullable=True, unique=None, default=True)
                 description = Column("description", String(10000), nullable=True, unique=None, default=None)
                 user = relationship('User', lazy='joined', back_populates='user_ip_map')
                 @hybrid_property
                 def description_safe(self):
                     from rhodecode.lib import helpers as h
                     return h.escape(self.description)
                 @classmethod
                 def _get_ip_range(cls, ip_addr):
                     net = ipaddress.ip_network(safe_str(ip_addr), strict=False)
                     return [str(net.network_address), str(net.broadcast_address)]
                 def __json__(self):
                     return {
                       'ip_addr': self.ip_addr,
                       'ip_range': self._get_ip_range(self.ip_addr),
                     }
                 def __repr__(self):
                     return f"<{self.cls_name}('user_id={self.user_id} => ip={self.ip_addr}')>"
             class UserSshKeys(Base, BaseModel):
                 __tablename__ = 'user_ssh_keys'
                 __table_args__ = (
                     Index('usk_ssh_key_fingerprint_idx', 'ssh_key_fingerprint'),
                     UniqueConstraint('ssh_key_fingerprint'),
                     base_table_args
                 )
                 ssh_key_id = Column('ssh_key_id', Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 ssh_key_data = Column('ssh_key_data', String(10240), nullable=False, unique=None, default=None)
                 ssh_key_fingerprint = Column('ssh_key_fingerprint', String(255), nullable=False, unique=None, default=None)
                 description = Column('description', UnicodeText().with_variant(UnicodeText(1024), 'mysql'))
                 created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 accessed_on = Column('accessed_on', DateTime(timezone=False), nullable=True, default=None)
                 user_id = Column('user_id', Integer(), ForeignKey('users.user_id'), nullable=True, unique=None, default=None)
                 user = relationship('User', lazy='joined', back_populates='user_ssh_keys')
                 def __json__(self):
                     data = {
                         'ssh_fingerprint': self.ssh_key_fingerprint,
                         'description': self.description,
                         'created_on': self.created_on
                     }
                     return data
                 def get_api_data(self):
                     data = self.__json__()
                     return data
             class UserLog(Base, BaseModel):
                 __tablename__ = 'user_logs'
                 __table_args__ = (
                     base_table_args,
                 )
                 VERSION_1 = 'v1'
                 VERSION_2 = 'v2'
                 VERSIONS = [VERSION_1, VERSION_2]
                 user_log_id = Column("user_log_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id',ondelete='SET NULL'), nullable=True, unique=None, default=None)
                 username = Column("username", String(255), nullable=True, unique=None, default=None)
                 repository_id = Column("repository_id", Integer(), ForeignKey('repositories.repo_id', ondelete='SET NULL'), nullable=True, unique=None, default=None)
                 repository_name = Column("repository_name", String(255), nullable=True, unique=None, default=None)
                 user_ip = Column("user_ip", String(255), nullable=True, unique=None, default=None)
                 action = Column("action", Text().with_variant(Text(1200000), 'mysql'), nullable=True, unique=None, default=None)
                 action_date = Column("action_date", DateTime(timezone=False), nullable=True, unique=None, default=None)
                 version = Column("version", String(255), nullable=True, default=VERSION_1)
                 user_data = Column('user_data_json', MutationObj.as_mutable(JsonType(dialect_map=dict(mysql=LONGTEXT()))))
                 action_data = Column('action_data_json', MutationObj.as_mutable(JsonType(dialect_map=dict(mysql=LONGTEXT()))))
                 user = relationship('User', cascade='', back_populates='user_log')
                 repository = relationship('Repository', cascade='', back_populates='logs')
                 def __repr__(self):
                     return f"<{self.cls_name}('id:{self.repository_name}:{self.action}')>"
                 def __json__(self):
                     return {
                         'user_id': self.user_id,
                         'username': self.username,
                         'repository_id': self.repository_id,
                         'repository_name': self.repository_name,
                         'user_ip': self.user_ip,
                         'action_date': self.action_date,
                         'action': self.action,
                     }
                 @hybrid_property
                 def entry_id(self):
                     return self.user_log_id
                 @property
                 def action_as_day(self):
                     return datetime.date(*self.action_date.timetuple()[:3])
             class UserGroup(Base, BaseModel):
                 __tablename__ = 'users_groups'
                 __table_args__ = (
                     base_table_args,
                 )
                 users_group_id = Column("users_group_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 users_group_name = Column("users_group_name", String(255), nullable=False, unique=True, default=None)
                 user_group_description = Column("user_group_description", String(10000), nullable=True, unique=None, default=None)
                 users_group_active = Column("users_group_active", Boolean(), nullable=True, unique=None, default=None)
                 inherit_default_permissions = Column("users_group_inherit_default_permissions", Boolean(), nullable=False, unique=None, default=True)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=False, default=None)
                 created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 _group_data = Column("group_data", LargeBinary(), nullable=True)  # JSON data
                 members = relationship('UserGroupMember', cascade="all, delete-orphan", lazy="joined", back_populates='users_group')
                 users_group_to_perm = relationship('UserGroupToPerm', cascade='all', back_populates='users_group')
                 users_group_repo_to_perm = relationship('UserGroupRepoToPerm', cascade='all', back_populates='users_group')
                 users_group_repo_group_to_perm = relationship('UserGroupRepoGroupToPerm', cascade='all', back_populates='users_group')
                 user_user_group_to_perm = relationship('UserUserGroupToPerm', cascade='all', back_populates='user_group')
                 user_group_user_group_to_perm = relationship('UserGroupUserGroupToPerm', primaryjoin="UserGroupUserGroupToPerm.target_user_group_id==UserGroup.users_group_id", cascade='all', back_populates='target_user_group')
                 user_group_review_rules = relationship('RepoReviewRuleUserGroup', cascade='all', back_populates='users_group')
                 user = relationship('User', primaryjoin="User.user_id==UserGroup.user_id", back_populates='user_groups')
                 @classmethod
                 def _load_group_data(cls, column):
                     if not column:
                         return {}
                     try:
                         return json.loads(column) or {}
                     except TypeError:
                         return {}
                 @hybrid_property
                 def description_safe(self):
                     from rhodecode.lib import helpers as h
                     return h.escape(self.user_group_description)
                 @hybrid_property
                 def group_data(self):
                     return self._load_group_data(self._group_data)
                 @group_data.expression
                 def group_data(self, **kwargs):
                     return self._group_data
                 @group_data.setter
                 def group_data(self, val):
                     try:
                         self._group_data = json.dumps(val)
                     except Exception:
                         log.error(traceback.format_exc())
                 @classmethod
                 def _load_sync(cls, group_data):
                     if group_data:
                         return group_data.get('extern_type')
                 @property
                 def sync(self):
                     return self._load_sync(self.group_data)
                 def __repr__(self):
                     return f"<{self.cls_name}('id:{self.users_group_id}:{self.users_group_name}')>"
                 @classmethod
                 def get_by_group_name(cls, group_name, cache=False,
                                       case_insensitive=False):
                     if case_insensitive:
                         q = cls.query().filter(func.lower(cls.users_group_name) ==
                                                func.lower(group_name))
                     else:
                         q = cls.query().filter(cls.users_group_name == group_name)
                     if cache:
                         name_key = _hash_key(group_name)
                         q = q.options(
                             FromCache("sql_cache_short", f"get_group_{name_key}"))
                     return q.scalar()
                 @classmethod
                 def get(cls, user_group_id, cache=False):
                     if not user_group_id:
                         return
                     user_group = cls.query()
                     if cache:
                         user_group = user_group.options(
                             FromCache("sql_cache_short", "get_users_group_%s" % user_group_id))
                     return user_group.get(user_group_id)
                 def permissions(self, with_admins=True, with_owner=True,
                                 expand_from_user_groups=False):
                     """
                     Permissions for user groups
                     """
                     _admin_perm = 'usergroup.admin'
                     owner_row = []
                     if with_owner:
                         usr = AttributeDict(self.user.get_dict())
                         usr.owner_row = True
                         usr.permission = _admin_perm
                         owner_row.append(usr)
                     super_admin_ids = []
                     super_admin_rows = []
                     if with_admins:
                         for usr in User.get_all_super_admins():
                             super_admin_ids.append(usr.user_id)
                             # if this admin is also owner, don't double the record
                             if usr.user_id == owner_row[0].user_id:
                                 owner_row[0].admin_row = True
                             else:
                                 usr = AttributeDict(usr.get_dict())
                                 usr.admin_row = True
                                 usr.permission = _admin_perm
                                 super_admin_rows.append(usr)
                     q = UserUserGroupToPerm.query().filter(UserUserGroupToPerm.user_group == self)
                     q = q.options(joinedload(UserUserGroupToPerm.user_group),
                                   joinedload(UserUserGroupToPerm.user),
                                   joinedload(UserUserGroupToPerm.permission),)
                     # get owners and admins and permissions. We do a trick of re-writing
                     # objects from sqlalchemy to named-tuples due to sqlalchemy session
                     # has a global reference and changing one object propagates to all
                     # others. This means if admin is also an owner admin_row that change
                     # would propagate to both objects
                     perm_rows = []
                     for _usr in q.all():
                         usr = AttributeDict(_usr.user.get_dict())
                         # if this user is also owner/admin, mark as duplicate record
                         if usr.user_id == owner_row[0].user_id or usr.user_id in super_admin_ids:
                             usr.duplicate_perm = True
                         usr.permission = _usr.permission.permission_name
                         perm_rows.append(usr)
                     # filter the perm rows by 'default' first and then sort them by
                     # admin,write,read,none permissions sorted again alphabetically in
                     # each group
                     perm_rows = sorted(perm_rows, key=display_user_sort)
                     user_groups_rows = []
                     if expand_from_user_groups:
                         for ug in self.permission_user_groups(with_members=True):
                             for user_data in ug.members:
                                 user_groups_rows.append(user_data)
                     return super_admin_rows + owner_row + perm_rows + user_groups_rows
                 def permission_user_groups(self, with_members=False):
                     q = UserGroupUserGroupToPerm.query()\
                         .filter(UserGroupUserGroupToPerm.target_user_group == self)
                     q = q.options(joinedload(UserGroupUserGroupToPerm.user_group),
                                   joinedload(UserGroupUserGroupToPerm.target_user_group),
                                   joinedload(UserGroupUserGroupToPerm.permission),)
                     perm_rows = []
                     for _user_group in q.all():
                         entry = AttributeDict(_user_group.user_group.get_dict())
                         entry.permission = _user_group.permission.permission_name
                         if with_members:
                             entry.members = [x.user.get_dict()
                                              for x in _user_group.user_group.members]
                         perm_rows.append(entry)
                     perm_rows = sorted(perm_rows, key=display_user_group_sort)
                     return perm_rows
                 def _get_default_perms(self, user_group, suffix=''):
                     from rhodecode.model.permission import PermissionModel
                     return PermissionModel().get_default_perms(user_group.users_group_to_perm, suffix)
                 def get_default_perms(self, suffix=''):
                     return self._get_default_perms(self, suffix)
                 def get_api_data(self, with_group_members=True, include_secrets=False):
                     """
                     :param include_secrets: See :meth:`User.get_api_data`, this parameter is
                        basically forwarded.
                     """
                     user_group = self
                     data = {
                         'users_group_id': user_group.users_group_id,
                         'group_name': user_group.users_group_name,
                         'group_description': user_group.user_group_description,
                         'active': user_group.users_group_active,
                         'owner': user_group.user.username,
                         'sync': user_group.sync,
                         'owner_email': user_group.user.email,
                     }
                     if with_group_members:
                         users = []
                         for user in user_group.members:
                             user = user.user
                             users.append(user.get_api_data(include_secrets=include_secrets))
                         data['users'] = users
                     return data
             class UserGroupMember(Base, BaseModel):
                 __tablename__ = 'users_groups_members'
                 __table_args__ = (
                     base_table_args,
                 )
                 users_group_member_id = Column("users_group_member_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 users_group_id = Column("users_group_id", Integer(), ForeignKey('users_groups.users_group_id'), nullable=False, unique=None, default=None)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=None, default=None)
                 user = relationship('User', lazy='joined', back_populates='group_member')
                 users_group = relationship('UserGroup', back_populates='members')
                 def __init__(self, gr_id='', u_id=''):
                     self.users_group_id = gr_id
                     self.user_id = u_id
             class RepositoryField(Base, BaseModel):
                 __tablename__ = 'repositories_fields'
                 __table_args__ = (
                     UniqueConstraint('repository_id', 'field_key'),  # no-multi field
                     base_table_args,
                 )
                 PREFIX = 'ex_'  # prefix used in form to not conflict with already existing fields
                 repo_field_id = Column("repo_field_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 repository_id = Column("repository_id", Integer(), ForeignKey('repositories.repo_id'), nullable=False, unique=None, default=None)
                 field_key = Column("field_key", String(250))
                 field_label = Column("field_label", String(1024), nullable=False)
                 field_value = Column("field_value", String(10000), nullable=False)
                 field_desc = Column("field_desc", String(1024), nullable=False)
                 field_type = Column("field_type", String(255), nullable=False, unique=None)
                 created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 repository = relationship('Repository', back_populates='extra_fields')
                 @property
                 def field_key_prefixed(self):
                     return 'ex_%s' % self.field_key
                 @classmethod
                 def un_prefix_key(cls, key):
                     if key.startswith(cls.PREFIX):
                         return key[len(cls.PREFIX):]
                     return key
                 @classmethod
                 def get_by_key_name(cls, key, repo):
                     row = cls.query()\
                             .filter(cls.repository == repo)\
                             .filter(cls.field_key == key).scalar()
                     return row
             class Repository(Base, BaseModel):
                 __tablename__ = 'repositories'
                 __table_args__ = (
                     Index('r_repo_name_idx', 'repo_name', mysql_length=255),
                     base_table_args,
                 )
                 DEFAULT_CLONE_URI = '{scheme}://{user}@{netloc}/{repo}'
                 DEFAULT_CLONE_URI_ID = '{scheme}://{user}@{netloc}/_{repoid}'
                 DEFAULT_CLONE_URI_SSH = 'ssh://{sys_user}@{hostname}/{repo}'
                 STATE_CREATED = 'repo_state_created'
                 STATE_PENDING = 'repo_state_pending'
                 STATE_ERROR = 'repo_state_error'
                 LOCK_AUTOMATIC = 'lock_auto'
                 LOCK_API = 'lock_api'
                 LOCK_WEB = 'lock_web'
                 LOCK_PULL = 'lock_pull'
                 NAME_SEP = URL_SEP
                 repo_id = Column(
                     "repo_id", Integer(), nullable=False, unique=True, default=None,
                     primary_key=True)
                 _repo_name = Column(
                     "repo_name", Text(), nullable=False, default=None)
                 repo_name_hash = Column(
                     "repo_name_hash", String(255), nullable=False, unique=True)
                 repo_state = Column("repo_state", String(255), nullable=True)
                 clone_uri = Column(
                     "clone_uri", EncryptedTextValue(), nullable=True, unique=False,
                     default=None)
                 push_uri = Column(
                     "push_uri", EncryptedTextValue(), nullable=True, unique=False,
                     default=None)
                 repo_type = Column(
                     "repo_type", String(255), nullable=False, unique=False, default=None)
                 user_id = Column(
                     "user_id", Integer(), ForeignKey('users.user_id'), nullable=False,
                     unique=False, default=None)
                 private = Column(
                     "private", Boolean(), nullable=True, unique=None, default=None)
                 archived = Column(
                     "archived", Boolean(), nullable=True, unique=None, default=None)
                 enable_statistics = Column(
                     "statistics", Boolean(), nullable=True, unique=None, default=True)
                 enable_downloads = Column(
                     "downloads", Boolean(), nullable=True, unique=None, default=True)
                 description = Column(
                     "description", String(10000), nullable=True, unique=None, default=None)
                 created_on = Column(
                     'created_on', DateTime(timezone=False), nullable=True, unique=None,
                     default=datetime.datetime.now)
                 updated_on = Column(
                     'updated_on', DateTime(timezone=False), nullable=True, unique=None,
                     default=datetime.datetime.now)
                 _landing_revision = Column(
                     "landing_revision", String(255), nullable=False, unique=False,
                     default=None)
                 enable_locking = Column(
                     "enable_locking", Boolean(), nullable=False, unique=None,
                     default=False)
                 _locked = Column(
                     "locked", String(255), nullable=True, unique=False, default=None)
                 _changeset_cache = Column(
                     "changeset_cache", LargeBinary(), nullable=True)  # JSON data
                 fork_id = Column(
                     "fork_id", Integer(), ForeignKey('repositories.repo_id'),
                     nullable=True, unique=False, default=None)
                 group_id = Column(
                     "group_id", Integer(), ForeignKey('groups.group_id'), nullable=True,
                     unique=False, default=None)
                 user = relationship('User', lazy='joined', back_populates='repositories')
                 fork = relationship('Repository', remote_side=repo_id, lazy='joined')
                 group = relationship('RepoGroup', lazy='joined')
                 repo_to_perm = relationship('UserRepoToPerm', cascade='all', order_by='UserRepoToPerm.repo_to_perm_id')
                 users_group_to_perm = relationship('UserGroupRepoToPerm', cascade='all', back_populates='repository')
                 stats = relationship('Statistics', cascade='all', uselist=False)
                 followers = relationship('UserFollowing', primaryjoin='UserFollowing.follows_repo_id==Repository.repo_id', cascade='all', back_populates='follows_repository')
                 extra_fields = relationship('RepositoryField', cascade="all, delete-orphan", back_populates='repository')
                 logs = relationship('UserLog', back_populates='repository')
                 comments = relationship('ChangesetComment', cascade="all, delete-orphan", back_populates='repo')
                 pull_requests_source = relationship(
                     'PullRequest',
                     primaryjoin='PullRequest.source_repo_id==Repository.repo_id',
                     cascade="all, delete-orphan",
                     overlaps="source_repo"
                 )
                 pull_requests_target = relationship(
                     'PullRequest',
                     primaryjoin='PullRequest.target_repo_id==Repository.repo_id',
                     cascade="all, delete-orphan",
                     overlaps="target_repo"
                 )
                 ui = relationship('RepoRhodeCodeUi', cascade="all")
                 settings = relationship('RepoRhodeCodeSetting', cascade="all")
                 integrations = relationship('Integration', cascade="all, delete-orphan", back_populates='repo')
                 scoped_tokens = relationship('UserApiKeys', cascade="all", back_populates='repo')
                 # no cascade, set NULL
                 artifacts = relationship('FileStore', primaryjoin='FileStore.scope_repo_id==Repository.repo_id', viewonly=True)
                 review_rules = relationship('RepoReviewRule')
                 user_branch_perms = relationship('UserToRepoBranchPermission')
                 user_group_branch_perms = relationship('UserGroupToRepoBranchPermission')
                 def __repr__(self):
                     return "<%s('%s:%s')>" % (self.cls_name, self.repo_id, self.repo_name)
                 @hybrid_property
                 def description_safe(self):
                     from rhodecode.lib import helpers as h
                     return h.escape(self.description)
                 @hybrid_property
                 def landing_rev(self):
                     # always should return [rev_type, rev], e.g ['branch', 'master']
                     if self._landing_revision:
                         _rev_info = self._landing_revision.split(':')
                         if len(_rev_info) < 2:
                             _rev_info.insert(0, 'rev')
                         return [_rev_info[0], _rev_info[1]]
                     return [None, None]
                 @property
                 def landing_ref_type(self):
                     return self.landing_rev[0]
                 @property
                 def landing_ref_name(self):
                     return self.landing_rev[1]
                 @landing_rev.setter
                 def landing_rev(self, val):
                     if ':' not in val:
                         raise ValueError('value must be delimited with `:` and consist '
                                          'of <rev_type>:<rev>, got %s instead' % val)
                     self._landing_revision = val
                 @hybrid_property
                 def locked(self):
                     if self._locked:
                         user_id, timelocked, reason = self._locked.split(':')
                         lock_values = int(user_id), timelocked, reason
                     else:
                         lock_values = [None, None, None]
                     return lock_values
                 @locked.setter
                 def locked(self, val):
                     if val and isinstance(val, (list, tuple)):
                         self._locked = ':'.join(map(str, val))
                     else:
                         self._locked = None
                 @classmethod
                 def _load_changeset_cache(cls, repo_id, changeset_cache_raw):
                     from rhodecode.lib.vcs.backends.base import EmptyCommit
                     dummy = EmptyCommit().__json__()
                     if not changeset_cache_raw:
                         dummy['source_repo_id'] = repo_id
                         return json.loads(json.dumps(dummy))
                     try:
                         return json.loads(changeset_cache_raw)
                     except TypeError:
                         return dummy
                     except Exception:
                         log.error(traceback.format_exc())
                         return dummy
                 @hybrid_property
                 def changeset_cache(self):
                     return self._load_changeset_cache(self.repo_id, self._changeset_cache)
                 @changeset_cache.setter
                 def changeset_cache(self, val):
                     try:
                         self._changeset_cache = json.dumps(val)
                     except Exception:
                         log.error(traceback.format_exc())
                 @hybrid_property
                 def repo_name(self):
                     return self._repo_name
                 @repo_name.setter
                 def repo_name(self, value):
                     self._repo_name = value
                     self.repo_name_hash = sha1(safe_bytes(value))
                 @classmethod
                 def normalize_repo_name(cls, repo_name):
                     """
                     Normalizes os specific repo_name to the format internally stored inside
                     database using URL_SEP
                     :param cls:
                     :param repo_name:
                     """
                     return cls.NAME_SEP.join(repo_name.split(os.sep))
                 @classmethod
                 def get_by_repo_name(cls, repo_name, cache=False, identity_cache=False):
                     session = Session()
                     q = session.query(cls).filter(cls.repo_name == repo_name)
                     if cache:
                         if identity_cache:
                             val = cls.identity_cache(session, 'repo_name', repo_name)
                             if val:
                                 return val
                         else:
                             cache_key = "get_repo_by_name_%s" % _hash_key(repo_name)
                             q = q.options(
                                 FromCache("sql_cache_short", cache_key))
                     return q.scalar()
                 @classmethod
                 def get_by_id_or_repo_name(cls, repoid):
                     if isinstance(repoid, int):
                         try:
                             repo = cls.get(repoid)
                         except ValueError:
                             repo = None
                     else:
                         repo = cls.get_by_repo_name(repoid)
                     return repo
                 @classmethod
                 def get_by_full_path(cls, repo_full_path):
                     repo_name = repo_full_path.split(cls.base_path(), 1)[-1]
                     repo_name = cls.normalize_repo_name(repo_name)
                     return cls.get_by_repo_name(repo_name.strip(URL_SEP))
                 @classmethod
                 def get_repo_forks(cls, repo_id):
                     return cls.query().filter(Repository.fork_id == repo_id)
                 @classmethod
                 def base_path(cls):
                     """
                     Returns base path when all repos are stored
                     :param cls:
                     """
                     from rhodecode.lib.utils import get_rhodecode_repo_store_path
                     return get_rhodecode_repo_store_path()
                 @classmethod
                 def get_all_repos(cls, user_id=Optional(None), group_id=Optional(None),
                                   case_insensitive=True, archived=False):
                     q = Repository.query()
                     if not archived:
                         q = q.filter(Repository.archived.isnot(true()))
                     if not isinstance(user_id, Optional):
                         q = q.filter(Repository.user_id == user_id)
                     if not isinstance(group_id, Optional):
                         q = q.filter(Repository.group_id == group_id)
                     if case_insensitive:
                         q = q.order_by(func.lower(Repository.repo_name))
                     else:
                         q = q.order_by(Repository.repo_name)
                     return q.all()
                 @property
                 def repo_uid(self):
                     return '_{}'.format(self.repo_id)
                 @property
                 def forks(self):
                     """
                     Return forks of this repo
                     """
                     return Repository.get_repo_forks(self.repo_id)
                 @property
                 def parent(self):
                     """
                     Returns fork parent
                     """
                     return self.fork
                 @property
                 def just_name(self):
                     return self.repo_name.split(self.NAME_SEP)[-1]
                 @property
                 def groups_with_parents(self):
                     groups = []
                     if self.group is None:
                         return groups
                     cur_gr = self.group
                     groups.insert(0, cur_gr)
                     while 1:
                         gr = getattr(cur_gr, 'parent_group', None)
                         cur_gr = cur_gr.parent_group
                         if gr is None:
                             break
                         groups.insert(0, gr)
                     return groups
                 @property
                 def groups_and_repo(self):
                     return self.groups_with_parents, self
                 @property
                 def repo_path(self):
                     """
                     Returns base full path for that repository means where it actually
                     exists on a filesystem
                     """
                     return self.base_path()
                 @property
                 def repo_full_path(self):
                     p = [self.repo_path]
                     # we need to split the name by / since this is how we store the
                     # names in the database, but that eventually needs to be converted
                     # into a valid system path
                     p += self.repo_name.split(self.NAME_SEP)
                     return os.path.join(*map(safe_str, p))
                 @property
                 def cache_keys(self):
                     """
                     Returns associated cache keys for that repo
                     """
                     repo_namespace_key = CacheKey.REPO_INVALIDATION_NAMESPACE.format(repo_id=self.repo_id)
                     return CacheKey.query()\
                         .filter(CacheKey.cache_key == repo_namespace_key)\
                         .order_by(CacheKey.cache_key)\
                         .all()
                 @property
                 def cached_diffs_relative_dir(self):
                     """
                     Return a relative to the repository store path of cached diffs
                     used for safe display for users, who shouldn't know the absolute store
                     path
                     """
                     return os.path.join(
                         os.path.dirname(self.repo_name),
                         self.cached_diffs_dir.split(os.path.sep)[-1])
                 @property
                 def cached_diffs_dir(self):
                     path = self.repo_full_path
                     return os.path.join(
                         os.path.dirname(path),
                         f'.__shadow_diff_cache_repo_{self.repo_id}')
                 def cached_diffs(self):
                     diff_cache_dir = self.cached_diffs_dir
                     if os.path.isdir(diff_cache_dir):
                         return os.listdir(diff_cache_dir)
                     return []
                 def shadow_repos(self):
                     shadow_repos_pattern = f'.__shadow_repo_{self.repo_id}'
                     return [
                         x for x in os.listdir(os.path.dirname(self.repo_full_path))
                         if x.startswith(shadow_repos_pattern)
                     ]
                 def get_new_name(self, repo_name):
                     """
                     returns new full repository name based on assigned group and new new
                     :param repo_name:
                     """
                     path_prefix = self.group.full_path_splitted if self.group else []
                     return self.NAME_SEP.join(path_prefix + [repo_name])
                 @property
                 def _config(self):
                     """
                     Returns db based config object.
                     """
                     from rhodecode.lib.utils import make_db_config
                     return make_db_config(clear_session=False, repo=self)
                 def permissions(self, with_admins=True, with_owner=True,
                                 expand_from_user_groups=False):
                     """
                     Permissions for repositories
                     """
                     _admin_perm = 'repository.admin'
                     owner_row = []
                     if with_owner:
                         usr = AttributeDict(self.user.get_dict())
                         usr.owner_row = True
                         usr.permission = _admin_perm
                         usr.permission_id = None
                         owner_row.append(usr)
                     super_admin_ids = []
                     super_admin_rows = []
                     if with_admins:
                         for usr in User.get_all_super_admins():
                             super_admin_ids.append(usr.user_id)
                             # if this admin is also owner, don't double the record
                             if usr.user_id == owner_row[0].user_id:
                                 owner_row[0].admin_row = True
                             else:
                                 usr = AttributeDict(usr.get_dict())
                                 usr.admin_row = True
                                 usr.permission = _admin_perm
                                 usr.permission_id = None
                                 super_admin_rows.append(usr)
                     q = UserRepoToPerm.query().filter(UserRepoToPerm.repository == self)
                     q = q.options(joinedload(UserRepoToPerm.repository),
                                   joinedload(UserRepoToPerm.user),
                                   joinedload(UserRepoToPerm.permission),)
                     # get owners and admins and permissions. We do a trick of re-writing
                     # objects from sqlalchemy to named-tuples due to sqlalchemy session
                     # has a global reference and changing one object propagates to all
                     # others. This means if admin is also an owner admin_row that change
                     # would propagate to both objects
                     perm_rows = []
                     for _usr in q.all():
                         usr = AttributeDict(_usr.user.get_dict())
                         # if this user is also owner/admin, mark as duplicate record
                         if usr.user_id == owner_row[0].user_id or usr.user_id in super_admin_ids:
                             usr.duplicate_perm = True
                         # also check if this permission is maybe used by branch_permissions
                         if _usr.branch_perm_entry:
                             usr.branch_rules = [x.branch_rule_id for x in _usr.branch_perm_entry]
                         usr.permission = _usr.permission.permission_name
                         usr.permission_id = _usr.repo_to_perm_id
                         perm_rows.append(usr)
                     # filter the perm rows by 'default' first and then sort them by
                     # admin,write,read,none permissions sorted again alphabetically in
                     # each group
                     perm_rows = sorted(perm_rows, key=display_user_sort)
                     user_groups_rows = []
                     if expand_from_user_groups:
                         for ug in self.permission_user_groups(with_members=True):
                             for user_data in ug.members:
                                 user_groups_rows.append(user_data)
                     return super_admin_rows + owner_row + perm_rows + user_groups_rows
                 def permission_user_groups(self, with_members=True):
                     q = UserGroupRepoToPerm.query()\
                         .filter(UserGroupRepoToPerm.repository == self)
                     q = q.options(joinedload(UserGroupRepoToPerm.repository),
                                   joinedload(UserGroupRepoToPerm.users_group),
                                   joinedload(UserGroupRepoToPerm.permission),)
                     perm_rows = []
                     for _user_group in q.all():
                         entry = AttributeDict(_user_group.users_group.get_dict())
                         entry.permission = _user_group.permission.permission_name
                         if with_members:
                             entry.members = [x.user.get_dict()
                                              for x in _user_group.users_group.members]
                         perm_rows.append(entry)
                     perm_rows = sorted(perm_rows, key=display_user_group_sort)
                     return perm_rows
                 def get_api_data(self, include_secrets=False):
                     """
                     Common function for generating repo api data
                     :param include_secrets: See :meth:`User.get_api_data`.
                     """
                     # TODO: mikhail: Here there is an anti-pattern, we probably need to
                     # move this methods on models level.
                     from rhodecode.model.settings import SettingsModel
                     from rhodecode.model.repo import RepoModel
                     repo = self
                     _user_id, _time, _reason = self.locked
                     data = {
                         'repo_id': repo.repo_id,
                         'repo_name': repo.repo_name,
                         'repo_type': repo.repo_type,
                         'clone_uri': repo.clone_uri or '',
                         'push_uri': repo.push_uri or '',
                         'url': RepoModel().get_url(self),
                         'private': repo.private,
                         'created_on': repo.created_on,
                         'description': repo.description_safe,
                         'landing_rev': repo.landing_rev,
                         'owner': repo.user.username,
                         'fork_of': repo.fork.repo_name if repo.fork else None,
                         'fork_of_id': repo.fork.repo_id if repo.fork else None,
                         'enable_statistics': repo.enable_statistics,
                         'enable_locking': repo.enable_locking,
                         'enable_downloads': repo.enable_downloads,
                         'last_changeset': repo.changeset_cache,
                         'locked_by': User.get(_user_id).get_api_data(
                             include_secrets=include_secrets) if _user_id else None,
                         'locked_date': time_to_datetime(_time) if _time else None,
                         'lock_reason': _reason if _reason else None,
                     }
                     # TODO: mikhail: should be per-repo settings here
                     rc_config = SettingsModel().get_all_settings()
                     repository_fields = str2bool(
                         rc_config.get('rhodecode_repository_fields'))
                     if repository_fields:
                         for f in self.extra_fields:
                             data[f.field_key_prefixed] = f.field_value
                     return data
                 @classmethod
                 def lock(cls, repo, user_id, lock_time=None, lock_reason=None):
                     if not lock_time:
                         lock_time = time.time()
                     if not lock_reason:
                         lock_reason = cls.LOCK_AUTOMATIC
                     repo.locked = [user_id, lock_time, lock_reason]
                     Session().add(repo)
                     Session().commit()
                 @classmethod
                 def unlock(cls, repo):
                     repo.locked = None
                     Session().add(repo)
                     Session().commit()
                 @classmethod
                 def getlock(cls, repo):
                     return repo.locked
                 def get_locking_state(self, action, user_id, only_when_enabled=True):
                     """
                     Checks locking on this repository, if locking is enabled and lock is
                     present returns a tuple of make_lock, locked, locked_by.
                     make_lock can have 3 states None (do nothing) True, make lock
                     False release lock, This value is later propagated to hooks, which
                     do the locking. Think about this as signals passed to hooks what to do.
                     """
                     # TODO: johbo: This is part of the business logic and should be moved
                     # into the RepositoryModel.
                     if action not in ('push', 'pull'):
                         raise ValueError("Invalid action value: %s" % repr(action))
                     # defines if locked error should be thrown to user
                     currently_locked = False
                     # defines if new lock should be made, tri-state
                     make_lock = None
                     repo = self
                     user = User.get(user_id)
                     lock_info = repo.locked
                     if repo and (repo.enable_locking or not only_when_enabled):
                         if action == 'push':
                             # check if it's already locked !, if it is compare users
                             locked_by_user_id = lock_info[0]
                             if user.user_id == locked_by_user_id:
                                 log.debug(
                                     'Got `push` action from user %s, now unlocking', user)
                                 # unlock if we have push from user who locked
                                 make_lock = False
                             else:
                                 # we're not the same user who locked, ban with
                                 # code defined in settings (default is 423 HTTP Locked) !
                                 log.debug('Repo %s is currently locked by %s', repo, user)
                                 currently_locked = True
                         elif action == 'pull':
                             # [0] user [1] date
                             if lock_info[0] and lock_info[1]:
                                 log.debug('Repo %s is currently locked by %s', repo, user)
                                 currently_locked = True
                             else:
                                 log.debug('Setting lock on repo %s by %s', repo, user)
                                 make_lock = True
                     else:
                         log.debug('Repository %s do not have locking enabled', repo)
                     log.debug('FINAL locking values make_lock:%s,locked:%s,locked_by:%s',
                               make_lock, currently_locked, lock_info)
                     from rhodecode.lib.auth import HasRepoPermissionAny
                     perm_check = HasRepoPermissionAny('repository.write', 'repository.admin')
                     if make_lock and not perm_check(repo_name=repo.repo_name, user=user):
                         # if we don't have at least write permission we cannot make a lock
                         log.debug('lock state reset back to FALSE due to lack '
                                   'of at least read permission')
                         make_lock = False
                     return make_lock, currently_locked, lock_info
                 @property
                 def last_commit_cache_update_diff(self):
                     return time.time() - (safe_int(self.changeset_cache.get('updated_on')) or 0)
                 @classmethod
                 def _load_commit_change(cls, last_commit_cache):
                     from rhodecode.lib.vcs.utils.helpers import parse_datetime
                     empty_date = datetime.datetime.fromtimestamp(0)
                     date_latest = last_commit_cache.get('date', empty_date)
                     try:
                         return parse_datetime(date_latest)
                     except Exception:
                         return empty_date
                 @property
                 def last_commit_change(self):
                     return self._load_commit_change(self.changeset_cache)
                 @property
                 def last_db_change(self):
                     return self.updated_on
                 @property
                 def clone_uri_hidden(self):
                     clone_uri = self.clone_uri
                     if clone_uri:
                         import urlobject
                         url_obj = urlobject.URLObject(cleaned_uri(clone_uri))
                         if url_obj.password:
                             clone_uri = url_obj.with_password('*****')
                     return clone_uri
                 @property
                 def push_uri_hidden(self):
                     push_uri = self.push_uri
                     if push_uri:
                         import urlobject
                         url_obj = urlobject.URLObject(cleaned_uri(push_uri))
                         if url_obj.password:
                             push_uri = url_obj.with_password('*****')
                     return push_uri
                 def clone_url(self, **override):
                     from rhodecode.model.settings import SettingsModel
                     uri_tmpl = None
                     if 'with_id' in override:
                         uri_tmpl = self.DEFAULT_CLONE_URI_ID
                         del override['with_id']
                     if 'uri_tmpl' in override:
                         uri_tmpl = override['uri_tmpl']
                         del override['uri_tmpl']
                     ssh = False
                     if 'ssh' in override:
                         ssh = True
                         del override['ssh']
                     # we didn't override our tmpl from **overrides
                     request = get_current_request()
                     if not uri_tmpl:
                         if hasattr(request, 'call_context') and hasattr(request.call_context, 'rc_config'):
                             rc_config = request.call_context.rc_config
                         else:
                             rc_config = SettingsModel().get_all_settings(cache=True)
                         if ssh:
                             uri_tmpl = rc_config.get(
                                 'rhodecode_clone_uri_ssh_tmpl') or self.DEFAULT_CLONE_URI_SSH
                         else:
                             uri_tmpl = rc_config.get(
                                 'rhodecode_clone_uri_tmpl') or self.DEFAULT_CLONE_URI
                     return get_clone_url(request=request,
                                          uri_tmpl=uri_tmpl,
                                          repo_name=self.repo_name,
                                          repo_id=self.repo_id,
                                          repo_type=self.repo_type,
                                          **override)
                 def set_state(self, state):
                     self.repo_state = state
                     Session().add(self)
                 #==========================================================================
                 # SCM PROPERTIES
                 #==========================================================================
                 def get_commit(self, commit_id=None, commit_idx=None, pre_load=None, maybe_unreachable=False, reference_obj=None):
                     return get_commit_safe(
                         self.scm_instance(), commit_id, commit_idx, pre_load=pre_load,
                         maybe_unreachable=maybe_unreachable, reference_obj=reference_obj)
                 def get_changeset(self, rev=None, pre_load=None):
                     warnings.warn("Use get_commit", DeprecationWarning)
                     commit_id = None
                     commit_idx = None
                     if isinstance(rev, str):
                         commit_id = rev
                     else:
                         commit_idx = rev
                     return self.get_commit(commit_id=commit_id, commit_idx=commit_idx,
                                            pre_load=pre_load)
                 def get_landing_commit(self):
                     """
                     Returns landing commit, or if that doesn't exist returns the tip
                     """
                     _rev_type, _rev = self.landing_rev
                     commit = self.get_commit(_rev)
                     if isinstance(commit, EmptyCommit):
                         return self.get_commit()
                     return commit
                 def flush_commit_cache(self):
                     self.update_commit_cache(cs_cache={'raw_id':'0'})
                     self.update_commit_cache()
                 def update_commit_cache(self, cs_cache=None, config=None):
                     """
                     Update cache of last commit for repository
                     cache_keys should be::
                         source_repo_id
                         short_id
                         raw_id
                         revision
                         parents
                         message
                         date
                         author
                         updated_on
                     """
                     from rhodecode.lib.vcs.backends.base import BaseCommit
                     from rhodecode.lib.vcs.utils.helpers import parse_datetime
                     empty_date = datetime.datetime.fromtimestamp(0)
                     repo_commit_count = 0
                     if cs_cache is None:
                         # use no-cache version here
                         try:
                             scm_repo = self.scm_instance(cache=False, config=config)
                         except VCSError:
                             scm_repo = None
                         empty = scm_repo is None or scm_repo.is_empty()
                         if not empty:
                             cs_cache = scm_repo.get_commit(
                                 pre_load=["author", "date", "message", "parents", "branch"])
                             repo_commit_count = scm_repo.count()
                         else:
                             cs_cache = EmptyCommit()
                     if isinstance(cs_cache, BaseCommit):
                         cs_cache = cs_cache.__json__()
                     def is_outdated(new_cs_cache):
                         if (new_cs_cache['raw_id'] != self.changeset_cache['raw_id'] or
                             new_cs_cache['revision'] != self.changeset_cache['revision']):
                             return True
                         return False
                     # check if we have maybe already latest cached revision
                     if is_outdated(cs_cache) or not self.changeset_cache:
                         _current_datetime = datetime.datetime.utcnow()
                         last_change = cs_cache.get('date') or _current_datetime
                         # we check if last update is newer than the new value
                         # if yes, we use the current timestamp instead. Imagine you get
                         # old commit pushed 1y ago, we'd set last update 1y to ago.
                         last_change_timestamp = datetime_to_time(last_change)
                         current_timestamp = datetime_to_time(last_change)
                         if last_change_timestamp > current_timestamp and not empty:
                             cs_cache['date'] = _current_datetime
                         # also store size of repo
                         cs_cache['repo_commit_count'] = repo_commit_count
                         _date_latest = parse_datetime(cs_cache.get('date') or empty_date)
                         cs_cache['updated_on'] = time.time()
                         self.changeset_cache = cs_cache
                         self.updated_on = last_change
                         Session().add(self)
                         Session().commit()
                     else:
                         if empty:
                             cs_cache = EmptyCommit().__json__()
                         else:
                             cs_cache = self.changeset_cache
                         _date_latest = parse_datetime(cs_cache.get('date') or empty_date)
                         cs_cache['updated_on'] = time.time()
                         self.changeset_cache = cs_cache
                         self.updated_on = _date_latest
                         Session().add(self)
                         Session().commit()
                     log.debug('updated repo `%s` with new commit cache %s, and last update_date: %s',
                               self.repo_name, cs_cache, _date_latest)
                 @property
                 def tip(self):
                     return self.get_commit('tip')
                 @property
                 def author(self):
                     return self.tip.author
                 @property
                 def last_change(self):
                     return self.scm_instance().last_change
                 def get_comments(self, revisions=None):
                     """
                     Returns comments for this repository grouped by revisions
                     :param revisions: filter query by revisions only
                     """
                     cmts = ChangesetComment.query()\
                         .filter(ChangesetComment.repo == self)
                     if revisions:
                         cmts = cmts.filter(ChangesetComment.revision.in_(revisions))
                     grouped = collections.defaultdict(list)
                     for cmt in cmts.all():
                         grouped[cmt.revision].append(cmt)
                     return grouped
                 def statuses(self, revisions=None):
                     """
                     Returns statuses for this repository
                     :param revisions: list of revisions to get statuses for
                     """
                     statuses = ChangesetStatus.query()\
                         .filter(ChangesetStatus.repo == self)\
                         .filter(ChangesetStatus.version == 0)
                     if revisions:
                         # Try doing the filtering in chunks to avoid hitting limits
                         size = 500
                         status_results = []
                         for chunk in range(0, len(revisions), size):
                             status_results += statuses.filter(
                                 ChangesetStatus.revision.in_(
                                     revisions[chunk: chunk+size])
                             ).all()
                     else:
                         status_results = statuses.all()
                     grouped = {}
                     # maybe we have open new pullrequest without a status?
                     stat = ChangesetStatus.STATUS_UNDER_REVIEW
                     status_lbl = ChangesetStatus.get_status_lbl(stat)
                     for pr in PullRequest.query().filter(PullRequest.source_repo == self).all():
                         for rev in pr.revisions:
                             pr_id = pr.pull_request_id
                             pr_repo = pr.target_repo.repo_name
                             grouped[rev] = [stat, status_lbl, pr_id, pr_repo]
                     for stat in status_results:
                         pr_id = pr_repo = None
                         if stat.pull_request:
                             pr_id = stat.pull_request.pull_request_id
                             pr_repo = stat.pull_request.target_repo.repo_name
                         grouped[stat.revision] = [str(stat.status), stat.status_lbl,
                                                   pr_id, pr_repo]
                     return grouped
                 # ==========================================================================
                 # SCM CACHE INSTANCE
                 # ==========================================================================
                 def scm_instance(self, **kwargs):
                     import rhodecode
                     # Passing a config will not hit the cache currently only used
                     # for repo2dbmapper
                     config = kwargs.pop('config', None)
                     cache = kwargs.pop('cache', None)
                     vcs_full_cache = kwargs.pop('vcs_full_cache', None)
                     if vcs_full_cache is not None:
                         # allows override global config
                         full_cache = vcs_full_cache
                     else:
                         full_cache = rhodecode.ConfigGet().get_bool('vcs_full_cache')
                     # if cache is NOT defined use default global, else we have a full
                     # control over cache behaviour
                     if cache is None and full_cache and not config:
                         log.debug('Initializing pure cached instance for %s', self.repo_path)
                         return self._get_instance_cached()
                     # cache here is sent to the "vcs server"
                     return self._get_instance(cache=bool(cache), config=config)
                 def _get_instance_cached(self):
                     from rhodecode.lib import rc_cache
                     cache_namespace_uid = f'repo_instance.{self.repo_id}'
                     region = rc_cache.get_or_create_region('cache_repo_longterm', cache_namespace_uid)
                     # we must use thread scoped cache here,
                     # because each thread of gevent needs it's own not shared connection and cache
                     # we also alter `args` so the cache key is individual for every green thread.
                     repo_namespace_key = CacheKey.REPO_INVALIDATION_NAMESPACE.format(repo_id=self.repo_id)
                     inv_context_manager = rc_cache.InvalidationContext(key=repo_namespace_key, thread_scoped=True)
                     # our wrapped caching function that takes state_uid to save the previous state in
                     def cache_generator(_state_uid):
                         @region.conditional_cache_on_arguments(namespace=cache_namespace_uid)
                         def get_instance_cached(_repo_id, _process_context_id):
                             # we save in cached func the generation state so we can detect a change and invalidate caches
                             return _state_uid, self._get_instance(repo_state_uid=_state_uid)
                         return get_instance_cached
                     with inv_context_manager as invalidation_context:
                         cache_state_uid = invalidation_context.state_uid
                         cache_func = cache_generator(cache_state_uid)
                         args = self.repo_id, inv_context_manager.proc_key
                         previous_state_uid, instance = cache_func(*args)
                         # now compare keys, the "cache" state vs expected state.
                         if previous_state_uid != cache_state_uid:
                             log.warning('Cached state uid %s is different than current state uid %s',
                                         previous_state_uid, cache_state_uid)
                             _, instance = cache_func.refresh(*args)
                         log.debug('Repo instance fetched in %.4fs', inv_context_manager.compute_time)
                         return instance
                 def _get_instance(self, cache=True, config=None, repo_state_uid=None):
                     log.debug('Initializing %s instance `%s` with cache flag set to: %s',
                               self.repo_type, self.repo_path, cache)
                     config = config or self._config
                     custom_wire = {
                         'cache': cache,  # controls the vcs.remote cache
                         'repo_state_uid': repo_state_uid
                     }
                     repo = get_vcs_instance(
                         repo_path=safe_str(self.repo_full_path),
                         config=config,
                         with_wire=custom_wire,
                         create=False,
                         _vcs_alias=self.repo_type)
                     if repo is not None:
                         repo.count()  # cache rebuild
                     return repo
                 def get_shadow_repository_path(self, workspace_id):
                     from rhodecode.lib.vcs.backends.base import BaseRepository
                     shadow_repo_path = BaseRepository._get_shadow_repository_path(
                         self.repo_full_path, self.repo_id, workspace_id)
                     return shadow_repo_path
                 def __json__(self):
                     return {'landing_rev': self.landing_rev}
                 def get_dict(self):
                     # Since we transformed `repo_name` to a hybrid property, we need to
                     # keep compatibility with the code which uses `repo_name` field.
                     result = super(Repository, self).get_dict()
                     result['repo_name'] = result.pop('_repo_name', None)
                     result.pop('_changeset_cache', '')
                     return result
             class RepoGroup(Base, BaseModel):
                 __tablename__ = 'groups'
                 __table_args__ = (
                     UniqueConstraint('group_name', 'group_parent_id'),
                     base_table_args,
                 )
                 CHOICES_SEPARATOR = '/'  # used to generate select2 choices for nested groups
                 group_id = Column("group_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 _group_name = Column("group_name", String(255), nullable=False, unique=True, default=None)
                 group_name_hash = Column("repo_group_name_hash", String(1024), nullable=False, unique=False)
                 group_parent_id = Column("group_parent_id", Integer(), ForeignKey('groups.group_id'), nullable=True, unique=None, default=None)
                 group_description = Column("group_description", String(10000), nullable=True, unique=None, default=None)
                 enable_locking = Column("enable_locking", Boolean(), nullable=False, unique=None, default=False)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=False, default=None)
                 created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 updated_on = Column('updated_on', DateTime(timezone=False), nullable=True, unique=None, default=datetime.datetime.now)
                 personal = Column('personal', Boolean(), nullable=True, unique=None, default=None)
                 _changeset_cache = Column("changeset_cache", LargeBinary(), nullable=True)  # JSON data
                 repo_group_to_perm = relationship('UserRepoGroupToPerm', cascade='all', order_by='UserRepoGroupToPerm.group_to_perm_id', back_populates='group')
                 users_group_to_perm = relationship('UserGroupRepoGroupToPerm', cascade='all', back_populates='group')
                 parent_group = relationship('RepoGroup', remote_side=group_id)
                 user = relationship('User', back_populates='repository_groups')
                 integrations = relationship('Integration', cascade="all, delete-orphan", back_populates='repo_group')
                 # no cascade, set NULL
                 scope_artifacts = relationship('FileStore', primaryjoin='FileStore.scope_repo_group_id==RepoGroup.group_id', viewonly=True)
                 def __init__(self, group_name='', parent_group=None):
                     self.group_name = group_name
                     self.parent_group = parent_group
                 def __repr__(self):
                     return f"<{self.cls_name}('id:{self.group_id}:{self.group_name}')>"
                 @hybrid_property
                 def group_name(self):
                     return self._group_name
                 @group_name.setter
                 def group_name(self, value):
                     self._group_name = value
                     self.group_name_hash = self.hash_repo_group_name(value)
                 @classmethod
                 def _load_changeset_cache(cls, repo_id, changeset_cache_raw):
                     from rhodecode.lib.vcs.backends.base import EmptyCommit
                     dummy = EmptyCommit().__json__()
                     if not changeset_cache_raw:
                         dummy['source_repo_id'] = repo_id
                         return json.loads(json.dumps(dummy))
                     try:
                         return json.loads(changeset_cache_raw)
                     except TypeError:
                         return dummy
                     except Exception:
                         log.error(traceback.format_exc())
                         return dummy
                 @hybrid_property
                 def changeset_cache(self):
                     return self._load_changeset_cache('', self._changeset_cache)
                 @changeset_cache.setter
                 def changeset_cache(self, val):
                     try:
                         self._changeset_cache = json.dumps(val)
                     except Exception:
                         log.error(traceback.format_exc())
                 @validates('group_parent_id')
                 def validate_group_parent_id(self, key, val):
                     """
                     Check cycle references for a parent group to self
                     """
                     if self.group_id and val:
                         assert val != self.group_id
                     return val
                 @hybrid_property
                 def description_safe(self):
                     from rhodecode.lib import helpers as h
                     return h.escape(self.group_description)
                 @classmethod
                 def hash_repo_group_name(cls, repo_group_name):
                     val = remove_formatting(repo_group_name)
                     val = safe_str(val).lower()
                     chars = []
                     for c in val:
                         if c not in string.ascii_letters:
                             c = str(ord(c))
                         chars.append(c)
                     return ''.join(chars)
                 @classmethod
                 def _generate_choice(cls, repo_group):
                     from webhelpers2.html import literal as _literal
                     def _name(k):
                         return _literal(cls.CHOICES_SEPARATOR.join(k))
                     return repo_group.group_id, _name(repo_group.full_path_splitted)
                 @classmethod
                 def groups_choices(cls, groups=None, show_empty_group=True):
                     if not groups:
                         groups = cls.query().all()
                     repo_groups = []
                     if show_empty_group:
                         repo_groups = [(-1, '-- %s --' % _('No parent'))]
                     repo_groups.extend([cls._generate_choice(x) for x in groups])
                     repo_groups = sorted(
                         repo_groups, key=lambda t: t[1].split(cls.CHOICES_SEPARATOR)[0])
                     return repo_groups
                 @classmethod
                 def url_sep(cls):
                     return URL_SEP
                 @classmethod
                 def get_by_group_name(cls, group_name, cache=False, case_insensitive=False):
                     if case_insensitive:
                         gr = cls.query().filter(func.lower(cls.group_name)
                                                 == func.lower(group_name))
                     else:
                         gr = cls.query().filter(cls.group_name == group_name)
                     if cache:
                         name_key = _hash_key(group_name)
                         gr = gr.options(
                             FromCache("sql_cache_short", f"get_group_{name_key}"))
                     return gr.scalar()
                 @classmethod
                 def get_user_personal_repo_group(cls, user_id):
                     user = User.get(user_id)
                     if user.username == User.DEFAULT_USER:
                         return None
                     return cls.query()\
                         .filter(cls.personal == true()) \
                         .filter(cls.user == user) \
                         .order_by(cls.group_id.asc()) \
                         .first()
                 @classmethod
                 def get_all_repo_groups(cls, user_id=Optional(None), group_id=Optional(None),
                                         case_insensitive=True):
                     q = RepoGroup.query()
                     if not isinstance(user_id, Optional):
                         q = q.filter(RepoGroup.user_id == user_id)
                     if not isinstance(group_id, Optional):
                         q = q.filter(RepoGroup.group_parent_id == group_id)
                     if case_insensitive:
                         q = q.order_by(func.lower(RepoGroup.group_name))
                     else:
                         q = q.order_by(RepoGroup.group_name)
                     return q.all()
                 @property
                 def parents(self, parents_recursion_limit=10):
                     groups = []
                     if self.parent_group is None:
                         return groups
                     cur_gr = self.parent_group
                     groups.insert(0, cur_gr)
                     cnt = 0
                     while 1:
                         cnt += 1
                         gr = getattr(cur_gr, 'parent_group', None)
                         cur_gr = cur_gr.parent_group
                         if gr is None:
                             break
                         if cnt == parents_recursion_limit:
                             # this will prevent accidental infinit loops
                             log.error('more than %s parents found for group %s, stopping '
                                       'recursive parent fetching', parents_recursion_limit, self)
                             break
                         groups.insert(0, gr)
                     return groups
                 @property
                 def last_commit_cache_update_diff(self):
                     return time.time() - (safe_int(self.changeset_cache.get('updated_on')) or 0)
                 @classmethod
                 def _load_commit_change(cls, last_commit_cache):
                     from rhodecode.lib.vcs.utils.helpers import parse_datetime
                     empty_date = datetime.datetime.fromtimestamp(0)
                     date_latest = last_commit_cache.get('date', empty_date)
                     try:
                         return parse_datetime(date_latest)
                     except Exception:
                         return empty_date
                 @property
                 def last_commit_change(self):
                     return self._load_commit_change(self.changeset_cache)
                 @property
                 def last_db_change(self):
                     return self.updated_on
                 @property
                 def children(self):
                     return RepoGroup.query().filter(RepoGroup.parent_group == self)
                 @property
                 def name(self):
                     return self.group_name.split(RepoGroup.url_sep())[-1]
                 @property
                 def full_path(self):
                     return self.group_name
                 @property
                 def full_path_splitted(self):
                     return self.group_name.split(RepoGroup.url_sep())
                 @property
                 def repositories(self):
                     return Repository.query()\
                             .filter(Repository.group == self)\
                             .order_by(Repository.repo_name)
                 @property
                 def repositories_recursive_count(self):
                     cnt = self.repositories.count()
                     def children_count(group):
                         cnt = 0
                         for child in group.children:
                             cnt += child.repositories.count()
                             cnt += children_count(child)
                         return cnt
                     return cnt + children_count(self)
                 def _recursive_objects(self, include_repos=True, include_groups=True):
                     all_ = []
                     def _get_members(root_gr):
                         if include_repos:
                             for r in root_gr.repositories:
                                 all_.append(r)
                         childs = root_gr.children.all()
                         if childs:
                             for gr in childs:
                                 if include_groups:
                                     all_.append(gr)
                                 _get_members(gr)
                     root_group = []
                     if include_groups:
                         root_group = [self]
                     _get_members(self)
                     return root_group + all_
                 def recursive_groups_and_repos(self):
                     """
                     Recursive return all groups, with repositories in those groups
                     """
                     return self._recursive_objects()
                 def recursive_groups(self):
                     """
                     Returns all children groups for this group including children of children
                     """
                     return self._recursive_objects(include_repos=False)
                 def recursive_repos(self):
                     """
                     Returns all children repositories for this group
                     """
                     return self._recursive_objects(include_groups=False)
                 def get_new_name(self, group_name):
                     """
                     returns new full group name based on parent and new name
                     :param group_name:
                     """
                     path_prefix = (self.parent_group.full_path_splitted if
                                    self.parent_group else [])
                     return RepoGroup.url_sep().join(path_prefix + [group_name])
                 def update_commit_cache(self, config=None):
                     """
                     Update cache of last commit for newest repository inside this repository group.
                     cache_keys should be::
                         source_repo_id
                         short_id
                         raw_id
                         revision
                         parents
                         message
                         date
                         author
                     """
                     from rhodecode.lib.vcs.utils.helpers import parse_datetime
                     empty_date = datetime.datetime.fromtimestamp(0)
                     def repo_groups_and_repos(root_gr):
                         for _repo in root_gr.repositories:
                             yield _repo
                         for child_group in root_gr.children.all():
                             yield child_group
                     latest_repo_cs_cache = {}
                     for obj in repo_groups_and_repos(self):
                         repo_cs_cache = obj.changeset_cache
                         date_latest = latest_repo_cs_cache.get('date', empty_date)
                         date_current = repo_cs_cache.get('date', empty_date)
                         current_timestamp = datetime_to_time(parse_datetime(date_latest))
                         if current_timestamp < datetime_to_time(parse_datetime(date_current)):
                             latest_repo_cs_cache = repo_cs_cache
                             if hasattr(obj, 'repo_id'):
                                 latest_repo_cs_cache['source_repo_id'] = obj.repo_id
                             else:
                                 latest_repo_cs_cache['source_repo_id'] = repo_cs_cache.get('source_repo_id')
                     _date_latest = parse_datetime(latest_repo_cs_cache.get('date') or empty_date)
                     latest_repo_cs_cache['updated_on'] = time.time()
                     self.changeset_cache = latest_repo_cs_cache
                     self.updated_on = _date_latest
                     Session().add(self)
                     Session().commit()
                     log.debug('updated repo group `%s` with new commit cache %s, and last update_date: %s',
                               self.group_name, latest_repo_cs_cache, _date_latest)
                 def permissions(self, with_admins=True, with_owner=True,
                                 expand_from_user_groups=False):
                     """
                     Permissions for repository groups
                     """
                     _admin_perm = 'group.admin'
                     owner_row = []
                     if with_owner:
                         usr = AttributeDict(self.user.get_dict())
                         usr.owner_row = True
                         usr.permission = _admin_perm
                         owner_row.append(usr)
                     super_admin_ids = []
                     super_admin_rows = []
                     if with_admins:
                         for usr in User.get_all_super_admins():
                             super_admin_ids.append(usr.user_id)
                             # if this admin is also owner, don't double the record
                             if usr.user_id == owner_row[0].user_id:
                                 owner_row[0].admin_row = True
                             else:
                                 usr = AttributeDict(usr.get_dict())
                                 usr.admin_row = True
                                 usr.permission = _admin_perm
                                 super_admin_rows.append(usr)
                     q = UserRepoGroupToPerm.query().filter(UserRepoGroupToPerm.group == self)
                     q = q.options(joinedload(UserRepoGroupToPerm.group),
                                   joinedload(UserRepoGroupToPerm.user),
                                   joinedload(UserRepoGroupToPerm.permission),)
                     # get owners and admins and permissions. We do a trick of re-writing
                     # objects from sqlalchemy to named-tuples due to sqlalchemy session
                     # has a global reference and changing one object propagates to all
                     # others. This means if admin is also an owner admin_row that change
                     # would propagate to both objects
                     perm_rows = []
                     for _usr in q.all():
                         usr = AttributeDict(_usr.user.get_dict())
                         # if this user is also owner/admin, mark as duplicate record
                         if usr.user_id == owner_row[0].user_id or usr.user_id in super_admin_ids:
                             usr.duplicate_perm = True
                         usr.permission = _usr.permission.permission_name
                         perm_rows.append(usr)
                     # filter the perm rows by 'default' first and then sort them by
                     # admin,write,read,none permissions sorted again alphabetically in
                     # each group
                     perm_rows = sorted(perm_rows, key=display_user_sort)
                     user_groups_rows = []
                     if expand_from_user_groups:
                         for ug in self.permission_user_groups(with_members=True):
                             for user_data in ug.members:
                                 user_groups_rows.append(user_data)
                     return super_admin_rows + owner_row + perm_rows + user_groups_rows
                 def permission_user_groups(self, with_members=False):
                     q = UserGroupRepoGroupToPerm.query()\
                         .filter(UserGroupRepoGroupToPerm.group == self)
                     q = q.options(joinedload(UserGroupRepoGroupToPerm.group),
                                   joinedload(UserGroupRepoGroupToPerm.users_group),
                                   joinedload(UserGroupRepoGroupToPerm.permission),)
                     perm_rows = []
                     for _user_group in q.all():
                         entry = AttributeDict(_user_group.users_group.get_dict())
                         entry.permission = _user_group.permission.permission_name
                         if with_members:
                             entry.members = [x.user.get_dict()
                                              for x in _user_group.users_group.members]
                         perm_rows.append(entry)
                     perm_rows = sorted(perm_rows, key=display_user_group_sort)
                     return perm_rows
                 def get_api_data(self):
                     """
                     Common function for generating api data
                     """
                     group = self
                     data = {
                         'group_id': group.group_id,
                         'group_name': group.group_name,
                         'group_description': group.description_safe,
                         'parent_group': group.parent_group.group_name if group.parent_group else None,
                         'repositories': [x.repo_name for x in group.repositories],
                         'owner': group.user.username,
                     }
                     return data
                 def get_dict(self):
                     # Since we transformed `group_name` to a hybrid property, we need to
                     # keep compatibility with the code which uses `group_name` field.
                     result = super(RepoGroup, self).get_dict()
                     result['group_name'] = result.pop('_group_name', None)
                     result.pop('_changeset_cache', '')
                     return result
             class Permission(Base, BaseModel):
                 __tablename__ = 'permissions'
                 __table_args__ = (
                     Index('p_perm_name_idx', 'permission_name'),
                     base_table_args,
                 )
                 PERMS = [
                     ('hg.admin', _('RhodeCode Super Administrator')),
                     ('repository.none', _('Repository no access')),
                     ('repository.read', _('Repository read access')),
                     ('repository.write', _('Repository write access')),
                     ('repository.admin', _('Repository admin access')),
                     ('group.none', _('Repository group no access')),
                     ('group.read', _('Repository group read access')),
                     ('group.write', _('Repository group write access')),
                     ('group.admin', _('Repository group admin access')),
                     ('usergroup.none', _('User group no access')),
                     ('usergroup.read', _('User group read access')),
                     ('usergroup.write', _('User group write access')),
                     ('usergroup.admin', _('User group admin access')),
                     ('branch.none', _('Branch no permissions')),
                     ('branch.merge', _('Branch access by web merge')),
                     ('branch.push', _('Branch access by push')),
                     ('branch.push_force', _('Branch access by push with force')),
                     ('hg.repogroup.create.false', _('Repository Group creation disabled')),
                     ('hg.repogroup.create.true', _('Repository Group creation enabled')),
                     ('hg.usergroup.create.false', _('User Group creation disabled')),
                     ('hg.usergroup.create.true', _('User Group creation enabled')),
                     ('hg.create.none', _('Repository creation disabled')),
                     ('hg.create.repository', _('Repository creation enabled')),
                     ('hg.create.write_on_repogroup.true', _('Repository creation enabled with write permission to a repository group')),
                     ('hg.create.write_on_repogroup.false', _('Repository creation disabled with write permission to a repository group')),
                     ('hg.fork.none', _('Repository forking disabled')),
                     ('hg.fork.repository', _('Repository forking enabled')),
                     ('hg.register.none', _('Registration disabled')),
                     ('hg.register.manual_activate', _('User Registration with manual account activation')),
                     ('hg.register.auto_activate', _('User Registration with automatic account activation')),
                     ('hg.password_reset.enabled', _('Password reset enabled')),
                     ('hg.password_reset.hidden', _('Password reset hidden')),
                     ('hg.password_reset.disabled', _('Password reset disabled')),
                     ('hg.extern_activate.manual', _('Manual activation of external account')),
                     ('hg.extern_activate.auto', _('Automatic activation of external account')),
                     ('hg.inherit_default_perms.false', _('Inherit object permissions from default user disabled')),
                     ('hg.inherit_default_perms.true', _('Inherit object permissions from default user enabled')),
                 ]
                 # definition of system default permissions for DEFAULT user, created on
                 # system setup
                 DEFAULT_USER_PERMISSIONS = [
                     # object perms
                     'repository.read',
                     'group.read',
                     'usergroup.read',
                     # branch, for backward compat we need same value as before so forced pushed
                     'branch.push_force',
                     # global
                     'hg.create.repository',
                     'hg.repogroup.create.false',
                     'hg.usergroup.create.false',
                     'hg.create.write_on_repogroup.true',
                     'hg.fork.repository',
                     'hg.register.manual_activate',
                     'hg.password_reset.enabled',
                     'hg.extern_activate.auto',
                     'hg.inherit_default_perms.true',
                 ]
                 # defines which permissions are more important higher the more important
                 # Weight defines which permissions are more important.
                 # The higher number the more important.
                 PERM_WEIGHTS = {
                     'repository.none': 0,
                     'repository.read': 1,
                     'repository.write': 3,
                     'repository.admin': 4,
                     'group.none': 0,
                     'group.read': 1,
                     'group.write': 3,
                     'group.admin': 4,
                     'usergroup.none': 0,
                     'usergroup.read': 1,
                     'usergroup.write': 3,
                     'usergroup.admin': 4,
                     'branch.none': 0,
                     'branch.merge': 1,
                     'branch.push': 3,
                     'branch.push_force': 4,
                     'hg.repogroup.create.false': 0,
                     'hg.repogroup.create.true': 1,
                     'hg.usergroup.create.false': 0,
                     'hg.usergroup.create.true': 1,
                     'hg.fork.none': 0,
                     'hg.fork.repository': 1,
                     'hg.create.none': 0,
                     'hg.create.repository': 1
                 }
                 permission_id = Column("permission_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 permission_name = Column("permission_name", String(255), nullable=True, unique=None, default=None)
                 permission_longname = Column("permission_longname", String(255), nullable=True, unique=None, default=None)
                 def __repr__(self):
                     return "<%s('%s:%s')>" % (
                         self.cls_name, self.permission_id, self.permission_name
                     )
                 @classmethod
                 def get_by_key(cls, key):
                     return cls.query().filter(cls.permission_name == key).scalar()
                 @classmethod
                 def get_default_repo_perms(cls, user_id, repo_id=None):
                     q = Session().query(UserRepoToPerm, Repository, Permission)\
                         .join((Permission, UserRepoToPerm.permission_id == Permission.permission_id))\
                         .join((Repository, UserRepoToPerm.repository_id == Repository.repo_id))\
                         .filter(UserRepoToPerm.user_id == user_id)
                     if repo_id:
                         q = q.filter(UserRepoToPerm.repository_id == repo_id)
                     return q.all()
                 @classmethod
                 def get_default_repo_branch_perms(cls, user_id, repo_id=None):
                     q = Session().query(UserToRepoBranchPermission, UserRepoToPerm, Permission) \
                         .join(
                             Permission,
                             UserToRepoBranchPermission.permission_id == Permission.permission_id) \
                         .join(
                             UserRepoToPerm,
                             UserToRepoBranchPermission.rule_to_perm_id == UserRepoToPerm.repo_to_perm_id) \
                         .filter(UserRepoToPerm.user_id == user_id)
                     if repo_id:
                         q = q.filter(UserToRepoBranchPermission.repository_id == repo_id)
                     return q.order_by(UserToRepoBranchPermission.rule_order).all()
                 @classmethod
                 def get_default_repo_perms_from_user_group(cls, user_id, repo_id=None):
                     q = Session().query(UserGroupRepoToPerm, Repository, Permission)\
                         .join(
                             Permission,
                             UserGroupRepoToPerm.permission_id == Permission.permission_id)\
                         .join(
                             Repository,
                             UserGroupRepoToPerm.repository_id == Repository.repo_id)\
                         .join(
                             UserGroup,
                             UserGroupRepoToPerm.users_group_id ==
                             UserGroup.users_group_id)\
                         .join(
                             UserGroupMember,
                             UserGroupRepoToPerm.users_group_id ==
                             UserGroupMember.users_group_id)\
                         .filter(
                             UserGroupMember.user_id == user_id,
                             UserGroup.users_group_active == true())
                     if repo_id:
                         q = q.filter(UserGroupRepoToPerm.repository_id == repo_id)
                     return q.all()
                 @classmethod
                 def get_default_repo_branch_perms_from_user_group(cls, user_id, repo_id=None):
                     q = Session().query(UserGroupToRepoBranchPermission, UserGroupRepoToPerm, Permission) \
                         .join(
                             Permission,
                             UserGroupToRepoBranchPermission.permission_id == Permission.permission_id) \
                         .join(
                             UserGroupRepoToPerm,
                             UserGroupToRepoBranchPermission.rule_to_perm_id == UserGroupRepoToPerm.users_group_to_perm_id) \
                         .join(
                             UserGroup,
                             UserGroupRepoToPerm.users_group_id == UserGroup.users_group_id) \
                         .join(
                             UserGroupMember,
                             UserGroupRepoToPerm.users_group_id == UserGroupMember.users_group_id) \
                         .filter(
                             UserGroupMember.user_id == user_id,
                             UserGroup.users_group_active == true())
                     if repo_id:
                         q = q.filter(UserGroupToRepoBranchPermission.repository_id == repo_id)
                     return q.order_by(UserGroupToRepoBranchPermission.rule_order).all()
                 @classmethod
                 def get_default_group_perms(cls, user_id, repo_group_id=None):
                     q = Session().query(UserRepoGroupToPerm, RepoGroup, Permission)\
                         .join(
                             Permission,
                             UserRepoGroupToPerm.permission_id == Permission.permission_id)\
                         .join(
                             RepoGroup,
                             UserRepoGroupToPerm.group_id == RepoGroup.group_id)\
                         .filter(UserRepoGroupToPerm.user_id == user_id)
                     if repo_group_id:
                         q = q.filter(UserRepoGroupToPerm.group_id == repo_group_id)
                     return q.all()
                 @classmethod
                 def get_default_group_perms_from_user_group(
                         cls, user_id, repo_group_id=None):
                     q = Session().query(UserGroupRepoGroupToPerm, RepoGroup, Permission)\
                         .join(
                             Permission,
                             UserGroupRepoGroupToPerm.permission_id ==
                             Permission.permission_id)\
                         .join(
                             RepoGroup,
                             UserGroupRepoGroupToPerm.group_id == RepoGroup.group_id)\
                         .join(
                             UserGroup,
                             UserGroupRepoGroupToPerm.users_group_id ==
                             UserGroup.users_group_id)\
                         .join(
                             UserGroupMember,
                             UserGroupRepoGroupToPerm.users_group_id ==
                             UserGroupMember.users_group_id)\
                         .filter(
                             UserGroupMember.user_id == user_id,
                             UserGroup.users_group_active == true())
                     if repo_group_id:
                         q = q.filter(UserGroupRepoGroupToPerm.group_id == repo_group_id)
                     return q.all()
                 @classmethod
                 def get_default_user_group_perms(cls, user_id, user_group_id=None):
                     q = Session().query(UserUserGroupToPerm, UserGroup, Permission)\
                         .join((Permission, UserUserGroupToPerm.permission_id == Permission.permission_id))\
                         .join((UserGroup, UserUserGroupToPerm.user_group_id == UserGroup.users_group_id))\
                         .filter(UserUserGroupToPerm.user_id == user_id)
                     if user_group_id:
                         q = q.filter(UserUserGroupToPerm.user_group_id == user_group_id)
                     return q.all()
                 @classmethod
                 def get_default_user_group_perms_from_user_group(
                         cls, user_id, user_group_id=None):
                     TargetUserGroup = aliased(UserGroup, name='target_user_group')
                     q = Session().query(UserGroupUserGroupToPerm, UserGroup, Permission)\
                         .join(
                             Permission,
                             UserGroupUserGroupToPerm.permission_id ==
                             Permission.permission_id)\
                         .join(
                             TargetUserGroup,
                             UserGroupUserGroupToPerm.target_user_group_id ==
                             TargetUserGroup.users_group_id)\
                         .join(
                             UserGroup,
                             UserGroupUserGroupToPerm.user_group_id ==
                             UserGroup.users_group_id)\
                         .join(
                             UserGroupMember,
                             UserGroupUserGroupToPerm.user_group_id ==
                             UserGroupMember.users_group_id)\
                         .filter(
                             UserGroupMember.user_id == user_id,
                             UserGroup.users_group_active == true())
                     if user_group_id:
                         q = q.filter(
                             UserGroupUserGroupToPerm.user_group_id == user_group_id)
                     return q.all()
             class UserRepoToPerm(Base, BaseModel):
                 __tablename__ = 'repo_to_perm'
                 __table_args__ = (
                     UniqueConstraint('user_id', 'repository_id', 'permission_id'),
                     base_table_args
                 )
                 repo_to_perm_id = Column("repo_to_perm_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=None, default=None)
                 permission_id = Column("permission_id", Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)
                 repository_id = Column("repository_id", Integer(), ForeignKey('repositories.repo_id'), nullable=False, unique=None, default=None)
                 user = relationship('User', back_populates="repo_to_perm")
                 repository = relationship('Repository', back_populates="repo_to_perm")
                 permission = relationship('Permission')
                 branch_perm_entry = relationship('UserToRepoBranchPermission', cascade="all, delete-orphan", lazy='joined', back_populates='user_repo_to_perm')
                 @classmethod
                 def create(cls, user, repository, permission):
                     n = cls()
                     n.user = user
                     n.repository = repository
                     n.permission = permission
                     Session().add(n)
                     return n
                 def __repr__(self):
                     return f'<{self.user} => {self.repository} >'
             class UserUserGroupToPerm(Base, BaseModel):
                 __tablename__ = 'user_user_group_to_perm'
                 __table_args__ = (
                     UniqueConstraint('user_id', 'user_group_id', 'permission_id'),
                     base_table_args
                 )
                 user_user_group_to_perm_id = Column("user_user_group_to_perm_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=None, default=None)
                 permission_id = Column("permission_id", Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)
                 user_group_id = Column("user_group_id", Integer(), ForeignKey('users_groups.users_group_id'), nullable=False, unique=None, default=None)
                 user = relationship('User', back_populates='user_group_to_perm')
                 user_group = relationship('UserGroup', back_populates='user_user_group_to_perm')
                 permission = relationship('Permission')
                 @classmethod
                 def create(cls, user, user_group, permission):
                     n = cls()
                     n.user = user
                     n.user_group = user_group
                     n.permission = permission
                     Session().add(n)
                     return n
                 def __repr__(self):
                     return f'<{self.user} => {self.user_group} >'
             class UserToPerm(Base, BaseModel):
                 __tablename__ = 'user_to_perm'
                 __table_args__ = (
                     UniqueConstraint('user_id', 'permission_id'),
                     base_table_args
                 )
                 user_to_perm_id = Column("user_to_perm_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=None, default=None)
                 permission_id = Column("permission_id", Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)
                 user = relationship('User', back_populates='user_perms')
                 permission = relationship('Permission', lazy='joined')
                 def __repr__(self):
                     return f'<{self.user} => {self.permission} >'
             class UserGroupRepoToPerm(Base, BaseModel):
                 __tablename__ = 'users_group_repo_to_perm'
                 __table_args__ = (
                     UniqueConstraint('repository_id', 'users_group_id', 'permission_id'),
                     base_table_args
                 )
                 users_group_to_perm_id = Column("users_group_to_perm_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 users_group_id = Column("users_group_id", Integer(), ForeignKey('users_groups.users_group_id'), nullable=False, unique=None, default=None)
                 permission_id = Column("permission_id", Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)
                 repository_id = Column("repository_id", Integer(), ForeignKey('repositories.repo_id'), nullable=False, unique=None, default=None)
                 users_group = relationship('UserGroup', back_populates='users_group_repo_to_perm')
                 permission = relationship('Permission')
                 repository = relationship('Repository', back_populates='users_group_to_perm')
                 user_group_branch_perms = relationship('UserGroupToRepoBranchPermission', cascade='all', back_populates='user_group_repo_to_perm')
                 @classmethod
                 def create(cls, users_group, repository, permission):
                     n = cls()
                     n.users_group = users_group
                     n.repository = repository
                     n.permission = permission
                     Session().add(n)
                     return n
                 def __repr__(self):
                     return f'<UserGroupRepoToPerm:{self.users_group} => {self.repository} >'
             class UserGroupUserGroupToPerm(Base, BaseModel):
                 __tablename__ = 'user_group_user_group_to_perm'
                 __table_args__ = (
                     UniqueConstraint('target_user_group_id', 'user_group_id', 'permission_id'),
                     CheckConstraint('target_user_group_id != user_group_id'),
                     base_table_args
                 )
                 user_group_user_group_to_perm_id = Column("user_group_user_group_to_perm_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 target_user_group_id = Column("target_user_group_id", Integer(), ForeignKey('users_groups.users_group_id'), nullable=False, unique=None, default=None)
                 permission_id = Column("permission_id", Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)
                 user_group_id = Column("user_group_id", Integer(), ForeignKey('users_groups.users_group_id'), nullable=False, unique=None, default=None)
                 target_user_group = relationship('UserGroup', primaryjoin='UserGroupUserGroupToPerm.target_user_group_id==UserGroup.users_group_id', back_populates='user_group_user_group_to_perm')
                 user_group = relationship('UserGroup', primaryjoin='UserGroupUserGroupToPerm.user_group_id==UserGroup.users_group_id')
                 permission = relationship('Permission')
                 @classmethod
                 def create(cls, target_user_group, user_group, permission):
                     n = cls()
                     n.target_user_group = target_user_group
                     n.user_group = user_group
                     n.permission = permission
                     Session().add(n)
                     return n
                 def __repr__(self):
                     return f'<UserGroupUserGroup:{self.target_user_group} => {self.user_group} >'
             class UserGroupToPerm(Base, BaseModel):
                 __tablename__ = 'users_group_to_perm'
                 __table_args__ = (
                     UniqueConstraint('users_group_id', 'permission_id',),
                     base_table_args
                 )
                 users_group_to_perm_id = Column("users_group_to_perm_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 users_group_id = Column("users_group_id", Integer(), ForeignKey('users_groups.users_group_id'), nullable=False, unique=None, default=None)
                 permission_id = Column("permission_id", Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)
                 users_group = relationship('UserGroup', back_populates='users_group_to_perm')
                 permission = relationship('Permission')
             class UserRepoGroupToPerm(Base, BaseModel):
                 __tablename__ = 'user_repo_group_to_perm'
                 __table_args__ = (
                     UniqueConstraint('user_id', 'group_id', 'permission_id'),
                     base_table_args
                 )
                 group_to_perm_id = Column("group_to_perm_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=None, default=None)
                 group_id = Column("group_id", Integer(), ForeignKey('groups.group_id'), nullable=False, unique=None, default=None)
                 permission_id = Column("permission_id", Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)
                 user = relationship('User', back_populates='repo_group_to_perm')
                 group = relationship('RepoGroup', back_populates='repo_group_to_perm')
                 permission = relationship('Permission')
                 @classmethod
                 def create(cls, user, repository_group, permission):
                     n = cls()
                     n.user = user
                     n.group = repository_group
                     n.permission = permission
                     Session().add(n)
                     return n
             class UserGroupRepoGroupToPerm(Base, BaseModel):
                 __tablename__ = 'users_group_repo_group_to_perm'
                 __table_args__ = (
                     UniqueConstraint('users_group_id', 'group_id'),
                     base_table_args
                 )
                 users_group_repo_group_to_perm_id = Column("users_group_repo_group_to_perm_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 users_group_id = Column("users_group_id", Integer(), ForeignKey('users_groups.users_group_id'), nullable=False, unique=None, default=None)
                 group_id = Column("group_id", Integer(), ForeignKey('groups.group_id'), nullable=False, unique=None, default=None)
                 permission_id = Column("permission_id", Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)
                 users_group = relationship('UserGroup', back_populates='users_group_repo_group_to_perm')
                 permission = relationship('Permission')
                 group = relationship('RepoGroup', back_populates='users_group_to_perm')
                 @classmethod
                 def create(cls, user_group, repository_group, permission):
                     n = cls()
                     n.users_group = user_group
                     n.group = repository_group
                     n.permission = permission
                     Session().add(n)
                     return n
                 def __repr__(self):
                     return '<UserGroupRepoGroupToPerm:%s => %s >' % (self.users_group, self.group)
             class Statistics(Base, BaseModel):
                 __tablename__ = 'statistics'
                 __table_args__ = (
                      base_table_args
                 )
                 stat_id = Column("stat_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 repository_id = Column("repository_id", Integer(), ForeignKey('repositories.repo_id'), nullable=False, unique=True, default=None)
                 stat_on_revision = Column("stat_on_revision", Integer(), nullable=False)
                 commit_activity = Column("commit_activity", LargeBinary(1000000), nullable=False)  #JSON data
                 commit_activity_combined = Column("commit_activity_combined", LargeBinary(), nullable=False)  #JSON data
                 languages = Column("languages", LargeBinary(1000000), nullable=False)  #JSON data
                 repository = relationship('Repository', single_parent=True, viewonly=True)
             class UserFollowing(Base, BaseModel):
                 __tablename__ = 'user_followings'
                 __table_args__ = (
                     UniqueConstraint('user_id', 'follows_repository_id'),
                     UniqueConstraint('user_id', 'follows_user_id'),
                     base_table_args
                 )
                 user_following_id = Column("user_following_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=None, default=None)
                 follows_repo_id = Column("follows_repository_id", Integer(), ForeignKey('repositories.repo_id'), nullable=True, unique=None, default=None)
                 follows_user_id = Column("follows_user_id", Integer(), ForeignKey('users.user_id'), nullable=True, unique=None, default=None)
                 follows_from = Column('follows_from', DateTime(timezone=False), nullable=True, unique=None, default=datetime.datetime.now)
                 user = relationship('User', primaryjoin='User.user_id==UserFollowing.user_id', back_populates='followings')
                 follows_user = relationship('User', primaryjoin='User.user_id==UserFollowing.follows_user_id')
                 follows_repository = relationship('Repository', order_by='Repository.repo_name', back_populates='followers')
                 @classmethod
                 def get_repo_followers(cls, repo_id):
                     return cls.query().filter(cls.follows_repo_id == repo_id)
             class CacheKey(Base, BaseModel):
                 __tablename__ = 'cache_invalidation'
                 __table_args__ = (
                     UniqueConstraint('cache_key'),
                     Index('key_idx', 'cache_key'),
                     Index('cache_args_idx', 'cache_args'),
                     base_table_args,
                 )
                 CACHE_TYPE_FEED = 'FEED'
                 # namespaces used to register process/thread aware caches
                 REPO_INVALIDATION_NAMESPACE = 'repo_cache.v1:{repo_id}'
                 cache_id = Column("cache_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 cache_key = Column("cache_key", String(255), nullable=True, unique=None, default=None)
                 cache_args = Column("cache_args", String(255), nullable=True, unique=None, default=None)
                 cache_state_uid = Column("cache_state_uid", String(255), nullable=True, unique=None, default=None)
                 cache_active = Column("cache_active", Boolean(), nullable=True, unique=None, default=False)
                 def __init__(self, cache_key, cache_args='', cache_state_uid=None, cache_active=False):
                     self.cache_key = cache_key
                     self.cache_args = cache_args
                     self.cache_active = cache_active
                     # first key should be same for all entries, since all workers should share it
                     self.cache_state_uid = cache_state_uid or self.generate_new_state_uid()
                 def __repr__(self):
                     return "<%s('%s:%s[%s]')>" % (
                         self.cls_name,
                         self.cache_id, self.cache_key, self.cache_active)
                 def _cache_key_partition(self):
                     prefix, repo_name, suffix = self.cache_key.partition(self.cache_args)
                     return prefix, repo_name, suffix
                 def get_prefix(self):
                     """
                     Try to extract prefix from existing cache key. The key could consist
                     of prefix, repo_name, suffix
                     """
                     # this returns prefix, repo_name, suffix
                     return self._cache_key_partition()[0]
                 def get_suffix(self):
                     """
                     get suffix that might have been used in _get_cache_key to
                     generate self.cache_key. Only used for informational purposes
                     in repo_edit.mako.
                     """
                     # prefix, repo_name, suffix
                     return self._cache_key_partition()[2]
                 @classmethod
                 def generate_new_state_uid(cls, based_on=None):
                     if based_on:
                         return str(uuid.uuid5(uuid.NAMESPACE_URL, safe_str(based_on)))
                     else:
                         return str(uuid.uuid4())
                 @classmethod
                 def delete_all_cache(cls):
                     """
                     Delete all cache keys from database.
                     Should only be run when all instances are down and all entries
                     thus stale.
                     """
                     cls.query().delete()
                     Session().commit()
                 @classmethod
                 def set_invalidate(cls, cache_uid, delete=False):
                     """
                     Mark all caches of a repo as invalid in the database.
                     """
                     try:
                         qry = Session().query(cls).filter(cls.cache_key == cache_uid)
                         if delete:
                             qry.delete()
                             log.debug('cache objects deleted for cache args %s',
                                       safe_str(cache_uid))
                         else:
                             new_uid = cls.generate_new_state_uid()
                             qry.update({"cache_state_uid": new_uid,
                                         "cache_args": f"repo_state:{time.time()}"})
                             log.debug('cache object %s set new UID %s',
                                       safe_str(cache_uid), new_uid)
                         Session().commit()
                     except Exception:
                         log.exception(
                             'Cache key invalidation failed for cache args %s',
                             safe_str(cache_uid))
                         Session().rollback()
                 @classmethod
                 def get_active_cache(cls, cache_key):
                     inv_obj = cls.query().filter(cls.cache_key == cache_key).scalar()
                     if inv_obj:
                         return inv_obj
                     return None
                 @classmethod
                 def get_namespace_map(cls, namespace):
                     return {
                         x.cache_key: x
                         for x in cls.query().filter(cls.cache_args == namespace)}
             class ChangesetComment(Base, BaseModel):
                 __tablename__ = 'changeset_comments'
                 __table_args__ = (
                     Index('cc_revision_idx', 'revision'),
                     base_table_args,
                 )
                 COMMENT_OUTDATED = 'comment_outdated'
                 COMMENT_TYPE_NOTE = 'note'
                 COMMENT_TYPE_TODO = 'todo'
                 COMMENT_TYPES = [COMMENT_TYPE_NOTE, COMMENT_TYPE_TODO]
                 OP_IMMUTABLE = 'immutable'
                 OP_CHANGEABLE = 'changeable'
                 comment_id = Column('comment_id', Integer(), nullable=False, primary_key=True)
                 repo_id = Column('repo_id', Integer(), ForeignKey('repositories.repo_id'), nullable=False)
                 revision = Column('revision', String(40), nullable=True)
                 pull_request_id = Column("pull_request_id", Integer(), ForeignKey('pull_requests.pull_request_id'), nullable=True)
                 pull_request_version_id = Column("pull_request_version_id", Integer(), ForeignKey('pull_request_versions.pull_request_version_id'), nullable=True)
                 line_no = Column('line_no', Unicode(10), nullable=True)
                 hl_lines = Column('hl_lines', Unicode(512), nullable=True)
                 f_path = Column('f_path', Unicode(1000), nullable=True)
                 user_id = Column('user_id', Integer(), ForeignKey('users.user_id'), nullable=False)
                 text = Column('text', UnicodeText().with_variant(UnicodeText(25000), 'mysql'), nullable=False)
                 created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 modified_at = Column('modified_at', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 renderer = Column('renderer', Unicode(64), nullable=True)
                 display_state = Column('display_state',  Unicode(128), nullable=True)
                 immutable_state = Column('immutable_state', Unicode(128), nullable=True, default=OP_CHANGEABLE)
                 draft = Column('draft', Boolean(), nullable=True, default=False)
                 comment_type = Column('comment_type',  Unicode(128), nullable=True, default=COMMENT_TYPE_NOTE)
                 resolved_comment_id = Column('resolved_comment_id', Integer(), ForeignKey('changeset_comments.comment_id'), nullable=True)
                 resolved_comment = relationship('ChangesetComment', remote_side=comment_id, back_populates='resolved_by')
                 resolved_by = relationship('ChangesetComment', back_populates='resolved_comment')
                 author = relationship('User', lazy='select', back_populates='user_comments')
                 repo = relationship('Repository', back_populates='comments')
                 status_change = relationship('ChangesetStatus', cascade="all, delete-orphan", lazy='select', back_populates='comment')
                 pull_request = relationship('PullRequest', lazy='select', back_populates='comments')
                 pull_request_version = relationship('PullRequestVersion', lazy='select')
                 history = relationship('ChangesetCommentHistory', cascade='all, delete-orphan', lazy='select', order_by='ChangesetCommentHistory.version', back_populates="comment")
                 @classmethod
                 def get_users(cls, revision=None, pull_request_id=None):
                     """
                     Returns user associated with this ChangesetComment. ie those
                     who actually commented
                     :param cls:
                     :param revision:
                     """
                     q = Session().query(User).join(ChangesetComment.author)
                     if revision:
                         q = q.filter(cls.revision == revision)
                     elif pull_request_id:
                         q = q.filter(cls.pull_request_id == pull_request_id)
                     return q.all()
                 @classmethod
                 def get_index_from_version(cls, pr_version, versions=None, num_versions=None) -> int:
                     if pr_version is None:
                         return 0
                     if versions is not None:
                         num_versions = [x.pull_request_version_id for x in versions]
                     num_versions = num_versions or []
                     try:
                         return num_versions.index(pr_version) + 1
                     except (IndexError, ValueError):
                         return 0
                 @property
                 def outdated(self):
                     return self.display_state == self.COMMENT_OUTDATED
                 @property
                 def outdated_js(self):
                     return str_json(self.display_state == self.COMMENT_OUTDATED)
                 @property
                 def immutable(self):
                     return self.immutable_state == self.OP_IMMUTABLE
                 def outdated_at_version(self, version: int) -> bool:
                     """
                     Checks if comment is outdated for given pull request version
                     """
                     def version_check():
                         return self.pull_request_version_id and self.pull_request_version_id != version
                     if self.is_inline:
                         return self.outdated and version_check()
                     else:
                         # general comments don't have .outdated set, also latest don't have a version
                         return version_check()
                 def outdated_at_version_js(self, version):
                     """
                     Checks if comment is outdated for given pull request version
                     """
                     return str_json(self.outdated_at_version(version))
                 def older_than_version(self, version: int) -> bool:
                     """
                     Checks if comment is made from a previous version than given.
                     Assumes self.pull_request_version.pull_request_version_id is an integer if not None.
                     """
                     # If version is None, return False as the current version cannot be less than None
                     if version is None:
                         return False
                     # Ensure that the version is an integer to prevent TypeError on comparison
                     if not isinstance(version, int):
                         raise ValueError("The provided version must be an integer.")
                     # Initialize current version to 0 or pull_request_version_id if it's available
                     cur_ver = 0
                     if self.pull_request_version and self.pull_request_version.pull_request_version_id is not None:
                         cur_ver = self.pull_request_version.pull_request_version_id
                     # Return True if the current version is less than the given version
                     return cur_ver < version
                 def older_than_version_js(self, version):
                     """
                     Checks if comment is made from previous version than given
                     """
                     return str_json(self.older_than_version(version))
                 @property
                 def commit_id(self):
                     """New style naming to stop using .revision"""
                     return self.revision
                 @property
                 def resolved(self):
                     return self.resolved_by[0] if self.resolved_by else None
                 @property
                 def is_todo(self):
                     return self.comment_type == self.COMMENT_TYPE_TODO
                 @property
                 def is_inline(self):
                     if self.line_no and self.f_path:
                         return True
                     return False
                 @property
                 def last_version(self):
                     version = 0
                     if self.history:
                         version = self.history[-1].version
                     return version
                 def get_index_version(self, versions):
                     return self.get_index_from_version(
                         self.pull_request_version_id, versions)
                 @property
                 def review_status(self):
                     if self.status_change:
                         return self.status_change[0].status
                 @property
                 def review_status_lbl(self):
                     if self.status_change:
                         return self.status_change[0].status_lbl
                 def __repr__(self):
                     if self.comment_id:
                         return f'<DB:Comment #{self.comment_id}>'
                     else:
                         return f'<DB:Comment at {id(self)!r}>'
                 def get_api_data(self):
                     comment = self
                     data = {
                         'comment_id': comment.comment_id,
                         'comment_type': comment.comment_type,
                         'comment_text': comment.text,
                         'comment_status': comment.status_change,
                         'comment_f_path': comment.f_path,
                         'comment_lineno': comment.line_no,
                         'comment_author': comment.author,
                         'comment_created_on': comment.created_on,
                         'comment_resolved_by': self.resolved,
                         'comment_commit_id': comment.revision,
                         'comment_pull_request_id': comment.pull_request_id,
                         'comment_last_version': self.last_version
                     }
                     return data
                 def __json__(self):
                     data = dict()
                     data.update(self.get_api_data())
                     return data
             class ChangesetCommentHistory(Base, BaseModel):
                 __tablename__ = 'changeset_comments_history'
                 __table_args__ = (
                     Index('cch_comment_id_idx', 'comment_id'),
                     base_table_args,
                 )
                 comment_history_id = Column('comment_history_id', Integer(), nullable=False, primary_key=True)
                 comment_id = Column('comment_id', Integer(), ForeignKey('changeset_comments.comment_id'), nullable=False)
                 version = Column("version", Integer(), nullable=False, default=0)
                 created_by_user_id = Column('created_by_user_id', Integer(), ForeignKey('users.user_id'), nullable=False)
                 text = Column('text', UnicodeText().with_variant(UnicodeText(25000), 'mysql'), nullable=False)
                 created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 deleted = Column('deleted', Boolean(), default=False)
                 author = relationship('User', lazy='joined')
                 comment = relationship('ChangesetComment', cascade="all, delete", back_populates="history")
                 @classmethod
                 def get_version(cls, comment_id):
                     q = Session().query(ChangesetCommentHistory).filter(
                         ChangesetCommentHistory.comment_id == comment_id).order_by(ChangesetCommentHistory.version.desc())
                     if q.count() == 0:
                         return 1
                     elif q.count() >= q[0].version:
                         return q.count() + 1
                     else:
                         return q[0].version + 1
             class ChangesetStatus(Base, BaseModel):
                 __tablename__ = 'changeset_statuses'
                 __table_args__ = (
                     Index('cs_revision_idx', 'revision'),
                     Index('cs_version_idx', 'version'),
                     UniqueConstraint('repo_id', 'revision', 'version'),
                     base_table_args
                 )
                 STATUS_NOT_REVIEWED = DEFAULT = 'not_reviewed'
                 STATUS_APPROVED = 'approved'
                 STATUS_REJECTED = 'rejected'
                 STATUS_UNDER_REVIEW = 'under_review'
                 STATUSES = [
                     (STATUS_NOT_REVIEWED, _("Not Reviewed")),  # (no icon) and default
                     (STATUS_APPROVED, _("Approved")),
                     (STATUS_REJECTED, _("Rejected")),
                     (STATUS_UNDER_REVIEW, _("Under Review")),
                 ]
                 changeset_status_id = Column('changeset_status_id', Integer(), nullable=False, primary_key=True)
                 repo_id = Column('repo_id', Integer(), ForeignKey('repositories.repo_id'), nullable=False)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=None)
                 revision = Column('revision', String(40), nullable=False)
                 status = Column('status', String(128), nullable=False, default=DEFAULT)
                 changeset_comment_id = Column('changeset_comment_id', Integer(), ForeignKey('changeset_comments.comment_id'))
                 modified_at = Column('modified_at', DateTime(), nullable=False, default=datetime.datetime.now)
                 version = Column('version', Integer(), nullable=False, default=0)
                 pull_request_id = Column("pull_request_id", Integer(), ForeignKey('pull_requests.pull_request_id'), nullable=True)
                 author = relationship('User', lazy='select')
                 repo = relationship('Repository', lazy='select')
                 comment = relationship('ChangesetComment', lazy='select', back_populates='status_change')
                 pull_request = relationship('PullRequest', lazy='select', back_populates='statuses')
                 def __repr__(self):
                     return f"<{self.cls_name}('{self.status}[v{self.version}]:{self.author}')>"
                 @classmethod
                 def get_status_lbl(cls, value):
                     return dict(cls.STATUSES).get(value)
                 @property
                 def status_lbl(self):
                     return ChangesetStatus.get_status_lbl(self.status)
                 def get_api_data(self):
                     status = self
                     data = {
                         'status_id': status.changeset_status_id,
                         'status': status.status,
                     }
                     return data
                 def __json__(self):
                     data = dict()
                     data.update(self.get_api_data())
                     return data
             class _SetState(object):
                 """
                 Context processor allowing changing state for sensitive operation such as
                 pull request update or merge
                 """
                 def __init__(self, pull_request, pr_state, back_state=None):
                     self._pr = pull_request
                     self._org_state = back_state or pull_request.pull_request_state
                     self._pr_state = pr_state
                     self._current_state = None
                 def __enter__(self):
                     log.debug('StateLock: entering set state context of pr %s, setting state to: `%s`',
                               self._pr, self._pr_state)
                     self.set_pr_state(self._pr_state)
                     return self
                 def __exit__(self, exc_type, exc_val, exc_tb):
                     if exc_val is not None or exc_type is not None:
                         log.error(traceback.format_tb(exc_tb))
                         return None
                     self.set_pr_state(self._org_state)
                     log.debug('StateLock: exiting set state context of pr %s, setting state to: `%s`',
                               self._pr, self._org_state)
                 @property
                 def state(self):
                     return self._current_state
                 def set_pr_state(self, pr_state):
                     try:
                         self._pr.pull_request_state = pr_state
                         Session().add(self._pr)
                         Session().commit()
                         self._current_state = pr_state
                     except Exception:
                         log.exception('Failed to set PullRequest %s state to %s', self._pr, pr_state)
                         raise
             class _PullRequestBase(BaseModel):
                 """
                 Common attributes of pull request and version entries.
                 """
                 # .status values
                 STATUS_NEW = 'new'
                 STATUS_OPEN = 'open'
                 STATUS_CLOSED = 'closed'
                 # available states
                 STATE_CREATING = 'creating'
                 STATE_UPDATING = 'updating'
                 STATE_MERGING = 'merging'
                 STATE_CREATED = 'created'
                 title = Column('title', Unicode(255), nullable=True)
                 description = Column(
                     'description', UnicodeText().with_variant(UnicodeText(10240), 'mysql'),
                     nullable=True)
                 description_renderer = Column('description_renderer', Unicode(64), nullable=True)
                 # new/open/closed status of pull request (not approve/reject/etc)
                 status = Column('status', Unicode(255), nullable=False, default=STATUS_NEW)
                 created_on = Column(
                     'created_on', DateTime(timezone=False), nullable=False,
                     default=datetime.datetime.now)
                 updated_on = Column(
                     'updated_on', DateTime(timezone=False), nullable=False,
                     default=datetime.datetime.now)
                 pull_request_state = Column("pull_request_state", String(255), nullable=True)
                 @declared_attr
                 def user_id(cls):
                     return Column(
                         "user_id", Integer(), ForeignKey('users.user_id'), nullable=False,
                         unique=None)
                 # 500 revisions max
                 _revisions = Column(
                     'revisions', UnicodeText().with_variant(UnicodeText(20500), 'mysql'))
                 common_ancestor_id = Column('common_ancestor_id', Unicode(255), nullable=True)
                 @declared_attr
                 def source_repo_id(cls):
                     # TODO: dan: rename column to source_repo_id
                     return Column(
                         'org_repo_id', Integer(), ForeignKey('repositories.repo_id'),
                         nullable=False)
                 @declared_attr
                 def pr_source(cls):
                     return relationship(
                         'Repository',
                         primaryjoin=f'{cls.__name__}.source_repo_id==Repository.repo_id',
                         overlaps="pull_requests_source"
                     )
                 _source_ref = Column('org_ref', Unicode(255), nullable=False)
                 @hybrid_property
                 def source_ref(self):
                     return self._source_ref
                 @source_ref.setter
                 def source_ref(self, val):
                     parts = (val or '').split(':')
                     if len(parts) != 3:
                         raise ValueError(
                             'Invalid reference format given: {}, expected X:Y:Z'.format(val))
                     self._source_ref = safe_str(val)
                 _target_ref = Column('other_ref', Unicode(255), nullable=False)
                 @hybrid_property
                 def target_ref(self):
                     return self._target_ref
                 @target_ref.setter
                 def target_ref(self, val):
                     parts = (val or '').split(':')
                     if len(parts) != 3:
                         raise ValueError(
                             'Invalid reference format given: {}, expected X:Y:Z'.format(val))
                     self._target_ref = safe_str(val)
                 @declared_attr
                 def target_repo_id(cls):
                     # TODO: dan: rename column to target_repo_id
                     return Column(
                         'other_repo_id', Integer(), ForeignKey('repositories.repo_id'),
                         nullable=False)
                 @declared_attr
                 def pr_target(cls):
                     return relationship(
                         'Repository',
                         primaryjoin=f'{cls.__name__}.target_repo_id==Repository.repo_id',
                         overlaps="pull_requests_target"
                     )
                 _shadow_merge_ref = Column('shadow_merge_ref', Unicode(255), nullable=True)
                 # TODO: dan: rename column to last_merge_source_rev
                 _last_merge_source_rev = Column(
                     'last_merge_org_rev', String(40), nullable=True)
                 # TODO: dan: rename column to last_merge_target_rev
                 _last_merge_target_rev = Column(
                     'last_merge_other_rev', String(40), nullable=True)
                 _last_merge_status = Column('merge_status', Integer(), nullable=True)
                 last_merge_metadata = Column(
                     'last_merge_metadata', MutationObj.as_mutable(
                         JsonType(dialect_map=dict(mysql=UnicodeText(16384)))))
                 merge_rev = Column('merge_rev', String(40), nullable=True)
                 reviewer_data = Column(
                     'reviewer_data_json', MutationObj.as_mutable(
                         JsonType(dialect_map=dict(mysql=UnicodeText(16384)))))
                 @property
                 def reviewer_data_json(self):
                     return str_json(self.reviewer_data)
                 @property
                 def last_merge_metadata_parsed(self):
                     metadata = {}
                     if not self.last_merge_metadata:
                         return metadata
                     if hasattr(self.last_merge_metadata, 'de_coerce'):
                         for k, v in self.last_merge_metadata.de_coerce().items():
                             if k in ['target_ref', 'source_ref']:
                                 metadata[k] = Reference(v['type'], v['name'], v['commit_id'])
                             else:
                                 if hasattr(v, 'de_coerce'):
                                     metadata[k] = v.de_coerce()
                                 else:
                                     metadata[k] = v
                     return metadata
                 @property
                 def work_in_progress(self):
                     """checks if pull request is work in progress by checking the title"""
                     title = self.title.upper()
                     if re.match(r'^(\[WIP\]\s*|WIP:\s*|WIP\s+)', title):
                         return True
                     return False
                 @property
                 def title_safe(self):
                     return self.title\
                         .replace('{', '{{')\
                         .replace('}', '}}')
                 @hybrid_property
                 def description_safe(self):
                     from rhodecode.lib import helpers as h
                     return h.escape(self.description)
                 @hybrid_property
                 def revisions(self):
                     return self._revisions.split(':') if self._revisions else []
                 @revisions.setter
                 def revisions(self, val):
                     self._revisions = ':'.join(val)
                 @hybrid_property
                 def last_merge_status(self):
                     return safe_int(self._last_merge_status)
                 @last_merge_status.setter
                 def last_merge_status(self, val):
                     self._last_merge_status = val
                 @declared_attr
                 def author(cls):
                     return relationship(
                         'User', lazy='joined',
                         #TODO, problem that is somehow :?
                         #back_populates='user_pull_requests'
                         )
                 @declared_attr
                 def source_repo(cls):
                     return relationship(
                         'Repository',
                         primaryjoin=f'{cls.__name__}.source_repo_id==Repository.repo_id',
                         overlaps="pr_source"
                     )
                 @property
                 def source_ref_parts(self):
                     return self.unicode_to_reference(self.source_ref)
                 @declared_attr
                 def target_repo(cls):
                     return relationship(
                         'Repository',
                         primaryjoin=f'{cls.__name__}.target_repo_id==Repository.repo_id',
                         overlaps="pr_target"
                     )
                 @property
                 def target_ref_parts(self):
                     return self.unicode_to_reference(self.target_ref)
                 @property
                 def shadow_merge_ref(self):
                     return self.unicode_to_reference(self._shadow_merge_ref)
                 @shadow_merge_ref.setter
                 def shadow_merge_ref(self, ref):
                     self._shadow_merge_ref = self.reference_to_unicode(ref)
                 @staticmethod
                 def unicode_to_reference(raw):
                     return unicode_to_reference(raw)
                 @staticmethod
                 def reference_to_unicode(ref):
                     return reference_to_unicode(ref)
                 def get_api_data(self, with_merge_state=True):
                     from rhodecode.model.pull_request import PullRequestModel
                     pull_request = self
                     if with_merge_state:
                         merge_response, merge_status, msg = \
                             PullRequestModel().merge_status(pull_request)
                         merge_state = {
                             'status': merge_status,
                             'message': safe_str(msg),
                         }
                     else:
                         merge_state = {'status': 'not_available',
                                        'message': 'not_available'}
                     merge_data = {
                         'clone_url': PullRequestModel().get_shadow_clone_url(pull_request),
                         'reference': (
                             pull_request.shadow_merge_ref.asdict()
                             if pull_request.shadow_merge_ref else None),
                     }
                     data = {
                         'pull_request_id': pull_request.pull_request_id,
                         'url': PullRequestModel().get_url(pull_request),
                         'title': pull_request.title,
                         'description': pull_request.description,
                         'status': pull_request.status,
                         'state': pull_request.pull_request_state,
                         'created_on': pull_request.created_on,
                         'updated_on': pull_request.updated_on,
                         'commit_ids': pull_request.revisions,
                         'review_status': pull_request.calculated_review_status(),
                         'mergeable': merge_state,
                         'source': {
                             'clone_url': pull_request.source_repo.clone_url(),
                             'repository': pull_request.source_repo.repo_name,
                             'reference': {
                                 'name': pull_request.source_ref_parts.name,
                                 'type': pull_request.source_ref_parts.type,
                                 'commit_id': pull_request.source_ref_parts.commit_id,
                             },
                         },
                         'target': {
                             'clone_url': pull_request.target_repo.clone_url(),
                             'repository': pull_request.target_repo.repo_name,
                             'reference': {
                                 'name': pull_request.target_ref_parts.name,
                                 'type': pull_request.target_ref_parts.type,
                                 'commit_id': pull_request.target_ref_parts.commit_id,
                             },
                         },
                         'merge': merge_data,
                         'author': pull_request.author.get_api_data(include_secrets=False,
                                                                    details='basic'),
                         'reviewers': [
                             {
                                 'user': reviewer.get_api_data(include_secrets=False,
                                                               details='basic'),
                                 'reasons': reasons,
                                 'review_status': st[0][1].status if st else 'not_reviewed',
                             }
                             for obj, reviewer, reasons, mandatory, st in
                             pull_request.reviewers_statuses()
                         ]
                     }
                     return data
                 def set_state(self, pull_request_state, final_state=None):
                     """
                     # goes from initial state to updating to initial state.
                     # initial state can be changed by specifying back_state=
                     with pull_request_obj.set_state(PullRequest.STATE_UPDATING):
                        pull_request.merge()
                     :param pull_request_state:
                     :param final_state:
                     """
                     return _SetState(self, pull_request_state, back_state=final_state)
             class PullRequest(Base, _PullRequestBase):
                 __tablename__ = 'pull_requests'
                 __table_args__ = (
                     base_table_args,
                 )
                 LATEST_VER = 'latest'
                 pull_request_id = Column(
                     'pull_request_id', Integer(), nullable=False, primary_key=True)
                 def __repr__(self):
                     if self.pull_request_id:
                         return f'<DB:PullRequest #{self.pull_request_id}>'
                     else:
                         return f'<DB:PullRequest at {id(self)!r}>'
                 reviewers = relationship('PullRequestReviewers', cascade="all, delete-orphan", back_populates='pull_request')
                 statuses = relationship('ChangesetStatus', cascade="all, delete-orphan", back_populates='pull_request')
                 comments = relationship('ChangesetComment', cascade="all, delete-orphan", back_populates='pull_request')
                 versions = relationship('PullRequestVersion', cascade="all, delete-orphan", lazy='dynamic', back_populates='pull_request')
                 @classmethod
                 def get_pr_display_object(cls, pull_request_obj, org_pull_request_obj,
                                           internal_methods=None):
                     class PullRequestDisplay(object):
                         """
                         Special object wrapper for showing PullRequest data via Versions
                         It mimics PR object as close as possible. This is read only object
                         just for display
                         """
                         def __init__(self, attrs, internal=None):
                             self.attrs = attrs
                             # internal have priority over the given ones via attrs
                             self.internal = internal or ['versions']
                         def __getattr__(self, item):
                             if item in self.internal:
                                 return getattr(self, item)
                             try:
                                 return self.attrs[item]
                             except KeyError:
                                 raise AttributeError(
                                     '%s object has no attribute %s' % (self, item))
                         def __repr__(self):
                             pr_id = self.attrs.get('pull_request_id')
                             return f'<DB:PullRequestDisplay #{pr_id}>'
                         def versions(self):
                             return pull_request_obj.versions.order_by(
                                 PullRequestVersion.pull_request_version_id).all()
                         def is_closed(self):
                             return pull_request_obj.is_closed()
                         def is_state_changing(self):
                             return pull_request_obj.is_state_changing()
                         @property
                         def pull_request_version_id(self):
                             return getattr(pull_request_obj, 'pull_request_version_id', None)
                         @property
                         def pull_request_last_version(self):
                             return pull_request_obj.pull_request_last_version
                     attrs = StrictAttributeDict(pull_request_obj.get_api_data(with_merge_state=False))
                     attrs.author = StrictAttributeDict(
                         pull_request_obj.author.get_api_data())
                     if pull_request_obj.target_repo:
                         attrs.target_repo = StrictAttributeDict(
                             pull_request_obj.target_repo.get_api_data())
                         attrs.target_repo.clone_url = pull_request_obj.target_repo.clone_url
                     if pull_request_obj.source_repo:
                         attrs.source_repo = StrictAttributeDict(
                             pull_request_obj.source_repo.get_api_data())
                         attrs.source_repo.clone_url = pull_request_obj.source_repo.clone_url
                     attrs.source_ref_parts = pull_request_obj.source_ref_parts
                     attrs.target_ref_parts = pull_request_obj.target_ref_parts
                     attrs.revisions = pull_request_obj.revisions
                     attrs.common_ancestor_id = pull_request_obj.common_ancestor_id
                     attrs.shadow_merge_ref = org_pull_request_obj.shadow_merge_ref
                     attrs.reviewer_data = org_pull_request_obj.reviewer_data
                     attrs.reviewer_data_json = org_pull_request_obj.reviewer_data_json
                     return PullRequestDisplay(attrs, internal=internal_methods)
                 def is_closed(self):
                     return self.status == self.STATUS_CLOSED
                 def is_state_changing(self):
                     return self.pull_request_state != PullRequest.STATE_CREATED
                 def __json__(self):
                     return {
                         'revisions': self.revisions,
                         'versions': self.versions_count
                     }
                 def calculated_review_status(self):
                     from rhodecode.model.changeset_status import ChangesetStatusModel
                     return ChangesetStatusModel().calculated_review_status(self)
                 def reviewers_statuses(self, user=None):
                     from rhodecode.model.changeset_status import ChangesetStatusModel
                     return ChangesetStatusModel().reviewers_statuses(self, user=user)
                 def get_pull_request_reviewers(self, role=None):
                     qry = PullRequestReviewers.query()\
                         .filter(PullRequestReviewers.pull_request_id == self.pull_request_id)
                     if role:
                         qry = qry.filter(PullRequestReviewers.role == role)
                     return qry.all()
                 @property
                 def reviewers_count(self):
                     qry = PullRequestReviewers.query()\
                         .filter(PullRequestReviewers.pull_request_id == self.pull_request_id)\
                         .filter(PullRequestReviewers.role == PullRequestReviewers.ROLE_REVIEWER)
                     return qry.count()
                 @property
                 def observers_count(self):
                     qry = PullRequestReviewers.query()\
                         .filter(PullRequestReviewers.pull_request_id == self.pull_request_id)\
                         .filter(PullRequestReviewers.role == PullRequestReviewers.ROLE_OBSERVER)
                     return qry.count()
                 def observers(self):
                     qry = PullRequestReviewers.query()\
                         .filter(PullRequestReviewers.pull_request_id == self.pull_request_id)\
                         .filter(PullRequestReviewers.role == PullRequestReviewers.ROLE_OBSERVER)\
                         .all()
                     for entry in qry:
                         yield entry, entry.user
                 @property
                 def workspace_id(self):
                     from rhodecode.model.pull_request import PullRequestModel
                     return PullRequestModel()._workspace_id(self)
                 def get_shadow_repo(self):
                     workspace_id = self.workspace_id
                     shadow_repository_path = self.target_repo.get_shadow_repository_path(workspace_id)
                     if os.path.isdir(shadow_repository_path):
                         vcs_obj = self.target_repo.scm_instance()
                         return vcs_obj.get_shadow_instance(shadow_repository_path)
                 @property
                 def versions_count(self):
                     """
                     return number of versions this PR have, e.g a PR that once been
                     updated will have 2 versions
                     """
                     return self.versions.count() + 1
                 @property
                 def pull_request_last_version(self):
                     return self.versions_count
             class PullRequestVersion(Base, _PullRequestBase):
                 __tablename__ = 'pull_request_versions'
                 __table_args__ = (
                     base_table_args,
                 )
                 pull_request_version_id = Column('pull_request_version_id', Integer(), nullable=False, primary_key=True)
                 pull_request_id = Column('pull_request_id', Integer(), ForeignKey('pull_requests.pull_request_id'), nullable=False)
                 pull_request = relationship('PullRequest',  back_populates='versions')
                 def __repr__(self):
                     if self.pull_request_version_id:
                         return f'<DB:PullRequestVersion #{self.pull_request_version_id}>'
                     else:
                         return f'<DB:PullRequestVersion at {id(self)!r}>'
                 @property
                 def reviewers(self):
                     return self.pull_request.reviewers
                 @property
                 def versions(self):
                     return self.pull_request.versions
                 def is_closed(self):
                     # calculate from original
                     return self.pull_request.status == self.STATUS_CLOSED
                 def is_state_changing(self):
                     return self.pull_request.pull_request_state != PullRequest.STATE_CREATED
                 def calculated_review_status(self):
                     return self.pull_request.calculated_review_status()
                 def reviewers_statuses(self):
                     return self.pull_request.reviewers_statuses()
                 def observers(self):
                     return self.pull_request.observers()
             class PullRequestReviewers(Base, BaseModel):
                 __tablename__ = 'pull_request_reviewers'
                 __table_args__ = (
                     base_table_args,
                 )
                 ROLE_REVIEWER = 'reviewer'
                 ROLE_OBSERVER = 'observer'
                 ROLES = [ROLE_REVIEWER, ROLE_OBSERVER]
                 @hybrid_property
                 def reasons(self):
                     if not self._reasons:
                         return []
                     return self._reasons
                 @reasons.setter
                 def reasons(self, val):
                     val = val or []
                     if any(not isinstance(x, str) for x in val):
                         raise Exception('invalid reasons type, must be list of strings')
                     self._reasons = val
                 pull_requests_reviewers_id = Column(
                     'pull_requests_reviewers_id', Integer(), nullable=False,
                     primary_key=True)
                 pull_request_id = Column(
                     "pull_request_id", Integer(),
                     ForeignKey('pull_requests.pull_request_id'), nullable=False)
                 user_id = Column(
                     "user_id", Integer(), ForeignKey('users.user_id'), nullable=True)
                 _reasons = Column(
                     'reason', MutationList.as_mutable(
                         JsonType('list', dialect_map=dict(mysql=UnicodeText(16384)))))
                 mandatory = Column("mandatory", Boolean(), nullable=False, default=False)
                 role = Column('role', Unicode(255), nullable=True, default=ROLE_REVIEWER)
                 user = relationship('User')
                 pull_request = relationship('PullRequest', back_populates='reviewers')
                 rule_data = Column(
                     'rule_data_json',
                     JsonType(dialect_map=dict(mysql=UnicodeText(16384))))
                 def rule_user_group_data(self):
                     """
                     Returns the voting user group rule data for this reviewer
                     """
                     if self.rule_data and 'vote_rule' in self.rule_data:
                         user_group_data = {}
                         if 'rule_user_group_entry_id' in self.rule_data:
                             # means a group with voting rules !
                             user_group_data['id'] = self.rule_data['rule_user_group_entry_id']
                             user_group_data['name'] = self.rule_data['rule_name']
                             user_group_data['vote_rule'] = self.rule_data['vote_rule']
                         return user_group_data
                 @classmethod
                 def get_pull_request_reviewers(cls, pull_request_id, role=None):
                     qry = PullRequestReviewers.query()\
                         .filter(PullRequestReviewers.pull_request_id == pull_request_id)
                     if role:
                         qry = qry.filter(PullRequestReviewers.role == role)
                     return qry.all()
                 def __repr__(self):
                     return f"<{self.cls_name}('id:{self.pull_requests_reviewers_id}')>"
             class Notification(Base, BaseModel):
                 __tablename__ = 'notifications'
                 __table_args__ = (
                     Index('notification_type_idx', 'type'),
                     base_table_args,
                 )
                 TYPE_CHANGESET_COMMENT = 'cs_comment'
                 TYPE_MESSAGE = 'message'
                 TYPE_MENTION = 'mention'
                 TYPE_REGISTRATION = 'registration'
                 TYPE_PULL_REQUEST = 'pull_request'
                 TYPE_PULL_REQUEST_COMMENT = 'pull_request_comment'
                 TYPE_PULL_REQUEST_UPDATE = 'pull_request_update'
                 notification_id = Column('notification_id', Integer(), nullable=False, primary_key=True)
                 subject = Column('subject', Unicode(512), nullable=True)
                 body = Column('body', UnicodeText().with_variant(UnicodeText(50000), 'mysql'), nullable=True)
                 created_by = Column("created_by", Integer(), ForeignKey('users.user_id'), nullable=True)
                 created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 type_ = Column('type', Unicode(255))
                 created_by_user = relationship('User', back_populates='user_created_notifications')
                 notifications_to_users = relationship('UserNotification', lazy='joined', cascade="all, delete-orphan", back_populates='notification')
                 @property
                 def recipients(self):
                     return [x.user for x in UserNotification.query()\
                             .filter(UserNotification.notification == self)\
                             .order_by(UserNotification.user_id.asc()).all()]
                 @classmethod
                 def create(cls, created_by, subject, body, recipients, type_=None):
                     if type_ is None:
                         type_ = Notification.TYPE_MESSAGE
                     notification = cls()
                     notification.created_by_user = created_by
                     notification.subject = subject
                     notification.body = body
                     notification.type_ = type_
                     notification.created_on = datetime.datetime.now()
                     # For each recipient link the created notification to his account
                     for u in recipients:
                         assoc = UserNotification()
                         assoc.user_id = u.user_id
                         assoc.notification = notification
                         # if created_by is inside recipients mark his notification
                         # as read
                         if u.user_id == created_by.user_id:
                             assoc.read = True
                         Session().add(assoc)
                     Session().add(notification)
                     return notification
             class UserNotification(Base, BaseModel):
                 __tablename__ = 'user_to_notification'
                 __table_args__ = (
                     UniqueConstraint('user_id', 'notification_id'),
                     base_table_args
                 )
                 user_id = Column('user_id', Integer(), ForeignKey('users.user_id'), primary_key=True)
                 notification_id = Column("notification_id", Integer(), ForeignKey('notifications.notification_id'), primary_key=True)
                 read = Column('read', Boolean, default=False)
                 sent_on = Column('sent_on', DateTime(timezone=False), nullable=True, unique=None)
                 user = relationship('User', lazy="joined", back_populates='notifications')
                 notification = relationship('Notification', lazy="joined", order_by=lambda: Notification.created_on.desc(), back_populates='notifications_to_users')
                 def mark_as_read(self):
                     self.read = True
                     Session().add(self)
             class UserNotice(Base, BaseModel):
                 __tablename__ = 'user_notices'
                 __table_args__ = (
                     base_table_args
                 )
                 NOTIFICATION_TYPE_MESSAGE = 'message'
                 NOTIFICATION_TYPE_NOTICE = 'notice'
                 NOTIFICATION_LEVEL_INFO = 'info'
                 NOTIFICATION_LEVEL_WARNING = 'warning'
                 NOTIFICATION_LEVEL_ERROR = 'error'
                 user_notice_id = Column('gist_id', Integer(), primary_key=True)
                 notice_subject = Column('notice_subject', Unicode(512), nullable=True)
                 notice_body = Column('notice_body', UnicodeText().with_variant(UnicodeText(50000), 'mysql'), nullable=True)
                 notice_read = Column('notice_read', Boolean, default=False)
                 notification_level = Column('notification_level', String(1024), default=NOTIFICATION_LEVEL_INFO)
                 notification_type = Column('notification_type', String(1024), default=NOTIFICATION_TYPE_NOTICE)
                 notice_created_by = Column('notice_created_by', Integer(), ForeignKey('users.user_id'), nullable=True)
                 notice_created_on = Column('notice_created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 user_id = Column('user_id', Integer(), ForeignKey('users.user_id'))
                 user = relationship('User', lazy="joined", primaryjoin='User.user_id==UserNotice.user_id')
                 @classmethod
                 def create_for_user(cls, user, subject, body, notice_level=NOTIFICATION_LEVEL_INFO, allow_duplicate=False):
                     if notice_level not in [cls.NOTIFICATION_LEVEL_ERROR,
                                             cls.NOTIFICATION_LEVEL_WARNING,
                                             cls.NOTIFICATION_LEVEL_INFO]:
                         return
                     from rhodecode.model.user import UserModel
                     user = UserModel().get_user(user)
                     new_notice = UserNotice()
                     if not allow_duplicate:
                         existing_msg = UserNotice().query() \
                             .filter(UserNotice.user == user) \
                             .filter(UserNotice.notice_body == body) \
                             .filter(UserNotice.notice_read == false()) \
                             .scalar()
                         if existing_msg:
                             log.warning('Ignoring duplicate notice for user %s', user)
                             return
                     new_notice.user = user
                     new_notice.notice_subject = subject
                     new_notice.notice_body = body
                     new_notice.notification_level = notice_level
                     Session().add(new_notice)
                     Session().commit()
             class Gist(Base, BaseModel):
                 __tablename__ = 'gists'
                 __table_args__ = (
                     Index('g_gist_access_id_idx', 'gist_access_id'),
                     Index('g_created_on_idx', 'created_on'),
                     base_table_args
                 )
                 GIST_PUBLIC = 'public'
                 GIST_PRIVATE = 'private'
                 DEFAULT_FILENAME = 'gistfile1.txt'
                 ACL_LEVEL_PUBLIC = 'acl_public'
                 ACL_LEVEL_PRIVATE = 'acl_private'
                 gist_id = Column('gist_id', Integer(), primary_key=True)
                 gist_access_id = Column('gist_access_id', Unicode(250))
                 gist_description = Column('gist_description', UnicodeText().with_variant(UnicodeText(1024), 'mysql'))
                 gist_owner = Column('user_id', Integer(), ForeignKey('users.user_id'), nullable=True)
                 gist_expires = Column('gist_expires', Float(53), nullable=False)
                 gist_type = Column('gist_type', Unicode(128), nullable=False)
                 created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 modified_at = Column('modified_at', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 acl_level = Column('acl_level', Unicode(128), nullable=True)
                 owner = relationship('User', back_populates='user_gists')
                 def __repr__(self):
                     return f'<Gist:[{self.gist_type}]{self.gist_access_id}>'
                 @hybrid_property
                 def description_safe(self):
                     from rhodecode.lib import helpers as h
                     return h.escape(self.gist_description)
                 @classmethod
                 def get_or_404(cls, id_):
                     from pyramid.httpexceptions import HTTPNotFound
                     res = cls.query().filter(cls.gist_access_id == id_).scalar()
                     if not res:
                         log.debug('WARN: No DB entry with id %s', id_)
                         raise HTTPNotFound()
                     return res
                 @classmethod
                 def get_by_access_id(cls, gist_access_id):
                     return cls.query().filter(cls.gist_access_id == gist_access_id).scalar()
                 def gist_url(self):
                     from rhodecode.model.gist import GistModel
                     return GistModel().get_url(self)
                 @classmethod
                 def base_path(cls):
                     """
                     Returns base path when all gists are stored
                     :param cls:
                     """
                     from rhodecode.model.gist import GIST_STORE_LOC
                     q = Session().query(RhodeCodeUi)\
                         .filter(RhodeCodeUi.ui_key == URL_SEP)
                     q = q.options(FromCache("sql_cache_short", "repository_repo_path"))
                     return os.path.join(q.one().ui_value, GIST_STORE_LOC)
                 def get_api_data(self):
                     """
                     Common function for generating gist related data for API
                     """
                     gist = self
                     data = {
                         'gist_id': gist.gist_id,
                         'type': gist.gist_type,
                         'access_id': gist.gist_access_id,
                         'description': gist.gist_description,
                         'url': gist.gist_url(),
                         'expires': gist.gist_expires,
                         'created_on': gist.created_on,
                         'modified_at': gist.modified_at,
                         'content': None,
                         'acl_level': gist.acl_level,
                     }
                     return data
                 def __json__(self):
                     data = dict(
                     )
                     data.update(self.get_api_data())
                     return data
                 # SCM functions
                 def scm_instance(self, **kwargs):
                     """
                     Get an instance of VCS Repository
                     :param kwargs:
                     """
                     from rhodecode.model.gist import GistModel
                     full_repo_path = os.path.join(self.base_path(), self.gist_access_id)
                     return get_vcs_instance(
                         repo_path=safe_str(full_repo_path), create=False,
                         _vcs_alias=GistModel.vcs_backend)
             class ExternalIdentity(Base, BaseModel):
                 __tablename__ = 'external_identities'
                 __table_args__ = (
                     Index('local_user_id_idx', 'local_user_id'),
                     Index('external_id_idx', 'external_id'),
                     base_table_args
                 )
                 external_id = Column('external_id', Unicode(255), default='', primary_key=True)
                 external_username = Column('external_username', Unicode(1024), default='')
                 local_user_id = Column('local_user_id', Integer(), ForeignKey('users.user_id'), primary_key=True)
                 provider_name = Column('provider_name', Unicode(255), default='', primary_key=True)
                 access_token = Column('access_token', String(1024), default='')
                 alt_token = Column('alt_token', String(1024), default='')
                 token_secret = Column('token_secret', String(1024), default='')
                 @classmethod
                 def by_external_id_and_provider(cls, external_id, provider_name, local_user_id=None):
                     """
                     Returns ExternalIdentity instance based on search params
                     :param external_id:
                     :param provider_name:
                     :return: ExternalIdentity
                     """
                     query = cls.query()
                     query = query.filter(cls.external_id == external_id)
                     query = query.filter(cls.provider_name == provider_name)
                     if local_user_id:
                         query = query.filter(cls.local_user_id == local_user_id)
                     return query.first()
                 @classmethod
                 def user_by_external_id_and_provider(cls, external_id, provider_name):
                     """
                     Returns User instance based on search params
                     :param external_id:
                     :param provider_name:
                     :return: User
                     """
                     query = User.query()
                     query = query.filter(cls.external_id == external_id)
                     query = query.filter(cls.provider_name == provider_name)
                     query = query.filter(User.user_id == cls.local_user_id)
                     return query.first()
                 @classmethod
                 def by_local_user_id(cls, local_user_id):
                     """
                     Returns all tokens for user
                     :param local_user_id:
                     :return: ExternalIdentity
                     """
                     query = cls.query()
                     query = query.filter(cls.local_user_id == local_user_id)
                     return query
                 @classmethod
                 def load_provider_plugin(cls, plugin_id):
                     from rhodecode.authentication.base import loadplugin
                     _plugin_id = 'egg:rhodecode-enterprise-ee#{}'.format(plugin_id)
                     auth_plugin = loadplugin(_plugin_id)
                     return auth_plugin
             class Integration(Base, BaseModel):
                 __tablename__ = 'integrations'
                 __table_args__ = (
                     base_table_args
                 )
                 integration_id = Column('integration_id', Integer(), primary_key=True)
                 integration_type = Column('integration_type', String(255))
                 enabled = Column('enabled', Boolean(), nullable=False)
                 name = Column('name', String(255), nullable=False)
                 child_repos_only = Column('child_repos_only', Boolean(), nullable=False, default=False)
                 settings = Column(
                     'settings_json', MutationObj.as_mutable(
                         JsonType(dialect_map=dict(mysql=UnicodeText(16384)))))
                 repo_id = Column('repo_id', Integer(), ForeignKey('repositories.repo_id'), nullable=True, unique=None, default=None)
                 repo = relationship('Repository', lazy='joined', back_populates='integrations')
                 repo_group_id = Column('repo_group_id', Integer(), ForeignKey('groups.group_id'), nullable=True, unique=None, default=None)
                 repo_group = relationship('RepoGroup', lazy='joined', back_populates='integrations')
                 @property
                 def scope(self):
                     if self.repo:
                         return repr(self.repo)
                     if self.repo_group:
                         if self.child_repos_only:
                             return repr(self.repo_group) + ' (child repos only)'
                         else:
                             return repr(self.repo_group) + ' (recursive)'
                     if self.child_repos_only:
                         return 'root_repos'
                     return 'global'
                 def __repr__(self):
                     return '<Integration(%r, %r)>' % (self.integration_type, self.scope)
             class RepoReviewRuleUser(Base, BaseModel):
                 __tablename__ = 'repo_review_rules_users'
                 __table_args__ = (
                     base_table_args
                 )
                 ROLE_REVIEWER = 'reviewer'
                 ROLE_OBSERVER = 'observer'
                 ROLES = [ROLE_REVIEWER, ROLE_OBSERVER]
                 repo_review_rule_user_id = Column('repo_review_rule_user_id', Integer(), primary_key=True)
                 repo_review_rule_id = Column("repo_review_rule_id", Integer(), ForeignKey('repo_review_rules.repo_review_rule_id'))
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False)
                 mandatory = Column("mandatory", Boolean(), nullable=False, default=False)
                 role = Column('role', Unicode(255), nullable=True, default=ROLE_REVIEWER)
                 user = relationship('User', back_populates='user_review_rules')
                 def rule_data(self):
                     return {
                         'mandatory': self.mandatory,
                         'role': self.role,
                     }
             class RepoReviewRuleUserGroup(Base, BaseModel):
                 __tablename__ = 'repo_review_rules_users_groups'
                 __table_args__ = (
                     base_table_args
                 )
                 VOTE_RULE_ALL = -1
                 ROLE_REVIEWER = 'reviewer'
                 ROLE_OBSERVER = 'observer'
                 ROLES = [ROLE_REVIEWER, ROLE_OBSERVER]
                 repo_review_rule_users_group_id = Column('repo_review_rule_users_group_id', Integer(), primary_key=True)
                 repo_review_rule_id = Column("repo_review_rule_id", Integer(), ForeignKey('repo_review_rules.repo_review_rule_id'))
                 users_group_id = Column("users_group_id", Integer(), ForeignKey('users_groups.users_group_id'), nullable=False)
                 mandatory = Column("mandatory", Boolean(), nullable=False, default=False)
                 role = Column('role', Unicode(255), nullable=True, default=ROLE_REVIEWER)
                 vote_rule = Column("vote_rule", Integer(), nullable=True, default=VOTE_RULE_ALL)
                 users_group = relationship('UserGroup')
                 def rule_data(self):
                     return {
                         'mandatory': self.mandatory,
                         'role': self.role,
                         'vote_rule': self.vote_rule
                     }
                 @property
                 def vote_rule_label(self):
                     if not self.vote_rule or self.vote_rule == self.VOTE_RULE_ALL:
                         return 'all must vote'
                     else:
                         return 'min. vote {}'.format(self.vote_rule)
             class RepoReviewRule(Base, BaseModel):
                 __tablename__ = 'repo_review_rules'
                 __table_args__ = (
                     base_table_args
                 )
                 repo_review_rule_id = Column(
                     'repo_review_rule_id', Integer(), primary_key=True)
                 repo_id = Column(
                     "repo_id", Integer(), ForeignKey('repositories.repo_id'))
                 repo = relationship('Repository', back_populates='review_rules')
                 review_rule_name = Column('review_rule_name', String(255))
                 _branch_pattern = Column("branch_pattern", UnicodeText().with_variant(UnicodeText(255), 'mysql'), default='*')  # glob
                 _target_branch_pattern = Column("target_branch_pattern", UnicodeText().with_variant(UnicodeText(255), 'mysql'), default='*')  # glob
                 _file_pattern = Column("file_pattern", UnicodeText().with_variant(UnicodeText(255), 'mysql'), default='*')  # glob
                 use_authors_for_review = Column("use_authors_for_review", Boolean(), nullable=False, default=False)
                 # Legacy fields, just for backward compat
                 _forbid_author_to_review = Column("forbid_author_to_review", Boolean(), nullable=False, default=False)
                 _forbid_commit_author_to_review = Column("forbid_commit_author_to_review", Boolean(), nullable=False, default=False)
                 pr_author = Column("pr_author", UnicodeText().with_variant(UnicodeText(255), 'mysql'), nullable=True)
                 commit_author = Column("commit_author", UnicodeText().with_variant(UnicodeText(255), 'mysql'), nullable=True)
                 forbid_adding_reviewers = Column("forbid_adding_reviewers", Boolean(), nullable=False, default=False)
                 rule_users = relationship('RepoReviewRuleUser')
                 rule_user_groups = relationship('RepoReviewRuleUserGroup')
                 def _validate_pattern(self, value):
                     re.compile('^' + glob2re(value) + '$')
                 @hybrid_property
                 def source_branch_pattern(self):
                     return self._branch_pattern or '*'
                 @source_branch_pattern.setter
                 def source_branch_pattern(self, value):
                     self._validate_pattern(value)
                     self._branch_pattern = value or '*'
                 @hybrid_property
                 def target_branch_pattern(self):
                     return self._target_branch_pattern or '*'
                 @target_branch_pattern.setter
                 def target_branch_pattern(self, value):
                     self._validate_pattern(value)
                     self._target_branch_pattern = value or '*'
                 @hybrid_property
                 def file_pattern(self):
                     return self._file_pattern or '*'
                 @file_pattern.setter
                 def file_pattern(self, value):
                     self._validate_pattern(value)
                     self._file_pattern = value or '*'
                 @hybrid_property
                 def forbid_pr_author_to_review(self):
                     return self.pr_author == 'forbid_pr_author'
                 @hybrid_property
                 def include_pr_author_to_review(self):
                     return self.pr_author == 'include_pr_author'
                 @hybrid_property
                 def forbid_commit_author_to_review(self):
                     return self.commit_author == 'forbid_commit_author'
                 @hybrid_property
                 def include_commit_author_to_review(self):
                     return self.commit_author == 'include_commit_author'
                 def matches(self, source_branch, target_branch, files_changed):
                     """
                     Check if this review rule matches a branch/files in a pull request
                     :param source_branch: source branch name for the commit
                     :param target_branch: target branch name for the commit
                     :param files_changed: list of file paths changed in the pull request
                     """
                     source_branch = source_branch or ''
                     target_branch = target_branch or ''
                     files_changed = files_changed or []
                     branch_matches = True
                     if source_branch or target_branch:
                         if self.source_branch_pattern == '*':
                             source_branch_match = True
                         else:
                             if self.source_branch_pattern.startswith('re:'):
                                 source_pattern = self.source_branch_pattern[3:]
                             else:
                                 source_pattern = '^' + glob2re(self.source_branch_pattern) + '$'
                             source_branch_regex = re.compile(source_pattern)
                             source_branch_match = bool(source_branch_regex.search(source_branch))
                         if self.target_branch_pattern == '*':
                             target_branch_match = True
                         else:
                             if self.target_branch_pattern.startswith('re:'):
                                 target_pattern = self.target_branch_pattern[3:]
                             else:
                                 target_pattern = '^' + glob2re(self.target_branch_pattern) + '$'
                             target_branch_regex = re.compile(target_pattern)
                             target_branch_match = bool(target_branch_regex.search(target_branch))
                         branch_matches = source_branch_match and target_branch_match
                     files_matches = True
                     if self.file_pattern != '*':
                         files_matches = False
                         if self.file_pattern.startswith('re:'):
                             file_pattern = self.file_pattern[3:]
                         else:
                             file_pattern = glob2re(self.file_pattern)
                         file_regex = re.compile(file_pattern)
                         for file_data in files_changed:
                             filename = file_data.get('filename')
                             if file_regex.search(filename):
                                 files_matches = True
                                 break
                     return branch_matches and files_matches
                 @property
                 def review_users(self):
                     """ Returns the users which this rule applies to """
                     users = collections.OrderedDict()
                     for rule_user in self.rule_users:
                         if rule_user.user.active:
                             if rule_user.user not in users:
                                 users[rule_user.user.username] = {
                                     'user': rule_user.user,
                                     'source': 'user',
                                     'source_data': {},
                                     'data': rule_user.rule_data()
                                 }
                     for rule_user_group in self.rule_user_groups:
                         source_data = {
                             'user_group_id': rule_user_group.users_group.users_group_id,
                             'name': rule_user_group.users_group.users_group_name,
                             'members': len(rule_user_group.users_group.members)
                         }
                         for member in rule_user_group.users_group.members:
                             if member.user.active:
                                 key = member.user.username
                                 if key in users:
                                     # skip this member as we have him already
                                     # this prevents from override the "first" matched
                                     # users with duplicates in multiple groups
                                     continue
                                 users[key] = {
                                     'user': member.user,
                                     'source': 'user_group',
                                     'source_data': source_data,
                                     'data': rule_user_group.rule_data()
                                 }
                     return users
                 def user_group_vote_rule(self, user_id):
                     rules = []
                     if not self.rule_user_groups:
                         return rules
                     for user_group in self.rule_user_groups:
                         user_group_members = [x.user_id for x in user_group.users_group.members]
                         if user_id in user_group_members:
                             rules.append(user_group)
                     return rules
                 def __repr__(self):
                     return f'<RepoReviewerRule(id={self.repo_review_rule_id}, repo={self.repo!r})>'
             class ScheduleEntry(Base, BaseModel):
                 __tablename__ = 'schedule_entries'
                 __table_args__ = (
                     UniqueConstraint('schedule_name', name='s_schedule_name_idx'),
                     UniqueConstraint('task_uid', name='s_task_uid_idx'),
                     base_table_args,
                 )
                 SCHEDULE_TYPE_INTEGER = "integer"
                 SCHEDULE_TYPE_CRONTAB = "crontab"
                 schedule_types = [SCHEDULE_TYPE_CRONTAB, SCHEDULE_TYPE_INTEGER]
                 schedule_entry_id = Column('schedule_entry_id', Integer(), primary_key=True)
                 schedule_name = Column("schedule_name", String(255), nullable=False, unique=None, default=None)
                 schedule_description = Column("schedule_description", String(10000), nullable=True, unique=None, default=None)
                 schedule_enabled = Column("schedule_enabled", Boolean(), nullable=False, unique=None, default=True)
                 _schedule_type = Column("schedule_type", String(255), nullable=False, unique=None, default=None)
                 schedule_definition = Column('schedule_definition_json', MutationObj.as_mutable(JsonType(default=lambda: "", dialect_map=dict(mysql=LONGTEXT()))))
                 schedule_last_run = Column('schedule_last_run', DateTime(timezone=False), nullable=True, unique=None, default=None)
                 schedule_total_run_count = Column('schedule_total_run_count', Integer(), nullable=True, unique=None, default=0)
                 # task
                 task_uid = Column("task_uid", String(255), nullable=False, unique=None, default=None)
                 task_dot_notation = Column("task_dot_notation", String(4096), nullable=False, unique=None, default=None)
                 task_args = Column('task_args_json', MutationObj.as_mutable(JsonType(default=list, dialect_map=dict(mysql=LONGTEXT()))))
                 task_kwargs = Column('task_kwargs_json', MutationObj.as_mutable(JsonType(default=dict, dialect_map=dict(mysql=LONGTEXT()))))
                 created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 updated_on = Column('updated_on', DateTime(timezone=False), nullable=True, unique=None, default=None)
                 @hybrid_property
                 def schedule_type(self):
                     return self._schedule_type
                 @schedule_type.setter
                 def schedule_type(self, val):
                     if val not in self.schedule_types:
                         raise ValueError('Value must be on of `{}` and got `{}`'.format(
                             val, self.schedule_type))
                     self._schedule_type = val
                 @classmethod
                 def get_uid(cls, obj):
                     args = obj.task_args
                     kwargs = obj.task_kwargs
                     if isinstance(args, JsonRaw):
                         try:
                             args = json.loads(args)
                         except ValueError:
                             args = tuple()
                     if isinstance(kwargs, JsonRaw):
                         try:
                             kwargs = json.loads(kwargs)
                         except ValueError:
                             kwargs = dict()
                     dot_notation = obj.task_dot_notation
                     val = '.'.join(map(safe_str, [
                         sorted(dot_notation), args, sorted(kwargs.items())]))
                     return sha1(safe_bytes(val))
                 @classmethod
                 def get_by_schedule_name(cls, schedule_name):
                     return cls.query().filter(cls.schedule_name == schedule_name).scalar()
                 @classmethod
                 def get_by_schedule_id(cls, schedule_id):
                     return cls.query().filter(cls.schedule_entry_id == schedule_id).scalar()
                 @property
                 def task(self):
                     return self.task_dot_notation
                 @property
                 def schedule(self):
                     from rhodecode.lib.celerylib.utils import raw_2_schedule
                     schedule = raw_2_schedule(self.schedule_definition, self.schedule_type)
                     return schedule
                 @property
                 def args(self):
                     try:
                         return list(self.task_args or [])
                     except ValueError:
                         return list()
                 @property
                 def kwargs(self):
                     try:
                         return dict(self.task_kwargs or {})
                     except ValueError:
                         return dict()
                 def _as_raw(self, val, indent=False):
                     if hasattr(val, 'de_coerce'):
                         val = val.de_coerce()
                         if val:
                             if indent:
                                 val = ext_json.formatted_str_json(val)
                             else:
                                 val = ext_json.str_json(val)
                     return val
                 @property
                 def schedule_definition_raw(self):
                     return self._as_raw(self.schedule_definition)
                 def args_raw(self, indent=False):
                     return self._as_raw(self.task_args, indent)
                 def kwargs_raw(self, indent=False):
                     return self._as_raw(self.task_kwargs, indent)
                 def __repr__(self):
                     return f'<DB:ScheduleEntry({self.schedule_entry_id}:{self.schedule_name})>'
             @event.listens_for(ScheduleEntry, 'before_update')
             def update_task_uid(mapper, connection, target):
                 target.task_uid = ScheduleEntry.get_uid(target)
             @event.listens_for(ScheduleEntry, 'before_insert')
             def set_task_uid(mapper, connection, target):
                 target.task_uid = ScheduleEntry.get_uid(target)
             class _BaseBranchPerms(BaseModel):
                 @classmethod
                 def compute_hash(cls, value):
                     return sha1_safe(value)
                 @hybrid_property
                 def branch_pattern(self):
                     return self._branch_pattern or '*'
                 @hybrid_property
                 def branch_hash(self):
                     return self._branch_hash
                 def _validate_glob(self, value):
                     re.compile('^' + glob2re(value) + '$')
                 @branch_pattern.setter
                 def branch_pattern(self, value):
                     self._validate_glob(value)
                     self._branch_pattern = value or '*'
                     # set the Hash when setting the branch pattern
                     self._branch_hash = self.compute_hash(self._branch_pattern)
                 def matches(self, branch):
                     """
                     Check if this the branch matches entry
                     :param branch: branch name for the commit
                     """
                     branch = branch or ''
                     branch_matches = True
                     if branch:
                         branch_regex = re.compile('^' + glob2re(self.branch_pattern) + '$')
                         branch_matches = bool(branch_regex.search(branch))
                     return branch_matches
             class UserToRepoBranchPermission(Base, _BaseBranchPerms):
                 __tablename__ = 'user_to_repo_branch_permissions'
                 __table_args__ = (
                     base_table_args
                 )
                 branch_rule_id = Column('branch_rule_id', Integer(), primary_key=True)
                 repository_id = Column('repository_id', Integer(), ForeignKey('repositories.repo_id'), nullable=False, unique=None, default=None)
                 repo = relationship('Repository', back_populates='user_branch_perms')
                 permission_id = Column('permission_id', Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)
                 permission = relationship('Permission')
                 rule_to_perm_id = Column('rule_to_perm_id', Integer(), ForeignKey('repo_to_perm.repo_to_perm_id'), nullable=False, unique=None, default=None)
                 user_repo_to_perm = relationship('UserRepoToPerm', back_populates='branch_perm_entry')
                 rule_order = Column('rule_order', Integer(), nullable=False)
                 _branch_pattern = Column('branch_pattern', UnicodeText().with_variant(UnicodeText(2048), 'mysql'), default='*')  # glob
                 _branch_hash = Column('branch_hash', UnicodeText().with_variant(UnicodeText(2048), 'mysql'))
                 def __repr__(self):
                     return f'<UserBranchPermission({self.user_repo_to_perm} => {self.branch_pattern!r})>'
             class UserGroupToRepoBranchPermission(Base, _BaseBranchPerms):
                 __tablename__ = 'user_group_to_repo_branch_permissions'
                 __table_args__ = (
                     base_table_args
                 )
                 branch_rule_id = Column('branch_rule_id', Integer(), primary_key=True)
                 repository_id = Column('repository_id', Integer(), ForeignKey('repositories.repo_id'), nullable=False, unique=None, default=None)
                 repo = relationship('Repository', back_populates='user_group_branch_perms')
                 permission_id = Column('permission_id', Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)
                 permission = relationship('Permission')
                 rule_to_perm_id = Column('rule_to_perm_id', Integer(), ForeignKey('users_group_repo_to_perm.users_group_to_perm_id'), nullable=False, unique=None, default=None)
                 user_group_repo_to_perm = relationship('UserGroupRepoToPerm', back_populates='user_group_branch_perms')
                 rule_order = Column('rule_order', Integer(), nullable=False)
                 _branch_pattern = Column('branch_pattern', UnicodeText().with_variant(UnicodeText(2048), 'mysql'), default='*')  # glob
                 _branch_hash = Column('branch_hash', UnicodeText().with_variant(UnicodeText(2048), 'mysql'))
                 def __repr__(self):
                     return f'<UserBranchPermission({self.user_group_repo_to_perm} => {self.branch_pattern!r})>'
             class UserBookmark(Base, BaseModel):
                 __tablename__ = 'user_bookmarks'
                 __table_args__ = (
                     UniqueConstraint('user_id', 'bookmark_repo_id'),
                     UniqueConstraint('user_id', 'bookmark_repo_group_id'),
                     UniqueConstraint('user_id', 'bookmark_position'),
                     base_table_args
                 )
                 user_bookmark_id = Column("user_bookmark_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=None, default=None)
                 position = Column("bookmark_position", Integer(), nullable=False)
                 title = Column("bookmark_title", String(255), nullable=True, unique=None, default=None)
                 redirect_url = Column("bookmark_redirect_url", String(10240), nullable=True, unique=None, default=None)
                 created_on = Column("created_on", DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 bookmark_repo_id = Column("bookmark_repo_id", Integer(), ForeignKey("repositories.repo_id"), nullable=True, unique=None, default=None)
                 bookmark_repo_group_id = Column("bookmark_repo_group_id", Integer(), ForeignKey("groups.group_id"), nullable=True, unique=None, default=None)
                 user = relationship("User")
                 repository = relationship("Repository")
                 repository_group = relationship("RepoGroup")
                 @classmethod
                 def get_by_position_for_user(cls, position, user_id):
                     return cls.query() \
                         .filter(UserBookmark.user_id == user_id) \
                         .filter(UserBookmark.position == position).scalar()
                 @classmethod
                 def get_bookmarks_for_user(cls, user_id, cache=True):
                     bookmarks = cls.query() \
                         .filter(UserBookmark.user_id == user_id) \
                         .options(joinedload(UserBookmark.repository)) \
                         .options(joinedload(UserBookmark.repository_group)) \
                         .order_by(UserBookmark.position.asc())
                     if cache:
                         bookmarks = bookmarks.options(
                             FromCache("sql_cache_short", "get_user_{}_bookmarks".format(user_id))
                         )
                     return bookmarks.all()
                 def __repr__(self):
                     return f'<UserBookmark({self.position} @ {self.redirect_url!r})>'
             class FileStore(Base, BaseModel):
                 __tablename__ = 'file_store'
                 __table_args__ = (
                     base_table_args
                 )
                 file_store_id = Column('file_store_id', Integer(), primary_key=True)
                 file_uid = Column('file_uid', String(1024), nullable=False)
                 file_display_name = Column('file_display_name', UnicodeText().with_variant(UnicodeText(2048), 'mysql'), nullable=True)
                 file_description = Column('file_description', UnicodeText().with_variant(UnicodeText(10240), 'mysql'), nullable=True)
                 file_org_name = Column('file_org_name', UnicodeText().with_variant(UnicodeText(10240), 'mysql'), nullable=False)
                 # sha256 hash
                 file_hash = Column('file_hash', String(512), nullable=False)
                 file_size = Column('file_size', BigInteger(), nullable=False)
                 created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 accessed_on = Column('accessed_on', DateTime(timezone=False), nullable=True)
                 accessed_count = Column('accessed_count', Integer(), default=0)
                 enabled = Column('enabled', Boolean(), nullable=False, default=True)
                 # if repo/repo_group reference is set, check for permissions
                 check_acl = Column('check_acl', Boolean(), nullable=False, default=True)
                 # hidden defines an attachment that should be hidden from showing in artifact listing
                 hidden = Column('hidden', Boolean(), nullable=False, default=False)
                 user_id = Column('user_id', Integer(), ForeignKey('users.user_id'), nullable=False)
                 upload_user = relationship('User', lazy='joined', primaryjoin='User.user_id==FileStore.user_id', back_populates='artifacts')
                 file_metadata = relationship('FileStoreMetadata', lazy='joined')
                 # scope limited to user, which requester have access to
                 scope_user_id = Column(
                     'scope_user_id', Integer(), ForeignKey('users.user_id'),
                     nullable=True, unique=None, default=None)
                 user = relationship('User', lazy='joined', primaryjoin='User.user_id==FileStore.scope_user_id', back_populates='scope_artifacts')
                 # scope limited to user group, which requester have access to
                 scope_user_group_id = Column(
                     'scope_user_group_id', Integer(), ForeignKey('users_groups.users_group_id'),
                     nullable=True, unique=None, default=None)
                 user_group = relationship('UserGroup', lazy='joined')
                 # scope limited to repo, which requester have access to
                 scope_repo_id = Column(
                     'scope_repo_id', Integer(), ForeignKey('repositories.repo_id'),
                     nullable=True, unique=None, default=None)
                 repo = relationship('Repository', lazy='joined')
                 # scope limited to repo group, which requester have access to
                 scope_repo_group_id = Column(
                     'scope_repo_group_id', Integer(), ForeignKey('groups.group_id'),
                     nullable=True, unique=None, default=None)
                 repo_group = relationship('RepoGroup', lazy='joined')
                 @classmethod
                 def get_scope(cls, scope_type, scope_id):
                     if scope_type == 'repo':
                         return f'repo:{scope_id}'
                     elif scope_type == 'repo-group':
                         return f'repo-group:{scope_id}'
                     elif scope_type == 'user':
                         return f'user:{scope_id}'
                     elif scope_type == 'user-group':
                         return f'user-group:{scope_id}'
                     else:
                         return scope_type
                 @classmethod
                 def get_by_store_uid(cls, file_store_uid, safe=False):
                     if safe:
                         return FileStore.query().filter(FileStore.file_uid == file_store_uid).first()
                     else:
                         return FileStore.query().filter(FileStore.file_uid == file_store_uid).scalar()
                 @classmethod
                 def create(cls, file_uid, filename, file_hash, file_size, file_display_name='',
                            file_description='', enabled=True, hidden=False, check_acl=True,
                            user_id=None, scope_user_id=None, scope_repo_id=None, scope_repo_group_id=None):
                     store_entry = FileStore()
                     store_entry.file_uid = file_uid
                     store_entry.file_display_name = file_display_name
                     store_entry.file_org_name = filename
                     store_entry.file_size = file_size
                     store_entry.file_hash = file_hash
                     store_entry.file_description = file_description
                     store_entry.check_acl = check_acl
                     store_entry.enabled = enabled
                     store_entry.hidden = hidden
                     store_entry.user_id = user_id
                     store_entry.scope_user_id = scope_user_id
                     store_entry.scope_repo_id = scope_repo_id
                     store_entry.scope_repo_group_id = scope_repo_group_id
                     return store_entry
                 @classmethod
                 def store_metadata(cls, file_store_id, args, commit=True):
                     file_store = FileStore.get(file_store_id)
                     if file_store is None:
                         return
                     for section, key, value, value_type in args:
                         has_key = FileStoreMetadata().query() \
                             .filter(FileStoreMetadata.file_store_id == file_store.file_store_id) \
                             .filter(FileStoreMetadata.file_store_meta_section == section) \
                             .filter(FileStoreMetadata.file_store_meta_key == key) \
                             .scalar()
                         if has_key:
                             msg = 'key `{}` already defined under section `{}` for this file.'\
                                 .format(key, section)
                             raise ArtifactMetadataDuplicate(msg, err_section=section, err_key=key)
                         # NOTE(marcink): raises ArtifactMetadataBadValueType
                         FileStoreMetadata.valid_value_type(value_type)
                         meta_entry = FileStoreMetadata()
                         meta_entry.file_store = file_store
                         meta_entry.file_store_meta_section = section
                         meta_entry.file_store_meta_key = key
                         meta_entry.file_store_meta_value_type = value_type
                         meta_entry.file_store_meta_value = value
                         Session().add(meta_entry)
                     try:
                         if commit:
                             Session().commit()
                     except IntegrityError:
                         Session().rollback()
                         raise ArtifactMetadataDuplicate('Duplicate section/key found for this file.')
                 @classmethod
                 def bump_access_counter(cls, file_uid, commit=True):
                     FileStore().query()\
                         .filter(FileStore.file_uid == file_uid)\
                         .update({FileStore.accessed_count: (FileStore.accessed_count + 1),
                                  FileStore.accessed_on: datetime.datetime.now()})
                     if commit:
                         Session().commit()
                 def __json__(self):
                     data = {
                         'filename': self.file_display_name,
                         'filename_org': self.file_org_name,
                         'file_uid': self.file_uid,
                         'description': self.file_description,
                         'hidden': self.hidden,
                         'size': self.file_size,
                         'created_on': self.created_on,
                         'uploaded_by': self.upload_user.get_api_data(details='basic'),
                         'downloaded_times': self.accessed_count,
                         'sha256': self.file_hash,
                         'metadata': self.file_metadata,
                     }
                     return data
                 def __repr__(self):
                     return f'<FileStore({self.file_store_id})>'
             class FileStoreMetadata(Base, BaseModel):
                 __tablename__ = 'file_store_metadata'
                 __table_args__ = (
                     UniqueConstraint('file_store_id', 'file_store_meta_section_hash', 'file_store_meta_key_hash'),
                     Index('file_store_meta_section_idx', 'file_store_meta_section', mysql_length=255),
                     Index('file_store_meta_key_idx', 'file_store_meta_key', mysql_length=255),
                     base_table_args
                 )
                 SETTINGS_TYPES = {
                     'str': safe_str,
                     'int': safe_int,
                     'unicode': safe_str,
                     'bool': str2bool,
                     'list': functools.partial(aslist, sep=',')
                 }
                 file_store_meta_id = Column(
                     "file_store_meta_id", Integer(), nullable=False, unique=True, default=None,
                     primary_key=True)
                 _file_store_meta_section = Column(
                     "file_store_meta_section", UnicodeText().with_variant(UnicodeText(1024), 'mysql'),
                     nullable=True, unique=None, default=None)
                 _file_store_meta_section_hash = Column(
                     "file_store_meta_section_hash", String(255),
                     nullable=True, unique=None, default=None)
                 _file_store_meta_key = Column(
                     "file_store_meta_key", UnicodeText().with_variant(UnicodeText(1024), 'mysql'),
                     nullable=True, unique=None, default=None)
                 _file_store_meta_key_hash = Column(
                     "file_store_meta_key_hash", String(255), nullable=True, unique=None, default=None)
                 _file_store_meta_value = Column(
                     "file_store_meta_value", UnicodeText().with_variant(UnicodeText(20480), 'mysql'),
                     nullable=True, unique=None, default=None)
                 _file_store_meta_value_type = Column(
                     "file_store_meta_value_type", String(255), nullable=True, unique=None,
                     default='unicode')
                 file_store_id = Column(
                     'file_store_id', Integer(), ForeignKey('file_store.file_store_id'),
                     nullable=True, unique=None, default=None)
                 file_store = relationship('FileStore', lazy='joined', viewonly=True)
                 @classmethod
                 def valid_value_type(cls, value):
                     if value.split('.')[0] not in cls.SETTINGS_TYPES:
                         raise ArtifactMetadataBadValueType(
                             'value_type must be one of %s got %s' % (cls.SETTINGS_TYPES.keys(), value))
                 @hybrid_property
                 def file_store_meta_section(self):
                     return self._file_store_meta_section
                 @file_store_meta_section.setter
                 def file_store_meta_section(self, value):
                     self._file_store_meta_section = value
                     self._file_store_meta_section_hash = _hash_key(value)
                 @hybrid_property
                 def file_store_meta_key(self):
                     return self._file_store_meta_key
                 @file_store_meta_key.setter
                 def file_store_meta_key(self, value):
                     self._file_store_meta_key = value
                     self._file_store_meta_key_hash = _hash_key(value)
                 @hybrid_property
                 def file_store_meta_value(self):
                     val = self._file_store_meta_value
                     if self._file_store_meta_value_type:
                         # e.g unicode.encrypted == unicode
                         _type = self._file_store_meta_value_type.split('.')[0]
                         # decode the encrypted value if it's encrypted field type
                         if '.encrypted' in self._file_store_meta_value_type:
                             cipher = EncryptedTextValue()
                             val = safe_str(cipher.process_result_value(val, None))
                         # do final type conversion
                         converter = self.SETTINGS_TYPES.get(_type) or self.SETTINGS_TYPES['unicode']
                         val = converter(val)
                     return val
                 @file_store_meta_value.setter
                 def file_store_meta_value(self, val):
                     val = safe_str(val)
                     # encode the encrypted value
                     if '.encrypted' in self.file_store_meta_value_type:
                         cipher = EncryptedTextValue()
                         val = safe_str(cipher.process_bind_param(val, None))
                     self._file_store_meta_value = val
                 @hybrid_property
                 def file_store_meta_value_type(self):
                     return self._file_store_meta_value_type
                 @file_store_meta_value_type.setter
                 def file_store_meta_value_type(self, val):
                     # e.g unicode.encrypted
                     self.valid_value_type(val)
                     self._file_store_meta_value_type = val
                 def __json__(self):
                     data = {
                         'artifact': self.file_store.file_uid,
                         'section': self.file_store_meta_section,
                         'key': self.file_store_meta_key,
                         'value': self.file_store_meta_value,
                     }
                     return data
                 def __repr__(self):
                     return '<%s[%s]%s=>%s]>' % (self.cls_name, self.file_store_meta_section,
                                                 self.file_store_meta_key, self.file_store_meta_value)
             class DbMigrateVersion(Base, BaseModel):
                 __tablename__ = 'db_migrate_version'
                 __table_args__ = (
                     base_table_args,
                 )
                 repository_id = Column('repository_id', String(250), primary_key=True)
                 repository_path = Column('repository_path', Text)
                 version = Column('version', Integer)
                 @classmethod
                 def set_version(cls, version):
                     """
                     Helper for forcing a different version, usually for debugging purposes via ishell.
                     """
                     ver = DbMigrateVersion.query().first()
                     ver.version = version
                     Session().commit()
             class DbSession(Base, BaseModel):
                 __tablename__ = 'db_session'
                 __table_args__ = (
                     base_table_args,
                 )
                 def __repr__(self):
                     return f'<DB:DbSession({self.id})>'
                 id = Column('id', Integer())
                 namespace = Column('namespace', String(255), primary_key=True)
                 accessed = Column('accessed', DateTime, nullable=False)
                 created = Column('created', DateTime, nullable=False)
                 data = Column('data', PickleType, nullable=False)

rhodecode/model/validators.py

0 +1 -1

             # Copyright (C) 2010-2023 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             """
             Set of generic validators
             """
             import os
             import re
             import logging
             import collections
             import formencode
             import ipaddress
             from formencode.validators import (
                 UnicodeString, OneOf, Int, Number, Regex, Email, Bool, StringBoolean, Set,
                 NotEmpty, IPAddress, CIDR, String, FancyValidator
             )
             from sqlalchemy.sql.expression import true
             from sqlalchemy.util import OrderedSet
             from rhodecode.authentication import (
                 legacy_plugin_prefix, _import_legacy_plugin)
             from rhodecode.authentication.base import loadplugin
             from rhodecode.apps._base import ADMIN_PREFIX
             from rhodecode.lib.auth import HasRepoGroupPermissionAny, HasPermissionAny
             from rhodecode.lib.utils import repo_name_slug, make_db_config
             from rhodecode.lib.utils2 import safe_int, str2bool, aslist
             from rhodecode.lib.str_utils import safe_str
             from rhodecode.lib.hash_utils import md5_safe
             from rhodecode.lib.vcs.backends.git.repository import GitRepository
             from rhodecode.lib.vcs.backends.hg.repository import MercurialRepository
             from rhodecode.lib.vcs.backends.svn.repository import SubversionRepository
             from rhodecode.model.db import (
                 RepoGroup, Repository, UserGroup, User, ChangesetStatus, Gist)
             from rhodecode.model.settings import VcsSettingsModel
             # silence warnings and pylint
             UnicodeString, OneOf, Int, Number, Regex, Email, Bool, StringBoolean, Set, \
                 NotEmpty, IPAddress, CIDR, String, FancyValidator
             log = logging.getLogger(__name__)
             class _Missing(object):
                 pass
             Missing = _Missing()
             def M(self, key, state, **kwargs):
                 """
                 returns string from self.message based on given key,
                 passed kw params are used to substitute %(named)s params inside
                 translated strings
                 :param msg:
                 :param state:
                 """
                 #state._ = staticmethod(_)
                 # inject validator into state object
                 return self.message(key, state, **kwargs)
             def UniqueList(localizer, convert=None):
                 _ = localizer
                 class _validator(formencode.FancyValidator):
                     """
                     Unique List !
                     """
                     accept_iterator = True
                     messages = {
                         'empty': _('Value cannot be an empty list'),
                         'missing_value': _('Value cannot be an empty list'),
                     }
                     def _convert_to_python(self, value, state):
                         def make_unique(_value):
                             seen = []
                             return [c for c in _value if not (c in seen or seen.append(c))]
                         if isinstance(value, list):
                             ret_val = make_unique(value)
                         elif isinstance(value, set):
                             ret_val = make_unique(list(value))
                         elif isinstance(value, tuple):
                             ret_val = make_unique(list(value))
                         elif value is None:
                             ret_val = []
                         else:
                             ret_val = [value]
                         if convert:
                             ret_val = list(map(convert, ret_val))
                         return ret_val
                     def empty_value(self, value):
                         return []
                 return _validator
             def UniqueListFromString(localizer):
                 _ = localizer
                 class _validator(UniqueList(localizer)):
                     def _convert_to_python(self, value, state):
                         if isinstance(value, str):
                             value = aslist(value, ',')
                         return super()._convert_to_python(value, state)
                 return _validator
             def ValidSvnPattern(localizer, section, repo_name=None):
                 _ = localizer
                 class _validator(formencode.validators.FancyValidator):
                     messages = {
                         'pattern_exists': _('Pattern already exists'),
                     }
                     def _validate_python(self, value, state):
                         if not value:
                             return
                         model = VcsSettingsModel(repo=repo_name)
                         ui_settings = model.get_svn_patterns(section=section)
                         for entry in ui_settings:
                             if value == entry.value:
                                 msg = M(self, 'pattern_exists', state)
                                 raise formencode.Invalid(msg, value, state)
                 return _validator
             def ValidUsername(localizer, edit=False, old_data=None):
                 _ = localizer
                 old_data = old_data or {}
                 class _validator(formencode.validators.FancyValidator):
                     messages = {
                         'username_exists': _('Username "%(username)s" already exists'),
                         'system_invalid_username':
                             _('Username "%(username)s" is forbidden'),
                         'invalid_username':
                             _('Username may only contain alphanumeric characters '
                               'underscores, periods or dashes and must begin with '
                               'alphanumeric character or underscore')
                     }
                     def _validate_python(self, value, state):
                         if value in ['default', 'new_user']:
                             msg = M(self, 'system_invalid_username', state, username=value)
                             raise formencode.Invalid(msg, value, state)
                         # check if user is unique
                         old_un = None
                         if edit:
                             old_un = User.get(old_data.get('user_id')).username
                         if old_un != value or not edit:
                             if User.get_by_username(value, case_insensitive=True):
                                 msg = M(self, 'username_exists', state, username=value)
                                 raise formencode.Invalid(msg, value, state)
                         if (re.match(r'^[\w]{1}[\w\-\.]{0,254}$', value)
                                 is None):
                             msg = M(self, 'invalid_username', state)
                             raise formencode.Invalid(msg, value, state)
                 return _validator
             def ValidRepoUser(localizer, allow_disabled=False):
                 _ = localizer
                 class _validator(formencode.validators.FancyValidator):
                     messages = {
                         'invalid_username': _('Username %(username)s is not valid'),
                         'disabled_username': _('Username %(username)s is disabled')
                     }
                     def _validate_python(self, value, state):
                         try:
                             user = User.query().filter(User.username == value).one()
                         except Exception:
                             msg = M(self, 'invalid_username', state, username=value)
                             raise formencode.Invalid(
                                 msg, value, state, error_dict={'username': msg}
                             )
                         if user and (not allow_disabled and not user.active):
                             msg = M(self, 'disabled_username', state, username=value)
                             raise formencode.Invalid(
                                 msg, value, state, error_dict={'username': msg}
                             )
                 return _validator
             def ValidUserGroup(localizer, edit=False, old_data=None):
                 _ = localizer
                 old_data = old_data or {}
                 class _validator(formencode.validators.FancyValidator):
                     messages = {
                         'invalid_group': _('Invalid user group name'),
                         'group_exist': _('User group `%(usergroup)s` already exists'),
                         'invalid_usergroup_name':
                             _('User group name may only contain alphanumeric '
                               'characters underscores, periods or dashes and must begin '
                               'with alphanumeric character')
                     }
                     def _validate_python(self, value, state):
                         if value in ['default']:
                             msg = M(self, 'invalid_group', state)
                             raise formencode.Invalid(msg, value, state)
                         # check if group is unique
                         old_ugname = None
                         if edit:
                             old_id = old_data.get('users_group_id')
                             old_ugname = UserGroup.get(old_id).users_group_name
                         if old_ugname != value or not edit:
                             is_existing_group = UserGroup.get_by_group_name(
                                 value, case_insensitive=True)
                             if is_existing_group:
                                 msg = M(self, 'group_exist', state, usergroup=value)
                                 raise formencode.Invalid(
                                     msg, value, state, error_dict={'users_group_name': msg}
                                 )
                         if re.match(r'^[a-zA-Z0-9]{1}[a-zA-Z0-9\-\_\.]+$', value) is None:
                             msg = M(self, 'invalid_usergroup_name', state)
                             raise formencode.Invalid(msg, value, state)
                 return _validator
             def ValidRepoGroup(localizer, edit=False, old_data=None, can_create_in_root=False):
                 _ = localizer
                 old_data = old_data or {}
                 class _validator(formencode.validators.FancyValidator):
                     messages = {
                         'group_parent_id': _('Cannot assign this group as parent'),
                         'group_exists': _('Group "%(group_name)s" already exists'),
                         'repo_exists': _('Repository with name "%(group_name)s" '
                                          'already exists'),
                         'permission_denied': _("no permission to store repository group"
                                                "in this location"),
                         'permission_denied_root': _(
                             "no permission to store repository group "
                             "in root location")
                     }
                     def _convert_to_python(self, value, state):
                         group_name = repo_name_slug(value.get('group_name', ''))
                         group_parent_id = safe_int(value.get('group_parent_id'))
                         gr = RepoGroup.get(group_parent_id)
                         if gr:
                             parent_group_path = gr.full_path
                             # value needs to be aware of group name in order to check
                             # db key This is an actual just the name to store in the
                             # database
                             group_name_full = (
                                 parent_group_path + RepoGroup.url_sep() + group_name)
                         else:
                             group_name_full = group_name
                         value['group_name'] = group_name
                         value['group_name_full'] = group_name_full
                         value['group_parent_id'] = group_parent_id
                         return value
                     def _validate_python(self, value, state):
                         old_group_name = None
                         group_name = value.get('group_name')
                         group_name_full = value.get('group_name_full')
                         group_parent_id = safe_int(value.get('group_parent_id'))
                         if group_parent_id == -1:
                             group_parent_id = None
                         group_obj = RepoGroup.get(old_data.get('group_id'))
                         parent_group_changed = False
                         if edit:
                             old_group_name = group_obj.group_name
                             old_group_parent_id = group_obj.group_parent_id
                             if group_parent_id != old_group_parent_id:
                                 parent_group_changed = True
                             # TODO: mikhail: the following if statement is not reached
                             # since group_parent_id's OneOf validation fails before.
                             # Can be removed.
                             # check against setting a parent of self
                             parent_of_self = (
                                 old_data['group_id'] == group_parent_id
                                 if group_parent_id else False
                             )
                             if parent_of_self:
                                 msg = M(self, 'group_parent_id', state)
                                 raise formencode.Invalid(
                                     msg, value, state, error_dict={'group_parent_id': msg}
                                 )
                         # group we're moving current group inside
                         child_group = None
                         if group_parent_id:
                             child_group = RepoGroup.query().filter(
                                 RepoGroup.group_id == group_parent_id).scalar()
                         # do a special check that we cannot move a group to one of
                         # it's children
                         if edit and child_group:
                             parents = [x.group_id for x in child_group.parents]
                             move_to_children = old_data['group_id'] in parents
                             if move_to_children:
                                 msg = M(self, 'group_parent_id', state)
                                 raise formencode.Invalid(
                                     msg, value, state, error_dict={'group_parent_id': msg})
                         # Check if we have permission to store in the parent.
                         # Only check if the parent group changed.
                         if parent_group_changed:
                             if child_group is None:
                                 if not can_create_in_root:
                                     msg = M(self, 'permission_denied_root', state)
                                     raise formencode.Invalid(
                                         msg, value, state,
                                         error_dict={'group_parent_id': msg})
                             else:
                                 valid = HasRepoGroupPermissionAny('group.admin')
                                 forbidden = not valid(
                                     child_group.group_name, 'can create group validator')
                                 if forbidden:
                                     msg = M(self, 'permission_denied', state)
                                     raise formencode.Invalid(
                                         msg, value, state,
                                         error_dict={'group_parent_id': msg})
                         # if we change the name or it's new group, check for existing names
                         # or repositories with the same name
                         if old_group_name != group_name_full or not edit:
                             # check group
                             gr = RepoGroup.get_by_group_name(group_name_full)
                             if gr:
                                 msg = M(self, 'group_exists', state, group_name=group_name)
                                 raise formencode.Invalid(
                                     msg, value, state, error_dict={'group_name': msg})
                             # check for same repo
                             repo = Repository.get_by_repo_name(group_name_full)
                             if repo:
                                 msg = M(self, 'repo_exists', state, group_name=group_name)
                                 raise formencode.Invalid(
                                     msg, value, state, error_dict={'group_name': msg})
                 return _validator
             def ValidPassword(localizer):
                 _ = localizer
                 class _validator(formencode.validators.FancyValidator):
                     messages = {
                         'invalid_password':
                             _('Invalid characters (non-ascii) in password')
                     }
                     def _validate_python(self, value, state):
                         if value and not value.isascii():
                             msg = M(self, 'invalid_password', state)
                             raise formencode.Invalid(msg, value, state,)
                 return _validator
             def ValidPasswordsMatch(
                     localizer, passwd='new_password',
                     passwd_confirmation='password_confirmation'):
                 _ = localizer
                 class _validator(formencode.validators.FancyValidator):
                     messages = {
                         'password_mismatch': _('Passwords do not match'),
                     }
                     def _validate_python(self, value, state):
                         pass_val = value.get('password') or value.get(passwd)
                         if pass_val != value[passwd_confirmation]:
                             msg = M(self, 'password_mismatch', state)
                             raise formencode.Invalid(
                                 msg, value, state,
                                 error_dict={passwd: msg, passwd_confirmation: msg}
                             )
                 return _validator
             def ValidAuth(localizer):
                 _ = localizer
                 class _validator(formencode.validators.FancyValidator):
                     messages = {
                         'invalid_password': _('invalid password'),
                         'invalid_username': _('invalid user name'),
                         'disabled_account': _('Your account is disabled')
                     }
                     def _validate_python(self, value, state):
                         from rhodecode.authentication.base import authenticate, HTTP_TYPE
                         password = value['password']
                         username = value['username']
                         if not authenticate(username, password, '', HTTP_TYPE,
                                             skip_missing=True):
-                            user = User.get_by_username(username)
+                            user = User.get_by_username_or_primary_email(username)
                             if user and not user.active:
                                 log.warning('user %s is disabled', username)
                                 msg = M(self, 'disabled_account', state)
                                 raise formencode.Invalid(
                                     msg, value, state, error_dict={'username': msg}
                                 )
                             else:
                                 log.warning('user `%s` failed to authenticate', username)
                                 msg = M(self, 'invalid_username', state)
                                 msg2 = M(self, 'invalid_password', state)
                                 raise formencode.Invalid(
                                     msg, value, state,
                                     error_dict={'username': msg, 'password': msg2}
                                 )
                 return _validator
             def ValidRepoName(localizer, edit=False, old_data=None):
                 old_data = old_data or {}
                 _ = localizer
                 class _validator(formencode.validators.FancyValidator):
                     messages = {
                         'invalid_repo_name':
                             _('Repository name %(repo)s is disallowed'),
                         # top level
                         'repository_exists': _('Repository with name %(repo)s '
                                                'already exists'),
                         'group_exists': _('Repository group with name "%(repo)s" '
                                           'already exists'),
                         # inside a group
                         'repository_in_group_exists': _('Repository with name %(repo)s '
                                                         'exists in group "%(group)s"'),
                         'group_in_group_exists': _(
                             'Repository group with name "%(repo)s" '
                             'exists in group "%(group)s"'),
                     }
                     def _convert_to_python(self, value, state):
                         repo_name = repo_name_slug(value.get('repo_name', ''))
                         repo_group = value.get('repo_group')
                         if repo_group:
                             gr = RepoGroup.get(repo_group)
                             group_path = gr.full_path
                             group_name = gr.group_name
                             # value needs to be aware of group name in order to check
                             # db key This is an actual just the name to store in the
                             # database
                             repo_name_full = group_path + RepoGroup.url_sep() + repo_name
                         else:
                             group_name = group_path = ''
                             repo_name_full = repo_name
                         value['repo_name'] = repo_name
                         value['repo_name_full'] = repo_name_full
                         value['group_path'] = group_path
                         value['group_name'] = group_name
                         return value
                     def _validate_python(self, value, state):
                         repo_name = value.get('repo_name')
                         repo_name_full = value.get('repo_name_full')
                         group_path = value.get('group_path')
                         group_name = value.get('group_name')
                         if repo_name in [ADMIN_PREFIX, '']:
                             msg = M(self, 'invalid_repo_name', state, repo=repo_name)
                             raise formencode.Invalid(
                                 msg, value, state, error_dict={'repo_name': msg})
                         rename = old_data.get('repo_name') != repo_name_full
                         create = not edit
                         if rename or create:
                             if group_path:
                                 if Repository.get_by_repo_name(repo_name_full):
                                     msg = M(self, 'repository_in_group_exists', state,
                                             repo=repo_name, group=group_name)
                                     raise formencode.Invalid(
                                         msg, value, state, error_dict={'repo_name': msg})
                                 if RepoGroup.get_by_group_name(repo_name_full):
                                     msg = M(self, 'group_in_group_exists', state,
                                             repo=repo_name, group=group_name)
                                     raise formencode.Invalid(
                                         msg, value, state, error_dict={'repo_name': msg})
                             else:
                                 if RepoGroup.get_by_group_name(repo_name_full):
                                     msg = M(self, 'group_exists', state, repo=repo_name)
                                     raise formencode.Invalid(
                                         msg, value, state, error_dict={'repo_name': msg})
                                 if Repository.get_by_repo_name(repo_name_full):
                                     msg = M(
                                         self, 'repository_exists', state, repo=repo_name)
                                     raise formencode.Invalid(
                                         msg, value, state, error_dict={'repo_name': msg})
                         return value
                 return _validator
             def ValidForkName(localizer, *args, **kwargs):
                 _ = localizer
                 return ValidRepoName(localizer, *args, **kwargs)
             def SlugifyName(localizer):
                 _ = localizer
                 class _validator(formencode.validators.FancyValidator):
                     def _convert_to_python(self, value, state):
                         return repo_name_slug(value)
                     def _validate_python(self, value, state):
                         pass
                 return _validator
             def CannotHaveGitSuffix(localizer):
                 _ = localizer
                 class _validator(formencode.validators.FancyValidator):
                     messages = {
                         'has_git_suffix':
                             _('Repository name cannot end with .git'),
                     }
                     def _convert_to_python(self, value, state):
                         return value
                     def _validate_python(self, value, state):
                         if value and value.endswith('.git'):
                             msg = M(
                                 self, 'has_git_suffix', state)
                             raise formencode.Invalid(
                                 msg, value, state, error_dict={'repo_name': msg})
                 return _validator
             def ValidCloneUri(localizer):
                 _ = localizer
                 class InvalidCloneUrl(Exception):
                     allowed_prefixes = ()
                 def url_handler(repo_type, url):
                     config = make_db_config(clear_session=False)
                     if repo_type == 'hg':
                         allowed_prefixes = ('http', 'svn+http', 'git+http')
                         if 'http' in url[:4]:
                             # initially check if it's at least the proper URL
                             # or does it pass basic auth
                             MercurialRepository.check_url(url, config)
                         elif 'svn+http' in url[:8]:  # svn->hg import
                             SubversionRepository.check_url(url, config)
                         elif 'git+http' in url[:8]:  # git->hg import
                             raise NotImplementedError()
                         else:
                             exc = InvalidCloneUrl('Clone from URI %s not allowed. '
                                                   'Allowed url must start with one of %s'
                                                   % (url, ','.join(allowed_prefixes)))
                             exc.allowed_prefixes = allowed_prefixes
                             raise exc
                     elif repo_type == 'git':
                         allowed_prefixes = ('http', 'svn+http', 'hg+http')
                         if 'http' in url[:4]:
                             # initially check if it's at least the proper URL
                             # or does it pass basic auth
                             GitRepository.check_url(url, config)
                         elif 'svn+http' in url[:8]:  # svn->git import
                             raise NotImplementedError()
                         elif 'hg+http' in url[:8]:  # hg->git import
                             raise NotImplementedError()
                         else:
                             exc = InvalidCloneUrl('Clone from URI %s not allowed. '
                                                   'Allowed url must start with one of %s'
                                                   % (url, ','.join(allowed_prefixes)))
                             exc.allowed_prefixes = allowed_prefixes
                             raise exc
                 class _validator(formencode.validators.FancyValidator):
                     messages = {
                         'clone_uri': _('invalid clone url or credentials for %(rtype)s repository'),
                         'invalid_clone_uri': _(
                             'Invalid clone url, provide a valid clone '
                             'url starting with one of %(allowed_prefixes)s')
                     }
                     def _validate_python(self, value, state):
                         repo_type = value.get('repo_type')
                         url = value.get('clone_uri')
                         if url:
                             try:
                                 url_handler(repo_type, url)
                             except InvalidCloneUrl as e:
                                 log.warning(e)
                                 msg = M(self, 'invalid_clone_uri', state, rtype=repo_type,
                                         allowed_prefixes=','.join(e.allowed_prefixes))
                                 raise formencode.Invalid(msg, value, state,
                                                          error_dict={'clone_uri': msg})
                             except Exception:
                                 log.exception('Url validation failed')
                                 msg = M(self, 'clone_uri', state, rtype=repo_type)
                                 raise formencode.Invalid(msg, value, state,
                                                          error_dict={'clone_uri': msg})
                 return _validator
             def ValidForkType(localizer, old_data=None):
                 _ = localizer
                 old_data = old_data or {}
                 class _validator(formencode.validators.FancyValidator):
                     messages = {
                         'invalid_fork_type': _('Fork have to be the same type as parent')
                     }
                     def _validate_python(self, value, state):
                         if old_data['repo_type'] != value:
                             msg = M(self, 'invalid_fork_type', state)
                             raise formencode.Invalid(
                                 msg, value, state, error_dict={'repo_type': msg}
                             )
                 return _validator
             def CanWriteGroup(localizer, old_data=None):
                 _ = localizer
                 class _validator(formencode.validators.FancyValidator):
                     messages = {
                         'permission_denied': _(
                             "You do not have the permission "
                             "to create repositories in this group."),
                         'permission_denied_root': _(
                             "You do not have the permission to store repositories in "
                             "the root location.")
                     }
                     def _convert_to_python(self, value, state):
                         # root location
                         if value in [-1, "-1"]:
                             return None
                         return value
                     def _validate_python(self, value, state):
                         gr = RepoGroup.get(value)
                         gr_name = gr.group_name if gr else None  # None means ROOT location
                         # create repositories with write permission on group is set to true
                         create_on_write = HasPermissionAny(
                             'hg.create.write_on_repogroup.true')()
                         group_admin = HasRepoGroupPermissionAny('group.admin')(
                             gr_name, 'can write into group validator')
                         group_write = HasRepoGroupPermissionAny('group.write')(
                             gr_name, 'can write into group validator')
                         forbidden = not (group_admin or (group_write and create_on_write))
                         can_create_repos = HasPermissionAny(
                             'hg.admin', 'hg.create.repository')
                         gid = (old_data['repo_group'].get('group_id')
                                if (old_data and 'repo_group' in old_data) else None)
                         value_changed = gid != safe_int(value)
                         new = not old_data
                         # do check if we changed the value, there's a case that someone got
                         # revoked write permissions to a repository, he still created, we
                         # don't need to check permission if he didn't change the value of
                         # groups in form box
                         if value_changed or new:
                             # parent group need to be existing
                             if gr and forbidden:
                                 msg = M(self, 'permission_denied', state)
                                 raise formencode.Invalid(
                                     msg, value, state, error_dict={'repo_type': msg}
                                 )
                             # check if we can write to root location !
                             elif gr is None and not can_create_repos():
                                 msg = M(self, 'permission_denied_root', state)
                                 raise formencode.Invalid(
                                     msg, value, state, error_dict={'repo_type': msg}
                                 )
                 return _validator
             def ValidPerms(localizer, type_='repo'):
                 _ = localizer
                 if type_ == 'repo_group':
                     EMPTY_PERM = 'group.none'
                 elif type_ == 'repo':
                     EMPTY_PERM = 'repository.none'
                 elif type_ == 'user_group':
                     EMPTY_PERM = 'usergroup.none'
                 class _validator(formencode.validators.FancyValidator):
                     messages = {
                         'perm_new_member_name':
                             _('This username or user group name is not valid')
                     }
                     def _convert_to_python(self, value, state):
                         perm_updates = OrderedSet()
                         perm_additions = OrderedSet()
                         perm_deletions = OrderedSet()
                         # build a list of permission to update/delete and new permission
                         # Read the perm_new_member/perm_del_member attributes and group
                         # them by they IDs
                         new_perms_group = collections.defaultdict(dict)
                         del_perms_group = collections.defaultdict(dict)
                         for k, v in list(value.copy().items()):
                             if k.startswith('perm_del_member'):
                                 # delete from org storage so we don't process that later
                                 del value[k]
                                 # part is `id`, `type`
                                 _type, part = k.split('perm_del_member_')
                                 args = part.split('_')
                                 if len(args) == 2:
                                     _key, pos = args
                                     del_perms_group[pos][_key] = v
                             if k.startswith('perm_new_member'):
                                 # delete from org storage so we don't process that later
                                 del value[k]
                                 # part is `id`, `type`, `perm`
                                 _type, part = k.split('perm_new_member_')
                                 args = part.split('_')
                                 if len(args) == 2:
                                     _key, pos = args
                                     new_perms_group[pos][_key] = v
                         # store the deletes
                         for k in sorted(del_perms_group.keys()):
                             perm_dict = del_perms_group[k]
                             del_member = perm_dict.get('id')
                             del_type = perm_dict.get('type')
                             if del_member and del_type:
                                 perm_deletions.add(
                                     (del_member, None, del_type))
                         # store additions in order of how they were added in web form
                         for k in sorted(new_perms_group.keys()):
                             perm_dict = new_perms_group[k]
                             new_member = perm_dict.get('id')
                             new_type = perm_dict.get('type')
                             new_perm = perm_dict.get('perm')
                             if new_member and new_perm and new_type:
                                 perm_additions.add(
                                     (new_member, new_perm, new_type))
                         # get updates of permissions
                         # (read the existing radio button states)
                         default_user_id = User.get_default_user_id()
                         for k, update_value in list(value.items()):
                             if k.startswith('u_perm_') or k.startswith('g_perm_'):
                                 obj_type = k[0]
                                 obj_id = k[7:]
                                 update_type = {'u': 'user',
                                                'g': 'user_group'}[obj_type]
                                 if obj_type == 'u' and safe_int(obj_id) == default_user_id:
                                     if str2bool(value.get('repo_private')):
                                         # prevent from updating default user permissions
                                         # when this repository is marked as private
                                         update_value = EMPTY_PERM
                                 perm_updates.add(
                                     (obj_id, update_value, update_type))
                         value['perm_additions'] = []  # propagated later
                         value['perm_updates'] = list(perm_updates)
                         value['perm_deletions'] = list(perm_deletions)
                         updates_map = dict(
                             (x[0], (x[1], x[2])) for x in value['perm_updates'])
                         # make sure Additions don't override updates.
                         for member_id, perm, member_type in list(perm_additions):
                             if member_id in updates_map:
                                 perm = updates_map[member_id][0]
                             value['perm_additions'].append((member_id, perm, member_type))
                             # on new entries validate users they exist and they are active !
                             # this leaves feedback to the form
                             try:
                                 if member_type == 'user':
                                     User.query()\
                                         .filter(User.active == true())\
                                         .filter(User.user_id == member_id).one()
                                 if member_type == 'user_group':
                                     UserGroup.query()\
                                         .filter(UserGroup.users_group_active == true())\
                                         .filter(UserGroup.users_group_id == member_id)\
                                         .one()
                             except Exception:
                                 log.exception('Updated permission failed: org_exc:')
                                 msg = M(self, 'perm_new_member_type', state)
                                 raise formencode.Invalid(
                                     msg, value, state, error_dict={
                                         'perm_new_member_name': msg}
                                 )
                         return value
                 return _validator
             def ValidPath(localizer):
                 _ = localizer
                 class _validator(formencode.validators.FancyValidator):
                     messages = {
                         'invalid_path': _('This is not a valid path')
                     }
                     def _validate_python(self, value, state):
                         if not os.path.isdir(value):
                             msg = M(self, 'invalid_path', state)
                             raise formencode.Invalid(
                                 msg, value, state, error_dict={'paths_root_path': msg}
                             )
                 return _validator
             def UniqSystemEmail(localizer, old_data=None):
                 _ = localizer
                 old_data = old_data or {}
                 class _validator(formencode.validators.FancyValidator):
                     messages = {
                         'email_taken': _('This e-mail address is already taken')
                     }
                     def _convert_to_python(self, value, state):
                         return value.lower()
                     def _validate_python(self, value, state):
                         if (old_data.get('email') or '').lower() != value:
                             user = User.get_by_email(value, case_insensitive=True)
                             if user:
                                 msg = M(self, 'email_taken', state)
                                 raise formencode.Invalid(
                                     msg, value, state, error_dict={'email': msg}
                                 )
                 return _validator
             def ValidSystemEmail(localizer):
                 _ = localizer
                 class _validator(formencode.validators.FancyValidator):
                     messages = {
                         'non_existing_email': _('e-mail "%(email)s" does not exist.')
                     }
                     def _convert_to_python(self, value, state):
                         return value.lower()
                     def _validate_python(self, value, state):
                         user = User.get_by_email(value, case_insensitive=True)
                         if user is None:
                             msg = M(self, 'non_existing_email', state, email=value)
                             raise formencode.Invalid(
                                 msg, value, state, error_dict={'email': msg}
                             )
                 return _validator
             def NotReviewedRevisions(localizer, repo_id):
                 _ = localizer
                 class _validator(formencode.validators.FancyValidator):
                     messages = {
                         'rev_already_reviewed':
                             _('Revisions %(revs)s are already part of pull request '
                               'or have set status'),
                     }
                     def _validate_python(self, value, state):
                         # check revisions if they are not reviewed, or a part of another
                         # pull request
                         statuses = ChangesetStatus.query()\
                             .filter(ChangesetStatus.revision.in_(value))\
                             .filter(ChangesetStatus.repo_id == repo_id)\
                             .all()
                         errors = []
                         for status in statuses:
                             if status.pull_request_id:
                                 errors.append(['pull_req', status.revision[:12]])
                             elif status.status:
                                 errors.append(['status', status.revision[:12]])
                         if errors:
                             revs = ','.join([x[1] for x in errors])
                             msg = M(self, 'rev_already_reviewed', state, revs=revs)
                             raise formencode.Invalid(
                                 msg, value, state, error_dict={'revisions': revs})
                 return _validator
             def ValidIp(localizer):
                 _ = localizer
                 class _validator(CIDR):
                     messages = {
                         'badFormat': _('Please enter a valid IPv4 or IpV6 address'),
                         'illegalBits': _(
                             'The network size (bits) must be within the range '
                             'of 0-32 (not %(bits)r)'),
                     }
                     # we override the default to_python() call
                     def to_python(self, value, state):
                         v = super().to_python(value, state)
                         v = safe_str(v.strip())
                         net = ipaddress.ip_network(address=v, strict=False)
                         return str(net)
                     def _validate_python(self, value, state):
                         try:
                             addr = safe_str(value.strip())
                             # this raises an ValueError if address is not IpV4 or IpV6
                             ipaddress.ip_network(addr, strict=False)
                         except ValueError:
                             raise formencode.Invalid(self.message('badFormat', state),
                                                      value, state)
                 return _validator
             def FieldKey(localizer):
                 _ = localizer
                 class _validator(formencode.validators.FancyValidator):
                     messages = {
                         'badFormat': _(
                             'Key name can only consist of letters, '
                             'underscore, dash or numbers'),
                     }
                     def _validate_python(self, value, state):
                         if not re.match('[a-zA-Z0-9_-]+$', value):
                             raise formencode.Invalid(self.message('badFormat', state),
                                                      value, state)
                 return _validator
             def ValidAuthPlugins(localizer):
                 _ = localizer
                 class _validator(formencode.validators.FancyValidator):
                     messages = {
                         'import_duplicate': _(
                             'Plugins %(loaded)s and %(next_to_load)s '
                             'both export the same name'),
                         'missing_includeme': _(
                             'The plugin "%(plugin_id)s" is missing an includeme '
                             'function.'),
                         'import_error': _(
                             'Can not load plugin "%(plugin_id)s"'),
                         'no_plugin': _(
                             'No plugin available with ID "%(plugin_id)s"'),
                     }
                     def _convert_to_python(self, value, state):
                         # filter empty values
                         return [s for s in value if s not in [None, '']]
                     def _validate_legacy_plugin_id(self, plugin_id, value, state):
                         """
                         Validates that the plugin import works. It also checks that the
                         plugin has an includeme attribute.
                         """
                         try:
                             plugin = _import_legacy_plugin(plugin_id)
                         except Exception as e:
                             log.exception(
                                 'Exception during import of auth legacy plugin "{}"'
                                 .format(plugin_id))
                             msg = M(self, 'import_error', state, plugin_id=plugin_id)
                             raise formencode.Invalid(msg, value, state)
                         if not hasattr(plugin, 'includeme'):
                             msg = M(self, 'missing_includeme', state, plugin_id=plugin_id)
                             raise formencode.Invalid(msg, value, state)
                         return plugin
                     def _validate_plugin_id(self, plugin_id, value, state):
                         """
                         Plugins are already imported during app start up. Therefore this
                         validation only retrieves the plugin from the plugin registry and
                         if it returns something not None everything is OK.
                         """
                         plugin = loadplugin(plugin_id)
                         if plugin is None:
                             msg = M(self, 'no_plugin', state, plugin_id=plugin_id)
                             raise formencode.Invalid(msg, value, state)
                         return plugin
                     def _validate_python(self, value, state):
                         unique_names = {}
                         for plugin_id in value:
                             # Validate legacy or normal plugin.
                             if plugin_id.startswith(legacy_plugin_prefix):
                                 plugin = self._validate_legacy_plugin_id(
                                     plugin_id, value, state)
                             else:
                                 plugin = self._validate_plugin_id(plugin_id, value, state)
                             # Only allow unique plugin names.
                             if plugin.name in unique_names:
                                 msg = M(self, 'import_duplicate', state,
                                         loaded=unique_names[plugin.name],
                                         next_to_load=plugin)
                                 raise formencode.Invalid(msg, value, state)
                             unique_names[plugin.name] = plugin
                 return _validator
             def ValidPattern(localizer):
                 _ = localizer
                 class _validator(formencode.validators.FancyValidator):
                     messages = {
                         'bad_format': _('Url must start with http or /'),
                     }
                     def _convert_to_python(self, value, state):
                         patterns = []
                         prefix = 'new_pattern'
                         for name, v in list(value.items()):
                             pattern_name = '_'.join((prefix, 'pattern'))
                             if name.startswith(pattern_name):
                                 new_item_id = name[len(pattern_name)+1:]
                                 def _field(name):
                                     return '{}_{}_{}'.format(prefix, name, new_item_id)
                                 values = {
                                     'issuetracker_pat': value.get(_field('pattern')),
                                     'issuetracker_url': value.get(_field('url')),
                                     'issuetracker_pref': value.get(_field('prefix')),
                                     'issuetracker_desc': value.get(_field('description'))
                                 }
                                 new_uid = md5_safe(values['issuetracker_pat'])
                                 has_required_fields = (
                                     values['issuetracker_pat']
                                     and values['issuetracker_url'])
                                 if has_required_fields:
                                     # validate url that it starts with http or /
                                     # otherwise it can lead to JS injections
                                     # e.g specifig javascript:<malicios code>
                                     if not values['issuetracker_url'].startswith(('http', '/')):
                                         raise formencode.Invalid(
                                             self.message('bad_format', state),
                                             value, state)
                                     settings = [
                                         ('_'.join((key, new_uid)), values[key], 'unicode')
                                         for key in values]
                                     patterns.append(settings)
                         value['patterns'] = patterns
                         delete_patterns = value.get('uid') or []
                         if not isinstance(delete_patterns, (list, tuple)):
                             delete_patterns = [delete_patterns]
                         value['delete_patterns'] = delete_patterns
                         return value
                 return _validator

rhodecode/templates/login.mako

0 +2 -2

             <%inherit file="base/root.mako"/>
             <%def name="title()">
                 ${_('Sign In')}
                 %if c.rhodecode_name:
                     &middot; ${h.branding(c.rhodecode_name)}
                 %endif
             </%def>
             <style>body{background-color:#eeeeee;}</style>
             <div class="loginbox">
                 <div class="header-account">
                     <div id="header-inner" class="title">
                         <div id="logo">
                             <div class="logo-wrapper">
                                 <a href="${h.route_path('home')}"><img src="${h.asset('images/rhodecode-logo-white-60x60.png')}" alt="RhodeCode"/></a>
                             </div>
                             % if c.rhodecode_name:
                             <div class="branding">
                                <a href="${h.route_path('home')}">${h.branding(c.rhodecode_name)}</a>
                             </div>
                             % endif
                         </div>
                     </div>
                 </div>
                 <div class="loginwrapper">
                     <rhodecode-toast id="notifications"></rhodecode-toast>
                     <div class="auth-image-wrapper">
                         <img class="sign-in-image" src="${h.asset('images/sign-in.png')}" alt="RhodeCode"/>
                     </div>
                     <div id="login">
                         <%block name="above_login_button" />
                         <!-- login -->
                         <div class="sign-in-title">
-                            <h1>${_('Sign In using username/password')}</h1>
+                            <h1>${_('Sign In using credentials')}</h1>
                         </div>
                         <div class="inner form">
                             ${h.form(request.route_path('login', _query={'came_from': c.came_from}), needs_csrf_token=False)}
-                                <label for="username">${_('Username')}:</label>
+                                <label for="username">${_('Username or email address')}:</label>
                                 ${h.text('username', class_='focus', value=defaults.get('username'))}
                                 %if 'username' in errors:
                                 <span class="error-message">${errors.get('username')}</span>
                                 <br />
                                 %endif
                                 <label for="password">${_('Password')}:
                                 %if h.HasPermissionAny('hg.password_reset.enabled')():
                                     <div class="pull-right">${h.link_to(_('Forgot your password?'), h.route_path('reset_password'), class_='pwd_reset', tabindex="-1")}</div>
                                 %endif
                                 </label>
                                 ${h.password('password', class_='focus')}
                                 %if 'password' in errors:
                                 <span class="error-message">${errors.get('password')}</span>
                                 <br />
                                 %endif
                                 ${h.checkbox('remember', value=True, checked=defaults.get('remember'))}
                                 <% timeout = request.registry.settings.get('beaker.session.timeout', '0') %>
                                 % if timeout == '0':
                                     <% remember_label = _('Remember my indefinitely') %>
                                 % else:
                                     <% remember_label = _('Remember me for {}').format(h.age_from_seconds(timeout)) %>
                                 % endif
                                 <label class="checkbox" for="remember">${remember_label}</label>
                                 <p class="links">
                                 %if h.HasPermissionAny('hg.admin', 'hg.register.auto_activate', 'hg.register.manual_activate')():
                                     ${h.link_to(_("Create a new account."), request.route_path('register'), class_='new_account')}
                                 %endif
                                 </p>
                                 %if not h.HasPermissionAny('hg.password_reset.enabled')():
                                     ## password reset hidden or disabled.
                                     <p class="help-block">
                                         ${_('Password reset is disabled.')} <br/>
                                         ${_('Please contact ')}
                                         % if c.visual.rhodecode_support_url:
                                             <a href="${c.visual.rhodecode_support_url}" target="_blank">${_('Support')}</a>
                                             ${_('or')}
                                         % endif
                                         ${_('an administrator if you need help.')}
                                     </p>
                                 %endif
                                 ${h.submit('sign_in', _('Sign In'), class_="btn sign-in", title=_('Sign in to {}').format(c.rhodecode_edition))}
                             ${h.end_form()}
                             <script type="text/javascript">
                                 $(document).ready(function(){
                                     $('#username').focus();
                                 })
                             </script>
                         </div>
                         <!-- end login -->
                         <%block name="below_login_button" />
                     </div>
                 </div>
             </div>

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages