##// END OF EJS Templates
api: fixed recursive permissions changes to repo group....
marcink -
r2858:4340ccf9 default
parent child Browse files
Show More
@@ -1,172 +1,174 b''
1 # -*- coding: utf-8 -*-
1 # -*- coding: utf-8 -*-
2
2
3 # Copyright (C) 2010-2018 RhodeCode GmbH
3 # Copyright (C) 2010-2018 RhodeCode GmbH
4 #
4 #
5 # This program is free software: you can redistribute it and/or modify
5 # This program is free software: you can redistribute it and/or modify
6 # it under the terms of the GNU Affero General Public License, version 3
6 # it under the terms of the GNU Affero General Public License, version 3
7 # (only), as published by the Free Software Foundation.
7 # (only), as published by the Free Software Foundation.
8 #
8 #
9 # This program is distributed in the hope that it will be useful,
9 # This program is distributed in the hope that it will be useful,
10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 # GNU General Public License for more details.
12 # GNU General Public License for more details.
13 #
13 #
14 # You should have received a copy of the GNU Affero General Public License
14 # You should have received a copy of the GNU Affero General Public License
15 # along with this program. If not, see <http://www.gnu.org/licenses/>.
15 # along with this program. If not, see <http://www.gnu.org/licenses/>.
16 #
16 #
17 # This program is dual-licensed. If you wish to learn more about the
17 # This program is dual-licensed. If you wish to learn more about the
18 # RhodeCode Enterprise Edition, including its added features, Support services,
18 # RhodeCode Enterprise Edition, including its added features, Support services,
19 # and proprietary license terms, please see https://rhodecode.com/licenses/
19 # and proprietary license terms, please see https://rhodecode.com/licenses/
20
20
21 import mock
21 import mock
22 import pytest
22 import pytest
23
23
24 from rhodecode.model.user import UserModel
24 from rhodecode.model.user import UserModel
25 from rhodecode.model.repo_group import RepoGroupModel
25 from rhodecode.model.repo_group import RepoGroupModel
26 from rhodecode.api.tests.utils import (
26 from rhodecode.api.tests.utils import (
27 build_data, api_call, assert_error, assert_ok, crash)
27 build_data, api_call, assert_error, assert_ok, crash)
28
28
29
29
30 @pytest.mark.usefixtures("testuser_api", "app")
30 @pytest.mark.usefixtures("testuser_api", "app")
31 class TestGrantUserGroupPermissionFromRepoGroup(object):
31 class TestGrantUserGroupPermissionFromRepoGroup(object):
32 @pytest.mark.parametrize("name, perm, apply_to_children", [
32 @pytest.mark.parametrize("name, perm, apply_to_children", [
33 ('none', 'group.none', 'none'),
33 ('none', 'group.none', 'none'),
34 ('read', 'group.read', 'none'),
34 ('read', 'group.read', 'none'),
35 ('write', 'group.write', 'none'),
35 ('write', 'group.write', 'none'),
36 ('admin', 'group.admin', 'none'),
36 ('admin', 'group.admin', 'none'),
37
37
38 ('none', 'group.none', 'all'),
38 ('none', 'group.none', 'all'),
39 ('read', 'group.read', 'all'),
39 ('read', 'group.read', 'all'),
40 ('write', 'group.write', 'all'),
40 ('write', 'group.write', 'all'),
41 ('admin', 'group.admin', 'all'),
41 ('admin', 'group.admin', 'all'),
42
42
43 ('none', 'group.none', 'repos'),
43 ('none', 'group.none', 'repos'),
44 ('read', 'group.read', 'repos'),
44 ('read', 'group.read', 'repos'),
45 ('write', 'group.write', 'repos'),
45 ('write', 'group.write', 'repos'),
46 ('admin', 'group.admin', 'repos'),
46 ('admin', 'group.admin', 'repos'),
47
47
48 ('none', 'group.none', 'groups'),
48 ('none', 'group.none', 'groups'),
49 ('read', 'group.read', 'groups'),
49 ('read', 'group.read', 'groups'),
50 ('write', 'group.write', 'groups'),
50 ('write', 'group.write', 'groups'),
51 ('admin', 'group.admin', 'groups'),
51 ('admin', 'group.admin', 'groups'),
52 ])
52 ])
53 def test_api_grant_user_group_permission_to_repo_group(
53 def test_api_grant_user_group_permission_to_repo_group(
54 self, name, perm, apply_to_children, user_util):
54 self, name, perm, apply_to_children, user_util):
55 user_group = user_util.create_user_group()
55 user_group = user_util.create_user_group()
56 repo_group = user_util.create_repo_group()
56 repo_group = user_util.create_repo_group()
57 user_util.create_repo(parent=repo_group)
58
57 id_, params = build_data(
59 id_, params = build_data(
58 self.apikey,
60 self.apikey,
59 'grant_user_group_permission_to_repo_group',
61 'grant_user_group_permission_to_repo_group',
60 repogroupid=repo_group.name,
62 repogroupid=repo_group.name,
61 usergroupid=user_group.users_group_name,
63 usergroupid=user_group.users_group_name,
62 perm=perm,
64 perm=perm,
63 apply_to_children=apply_to_children,)
65 apply_to_children=apply_to_children,)
64 response = api_call(self.app, params)
66 response = api_call(self.app, params)
65
67
66 ret = {
68 ret = {
67 'msg': (
69 'msg': (
68 'Granted perm: `%s` (recursive:%s) for user group: `%s`'
70 'Granted perm: `%s` (recursive:%s) for user group: `%s`'
69 ' in repo group: `%s`' % (
71 ' in repo group: `%s`' % (
70 perm, apply_to_children, user_group.users_group_name,
72 perm, apply_to_children, user_group.users_group_name,
71 repo_group.name
73 repo_group.name
72 )
74 )
73 ),
75 ),
74 'success': True
76 'success': True
75 }
77 }
76 expected = ret
78 expected = ret
77 try:
79 try:
78 assert_ok(id_, expected, given=response.body)
80 assert_ok(id_, expected, given=response.body)
79 finally:
81 finally:
80 RepoGroupModel().revoke_user_group_permission(
82 RepoGroupModel().revoke_user_group_permission(
81 repo_group.group_id, user_group.users_group_id)
83 repo_group.group_id, user_group.users_group_id)
82
84
83 @pytest.mark.parametrize(
85 @pytest.mark.parametrize(
84 "name, perm, apply_to_children, grant_admin, access_ok", [
86 "name, perm, apply_to_children, grant_admin, access_ok", [
85 ('none_fails', 'group.none', 'none', False, False),
87 ('none_fails', 'group.none', 'none', False, False),
86 ('read_fails', 'group.read', 'none', False, False),
88 ('read_fails', 'group.read', 'none', False, False),
87 ('write_fails', 'group.write', 'none', False, False),
89 ('write_fails', 'group.write', 'none', False, False),
88 ('admin_fails', 'group.admin', 'none', False, False),
90 ('admin_fails', 'group.admin', 'none', False, False),
89
91
90 # with granted perms
92 # with granted perms
91 ('none_ok', 'group.none', 'none', True, True),
93 ('none_ok', 'group.none', 'none', True, True),
92 ('read_ok', 'group.read', 'none', True, True),
94 ('read_ok', 'group.read', 'none', True, True),
93 ('write_ok', 'group.write', 'none', True, True),
95 ('write_ok', 'group.write', 'none', True, True),
94 ('admin_ok', 'group.admin', 'none', True, True),
96 ('admin_ok', 'group.admin', 'none', True, True),
95 ]
97 ]
96 )
98 )
97 def test_api_grant_user_group_permission_to_repo_group_by_regular_user(
99 def test_api_grant_user_group_permission_to_repo_group_by_regular_user(
98 self, name, perm, apply_to_children, grant_admin, access_ok,
100 self, name, perm, apply_to_children, grant_admin, access_ok,
99 user_util):
101 user_util):
100 user = UserModel().get_by_username(self.TEST_USER_LOGIN)
102 user = UserModel().get_by_username(self.TEST_USER_LOGIN)
101 user_group = user_util.create_user_group()
103 user_group = user_util.create_user_group()
102 repo_group = user_util.create_repo_group()
104 repo_group = user_util.create_repo_group()
103 if grant_admin:
105 if grant_admin:
104 user_util.grant_user_permission_to_repo_group(
106 user_util.grant_user_permission_to_repo_group(
105 repo_group, user, 'group.admin')
107 repo_group, user, 'group.admin')
106
108
107 id_, params = build_data(
109 id_, params = build_data(
108 self.apikey_regular,
110 self.apikey_regular,
109 'grant_user_group_permission_to_repo_group',
111 'grant_user_group_permission_to_repo_group',
110 repogroupid=repo_group.name,
112 repogroupid=repo_group.name,
111 usergroupid=user_group.users_group_name,
113 usergroupid=user_group.users_group_name,
112 perm=perm,
114 perm=perm,
113 apply_to_children=apply_to_children,)
115 apply_to_children=apply_to_children,)
114 response = api_call(self.app, params)
116 response = api_call(self.app, params)
115 if access_ok:
117 if access_ok:
116 ret = {
118 ret = {
117 'msg': (
119 'msg': (
118 'Granted perm: `%s` (recursive:%s) for user group: `%s`'
120 'Granted perm: `%s` (recursive:%s) for user group: `%s`'
119 ' in repo group: `%s`' % (
121 ' in repo group: `%s`' % (
120 perm, apply_to_children, user_group.users_group_name,
122 perm, apply_to_children, user_group.users_group_name,
121 repo_group.name
123 repo_group.name
122 )
124 )
123 ),
125 ),
124 'success': True
126 'success': True
125 }
127 }
126 expected = ret
128 expected = ret
127 try:
129 try:
128 assert_ok(id_, expected, given=response.body)
130 assert_ok(id_, expected, given=response.body)
129 finally:
131 finally:
130 RepoGroupModel().revoke_user_group_permission(
132 RepoGroupModel().revoke_user_group_permission(
131 repo_group.group_id, user_group.users_group_id)
133 repo_group.group_id, user_group.users_group_id)
132 else:
134 else:
133 expected = 'repository group `%s` does not exist' % (
135 expected = 'repository group `%s` does not exist' % (
134 repo_group.name,)
136 repo_group.name,)
135 assert_error(id_, expected, given=response.body)
137 assert_error(id_, expected, given=response.body)
136
138
137 def test_api_grant_user_group_permission_to_repo_group_wrong_permission(
139 def test_api_grant_user_group_permission_to_repo_group_wrong_permission(
138 self, user_util):
140 self, user_util):
139 user_group = user_util.create_user_group()
141 user_group = user_util.create_user_group()
140 repo_group = user_util.create_repo_group()
142 repo_group = user_util.create_repo_group()
141 perm = 'haha.no.permission'
143 perm = 'haha.no.permission'
142 id_, params = build_data(
144 id_, params = build_data(
143 self.apikey,
145 self.apikey,
144 'grant_user_group_permission_to_repo_group',
146 'grant_user_group_permission_to_repo_group',
145 repogroupid=repo_group.name,
147 repogroupid=repo_group.name,
146 usergroupid=user_group.users_group_name,
148 usergroupid=user_group.users_group_name,
147 perm=perm)
149 perm=perm)
148 response = api_call(self.app, params)
150 response = api_call(self.app, params)
149
151
150 expected = 'permission `%s` does not exist' % (perm,)
152 expected = 'permission `%s` does not exist' % (perm,)
151 assert_error(id_, expected, given=response.body)
153 assert_error(id_, expected, given=response.body)
152
154
153 @mock.patch.object(RepoGroupModel, 'grant_user_group_permission', crash)
155 @mock.patch.object(RepoGroupModel, 'grant_user_group_permission', crash)
154 def test_api_grant_user_group_permission_exception_when_adding_2(
156 def test_api_grant_user_group_permission_exception_when_adding_2(
155 self, user_util):
157 self, user_util):
156 user_group = user_util.create_user_group()
158 user_group = user_util.create_user_group()
157 repo_group = user_util.create_repo_group()
159 repo_group = user_util.create_repo_group()
158 perm = 'group.read'
160 perm = 'group.read'
159 id_, params = build_data(
161 id_, params = build_data(
160 self.apikey,
162 self.apikey,
161 'grant_user_group_permission_to_repo_group',
163 'grant_user_group_permission_to_repo_group',
162 repogroupid=repo_group.name,
164 repogroupid=repo_group.name,
163 usergroupid=user_group.users_group_name,
165 usergroupid=user_group.users_group_name,
164 perm=perm)
166 perm=perm)
165 response = api_call(self.app, params)
167 response = api_call(self.app, params)
166
168
167 expected = (
169 expected = (
168 'failed to edit permission for user group: `%s`'
170 'failed to edit permission for user group: `%s`'
169 ' in repo group: `%s`' % (
171 ' in repo group: `%s`' % (
170 user_group.users_group_name, repo_group.name)
172 user_group.users_group_name, repo_group.name)
171 )
173 )
172 assert_error(id_, expected, given=response.body)
174 assert_error(id_, expected, given=response.body)
@@ -1,719 +1,719 b''
1 # -*- coding: utf-8 -*-
1 # -*- coding: utf-8 -*-
2
2
3 # Copyright (C) 2011-2018 RhodeCode GmbH
3 # Copyright (C) 2011-2018 RhodeCode GmbH
4 #
4 #
5 # This program is free software: you can redistribute it and/or modify
5 # This program is free software: you can redistribute it and/or modify
6 # it under the terms of the GNU Affero General Public License, version 3
6 # it under the terms of the GNU Affero General Public License, version 3
7 # (only), as published by the Free Software Foundation.
7 # (only), as published by the Free Software Foundation.
8 #
8 #
9 # This program is distributed in the hope that it will be useful,
9 # This program is distributed in the hope that it will be useful,
10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 # GNU General Public License for more details.
12 # GNU General Public License for more details.
13 #
13 #
14 # You should have received a copy of the GNU Affero General Public License
14 # You should have received a copy of the GNU Affero General Public License
15 # along with this program. If not, see <http://www.gnu.org/licenses/>.
15 # along with this program. If not, see <http://www.gnu.org/licenses/>.
16 #
16 #
17 # This program is dual-licensed. If you wish to learn more about the
17 # This program is dual-licensed. If you wish to learn more about the
18 # RhodeCode Enterprise Edition, including its added features, Support services,
18 # RhodeCode Enterprise Edition, including its added features, Support services,
19 # and proprietary license terms, please see https://rhodecode.com/licenses/
19 # and proprietary license terms, please see https://rhodecode.com/licenses/
20
20
21
21
22 import logging
22 import logging
23
23
24 from rhodecode.api import JSONRPCValidationError
24 from rhodecode.api import JSONRPCValidationError
25 from rhodecode.api import jsonrpc_method, JSONRPCError
25 from rhodecode.api import jsonrpc_method, JSONRPCError
26 from rhodecode.api.utils import (
26 from rhodecode.api.utils import (
27 has_superadmin_permission, Optional, OAttr, get_user_or_error,
27 has_superadmin_permission, Optional, OAttr, get_user_or_error,
28 get_repo_group_or_error, get_perm_or_error, get_user_group_or_error,
28 get_repo_group_or_error, get_perm_or_error, get_user_group_or_error,
29 get_origin, validate_repo_group_permissions, validate_set_owner_permissions)
29 get_origin, validate_repo_group_permissions, validate_set_owner_permissions)
30 from rhodecode.lib import audit_logger
30 from rhodecode.lib import audit_logger
31 from rhodecode.lib.auth import (
31 from rhodecode.lib.auth import (
32 HasRepoGroupPermissionAnyApi, HasUserGroupPermissionAnyApi)
32 HasRepoGroupPermissionAnyApi, HasUserGroupPermissionAnyApi)
33 from rhodecode.model.db import Session
33 from rhodecode.model.db import Session
34 from rhodecode.model.repo_group import RepoGroupModel
34 from rhodecode.model.repo_group import RepoGroupModel
35 from rhodecode.model.scm import RepoGroupList
35 from rhodecode.model.scm import RepoGroupList
36 from rhodecode.model import validation_schema
36 from rhodecode.model import validation_schema
37 from rhodecode.model.validation_schema.schemas import repo_group_schema
37 from rhodecode.model.validation_schema.schemas import repo_group_schema
38
38
39
39
40 log = logging.getLogger(__name__)
40 log = logging.getLogger(__name__)
41
41
42
42
43 @jsonrpc_method()
43 @jsonrpc_method()
44 def get_repo_group(request, apiuser, repogroupid):
44 def get_repo_group(request, apiuser, repogroupid):
45 """
45 """
46 Return the specified |repo| group, along with permissions,
46 Return the specified |repo| group, along with permissions,
47 and repositories inside the group
47 and repositories inside the group
48
48
49 :param apiuser: This is filled automatically from the |authtoken|.
49 :param apiuser: This is filled automatically from the |authtoken|.
50 :type apiuser: AuthUser
50 :type apiuser: AuthUser
51 :param repogroupid: Specify the name of ID of the repository group.
51 :param repogroupid: Specify the name of ID of the repository group.
52 :type repogroupid: str or int
52 :type repogroupid: str or int
53
53
54
54
55 Example output:
55 Example output:
56
56
57 .. code-block:: bash
57 .. code-block:: bash
58
58
59 {
59 {
60 "error": null,
60 "error": null,
61 "id": repo-group-id,
61 "id": repo-group-id,
62 "result": {
62 "result": {
63 "group_description": "repo group description",
63 "group_description": "repo group description",
64 "group_id": 14,
64 "group_id": 14,
65 "group_name": "group name",
65 "group_name": "group name",
66 "permissions": [
66 "permissions": [
67 {
67 {
68 "name": "super-admin-username",
68 "name": "super-admin-username",
69 "origin": "super-admin",
69 "origin": "super-admin",
70 "permission": "group.admin",
70 "permission": "group.admin",
71 "type": "user"
71 "type": "user"
72 },
72 },
73 {
73 {
74 "name": "owner-name",
74 "name": "owner-name",
75 "origin": "owner",
75 "origin": "owner",
76 "permission": "group.admin",
76 "permission": "group.admin",
77 "type": "user"
77 "type": "user"
78 },
78 },
79 {
79 {
80 "name": "user-group-name",
80 "name": "user-group-name",
81 "origin": "permission",
81 "origin": "permission",
82 "permission": "group.write",
82 "permission": "group.write",
83 "type": "user_group"
83 "type": "user_group"
84 }
84 }
85 ],
85 ],
86 "owner": "owner-name",
86 "owner": "owner-name",
87 "parent_group": null,
87 "parent_group": null,
88 "repositories": [ repo-list ]
88 "repositories": [ repo-list ]
89 }
89 }
90 }
90 }
91 """
91 """
92
92
93 repo_group = get_repo_group_or_error(repogroupid)
93 repo_group = get_repo_group_or_error(repogroupid)
94 if not has_superadmin_permission(apiuser):
94 if not has_superadmin_permission(apiuser):
95 # check if we have at least read permission for this repo group !
95 # check if we have at least read permission for this repo group !
96 _perms = ('group.admin', 'group.write', 'group.read',)
96 _perms = ('group.admin', 'group.write', 'group.read',)
97 if not HasRepoGroupPermissionAnyApi(*_perms)(
97 if not HasRepoGroupPermissionAnyApi(*_perms)(
98 user=apiuser, group_name=repo_group.group_name):
98 user=apiuser, group_name=repo_group.group_name):
99 raise JSONRPCError(
99 raise JSONRPCError(
100 'repository group `%s` does not exist' % (repogroupid,))
100 'repository group `%s` does not exist' % (repogroupid,))
101
101
102 permissions = []
102 permissions = []
103 for _user in repo_group.permissions():
103 for _user in repo_group.permissions():
104 user_data = {
104 user_data = {
105 'name': _user.username,
105 'name': _user.username,
106 'permission': _user.permission,
106 'permission': _user.permission,
107 'origin': get_origin(_user),
107 'origin': get_origin(_user),
108 'type': "user",
108 'type': "user",
109 }
109 }
110 permissions.append(user_data)
110 permissions.append(user_data)
111
111
112 for _user_group in repo_group.permission_user_groups():
112 for _user_group in repo_group.permission_user_groups():
113 user_group_data = {
113 user_group_data = {
114 'name': _user_group.users_group_name,
114 'name': _user_group.users_group_name,
115 'permission': _user_group.permission,
115 'permission': _user_group.permission,
116 'origin': get_origin(_user_group),
116 'origin': get_origin(_user_group),
117 'type': "user_group",
117 'type': "user_group",
118 }
118 }
119 permissions.append(user_group_data)
119 permissions.append(user_group_data)
120
120
121 data = repo_group.get_api_data()
121 data = repo_group.get_api_data()
122 data["permissions"] = permissions
122 data["permissions"] = permissions
123 return data
123 return data
124
124
125
125
126 @jsonrpc_method()
126 @jsonrpc_method()
127 def get_repo_groups(request, apiuser):
127 def get_repo_groups(request, apiuser):
128 """
128 """
129 Returns all repository groups.
129 Returns all repository groups.
130
130
131 :param apiuser: This is filled automatically from the |authtoken|.
131 :param apiuser: This is filled automatically from the |authtoken|.
132 :type apiuser: AuthUser
132 :type apiuser: AuthUser
133 """
133 """
134
134
135 result = []
135 result = []
136 _perms = ('group.read', 'group.write', 'group.admin',)
136 _perms = ('group.read', 'group.write', 'group.admin',)
137 extras = {'user': apiuser}
137 extras = {'user': apiuser}
138 for repo_group in RepoGroupList(RepoGroupModel().get_all(),
138 for repo_group in RepoGroupList(RepoGroupModel().get_all(),
139 perm_set=_perms, extra_kwargs=extras):
139 perm_set=_perms, extra_kwargs=extras):
140 result.append(repo_group.get_api_data())
140 result.append(repo_group.get_api_data())
141 return result
141 return result
142
142
143
143
144 @jsonrpc_method()
144 @jsonrpc_method()
145 def create_repo_group(
145 def create_repo_group(
146 request, apiuser, group_name,
146 request, apiuser, group_name,
147 owner=Optional(OAttr('apiuser')),
147 owner=Optional(OAttr('apiuser')),
148 description=Optional(''),
148 description=Optional(''),
149 copy_permissions=Optional(False)):
149 copy_permissions=Optional(False)):
150 """
150 """
151 Creates a repository group.
151 Creates a repository group.
152
152
153 * If the repository group name contains "/", repository group will be
153 * If the repository group name contains "/", repository group will be
154 created inside a repository group or nested repository groups
154 created inside a repository group or nested repository groups
155
155
156 For example "foo/bar/group1" will create repository group called "group1"
156 For example "foo/bar/group1" will create repository group called "group1"
157 inside group "foo/bar". You have to have permissions to access and
157 inside group "foo/bar". You have to have permissions to access and
158 write to the last repository group ("bar" in this example)
158 write to the last repository group ("bar" in this example)
159
159
160 This command can only be run using an |authtoken| with at least
160 This command can only be run using an |authtoken| with at least
161 permissions to create repository groups, or admin permissions to
161 permissions to create repository groups, or admin permissions to
162 parent repository groups.
162 parent repository groups.
163
163
164 :param apiuser: This is filled automatically from the |authtoken|.
164 :param apiuser: This is filled automatically from the |authtoken|.
165 :type apiuser: AuthUser
165 :type apiuser: AuthUser
166 :param group_name: Set the repository group name.
166 :param group_name: Set the repository group name.
167 :type group_name: str
167 :type group_name: str
168 :param description: Set the |repo| group description.
168 :param description: Set the |repo| group description.
169 :type description: str
169 :type description: str
170 :param owner: Set the |repo| group owner.
170 :param owner: Set the |repo| group owner.
171 :type owner: str
171 :type owner: str
172 :param copy_permissions:
172 :param copy_permissions:
173 :type copy_permissions:
173 :type copy_permissions:
174
174
175 Example output:
175 Example output:
176
176
177 .. code-block:: bash
177 .. code-block:: bash
178
178
179 id : <id_given_in_input>
179 id : <id_given_in_input>
180 result : {
180 result : {
181 "msg": "Created new repo group `<repo_group_name>`"
181 "msg": "Created new repo group `<repo_group_name>`"
182 "repo_group": <repogroup_object>
182 "repo_group": <repogroup_object>
183 }
183 }
184 error : null
184 error : null
185
185
186
186
187 Example error output:
187 Example error output:
188
188
189 .. code-block:: bash
189 .. code-block:: bash
190
190
191 id : <id_given_in_input>
191 id : <id_given_in_input>
192 result : null
192 result : null
193 error : {
193 error : {
194 failed to create repo group `<repogroupid>`
194 failed to create repo group `<repogroupid>`
195 }
195 }
196
196
197 """
197 """
198
198
199 owner = validate_set_owner_permissions(apiuser, owner)
199 owner = validate_set_owner_permissions(apiuser, owner)
200
200
201 description = Optional.extract(description)
201 description = Optional.extract(description)
202 copy_permissions = Optional.extract(copy_permissions)
202 copy_permissions = Optional.extract(copy_permissions)
203
203
204 schema = repo_group_schema.RepoGroupSchema().bind(
204 schema = repo_group_schema.RepoGroupSchema().bind(
205 # user caller
205 # user caller
206 user=apiuser)
206 user=apiuser)
207
207
208 try:
208 try:
209 schema_data = schema.deserialize(dict(
209 schema_data = schema.deserialize(dict(
210 repo_group_name=group_name,
210 repo_group_name=group_name,
211 repo_group_owner=owner.username,
211 repo_group_owner=owner.username,
212 repo_group_description=description,
212 repo_group_description=description,
213 repo_group_copy_permissions=copy_permissions,
213 repo_group_copy_permissions=copy_permissions,
214 ))
214 ))
215 except validation_schema.Invalid as err:
215 except validation_schema.Invalid as err:
216 raise JSONRPCValidationError(colander_exc=err)
216 raise JSONRPCValidationError(colander_exc=err)
217
217
218 validated_group_name = schema_data['repo_group_name']
218 validated_group_name = schema_data['repo_group_name']
219
219
220 try:
220 try:
221 repo_group = RepoGroupModel().create(
221 repo_group = RepoGroupModel().create(
222 owner=owner,
222 owner=owner,
223 group_name=validated_group_name,
223 group_name=validated_group_name,
224 group_description=schema_data['repo_group_description'],
224 group_description=schema_data['repo_group_description'],
225 copy_permissions=schema_data['repo_group_copy_permissions'])
225 copy_permissions=schema_data['repo_group_copy_permissions'])
226 Session().flush()
226 Session().flush()
227
227
228 repo_group_data = repo_group.get_api_data()
228 repo_group_data = repo_group.get_api_data()
229 audit_logger.store_api(
229 audit_logger.store_api(
230 'repo_group.create', action_data={'data': repo_group_data},
230 'repo_group.create', action_data={'data': repo_group_data},
231 user=apiuser)
231 user=apiuser)
232
232
233 Session().commit()
233 Session().commit()
234 return {
234 return {
235 'msg': 'Created new repo group `%s`' % validated_group_name,
235 'msg': 'Created new repo group `%s`' % validated_group_name,
236 'repo_group': repo_group.get_api_data()
236 'repo_group': repo_group.get_api_data()
237 }
237 }
238 except Exception:
238 except Exception:
239 log.exception("Exception occurred while trying create repo group")
239 log.exception("Exception occurred while trying create repo group")
240 raise JSONRPCError(
240 raise JSONRPCError(
241 'failed to create repo group `%s`' % (validated_group_name,))
241 'failed to create repo group `%s`' % (validated_group_name,))
242
242
243
243
244 @jsonrpc_method()
244 @jsonrpc_method()
245 def update_repo_group(
245 def update_repo_group(
246 request, apiuser, repogroupid, group_name=Optional(''),
246 request, apiuser, repogroupid, group_name=Optional(''),
247 description=Optional(''), owner=Optional(OAttr('apiuser')),
247 description=Optional(''), owner=Optional(OAttr('apiuser')),
248 enable_locking=Optional(False)):
248 enable_locking=Optional(False)):
249 """
249 """
250 Updates repository group with the details given.
250 Updates repository group with the details given.
251
251
252 This command can only be run using an |authtoken| with admin
252 This command can only be run using an |authtoken| with admin
253 permissions.
253 permissions.
254
254
255 * If the group_name name contains "/", repository group will be updated
255 * If the group_name name contains "/", repository group will be updated
256 accordingly with a repository group or nested repository groups
256 accordingly with a repository group or nested repository groups
257
257
258 For example repogroupid=group-test group_name="foo/bar/group-test"
258 For example repogroupid=group-test group_name="foo/bar/group-test"
259 will update repository group called "group-test" and place it
259 will update repository group called "group-test" and place it
260 inside group "foo/bar".
260 inside group "foo/bar".
261 You have to have permissions to access and write to the last repository
261 You have to have permissions to access and write to the last repository
262 group ("bar" in this example)
262 group ("bar" in this example)
263
263
264 :param apiuser: This is filled automatically from the |authtoken|.
264 :param apiuser: This is filled automatically from the |authtoken|.
265 :type apiuser: AuthUser
265 :type apiuser: AuthUser
266 :param repogroupid: Set the ID of repository group.
266 :param repogroupid: Set the ID of repository group.
267 :type repogroupid: str or int
267 :type repogroupid: str or int
268 :param group_name: Set the name of the |repo| group.
268 :param group_name: Set the name of the |repo| group.
269 :type group_name: str
269 :type group_name: str
270 :param description: Set a description for the group.
270 :param description: Set a description for the group.
271 :type description: str
271 :type description: str
272 :param owner: Set the |repo| group owner.
272 :param owner: Set the |repo| group owner.
273 :type owner: str
273 :type owner: str
274 :param enable_locking: Enable |repo| locking. The default is false.
274 :param enable_locking: Enable |repo| locking. The default is false.
275 :type enable_locking: bool
275 :type enable_locking: bool
276 """
276 """
277
277
278 repo_group = get_repo_group_or_error(repogroupid)
278 repo_group = get_repo_group_or_error(repogroupid)
279
279
280 if not has_superadmin_permission(apiuser):
280 if not has_superadmin_permission(apiuser):
281 validate_repo_group_permissions(
281 validate_repo_group_permissions(
282 apiuser, repogroupid, repo_group, ('group.admin',))
282 apiuser, repogroupid, repo_group, ('group.admin',))
283
283
284 updates = dict(
284 updates = dict(
285 group_name=group_name
285 group_name=group_name
286 if not isinstance(group_name, Optional) else repo_group.group_name,
286 if not isinstance(group_name, Optional) else repo_group.group_name,
287
287
288 group_description=description
288 group_description=description
289 if not isinstance(description, Optional) else repo_group.group_description,
289 if not isinstance(description, Optional) else repo_group.group_description,
290
290
291 user=owner
291 user=owner
292 if not isinstance(owner, Optional) else repo_group.user.username,
292 if not isinstance(owner, Optional) else repo_group.user.username,
293
293
294 enable_locking=enable_locking
294 enable_locking=enable_locking
295 if not isinstance(enable_locking, Optional) else repo_group.enable_locking
295 if not isinstance(enable_locking, Optional) else repo_group.enable_locking
296 )
296 )
297
297
298 schema = repo_group_schema.RepoGroupSchema().bind(
298 schema = repo_group_schema.RepoGroupSchema().bind(
299 # user caller
299 # user caller
300 user=apiuser,
300 user=apiuser,
301 old_values=repo_group.get_api_data())
301 old_values=repo_group.get_api_data())
302
302
303 try:
303 try:
304 schema_data = schema.deserialize(dict(
304 schema_data = schema.deserialize(dict(
305 repo_group_name=updates['group_name'],
305 repo_group_name=updates['group_name'],
306 repo_group_owner=updates['user'],
306 repo_group_owner=updates['user'],
307 repo_group_description=updates['group_description'],
307 repo_group_description=updates['group_description'],
308 repo_group_enable_locking=updates['enable_locking'],
308 repo_group_enable_locking=updates['enable_locking'],
309 ))
309 ))
310 except validation_schema.Invalid as err:
310 except validation_schema.Invalid as err:
311 raise JSONRPCValidationError(colander_exc=err)
311 raise JSONRPCValidationError(colander_exc=err)
312
312
313 validated_updates = dict(
313 validated_updates = dict(
314 group_name=schema_data['repo_group']['repo_group_name_without_group'],
314 group_name=schema_data['repo_group']['repo_group_name_without_group'],
315 group_parent_id=schema_data['repo_group']['repo_group_id'],
315 group_parent_id=schema_data['repo_group']['repo_group_id'],
316 user=schema_data['repo_group_owner'],
316 user=schema_data['repo_group_owner'],
317 group_description=schema_data['repo_group_description'],
317 group_description=schema_data['repo_group_description'],
318 enable_locking=schema_data['repo_group_enable_locking'],
318 enable_locking=schema_data['repo_group_enable_locking'],
319 )
319 )
320
320
321 old_data = repo_group.get_api_data()
321 old_data = repo_group.get_api_data()
322 try:
322 try:
323 RepoGroupModel().update(repo_group, validated_updates)
323 RepoGroupModel().update(repo_group, validated_updates)
324 audit_logger.store_api(
324 audit_logger.store_api(
325 'repo_group.edit', action_data={'old_data': old_data},
325 'repo_group.edit', action_data={'old_data': old_data},
326 user=apiuser)
326 user=apiuser)
327
327
328 Session().commit()
328 Session().commit()
329 return {
329 return {
330 'msg': 'updated repository group ID:%s %s' % (
330 'msg': 'updated repository group ID:%s %s' % (
331 repo_group.group_id, repo_group.group_name),
331 repo_group.group_id, repo_group.group_name),
332 'repo_group': repo_group.get_api_data()
332 'repo_group': repo_group.get_api_data()
333 }
333 }
334 except Exception:
334 except Exception:
335 log.exception(
335 log.exception(
336 u"Exception occurred while trying update repo group %s",
336 u"Exception occurred while trying update repo group %s",
337 repogroupid)
337 repogroupid)
338 raise JSONRPCError('failed to update repository group `%s`'
338 raise JSONRPCError('failed to update repository group `%s`'
339 % (repogroupid,))
339 % (repogroupid,))
340
340
341
341
342 @jsonrpc_method()
342 @jsonrpc_method()
343 def delete_repo_group(request, apiuser, repogroupid):
343 def delete_repo_group(request, apiuser, repogroupid):
344 """
344 """
345 Deletes a |repo| group.
345 Deletes a |repo| group.
346
346
347 :param apiuser: This is filled automatically from the |authtoken|.
347 :param apiuser: This is filled automatically from the |authtoken|.
348 :type apiuser: AuthUser
348 :type apiuser: AuthUser
349 :param repogroupid: Set the name or ID of repository group to be
349 :param repogroupid: Set the name or ID of repository group to be
350 deleted.
350 deleted.
351 :type repogroupid: str or int
351 :type repogroupid: str or int
352
352
353 Example output:
353 Example output:
354
354
355 .. code-block:: bash
355 .. code-block:: bash
356
356
357 id : <id_given_in_input>
357 id : <id_given_in_input>
358 result : {
358 result : {
359 'msg': 'deleted repo group ID:<repogroupid> <repogroupname>'
359 'msg': 'deleted repo group ID:<repogroupid> <repogroupname>'
360 'repo_group': null
360 'repo_group': null
361 }
361 }
362 error : null
362 error : null
363
363
364 Example error output:
364 Example error output:
365
365
366 .. code-block:: bash
366 .. code-block:: bash
367
367
368 id : <id_given_in_input>
368 id : <id_given_in_input>
369 result : null
369 result : null
370 error : {
370 error : {
371 "failed to delete repo group ID:<repogroupid> <repogroupname>"
371 "failed to delete repo group ID:<repogroupid> <repogroupname>"
372 }
372 }
373
373
374 """
374 """
375
375
376 repo_group = get_repo_group_or_error(repogroupid)
376 repo_group = get_repo_group_or_error(repogroupid)
377 if not has_superadmin_permission(apiuser):
377 if not has_superadmin_permission(apiuser):
378 validate_repo_group_permissions(
378 validate_repo_group_permissions(
379 apiuser, repogroupid, repo_group, ('group.admin',))
379 apiuser, repogroupid, repo_group, ('group.admin',))
380
380
381 old_data = repo_group.get_api_data()
381 old_data = repo_group.get_api_data()
382 try:
382 try:
383 RepoGroupModel().delete(repo_group)
383 RepoGroupModel().delete(repo_group)
384 audit_logger.store_api(
384 audit_logger.store_api(
385 'repo_group.delete', action_data={'old_data': old_data},
385 'repo_group.delete', action_data={'old_data': old_data},
386 user=apiuser)
386 user=apiuser)
387 Session().commit()
387 Session().commit()
388 return {
388 return {
389 'msg': 'deleted repo group ID:%s %s' %
389 'msg': 'deleted repo group ID:%s %s' %
390 (repo_group.group_id, repo_group.group_name),
390 (repo_group.group_id, repo_group.group_name),
391 'repo_group': None
391 'repo_group': None
392 }
392 }
393 except Exception:
393 except Exception:
394 log.exception("Exception occurred while trying to delete repo group")
394 log.exception("Exception occurred while trying to delete repo group")
395 raise JSONRPCError('failed to delete repo group ID:%s %s' %
395 raise JSONRPCError('failed to delete repo group ID:%s %s' %
396 (repo_group.group_id, repo_group.group_name))
396 (repo_group.group_id, repo_group.group_name))
397
397
398
398
399 @jsonrpc_method()
399 @jsonrpc_method()
400 def grant_user_permission_to_repo_group(
400 def grant_user_permission_to_repo_group(
401 request, apiuser, repogroupid, userid, perm,
401 request, apiuser, repogroupid, userid, perm,
402 apply_to_children=Optional('none')):
402 apply_to_children=Optional('none')):
403 """
403 """
404 Grant permission for a user on the given repository group, or update
404 Grant permission for a user on the given repository group, or update
405 existing permissions if found.
405 existing permissions if found.
406
406
407 This command can only be run using an |authtoken| with admin
407 This command can only be run using an |authtoken| with admin
408 permissions.
408 permissions.
409
409
410 :param apiuser: This is filled automatically from the |authtoken|.
410 :param apiuser: This is filled automatically from the |authtoken|.
411 :type apiuser: AuthUser
411 :type apiuser: AuthUser
412 :param repogroupid: Set the name or ID of repository group.
412 :param repogroupid: Set the name or ID of repository group.
413 :type repogroupid: str or int
413 :type repogroupid: str or int
414 :param userid: Set the user name.
414 :param userid: Set the user name.
415 :type userid: str
415 :type userid: str
416 :param perm: (group.(none|read|write|admin))
416 :param perm: (group.(none|read|write|admin))
417 :type perm: str
417 :type perm: str
418 :param apply_to_children: 'none', 'repos', 'groups', 'all'
418 :param apply_to_children: 'none', 'repos', 'groups', 'all'
419 :type apply_to_children: str
419 :type apply_to_children: str
420
420
421 Example output:
421 Example output:
422
422
423 .. code-block:: bash
423 .. code-block:: bash
424
424
425 id : <id_given_in_input>
425 id : <id_given_in_input>
426 result: {
426 result: {
427 "msg" : "Granted perm: `<perm>` (recursive:<apply_to_children>) for user: `<username>` in repo group: `<repo_group_name>`",
427 "msg" : "Granted perm: `<perm>` (recursive:<apply_to_children>) for user: `<username>` in repo group: `<repo_group_name>`",
428 "success": true
428 "success": true
429 }
429 }
430 error: null
430 error: null
431
431
432 Example error output:
432 Example error output:
433
433
434 .. code-block:: bash
434 .. code-block:: bash
435
435
436 id : <id_given_in_input>
436 id : <id_given_in_input>
437 result : null
437 result : null
438 error : {
438 error : {
439 "failed to edit permission for user: `<userid>` in repo group: `<repo_group_name>`"
439 "failed to edit permission for user: `<userid>` in repo group: `<repo_group_name>`"
440 }
440 }
441
441
442 """
442 """
443
443
444 repo_group = get_repo_group_or_error(repogroupid)
444 repo_group = get_repo_group_or_error(repogroupid)
445
445
446 if not has_superadmin_permission(apiuser):
446 if not has_superadmin_permission(apiuser):
447 validate_repo_group_permissions(
447 validate_repo_group_permissions(
448 apiuser, repogroupid, repo_group, ('group.admin',))
448 apiuser, repogroupid, repo_group, ('group.admin',))
449
449
450 user = get_user_or_error(userid)
450 user = get_user_or_error(userid)
451 perm = get_perm_or_error(perm, prefix='group.')
451 perm = get_perm_or_error(perm, prefix='group.')
452 apply_to_children = Optional.extract(apply_to_children)
452 apply_to_children = Optional.extract(apply_to_children)
453
453
454 perm_additions = [[user.user_id, perm, "user"]]
454 perm_additions = [[user.user_id, perm.permission_name, "user"]]
455 try:
455 try:
456 RepoGroupModel().update_permissions(repo_group=repo_group,
456 RepoGroupModel().update_permissions(repo_group=repo_group,
457 perm_additions=perm_additions,
457 perm_additions=perm_additions,
458 recursive=apply_to_children,
458 recursive=apply_to_children,
459 cur_user=apiuser)
459 cur_user=apiuser)
460 Session().commit()
460 Session().commit()
461 return {
461 return {
462 'msg': 'Granted perm: `%s` (recursive:%s) for user: '
462 'msg': 'Granted perm: `%s` (recursive:%s) for user: '
463 '`%s` in repo group: `%s`' % (
463 '`%s` in repo group: `%s`' % (
464 perm.permission_name, apply_to_children, user.username,
464 perm.permission_name, apply_to_children, user.username,
465 repo_group.name
465 repo_group.name
466 ),
466 ),
467 'success': True
467 'success': True
468 }
468 }
469 except Exception:
469 except Exception:
470 log.exception("Exception occurred while trying to grant "
470 log.exception("Exception occurred while trying to grant "
471 "user permissions to repo group")
471 "user permissions to repo group")
472 raise JSONRPCError(
472 raise JSONRPCError(
473 'failed to edit permission for user: '
473 'failed to edit permission for user: '
474 '`%s` in repo group: `%s`' % (userid, repo_group.name))
474 '`%s` in repo group: `%s`' % (userid, repo_group.name))
475
475
476
476
477 @jsonrpc_method()
477 @jsonrpc_method()
478 def revoke_user_permission_from_repo_group(
478 def revoke_user_permission_from_repo_group(
479 request, apiuser, repogroupid, userid,
479 request, apiuser, repogroupid, userid,
480 apply_to_children=Optional('none')):
480 apply_to_children=Optional('none')):
481 """
481 """
482 Revoke permission for a user in a given repository group.
482 Revoke permission for a user in a given repository group.
483
483
484 This command can only be run using an |authtoken| with admin
484 This command can only be run using an |authtoken| with admin
485 permissions on the |repo| group.
485 permissions on the |repo| group.
486
486
487 :param apiuser: This is filled automatically from the |authtoken|.
487 :param apiuser: This is filled automatically from the |authtoken|.
488 :type apiuser: AuthUser
488 :type apiuser: AuthUser
489 :param repogroupid: Set the name or ID of the repository group.
489 :param repogroupid: Set the name or ID of the repository group.
490 :type repogroupid: str or int
490 :type repogroupid: str or int
491 :param userid: Set the user name to revoke.
491 :param userid: Set the user name to revoke.
492 :type userid: str
492 :type userid: str
493 :param apply_to_children: 'none', 'repos', 'groups', 'all'
493 :param apply_to_children: 'none', 'repos', 'groups', 'all'
494 :type apply_to_children: str
494 :type apply_to_children: str
495
495
496 Example output:
496 Example output:
497
497
498 .. code-block:: bash
498 .. code-block:: bash
499
499
500 id : <id_given_in_input>
500 id : <id_given_in_input>
501 result: {
501 result: {
502 "msg" : "Revoked perm (recursive:<apply_to_children>) for user: `<username>` in repo group: `<repo_group_name>`",
502 "msg" : "Revoked perm (recursive:<apply_to_children>) for user: `<username>` in repo group: `<repo_group_name>`",
503 "success": true
503 "success": true
504 }
504 }
505 error: null
505 error: null
506
506
507 Example error output:
507 Example error output:
508
508
509 .. code-block:: bash
509 .. code-block:: bash
510
510
511 id : <id_given_in_input>
511 id : <id_given_in_input>
512 result : null
512 result : null
513 error : {
513 error : {
514 "failed to edit permission for user: `<userid>` in repo group: `<repo_group_name>`"
514 "failed to edit permission for user: `<userid>` in repo group: `<repo_group_name>`"
515 }
515 }
516
516
517 """
517 """
518
518
519 repo_group = get_repo_group_or_error(repogroupid)
519 repo_group = get_repo_group_or_error(repogroupid)
520
520
521 if not has_superadmin_permission(apiuser):
521 if not has_superadmin_permission(apiuser):
522 validate_repo_group_permissions(
522 validate_repo_group_permissions(
523 apiuser, repogroupid, repo_group, ('group.admin',))
523 apiuser, repogroupid, repo_group, ('group.admin',))
524
524
525 user = get_user_or_error(userid)
525 user = get_user_or_error(userid)
526 apply_to_children = Optional.extract(apply_to_children)
526 apply_to_children = Optional.extract(apply_to_children)
527
527
528 perm_deletions = [[user.user_id, None, "user"]]
528 perm_deletions = [[user.user_id, None, "user"]]
529 try:
529 try:
530 RepoGroupModel().update_permissions(repo_group=repo_group,
530 RepoGroupModel().update_permissions(repo_group=repo_group,
531 perm_deletions=perm_deletions,
531 perm_deletions=perm_deletions,
532 recursive=apply_to_children,
532 recursive=apply_to_children,
533 cur_user=apiuser)
533 cur_user=apiuser)
534 Session().commit()
534 Session().commit()
535 return {
535 return {
536 'msg': 'Revoked perm (recursive:%s) for user: '
536 'msg': 'Revoked perm (recursive:%s) for user: '
537 '`%s` in repo group: `%s`' % (
537 '`%s` in repo group: `%s`' % (
538 apply_to_children, user.username, repo_group.name
538 apply_to_children, user.username, repo_group.name
539 ),
539 ),
540 'success': True
540 'success': True
541 }
541 }
542 except Exception:
542 except Exception:
543 log.exception("Exception occurred while trying revoke user "
543 log.exception("Exception occurred while trying revoke user "
544 "permission from repo group")
544 "permission from repo group")
545 raise JSONRPCError(
545 raise JSONRPCError(
546 'failed to edit permission for user: '
546 'failed to edit permission for user: '
547 '`%s` in repo group: `%s`' % (userid, repo_group.name))
547 '`%s` in repo group: `%s`' % (userid, repo_group.name))
548
548
549
549
550 @jsonrpc_method()
550 @jsonrpc_method()
551 def grant_user_group_permission_to_repo_group(
551 def grant_user_group_permission_to_repo_group(
552 request, apiuser, repogroupid, usergroupid, perm,
552 request, apiuser, repogroupid, usergroupid, perm,
553 apply_to_children=Optional('none'), ):
553 apply_to_children=Optional('none'), ):
554 """
554 """
555 Grant permission for a user group on given repository group, or update
555 Grant permission for a user group on given repository group, or update
556 existing permissions if found.
556 existing permissions if found.
557
557
558 This command can only be run using an |authtoken| with admin
558 This command can only be run using an |authtoken| with admin
559 permissions on the |repo| group.
559 permissions on the |repo| group.
560
560
561 :param apiuser: This is filled automatically from the |authtoken|.
561 :param apiuser: This is filled automatically from the |authtoken|.
562 :type apiuser: AuthUser
562 :type apiuser: AuthUser
563 :param repogroupid: Set the name or id of repository group
563 :param repogroupid: Set the name or id of repository group
564 :type repogroupid: str or int
564 :type repogroupid: str or int
565 :param usergroupid: id of usergroup
565 :param usergroupid: id of usergroup
566 :type usergroupid: str or int
566 :type usergroupid: str or int
567 :param perm: (group.(none|read|write|admin))
567 :param perm: (group.(none|read|write|admin))
568 :type perm: str
568 :type perm: str
569 :param apply_to_children: 'none', 'repos', 'groups', 'all'
569 :param apply_to_children: 'none', 'repos', 'groups', 'all'
570 :type apply_to_children: str
570 :type apply_to_children: str
571
571
572 Example output:
572 Example output:
573
573
574 .. code-block:: bash
574 .. code-block:: bash
575
575
576 id : <id_given_in_input>
576 id : <id_given_in_input>
577 result : {
577 result : {
578 "msg" : "Granted perm: `<perm>` (recursive:<apply_to_children>) for user group: `<usersgroupname>` in repo group: `<repo_group_name>`",
578 "msg" : "Granted perm: `<perm>` (recursive:<apply_to_children>) for user group: `<usersgroupname>` in repo group: `<repo_group_name>`",
579 "success": true
579 "success": true
580
580
581 }
581 }
582 error : null
582 error : null
583
583
584 Example error output:
584 Example error output:
585
585
586 .. code-block:: bash
586 .. code-block:: bash
587
587
588 id : <id_given_in_input>
588 id : <id_given_in_input>
589 result : null
589 result : null
590 error : {
590 error : {
591 "failed to edit permission for user group: `<usergroup>` in repo group: `<repo_group_name>`"
591 "failed to edit permission for user group: `<usergroup>` in repo group: `<repo_group_name>`"
592 }
592 }
593
593
594 """
594 """
595
595
596 repo_group = get_repo_group_or_error(repogroupid)
596 repo_group = get_repo_group_or_error(repogroupid)
597 perm = get_perm_or_error(perm, prefix='group.')
597 perm = get_perm_or_error(perm, prefix='group.')
598 user_group = get_user_group_or_error(usergroupid)
598 user_group = get_user_group_or_error(usergroupid)
599 if not has_superadmin_permission(apiuser):
599 if not has_superadmin_permission(apiuser):
600 validate_repo_group_permissions(
600 validate_repo_group_permissions(
601 apiuser, repogroupid, repo_group, ('group.admin',))
601 apiuser, repogroupid, repo_group, ('group.admin',))
602
602
603 # check if we have at least read permission for this user group !
603 # check if we have at least read permission for this user group !
604 _perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin',)
604 _perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin',)
605 if not HasUserGroupPermissionAnyApi(*_perms)(
605 if not HasUserGroupPermissionAnyApi(*_perms)(
606 user=apiuser, user_group_name=user_group.users_group_name):
606 user=apiuser, user_group_name=user_group.users_group_name):
607 raise JSONRPCError(
607 raise JSONRPCError(
608 'user group `%s` does not exist' % (usergroupid,))
608 'user group `%s` does not exist' % (usergroupid,))
609
609
610 apply_to_children = Optional.extract(apply_to_children)
610 apply_to_children = Optional.extract(apply_to_children)
611
611
612 perm_additions = [[user_group.users_group_id, perm, "user_group"]]
612 perm_additions = [[user_group.users_group_id, perm.permission_name, "user_group"]]
613 try:
613 try:
614 RepoGroupModel().update_permissions(repo_group=repo_group,
614 RepoGroupModel().update_permissions(repo_group=repo_group,
615 perm_additions=perm_additions,
615 perm_additions=perm_additions,
616 recursive=apply_to_children,
616 recursive=apply_to_children,
617 cur_user=apiuser)
617 cur_user=apiuser)
618 Session().commit()
618 Session().commit()
619 return {
619 return {
620 'msg': 'Granted perm: `%s` (recursive:%s) '
620 'msg': 'Granted perm: `%s` (recursive:%s) '
621 'for user group: `%s` in repo group: `%s`' % (
621 'for user group: `%s` in repo group: `%s`' % (
622 perm.permission_name, apply_to_children,
622 perm.permission_name, apply_to_children,
623 user_group.users_group_name, repo_group.name
623 user_group.users_group_name, repo_group.name
624 ),
624 ),
625 'success': True
625 'success': True
626 }
626 }
627 except Exception:
627 except Exception:
628 log.exception("Exception occurred while trying to grant user "
628 log.exception("Exception occurred while trying to grant user "
629 "group permissions to repo group")
629 "group permissions to repo group")
630 raise JSONRPCError(
630 raise JSONRPCError(
631 'failed to edit permission for user group: `%s` in '
631 'failed to edit permission for user group: `%s` in '
632 'repo group: `%s`' % (
632 'repo group: `%s`' % (
633 usergroupid, repo_group.name
633 usergroupid, repo_group.name
634 )
634 )
635 )
635 )
636
636
637
637
638 @jsonrpc_method()
638 @jsonrpc_method()
639 def revoke_user_group_permission_from_repo_group(
639 def revoke_user_group_permission_from_repo_group(
640 request, apiuser, repogroupid, usergroupid,
640 request, apiuser, repogroupid, usergroupid,
641 apply_to_children=Optional('none')):
641 apply_to_children=Optional('none')):
642 """
642 """
643 Revoke permission for user group on given repository.
643 Revoke permission for user group on given repository.
644
644
645 This command can only be run using an |authtoken| with admin
645 This command can only be run using an |authtoken| with admin
646 permissions on the |repo| group.
646 permissions on the |repo| group.
647
647
648 :param apiuser: This is filled automatically from the |authtoken|.
648 :param apiuser: This is filled automatically from the |authtoken|.
649 :type apiuser: AuthUser
649 :type apiuser: AuthUser
650 :param repogroupid: name or id of repository group
650 :param repogroupid: name or id of repository group
651 :type repogroupid: str or int
651 :type repogroupid: str or int
652 :param usergroupid:
652 :param usergroupid:
653 :param apply_to_children: 'none', 'repos', 'groups', 'all'
653 :param apply_to_children: 'none', 'repos', 'groups', 'all'
654 :type apply_to_children: str
654 :type apply_to_children: str
655
655
656 Example output:
656 Example output:
657
657
658 .. code-block:: bash
658 .. code-block:: bash
659
659
660 id : <id_given_in_input>
660 id : <id_given_in_input>
661 result: {
661 result: {
662 "msg" : "Revoked perm (recursive:<apply_to_children>) for user group: `<usersgroupname>` in repo group: `<repo_group_name>`",
662 "msg" : "Revoked perm (recursive:<apply_to_children>) for user group: `<usersgroupname>` in repo group: `<repo_group_name>`",
663 "success": true
663 "success": true
664 }
664 }
665 error: null
665 error: null
666
666
667 Example error output:
667 Example error output:
668
668
669 .. code-block:: bash
669 .. code-block:: bash
670
670
671 id : <id_given_in_input>
671 id : <id_given_in_input>
672 result : null
672 result : null
673 error : {
673 error : {
674 "failed to edit permission for user group: `<usergroup>` in repo group: `<repo_group_name>`"
674 "failed to edit permission for user group: `<usergroup>` in repo group: `<repo_group_name>`"
675 }
675 }
676
676
677
677
678 """
678 """
679
679
680 repo_group = get_repo_group_or_error(repogroupid)
680 repo_group = get_repo_group_or_error(repogroupid)
681 user_group = get_user_group_or_error(usergroupid)
681 user_group = get_user_group_or_error(usergroupid)
682 if not has_superadmin_permission(apiuser):
682 if not has_superadmin_permission(apiuser):
683 validate_repo_group_permissions(
683 validate_repo_group_permissions(
684 apiuser, repogroupid, repo_group, ('group.admin',))
684 apiuser, repogroupid, repo_group, ('group.admin',))
685
685
686 # check if we have at least read permission for this user group !
686 # check if we have at least read permission for this user group !
687 _perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin',)
687 _perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin',)
688 if not HasUserGroupPermissionAnyApi(*_perms)(
688 if not HasUserGroupPermissionAnyApi(*_perms)(
689 user=apiuser, user_group_name=user_group.users_group_name):
689 user=apiuser, user_group_name=user_group.users_group_name):
690 raise JSONRPCError(
690 raise JSONRPCError(
691 'user group `%s` does not exist' % (usergroupid,))
691 'user group `%s` does not exist' % (usergroupid,))
692
692
693 apply_to_children = Optional.extract(apply_to_children)
693 apply_to_children = Optional.extract(apply_to_children)
694
694
695 perm_deletions = [[user_group.users_group_id, None, "user_group"]]
695 perm_deletions = [[user_group.users_group_id, None, "user_group"]]
696 try:
696 try:
697 RepoGroupModel().update_permissions(repo_group=repo_group,
697 RepoGroupModel().update_permissions(repo_group=repo_group,
698 perm_deletions=perm_deletions,
698 perm_deletions=perm_deletions,
699 recursive=apply_to_children,
699 recursive=apply_to_children,
700 cur_user=apiuser)
700 cur_user=apiuser)
701 Session().commit()
701 Session().commit()
702 return {
702 return {
703 'msg': 'Revoked perm (recursive:%s) for user group: '
703 'msg': 'Revoked perm (recursive:%s) for user group: '
704 '`%s` in repo group: `%s`' % (
704 '`%s` in repo group: `%s`' % (
705 apply_to_children, user_group.users_group_name,
705 apply_to_children, user_group.users_group_name,
706 repo_group.name
706 repo_group.name
707 ),
707 ),
708 'success': True
708 'success': True
709 }
709 }
710 except Exception:
710 except Exception:
711 log.exception("Exception occurred while trying revoke user group "
711 log.exception("Exception occurred while trying revoke user group "
712 "permissions from repo group")
712 "permissions from repo group")
713 raise JSONRPCError(
713 raise JSONRPCError(
714 'failed to edit permission for user group: '
714 'failed to edit permission for user group: '
715 '`%s` in repo group: `%s`' % (
715 '`%s` in repo group: `%s`' % (
716 user_group.users_group_name, repo_group.name
716 user_group.users_group_name, repo_group.name
717 )
717 )
718 )
718 )
719
719
General Comments 0
You need to be logged in to leave comments. Login now