##// END OF EJS Templates
api: fixed recursive permissions changes to repo group....
marcink -
r2858:4340ccf9 default
parent child Browse files
Show More
@@ -1,172 +1,174 b''
1 1 # -*- coding: utf-8 -*-
2 2
3 3 # Copyright (C) 2010-2018 RhodeCode GmbH
4 4 #
5 5 # This program is free software: you can redistribute it and/or modify
6 6 # it under the terms of the GNU Affero General Public License, version 3
7 7 # (only), as published by the Free Software Foundation.
8 8 #
9 9 # This program is distributed in the hope that it will be useful,
10 10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 12 # GNU General Public License for more details.
13 13 #
14 14 # You should have received a copy of the GNU Affero General Public License
15 15 # along with this program. If not, see <http://www.gnu.org/licenses/>.
16 16 #
17 17 # This program is dual-licensed. If you wish to learn more about the
18 18 # RhodeCode Enterprise Edition, including its added features, Support services,
19 19 # and proprietary license terms, please see https://rhodecode.com/licenses/
20 20
21 21 import mock
22 22 import pytest
23 23
24 24 from rhodecode.model.user import UserModel
25 25 from rhodecode.model.repo_group import RepoGroupModel
26 26 from rhodecode.api.tests.utils import (
27 27 build_data, api_call, assert_error, assert_ok, crash)
28 28
29 29
30 30 @pytest.mark.usefixtures("testuser_api", "app")
31 31 class TestGrantUserGroupPermissionFromRepoGroup(object):
32 32 @pytest.mark.parametrize("name, perm, apply_to_children", [
33 33 ('none', 'group.none', 'none'),
34 34 ('read', 'group.read', 'none'),
35 35 ('write', 'group.write', 'none'),
36 36 ('admin', 'group.admin', 'none'),
37 37
38 38 ('none', 'group.none', 'all'),
39 39 ('read', 'group.read', 'all'),
40 40 ('write', 'group.write', 'all'),
41 41 ('admin', 'group.admin', 'all'),
42 42
43 43 ('none', 'group.none', 'repos'),
44 44 ('read', 'group.read', 'repos'),
45 45 ('write', 'group.write', 'repos'),
46 46 ('admin', 'group.admin', 'repos'),
47 47
48 48 ('none', 'group.none', 'groups'),
49 49 ('read', 'group.read', 'groups'),
50 50 ('write', 'group.write', 'groups'),
51 51 ('admin', 'group.admin', 'groups'),
52 52 ])
53 53 def test_api_grant_user_group_permission_to_repo_group(
54 54 self, name, perm, apply_to_children, user_util):
55 55 user_group = user_util.create_user_group()
56 56 repo_group = user_util.create_repo_group()
57 user_util.create_repo(parent=repo_group)
58
57 59 id_, params = build_data(
58 60 self.apikey,
59 61 'grant_user_group_permission_to_repo_group',
60 62 repogroupid=repo_group.name,
61 63 usergroupid=user_group.users_group_name,
62 64 perm=perm,
63 65 apply_to_children=apply_to_children,)
64 66 response = api_call(self.app, params)
65 67
66 68 ret = {
67 69 'msg': (
68 70 'Granted perm: `%s` (recursive:%s) for user group: `%s`'
69 71 ' in repo group: `%s`' % (
70 72 perm, apply_to_children, user_group.users_group_name,
71 73 repo_group.name
72 74 )
73 75 ),
74 76 'success': True
75 77 }
76 78 expected = ret
77 79 try:
78 80 assert_ok(id_, expected, given=response.body)
79 81 finally:
80 82 RepoGroupModel().revoke_user_group_permission(
81 83 repo_group.group_id, user_group.users_group_id)
82 84
83 85 @pytest.mark.parametrize(
84 86 "name, perm, apply_to_children, grant_admin, access_ok", [
85 87 ('none_fails', 'group.none', 'none', False, False),
86 88 ('read_fails', 'group.read', 'none', False, False),
87 89 ('write_fails', 'group.write', 'none', False, False),
88 90 ('admin_fails', 'group.admin', 'none', False, False),
89 91
90 92 # with granted perms
91 93 ('none_ok', 'group.none', 'none', True, True),
92 94 ('read_ok', 'group.read', 'none', True, True),
93 95 ('write_ok', 'group.write', 'none', True, True),
94 96 ('admin_ok', 'group.admin', 'none', True, True),
95 97 ]
96 98 )
97 99 def test_api_grant_user_group_permission_to_repo_group_by_regular_user(
98 100 self, name, perm, apply_to_children, grant_admin, access_ok,
99 101 user_util):
100 102 user = UserModel().get_by_username(self.TEST_USER_LOGIN)
101 103 user_group = user_util.create_user_group()
102 104 repo_group = user_util.create_repo_group()
103 105 if grant_admin:
104 106 user_util.grant_user_permission_to_repo_group(
105 107 repo_group, user, 'group.admin')
106 108
107 109 id_, params = build_data(
108 110 self.apikey_regular,
109 111 'grant_user_group_permission_to_repo_group',
110 112 repogroupid=repo_group.name,
111 113 usergroupid=user_group.users_group_name,
112 114 perm=perm,
113 115 apply_to_children=apply_to_children,)
114 116 response = api_call(self.app, params)
115 117 if access_ok:
116 118 ret = {
117 119 'msg': (
118 120 'Granted perm: `%s` (recursive:%s) for user group: `%s`'
119 121 ' in repo group: `%s`' % (
120 122 perm, apply_to_children, user_group.users_group_name,
121 123 repo_group.name
122 124 )
123 125 ),
124 126 'success': True
125 127 }
126 128 expected = ret
127 129 try:
128 130 assert_ok(id_, expected, given=response.body)
129 131 finally:
130 132 RepoGroupModel().revoke_user_group_permission(
131 133 repo_group.group_id, user_group.users_group_id)
132 134 else:
133 135 expected = 'repository group `%s` does not exist' % (
134 136 repo_group.name,)
135 137 assert_error(id_, expected, given=response.body)
136 138
137 139 def test_api_grant_user_group_permission_to_repo_group_wrong_permission(
138 140 self, user_util):
139 141 user_group = user_util.create_user_group()
140 142 repo_group = user_util.create_repo_group()
141 143 perm = 'haha.no.permission'
142 144 id_, params = build_data(
143 145 self.apikey,
144 146 'grant_user_group_permission_to_repo_group',
145 147 repogroupid=repo_group.name,
146 148 usergroupid=user_group.users_group_name,
147 149 perm=perm)
148 150 response = api_call(self.app, params)
149 151
150 152 expected = 'permission `%s` does not exist' % (perm,)
151 153 assert_error(id_, expected, given=response.body)
152 154
153 155 @mock.patch.object(RepoGroupModel, 'grant_user_group_permission', crash)
154 156 def test_api_grant_user_group_permission_exception_when_adding_2(
155 157 self, user_util):
156 158 user_group = user_util.create_user_group()
157 159 repo_group = user_util.create_repo_group()
158 160 perm = 'group.read'
159 161 id_, params = build_data(
160 162 self.apikey,
161 163 'grant_user_group_permission_to_repo_group',
162 164 repogroupid=repo_group.name,
163 165 usergroupid=user_group.users_group_name,
164 166 perm=perm)
165 167 response = api_call(self.app, params)
166 168
167 169 expected = (
168 170 'failed to edit permission for user group: `%s`'
169 171 ' in repo group: `%s`' % (
170 172 user_group.users_group_name, repo_group.name)
171 173 )
172 174 assert_error(id_, expected, given=response.body)
@@ -1,719 +1,719 b''
1 1 # -*- coding: utf-8 -*-
2 2
3 3 # Copyright (C) 2011-2018 RhodeCode GmbH
4 4 #
5 5 # This program is free software: you can redistribute it and/or modify
6 6 # it under the terms of the GNU Affero General Public License, version 3
7 7 # (only), as published by the Free Software Foundation.
8 8 #
9 9 # This program is distributed in the hope that it will be useful,
10 10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 12 # GNU General Public License for more details.
13 13 #
14 14 # You should have received a copy of the GNU Affero General Public License
15 15 # along with this program. If not, see <http://www.gnu.org/licenses/>.
16 16 #
17 17 # This program is dual-licensed. If you wish to learn more about the
18 18 # RhodeCode Enterprise Edition, including its added features, Support services,
19 19 # and proprietary license terms, please see https://rhodecode.com/licenses/
20 20
21 21
22 22 import logging
23 23
24 24 from rhodecode.api import JSONRPCValidationError
25 25 from rhodecode.api import jsonrpc_method, JSONRPCError
26 26 from rhodecode.api.utils import (
27 27 has_superadmin_permission, Optional, OAttr, get_user_or_error,
28 28 get_repo_group_or_error, get_perm_or_error, get_user_group_or_error,
29 29 get_origin, validate_repo_group_permissions, validate_set_owner_permissions)
30 30 from rhodecode.lib import audit_logger
31 31 from rhodecode.lib.auth import (
32 32 HasRepoGroupPermissionAnyApi, HasUserGroupPermissionAnyApi)
33 33 from rhodecode.model.db import Session
34 34 from rhodecode.model.repo_group import RepoGroupModel
35 35 from rhodecode.model.scm import RepoGroupList
36 36 from rhodecode.model import validation_schema
37 37 from rhodecode.model.validation_schema.schemas import repo_group_schema
38 38
39 39
40 40 log = logging.getLogger(__name__)
41 41
42 42
43 43 @jsonrpc_method()
44 44 def get_repo_group(request, apiuser, repogroupid):
45 45 """
46 46 Return the specified |repo| group, along with permissions,
47 47 and repositories inside the group
48 48
49 49 :param apiuser: This is filled automatically from the |authtoken|.
50 50 :type apiuser: AuthUser
51 51 :param repogroupid: Specify the name of ID of the repository group.
52 52 :type repogroupid: str or int
53 53
54 54
55 55 Example output:
56 56
57 57 .. code-block:: bash
58 58
59 59 {
60 60 "error": null,
61 61 "id": repo-group-id,
62 62 "result": {
63 63 "group_description": "repo group description",
64 64 "group_id": 14,
65 65 "group_name": "group name",
66 66 "permissions": [
67 67 {
68 68 "name": "super-admin-username",
69 69 "origin": "super-admin",
70 70 "permission": "group.admin",
71 71 "type": "user"
72 72 },
73 73 {
74 74 "name": "owner-name",
75 75 "origin": "owner",
76 76 "permission": "group.admin",
77 77 "type": "user"
78 78 },
79 79 {
80 80 "name": "user-group-name",
81 81 "origin": "permission",
82 82 "permission": "group.write",
83 83 "type": "user_group"
84 84 }
85 85 ],
86 86 "owner": "owner-name",
87 87 "parent_group": null,
88 88 "repositories": [ repo-list ]
89 89 }
90 90 }
91 91 """
92 92
93 93 repo_group = get_repo_group_or_error(repogroupid)
94 94 if not has_superadmin_permission(apiuser):
95 95 # check if we have at least read permission for this repo group !
96 96 _perms = ('group.admin', 'group.write', 'group.read',)
97 97 if not HasRepoGroupPermissionAnyApi(*_perms)(
98 98 user=apiuser, group_name=repo_group.group_name):
99 99 raise JSONRPCError(
100 100 'repository group `%s` does not exist' % (repogroupid,))
101 101
102 102 permissions = []
103 103 for _user in repo_group.permissions():
104 104 user_data = {
105 105 'name': _user.username,
106 106 'permission': _user.permission,
107 107 'origin': get_origin(_user),
108 108 'type': "user",
109 109 }
110 110 permissions.append(user_data)
111 111
112 112 for _user_group in repo_group.permission_user_groups():
113 113 user_group_data = {
114 114 'name': _user_group.users_group_name,
115 115 'permission': _user_group.permission,
116 116 'origin': get_origin(_user_group),
117 117 'type': "user_group",
118 118 }
119 119 permissions.append(user_group_data)
120 120
121 121 data = repo_group.get_api_data()
122 122 data["permissions"] = permissions
123 123 return data
124 124
125 125
126 126 @jsonrpc_method()
127 127 def get_repo_groups(request, apiuser):
128 128 """
129 129 Returns all repository groups.
130 130
131 131 :param apiuser: This is filled automatically from the |authtoken|.
132 132 :type apiuser: AuthUser
133 133 """
134 134
135 135 result = []
136 136 _perms = ('group.read', 'group.write', 'group.admin',)
137 137 extras = {'user': apiuser}
138 138 for repo_group in RepoGroupList(RepoGroupModel().get_all(),
139 139 perm_set=_perms, extra_kwargs=extras):
140 140 result.append(repo_group.get_api_data())
141 141 return result
142 142
143 143
144 144 @jsonrpc_method()
145 145 def create_repo_group(
146 146 request, apiuser, group_name,
147 147 owner=Optional(OAttr('apiuser')),
148 148 description=Optional(''),
149 149 copy_permissions=Optional(False)):
150 150 """
151 151 Creates a repository group.
152 152
153 153 * If the repository group name contains "/", repository group will be
154 154 created inside a repository group or nested repository groups
155 155
156 156 For example "foo/bar/group1" will create repository group called "group1"
157 157 inside group "foo/bar". You have to have permissions to access and
158 158 write to the last repository group ("bar" in this example)
159 159
160 160 This command can only be run using an |authtoken| with at least
161 161 permissions to create repository groups, or admin permissions to
162 162 parent repository groups.
163 163
164 164 :param apiuser: This is filled automatically from the |authtoken|.
165 165 :type apiuser: AuthUser
166 166 :param group_name: Set the repository group name.
167 167 :type group_name: str
168 168 :param description: Set the |repo| group description.
169 169 :type description: str
170 170 :param owner: Set the |repo| group owner.
171 171 :type owner: str
172 172 :param copy_permissions:
173 173 :type copy_permissions:
174 174
175 175 Example output:
176 176
177 177 .. code-block:: bash
178 178
179 179 id : <id_given_in_input>
180 180 result : {
181 181 "msg": "Created new repo group `<repo_group_name>`"
182 182 "repo_group": <repogroup_object>
183 183 }
184 184 error : null
185 185
186 186
187 187 Example error output:
188 188
189 189 .. code-block:: bash
190 190
191 191 id : <id_given_in_input>
192 192 result : null
193 193 error : {
194 194 failed to create repo group `<repogroupid>`
195 195 }
196 196
197 197 """
198 198
199 199 owner = validate_set_owner_permissions(apiuser, owner)
200 200
201 201 description = Optional.extract(description)
202 202 copy_permissions = Optional.extract(copy_permissions)
203 203
204 204 schema = repo_group_schema.RepoGroupSchema().bind(
205 205 # user caller
206 206 user=apiuser)
207 207
208 208 try:
209 209 schema_data = schema.deserialize(dict(
210 210 repo_group_name=group_name,
211 211 repo_group_owner=owner.username,
212 212 repo_group_description=description,
213 213 repo_group_copy_permissions=copy_permissions,
214 214 ))
215 215 except validation_schema.Invalid as err:
216 216 raise JSONRPCValidationError(colander_exc=err)
217 217
218 218 validated_group_name = schema_data['repo_group_name']
219 219
220 220 try:
221 221 repo_group = RepoGroupModel().create(
222 222 owner=owner,
223 223 group_name=validated_group_name,
224 224 group_description=schema_data['repo_group_description'],
225 225 copy_permissions=schema_data['repo_group_copy_permissions'])
226 226 Session().flush()
227 227
228 228 repo_group_data = repo_group.get_api_data()
229 229 audit_logger.store_api(
230 230 'repo_group.create', action_data={'data': repo_group_data},
231 231 user=apiuser)
232 232
233 233 Session().commit()
234 234 return {
235 235 'msg': 'Created new repo group `%s`' % validated_group_name,
236 236 'repo_group': repo_group.get_api_data()
237 237 }
238 238 except Exception:
239 239 log.exception("Exception occurred while trying create repo group")
240 240 raise JSONRPCError(
241 241 'failed to create repo group `%s`' % (validated_group_name,))
242 242
243 243
244 244 @jsonrpc_method()
245 245 def update_repo_group(
246 246 request, apiuser, repogroupid, group_name=Optional(''),
247 247 description=Optional(''), owner=Optional(OAttr('apiuser')),
248 248 enable_locking=Optional(False)):
249 249 """
250 250 Updates repository group with the details given.
251 251
252 252 This command can only be run using an |authtoken| with admin
253 253 permissions.
254 254
255 255 * If the group_name name contains "/", repository group will be updated
256 256 accordingly with a repository group or nested repository groups
257 257
258 258 For example repogroupid=group-test group_name="foo/bar/group-test"
259 259 will update repository group called "group-test" and place it
260 260 inside group "foo/bar".
261 261 You have to have permissions to access and write to the last repository
262 262 group ("bar" in this example)
263 263
264 264 :param apiuser: This is filled automatically from the |authtoken|.
265 265 :type apiuser: AuthUser
266 266 :param repogroupid: Set the ID of repository group.
267 267 :type repogroupid: str or int
268 268 :param group_name: Set the name of the |repo| group.
269 269 :type group_name: str
270 270 :param description: Set a description for the group.
271 271 :type description: str
272 272 :param owner: Set the |repo| group owner.
273 273 :type owner: str
274 274 :param enable_locking: Enable |repo| locking. The default is false.
275 275 :type enable_locking: bool
276 276 """
277 277
278 278 repo_group = get_repo_group_or_error(repogroupid)
279 279
280 280 if not has_superadmin_permission(apiuser):
281 281 validate_repo_group_permissions(
282 282 apiuser, repogroupid, repo_group, ('group.admin',))
283 283
284 284 updates = dict(
285 285 group_name=group_name
286 286 if not isinstance(group_name, Optional) else repo_group.group_name,
287 287
288 288 group_description=description
289 289 if not isinstance(description, Optional) else repo_group.group_description,
290 290
291 291 user=owner
292 292 if not isinstance(owner, Optional) else repo_group.user.username,
293 293
294 294 enable_locking=enable_locking
295 295 if not isinstance(enable_locking, Optional) else repo_group.enable_locking
296 296 )
297 297
298 298 schema = repo_group_schema.RepoGroupSchema().bind(
299 299 # user caller
300 300 user=apiuser,
301 301 old_values=repo_group.get_api_data())
302 302
303 303 try:
304 304 schema_data = schema.deserialize(dict(
305 305 repo_group_name=updates['group_name'],
306 306 repo_group_owner=updates['user'],
307 307 repo_group_description=updates['group_description'],
308 308 repo_group_enable_locking=updates['enable_locking'],
309 309 ))
310 310 except validation_schema.Invalid as err:
311 311 raise JSONRPCValidationError(colander_exc=err)
312 312
313 313 validated_updates = dict(
314 314 group_name=schema_data['repo_group']['repo_group_name_without_group'],
315 315 group_parent_id=schema_data['repo_group']['repo_group_id'],
316 316 user=schema_data['repo_group_owner'],
317 317 group_description=schema_data['repo_group_description'],
318 318 enable_locking=schema_data['repo_group_enable_locking'],
319 319 )
320 320
321 321 old_data = repo_group.get_api_data()
322 322 try:
323 323 RepoGroupModel().update(repo_group, validated_updates)
324 324 audit_logger.store_api(
325 325 'repo_group.edit', action_data={'old_data': old_data},
326 326 user=apiuser)
327 327
328 328 Session().commit()
329 329 return {
330 330 'msg': 'updated repository group ID:%s %s' % (
331 331 repo_group.group_id, repo_group.group_name),
332 332 'repo_group': repo_group.get_api_data()
333 333 }
334 334 except Exception:
335 335 log.exception(
336 336 u"Exception occurred while trying update repo group %s",
337 337 repogroupid)
338 338 raise JSONRPCError('failed to update repository group `%s`'
339 339 % (repogroupid,))
340 340
341 341
342 342 @jsonrpc_method()
343 343 def delete_repo_group(request, apiuser, repogroupid):
344 344 """
345 345 Deletes a |repo| group.
346 346
347 347 :param apiuser: This is filled automatically from the |authtoken|.
348 348 :type apiuser: AuthUser
349 349 :param repogroupid: Set the name or ID of repository group to be
350 350 deleted.
351 351 :type repogroupid: str or int
352 352
353 353 Example output:
354 354
355 355 .. code-block:: bash
356 356
357 357 id : <id_given_in_input>
358 358 result : {
359 359 'msg': 'deleted repo group ID:<repogroupid> <repogroupname>'
360 360 'repo_group': null
361 361 }
362 362 error : null
363 363
364 364 Example error output:
365 365
366 366 .. code-block:: bash
367 367
368 368 id : <id_given_in_input>
369 369 result : null
370 370 error : {
371 371 "failed to delete repo group ID:<repogroupid> <repogroupname>"
372 372 }
373 373
374 374 """
375 375
376 376 repo_group = get_repo_group_or_error(repogroupid)
377 377 if not has_superadmin_permission(apiuser):
378 378 validate_repo_group_permissions(
379 379 apiuser, repogroupid, repo_group, ('group.admin',))
380 380
381 381 old_data = repo_group.get_api_data()
382 382 try:
383 383 RepoGroupModel().delete(repo_group)
384 384 audit_logger.store_api(
385 385 'repo_group.delete', action_data={'old_data': old_data},
386 386 user=apiuser)
387 387 Session().commit()
388 388 return {
389 389 'msg': 'deleted repo group ID:%s %s' %
390 390 (repo_group.group_id, repo_group.group_name),
391 391 'repo_group': None
392 392 }
393 393 except Exception:
394 394 log.exception("Exception occurred while trying to delete repo group")
395 395 raise JSONRPCError('failed to delete repo group ID:%s %s' %
396 396 (repo_group.group_id, repo_group.group_name))
397 397
398 398
399 399 @jsonrpc_method()
400 400 def grant_user_permission_to_repo_group(
401 401 request, apiuser, repogroupid, userid, perm,
402 402 apply_to_children=Optional('none')):
403 403 """
404 404 Grant permission for a user on the given repository group, or update
405 405 existing permissions if found.
406 406
407 407 This command can only be run using an |authtoken| with admin
408 408 permissions.
409 409
410 410 :param apiuser: This is filled automatically from the |authtoken|.
411 411 :type apiuser: AuthUser
412 412 :param repogroupid: Set the name or ID of repository group.
413 413 :type repogroupid: str or int
414 414 :param userid: Set the user name.
415 415 :type userid: str
416 416 :param perm: (group.(none|read|write|admin))
417 417 :type perm: str
418 418 :param apply_to_children: 'none', 'repos', 'groups', 'all'
419 419 :type apply_to_children: str
420 420
421 421 Example output:
422 422
423 423 .. code-block:: bash
424 424
425 425 id : <id_given_in_input>
426 426 result: {
427 427 "msg" : "Granted perm: `<perm>` (recursive:<apply_to_children>) for user: `<username>` in repo group: `<repo_group_name>`",
428 428 "success": true
429 429 }
430 430 error: null
431 431
432 432 Example error output:
433 433
434 434 .. code-block:: bash
435 435
436 436 id : <id_given_in_input>
437 437 result : null
438 438 error : {
439 439 "failed to edit permission for user: `<userid>` in repo group: `<repo_group_name>`"
440 440 }
441 441
442 442 """
443 443
444 444 repo_group = get_repo_group_or_error(repogroupid)
445 445
446 446 if not has_superadmin_permission(apiuser):
447 447 validate_repo_group_permissions(
448 448 apiuser, repogroupid, repo_group, ('group.admin',))
449 449
450 450 user = get_user_or_error(userid)
451 451 perm = get_perm_or_error(perm, prefix='group.')
452 452 apply_to_children = Optional.extract(apply_to_children)
453 453
454 perm_additions = [[user.user_id, perm, "user"]]
454 perm_additions = [[user.user_id, perm.permission_name, "user"]]
455 455 try:
456 456 RepoGroupModel().update_permissions(repo_group=repo_group,
457 457 perm_additions=perm_additions,
458 458 recursive=apply_to_children,
459 459 cur_user=apiuser)
460 460 Session().commit()
461 461 return {
462 462 'msg': 'Granted perm: `%s` (recursive:%s) for user: '
463 463 '`%s` in repo group: `%s`' % (
464 464 perm.permission_name, apply_to_children, user.username,
465 465 repo_group.name
466 466 ),
467 467 'success': True
468 468 }
469 469 except Exception:
470 470 log.exception("Exception occurred while trying to grant "
471 471 "user permissions to repo group")
472 472 raise JSONRPCError(
473 473 'failed to edit permission for user: '
474 474 '`%s` in repo group: `%s`' % (userid, repo_group.name))
475 475
476 476
477 477 @jsonrpc_method()
478 478 def revoke_user_permission_from_repo_group(
479 479 request, apiuser, repogroupid, userid,
480 480 apply_to_children=Optional('none')):
481 481 """
482 482 Revoke permission for a user in a given repository group.
483 483
484 484 This command can only be run using an |authtoken| with admin
485 485 permissions on the |repo| group.
486 486
487 487 :param apiuser: This is filled automatically from the |authtoken|.
488 488 :type apiuser: AuthUser
489 489 :param repogroupid: Set the name or ID of the repository group.
490 490 :type repogroupid: str or int
491 491 :param userid: Set the user name to revoke.
492 492 :type userid: str
493 493 :param apply_to_children: 'none', 'repos', 'groups', 'all'
494 494 :type apply_to_children: str
495 495
496 496 Example output:
497 497
498 498 .. code-block:: bash
499 499
500 500 id : <id_given_in_input>
501 501 result: {
502 502 "msg" : "Revoked perm (recursive:<apply_to_children>) for user: `<username>` in repo group: `<repo_group_name>`",
503 503 "success": true
504 504 }
505 505 error: null
506 506
507 507 Example error output:
508 508
509 509 .. code-block:: bash
510 510
511 511 id : <id_given_in_input>
512 512 result : null
513 513 error : {
514 514 "failed to edit permission for user: `<userid>` in repo group: `<repo_group_name>`"
515 515 }
516 516
517 517 """
518 518
519 519 repo_group = get_repo_group_or_error(repogroupid)
520 520
521 521 if not has_superadmin_permission(apiuser):
522 522 validate_repo_group_permissions(
523 523 apiuser, repogroupid, repo_group, ('group.admin',))
524 524
525 525 user = get_user_or_error(userid)
526 526 apply_to_children = Optional.extract(apply_to_children)
527 527
528 528 perm_deletions = [[user.user_id, None, "user"]]
529 529 try:
530 530 RepoGroupModel().update_permissions(repo_group=repo_group,
531 531 perm_deletions=perm_deletions,
532 532 recursive=apply_to_children,
533 533 cur_user=apiuser)
534 534 Session().commit()
535 535 return {
536 536 'msg': 'Revoked perm (recursive:%s) for user: '
537 537 '`%s` in repo group: `%s`' % (
538 538 apply_to_children, user.username, repo_group.name
539 539 ),
540 540 'success': True
541 541 }
542 542 except Exception:
543 543 log.exception("Exception occurred while trying revoke user "
544 544 "permission from repo group")
545 545 raise JSONRPCError(
546 546 'failed to edit permission for user: '
547 547 '`%s` in repo group: `%s`' % (userid, repo_group.name))
548 548
549 549
550 550 @jsonrpc_method()
551 551 def grant_user_group_permission_to_repo_group(
552 552 request, apiuser, repogroupid, usergroupid, perm,
553 553 apply_to_children=Optional('none'), ):
554 554 """
555 555 Grant permission for a user group on given repository group, or update
556 556 existing permissions if found.
557 557
558 558 This command can only be run using an |authtoken| with admin
559 559 permissions on the |repo| group.
560 560
561 561 :param apiuser: This is filled automatically from the |authtoken|.
562 562 :type apiuser: AuthUser
563 563 :param repogroupid: Set the name or id of repository group
564 564 :type repogroupid: str or int
565 565 :param usergroupid: id of usergroup
566 566 :type usergroupid: str or int
567 567 :param perm: (group.(none|read|write|admin))
568 568 :type perm: str
569 569 :param apply_to_children: 'none', 'repos', 'groups', 'all'
570 570 :type apply_to_children: str
571 571
572 572 Example output:
573 573
574 574 .. code-block:: bash
575 575
576 576 id : <id_given_in_input>
577 577 result : {
578 578 "msg" : "Granted perm: `<perm>` (recursive:<apply_to_children>) for user group: `<usersgroupname>` in repo group: `<repo_group_name>`",
579 579 "success": true
580 580
581 581 }
582 582 error : null
583 583
584 584 Example error output:
585 585
586 586 .. code-block:: bash
587 587
588 588 id : <id_given_in_input>
589 589 result : null
590 590 error : {
591 591 "failed to edit permission for user group: `<usergroup>` in repo group: `<repo_group_name>`"
592 592 }
593 593
594 594 """
595 595
596 596 repo_group = get_repo_group_or_error(repogroupid)
597 597 perm = get_perm_or_error(perm, prefix='group.')
598 598 user_group = get_user_group_or_error(usergroupid)
599 599 if not has_superadmin_permission(apiuser):
600 600 validate_repo_group_permissions(
601 601 apiuser, repogroupid, repo_group, ('group.admin',))
602 602
603 603 # check if we have at least read permission for this user group !
604 604 _perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin',)
605 605 if not HasUserGroupPermissionAnyApi(*_perms)(
606 606 user=apiuser, user_group_name=user_group.users_group_name):
607 607 raise JSONRPCError(
608 608 'user group `%s` does not exist' % (usergroupid,))
609 609
610 610 apply_to_children = Optional.extract(apply_to_children)
611 611
612 perm_additions = [[user_group.users_group_id, perm, "user_group"]]
612 perm_additions = [[user_group.users_group_id, perm.permission_name, "user_group"]]
613 613 try:
614 614 RepoGroupModel().update_permissions(repo_group=repo_group,
615 615 perm_additions=perm_additions,
616 616 recursive=apply_to_children,
617 617 cur_user=apiuser)
618 618 Session().commit()
619 619 return {
620 620 'msg': 'Granted perm: `%s` (recursive:%s) '
621 621 'for user group: `%s` in repo group: `%s`' % (
622 622 perm.permission_name, apply_to_children,
623 623 user_group.users_group_name, repo_group.name
624 624 ),
625 625 'success': True
626 626 }
627 627 except Exception:
628 628 log.exception("Exception occurred while trying to grant user "
629 629 "group permissions to repo group")
630 630 raise JSONRPCError(
631 631 'failed to edit permission for user group: `%s` in '
632 632 'repo group: `%s`' % (
633 633 usergroupid, repo_group.name
634 634 )
635 635 )
636 636
637 637
638 638 @jsonrpc_method()
639 639 def revoke_user_group_permission_from_repo_group(
640 640 request, apiuser, repogroupid, usergroupid,
641 641 apply_to_children=Optional('none')):
642 642 """
643 643 Revoke permission for user group on given repository.
644 644
645 645 This command can only be run using an |authtoken| with admin
646 646 permissions on the |repo| group.
647 647
648 648 :param apiuser: This is filled automatically from the |authtoken|.
649 649 :type apiuser: AuthUser
650 650 :param repogroupid: name or id of repository group
651 651 :type repogroupid: str or int
652 652 :param usergroupid:
653 653 :param apply_to_children: 'none', 'repos', 'groups', 'all'
654 654 :type apply_to_children: str
655 655
656 656 Example output:
657 657
658 658 .. code-block:: bash
659 659
660 660 id : <id_given_in_input>
661 661 result: {
662 662 "msg" : "Revoked perm (recursive:<apply_to_children>) for user group: `<usersgroupname>` in repo group: `<repo_group_name>`",
663 663 "success": true
664 664 }
665 665 error: null
666 666
667 667 Example error output:
668 668
669 669 .. code-block:: bash
670 670
671 671 id : <id_given_in_input>
672 672 result : null
673 673 error : {
674 674 "failed to edit permission for user group: `<usergroup>` in repo group: `<repo_group_name>`"
675 675 }
676 676
677 677
678 678 """
679 679
680 680 repo_group = get_repo_group_or_error(repogroupid)
681 681 user_group = get_user_group_or_error(usergroupid)
682 682 if not has_superadmin_permission(apiuser):
683 683 validate_repo_group_permissions(
684 684 apiuser, repogroupid, repo_group, ('group.admin',))
685 685
686 686 # check if we have at least read permission for this user group !
687 687 _perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin',)
688 688 if not HasUserGroupPermissionAnyApi(*_perms)(
689 689 user=apiuser, user_group_name=user_group.users_group_name):
690 690 raise JSONRPCError(
691 691 'user group `%s` does not exist' % (usergroupid,))
692 692
693 693 apply_to_children = Optional.extract(apply_to_children)
694 694
695 695 perm_deletions = [[user_group.users_group_id, None, "user_group"]]
696 696 try:
697 697 RepoGroupModel().update_permissions(repo_group=repo_group,
698 698 perm_deletions=perm_deletions,
699 699 recursive=apply_to_children,
700 700 cur_user=apiuser)
701 701 Session().commit()
702 702 return {
703 703 'msg': 'Revoked perm (recursive:%s) for user group: '
704 704 '`%s` in repo group: `%s`' % (
705 705 apply_to_children, user_group.users_group_name,
706 706 repo_group.name
707 707 ),
708 708 'success': True
709 709 }
710 710 except Exception:
711 711 log.exception("Exception occurred while trying revoke user group "
712 712 "permissions from repo group")
713 713 raise JSONRPCError(
714 714 'failed to edit permission for user group: '
715 715 '`%s` in repo group: `%s`' % (
716 716 user_group.users_group_name, repo_group.name
717 717 )
718 718 )
719 719
General Comments 0
You need to be logged in to leave comments. Login now