user-groups-audit: properly register add/delete members on main...
marcink -
r2106:44a92162 default
@@ -1,529 +1,543 b''
1 # -*- coding: utf-8 -*-
1 # -*- coding: utf-8 -*-
2
2
3 # Copyright (C) 2016-2017 RhodeCode GmbH
3 # Copyright (C) 2016-2017 RhodeCode GmbH
4 #
4 #
5 # This program is free software: you can redistribute it and/or modify
5 # This program is free software: you can redistribute it and/or modify
6 # it under the terms of the GNU Affero General Public License, version 3
6 # it under the terms of the GNU Affero General Public License, version 3
7 # (only), as published by the Free Software Foundation.
7 # (only), as published by the Free Software Foundation.
8 #
8 #
9 # This program is distributed in the hope that it will be useful,
9 # This program is distributed in the hope that it will be useful,
10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 # GNU General Public License for more details.
12 # GNU General Public License for more details.
13 #
13 #
14 # You should have received a copy of the GNU Affero General Public License
14 # You should have received a copy of the GNU Affero General Public License
15 # along with this program. If not, see <http://www.gnu.org/licenses/>.
15 # along with this program. If not, see <http://www.gnu.org/licenses/>.
16 #
16 #
17 # This program is dual-licensed. If you wish to learn more about the
17 # This program is dual-licensed. If you wish to learn more about the
18 # RhodeCode Enterprise Edition, including its added features, Support services,
18 # RhodeCode Enterprise Edition, including its added features, Support services,
19 # and proprietary license terms, please see https://rhodecode.com/licenses/
19 # and proprietary license terms, please see https://rhodecode.com/licenses/
20
20
21 import logging
21 import logging
22
22
23 import peppercorn
23 import peppercorn
24 import formencode
24 import formencode
25 import formencode.htmlfill
25 import formencode.htmlfill
26 from pyramid.httpexceptions import HTTPFound
26 from pyramid.httpexceptions import HTTPFound
27 from pyramid.view import view_config
27 from pyramid.view import view_config
28 from pyramid.response import Response
28 from pyramid.response import Response
29 from pyramid.renderers import render
29 from pyramid.renderers import render
30
30
31 from rhodecode.lib.exceptions import (
31 from rhodecode.lib.exceptions import (
32 RepoGroupAssignmentError, UserGroupAssignedException)
32 RepoGroupAssignmentError, UserGroupAssignedException)
33 from rhodecode.model.forms import (
33 from rhodecode.model.forms import (
34 UserGroupPermsForm, UserGroupForm, UserIndividualPermissionsForm,
34 UserGroupPermsForm, UserGroupForm, UserIndividualPermissionsForm,
35 UserPermissionsForm)
35 UserPermissionsForm)
36 from rhodecode.model.permission import PermissionModel
36 from rhodecode.model.permission import PermissionModel
37
37
38 from rhodecode.apps._base import UserGroupAppView
38 from rhodecode.apps._base import UserGroupAppView
39 from rhodecode.lib.auth import (
39 from rhodecode.lib.auth import (
40 LoginRequired, HasUserGroupPermissionAnyDecorator, CSRFRequired)
40 LoginRequired, HasUserGroupPermissionAnyDecorator, CSRFRequired)
41 from rhodecode.lib import helpers as h, audit_logger
41 from rhodecode.lib import helpers as h, audit_logger
42 from rhodecode.lib.utils2 import str2bool
42 from rhodecode.lib.utils2 import str2bool
43 from rhodecode.model.db import (
43 from rhodecode.model.db import (
44 joinedload, User, UserGroupRepoToPerm, UserGroupRepoGroupToPerm)
44 joinedload, User, UserGroupRepoToPerm, UserGroupRepoGroupToPerm)
45 from rhodecode.model.meta import Session
45 from rhodecode.model.meta import Session
46 from rhodecode.model.user_group import UserGroupModel
46 from rhodecode.model.user_group import UserGroupModel
47
47
48 log = logging.getLogger(__name__)
48 log = logging.getLogger(__name__)
49
49
50
50
51 class UserGroupsView(UserGroupAppView):
51 class UserGroupsView(UserGroupAppView):
52
52
53 def load_default_context(self):
53 def load_default_context(self):
54 c = self._get_local_tmpl_context()
54 c = self._get_local_tmpl_context()
55
55
56 PermissionModel().set_global_permission_choices(
56 PermissionModel().set_global_permission_choices(
57 c, gettext_translator=self.request.translate)
57 c, gettext_translator=self.request.translate)
58
58
59 self._register_global_c(c)
59 self._register_global_c(c)
60 return c
60 return c
61
61
62 def _get_perms_summary(self, user_group_id):
62 def _get_perms_summary(self, user_group_id):
63 permissions = {
63 permissions = {
64 'repositories': {},
64 'repositories': {},
65 'repositories_groups': {},
65 'repositories_groups': {},
66 }
66 }
67 ugroup_repo_perms = UserGroupRepoToPerm.query()\
67 ugroup_repo_perms = UserGroupRepoToPerm.query()\
68 .options(joinedload(UserGroupRepoToPerm.permission))\
68 .options(joinedload(UserGroupRepoToPerm.permission))\
69 .options(joinedload(UserGroupRepoToPerm.repository))\
69 .options(joinedload(UserGroupRepoToPerm.repository))\
70 .filter(UserGroupRepoToPerm.users_group_id == user_group_id)\
70 .filter(UserGroupRepoToPerm.users_group_id == user_group_id)\
71 .all()
71 .all()
72
72
73 for gr in ugroup_repo_perms:
73 for gr in ugroup_repo_perms:
74 permissions['repositories'][gr.repository.repo_name] \
74 permissions['repositories'][gr.repository.repo_name] \
75 = gr.permission.permission_name
75 = gr.permission.permission_name
76
76
77 ugroup_group_perms = UserGroupRepoGroupToPerm.query()\
77 ugroup_group_perms = UserGroupRepoGroupToPerm.query()\
78 .options(joinedload(UserGroupRepoGroupToPerm.permission))\
78 .options(joinedload(UserGroupRepoGroupToPerm.permission))\
79 .options(joinedload(UserGroupRepoGroupToPerm.group))\
79 .options(joinedload(UserGroupRepoGroupToPerm.group))\
80 .filter(UserGroupRepoGroupToPerm.users_group_id == user_group_id)\
80 .filter(UserGroupRepoGroupToPerm.users_group_id == user_group_id)\
81 .all()
81 .all()
82
82
83 for gr in ugroup_group_perms:
83 for gr in ugroup_group_perms:
84 permissions['repositories_groups'][gr.group.group_name] \
84 permissions['repositories_groups'][gr.group.group_name] \
85 = gr.permission.permission_name
85 = gr.permission.permission_name
86 return permissions
86 return permissions
87
87
88 @LoginRequired()
88 @LoginRequired()
89 @HasUserGroupPermissionAnyDecorator('usergroup.admin')
89 @HasUserGroupPermissionAnyDecorator('usergroup.admin')
90 @view_config(
90 @view_config(
91 route_name='user_group_members_data', request_method='GET',
91 route_name='user_group_members_data', request_method='GET',
92 renderer='json_ext', xhr=True)
92 renderer='json_ext', xhr=True)
93 def user_group_members(self):
93 def user_group_members(self):
94 """
94 """
95 Return members of given user group
95 Return members of given user group
96 """
96 """
97 user_group = self.db_user_group
97 user_group = self.db_user_group
98 group_members_obj = sorted((x.user for x in user_group.members),
98 group_members_obj = sorted((x.user for x in user_group.members),
99 key=lambda u: u.username.lower())
99 key=lambda u: u.username.lower())
100
100
101 group_members = [
101 group_members = [
102 {
102 {
103 'id': user.user_id,
103 'id': user.user_id,
104 'first_name': user.first_name,
104 'first_name': user.first_name,
105 'last_name': user.last_name,
105 'last_name': user.last_name,
106 'username': user.username,
106 'username': user.username,
107 'icon_link': h.gravatar_url(user.email, 30),
107 'icon_link': h.gravatar_url(user.email, 30),
108 'value_display': h.person(user.email),
108 'value_display': h.person(user.email),
109 'value': user.username,
109 'value': user.username,
110 'value_type': 'user',
110 'value_type': 'user',
111 'active': user.active,
111 'active': user.active,
112 }
112 }
113 for user in group_members_obj
113 for user in group_members_obj
114 ]
114 ]
115
115
116 return {
116 return {
117 'members': group_members
117 'members': group_members
118 }
118 }
119
119
120 @LoginRequired()
120 @LoginRequired()
121 @HasUserGroupPermissionAnyDecorator('usergroup.admin')
121 @HasUserGroupPermissionAnyDecorator('usergroup.admin')
122 @view_config(
122 @view_config(
123 route_name='edit_user_group_perms_summary', request_method='GET',
123 route_name='edit_user_group_perms_summary', request_method='GET',
124 renderer='rhodecode:templates/admin/user_groups/user_group_edit.mako')
124 renderer='rhodecode:templates/admin/user_groups/user_group_edit.mako')
125 def user_group_perms_summary(self):
125 def user_group_perms_summary(self):
126 c = self.load_default_context()
126 c = self.load_default_context()
127 c.user_group = self.db_user_group
127 c.user_group = self.db_user_group
128 c.active = 'perms_summary'
128 c.active = 'perms_summary'
129 c.permissions = self._get_perms_summary(c.user_group.users_group_id)
129 c.permissions = self._get_perms_summary(c.user_group.users_group_id)
130 return self._get_template_context(c)
130 return self._get_template_context(c)
131
131
132 @LoginRequired()
132 @LoginRequired()
133 @HasUserGroupPermissionAnyDecorator('usergroup.admin')
133 @HasUserGroupPermissionAnyDecorator('usergroup.admin')
134 @view_config(
134 @view_config(
135 route_name='edit_user_group_perms_summary_json', request_method='GET',
135 route_name='edit_user_group_perms_summary_json', request_method='GET',
136 renderer='json_ext')
136 renderer='json_ext')
137 def user_group_perms_summary_json(self):
137 def user_group_perms_summary_json(self):
138 self.load_default_context()
138 self.load_default_context()
139 user_group = self.db_user_group
139 user_group = self.db_user_group
140 return self._get_perms_summary(user_group.users_group_id)
140 return self._get_perms_summary(user_group.users_group_id)
141
141
142 def _revoke_perms_on_yourself(self, form_result):
142 def _revoke_perms_on_yourself(self, form_result):
143 _updates = filter(lambda u: self._rhodecode_user.user_id == int(u[0]),
143 _updates = filter(lambda u: self._rhodecode_user.user_id == int(u[0]),
144 form_result['perm_updates'])
144 form_result['perm_updates'])
145 _additions = filter(lambda u: self._rhodecode_user.user_id == int(u[0]),
145 _additions = filter(lambda u: self._rhodecode_user.user_id == int(u[0]),
146 form_result['perm_additions'])
146 form_result['perm_additions'])
147 _deletions = filter(lambda u: self._rhodecode_user.user_id == int(u[0]),
147 _deletions = filter(lambda u: self._rhodecode_user.user_id == int(u[0]),
148 form_result['perm_deletions'])
148 form_result['perm_deletions'])
149 admin_perm = 'usergroup.admin'
149 admin_perm = 'usergroup.admin'
150 if _updates and _updates[0][1] != admin_perm or \
150 if _updates and _updates[0][1] != admin_perm or \
151 _additions and _additions[0][1] != admin_perm or \
151 _additions and _additions[0][1] != admin_perm or \
152 _deletions and _deletions[0][1] != admin_perm:
152 _deletions and _deletions[0][1] != admin_perm:
153 return True
153 return True
154 return False
154 return False
155
155
156 @LoginRequired()
156 @LoginRequired()
157 @HasUserGroupPermissionAnyDecorator('usergroup.admin')
157 @HasUserGroupPermissionAnyDecorator('usergroup.admin')
158 @CSRFRequired()
158 @CSRFRequired()
159 @view_config(
159 @view_config(
160 route_name='user_groups_update', request_method='POST',
160 route_name='user_groups_update', request_method='POST',
161 renderer='rhodecode:templates/admin/user_groups/user_group_edit.mako')
161 renderer='rhodecode:templates/admin/user_groups/user_group_edit.mako')
162 def user_group_update(self):
162 def user_group_update(self):
163 _ = self.request.translate
163 _ = self.request.translate
164
164
165 user_group = self.db_user_group
165 user_group = self.db_user_group
166 user_group_id = user_group.users_group_id
166 user_group_id = user_group.users_group_id
167
167
168 c = self.load_default_context()
168 c = self.load_default_context()
169 c.user_group = user_group
169 c.user_group = user_group
170 c.group_members_obj = [x.user for x in c.user_group.members]
170 c.group_members_obj = [x.user for x in c.user_group.members]
171 c.group_members_obj.sort(key=lambda u: u.username.lower())
171 c.group_members_obj.sort(key=lambda u: u.username.lower())
172 c.group_members = [(x.user_id, x.username) for x in c.group_members_obj]
172 c.group_members = [(x.user_id, x.username) for x in c.group_members_obj]
173 c.active = 'settings'
173 c.active = 'settings'
174
174
175 users_group_form = UserGroupForm(
175 users_group_form = UserGroupForm(
176 edit=True, old_data=c.user_group.get_dict(), allow_disabled=True)()
176 edit=True, old_data=c.user_group.get_dict(), allow_disabled=True)()
177
177
178 old_values = c.user_group.get_api_data()
178 old_values = c.user_group.get_api_data()
179 user_group_name = self.request.POST.get('users_group_name')
179 user_group_name = self.request.POST.get('users_group_name')
180 try:
180 try:
181 form_result = users_group_form.to_python(self.request.POST)
181 form_result = users_group_form.to_python(self.request.POST)
182 pstruct = peppercorn.parse(self.request.POST.items())
182 pstruct = peppercorn.parse(self.request.POST.items())
183 form_result['users_group_members'] = pstruct['user_group_members']
183 form_result['users_group_members'] = pstruct['user_group_members']
184
184
185 user_group, added_members, removed_members = \
185 user_group, added_members, removed_members = \
186 UserGroupModel().update(c.user_group, form_result)
186 UserGroupModel().update(c.user_group, form_result)
187 updated_user_group = form_result['users_group_name']
187 updated_user_group = form_result['users_group_name']
188
188
189 for user_id in added_members:
190 user = User.get(user_id)
191 user_data = user.get_api_data()
192 audit_logger.store_web(
193 'user_group.edit.member.add',
194 action_data={'user': user_data, 'old_data': old_values},
195 user=self._rhodecode_user)
196
197 for user_id in removed_members:
198 user = User.get(user_id)
199 user_data = user.get_api_data()
200 audit_logger.store_web(
201 'user_group.edit.member.delete',
202 action_data={'user': user_data, 'old_data': old_values},
203 user=self._rhodecode_user)
204
189 audit_logger.store_web(
205 audit_logger.store_web(
190 'user_group.edit', action_data={'old_data': old_values},
206 'user_group.edit', action_data={'old_data': old_values},
191 user=self._rhodecode_user)
207 user=self._rhodecode_user)
192
208
193 # TODO(marcink): use added/removed to set user_group.edit.member.add
194
195 h.flash(_('Updated user group %s') % updated_user_group,
209 h.flash(_('Updated user group %s') % updated_user_group,
196 category='success')
210 category='success')
197 Session().commit()
211 Session().commit()
198 except formencode.Invalid as errors:
212 except formencode.Invalid as errors:
199 defaults = errors.value
213 defaults = errors.value
200 e = errors.error_dict or {}
214 e = errors.error_dict or {}
201
215
202 data = render(
216 data = render(
203 'rhodecode:templates/admin/user_groups/user_group_edit.mako',
217 'rhodecode:templates/admin/user_groups/user_group_edit.mako',
204 self._get_template_context(c), self.request)
218 self._get_template_context(c), self.request)
205 html = formencode.htmlfill.render(
219 html = formencode.htmlfill.render(
206 data,
220 data,
207 defaults=defaults,
221 defaults=defaults,
208 errors=e,
222 errors=e,
209 prefix_error=False,
223 prefix_error=False,
210 encoding="UTF-8",
224 encoding="UTF-8",
211 force_defaults=False
225 force_defaults=False
212 )
226 )
213 return Response(html)
227 return Response(html)
214
228
215 except Exception:
229 except Exception:
216 log.exception("Exception during update of user group")
230 log.exception("Exception during update of user group")
217 h.flash(_('Error occurred during update of user group %s')
231 h.flash(_('Error occurred during update of user group %s')
218 % user_group_name, category='error')
232 % user_group_name, category='error')
219
233
220 raise HTTPFound(
234 raise HTTPFound(
221 h.route_path('edit_user_group', user_group_id=user_group_id))
235 h.route_path('edit_user_group', user_group_id=user_group_id))
222
236
223 @LoginRequired()
237 @LoginRequired()
224 @HasUserGroupPermissionAnyDecorator('usergroup.admin')
238 @HasUserGroupPermissionAnyDecorator('usergroup.admin')
225 @CSRFRequired()
239 @CSRFRequired()
226 @view_config(
240 @view_config(
227 route_name='user_groups_delete', request_method='POST',
241 route_name='user_groups_delete', request_method='POST',
228 renderer='rhodecode:templates/admin/user_groups/user_group_edit.mako')
242 renderer='rhodecode:templates/admin/user_groups/user_group_edit.mako')
229 def user_group_delete(self):
243 def user_group_delete(self):
230 _ = self.request.translate
244 _ = self.request.translate
231 user_group = self.db_user_group
245 user_group = self.db_user_group
232
246
233 self.load_default_context()
247 self.load_default_context()
234 force = str2bool(self.request.POST.get('force'))
248 force = str2bool(self.request.POST.get('force'))
235
249
236 old_values = user_group.get_api_data()
250 old_values = user_group.get_api_data()
237 try:
251 try:
238 UserGroupModel().delete(user_group, force=force)
252 UserGroupModel().delete(user_group, force=force)
239 audit_logger.store_web(
253 audit_logger.store_web(
240 'user.delete', action_data={'old_data': old_values},
254 'user.delete', action_data={'old_data': old_values},
241 user=self._rhodecode_user)
255 user=self._rhodecode_user)
242 Session().commit()
256 Session().commit()
243 h.flash(_('Successfully deleted user group'), category='success')
257 h.flash(_('Successfully deleted user group'), category='success')
244 except UserGroupAssignedException as e:
258 except UserGroupAssignedException as e:
245 h.flash(str(e), category='error')
259 h.flash(str(e), category='error')
246 except Exception:
260 except Exception:
247 log.exception("Exception during deletion of user group")
261 log.exception("Exception during deletion of user group")
248 h.flash(_('An error occurred during deletion of user group'),
262 h.flash(_('An error occurred during deletion of user group'),
249 category='error')
263 category='error')
250 raise HTTPFound(h.route_path('user_groups'))
264 raise HTTPFound(h.route_path('user_groups'))
251
265
252 @LoginRequired()
266 @LoginRequired()
253 @HasUserGroupPermissionAnyDecorator('usergroup.admin')
267 @HasUserGroupPermissionAnyDecorator('usergroup.admin')
254 @view_config(
268 @view_config(
255 route_name='edit_user_group', request_method='GET',
269 route_name='edit_user_group', request_method='GET',
256 renderer='rhodecode:templates/admin/user_groups/user_group_edit.mako')
270 renderer='rhodecode:templates/admin/user_groups/user_group_edit.mako')
257 def user_group_edit(self):
271 def user_group_edit(self):
258 user_group = self.db_user_group
272 user_group = self.db_user_group
259
273
260 c = self.load_default_context()
274 c = self.load_default_context()
261 c.user_group = user_group
275 c.user_group = user_group
262 c.group_members_obj = [x.user for x in c.user_group.members]
276 c.group_members_obj = [x.user for x in c.user_group.members]
263 c.group_members_obj.sort(key=lambda u: u.username.lower())
277 c.group_members_obj.sort(key=lambda u: u.username.lower())
264 c.group_members = [(x.user_id, x.username) for x in c.group_members_obj]
278 c.group_members = [(x.user_id, x.username) for x in c.group_members_obj]
265
279
266 c.active = 'settings'
280 c.active = 'settings'
267
281
268 defaults = user_group.get_dict()
282 defaults = user_group.get_dict()
269 # fill owner
283 # fill owner
270 if user_group.user:
284 if user_group.user:
271 defaults.update({'user': user_group.user.username})
285 defaults.update({'user': user_group.user.username})
272 else:
286 else:
273 replacement_user = User.get_first_super_admin().username
287 replacement_user = User.get_first_super_admin().username
274 defaults.update({'user': replacement_user})
288 defaults.update({'user': replacement_user})
275
289
276 data = render(
290 data = render(
277 'rhodecode:templates/admin/user_groups/user_group_edit.mako',
291 'rhodecode:templates/admin/user_groups/user_group_edit.mako',
278 self._get_template_context(c), self.request)
292 self._get_template_context(c), self.request)
279 html = formencode.htmlfill.render(
293 html = formencode.htmlfill.render(
280 data,
294 data,
281 defaults=defaults,
295 defaults=defaults,
282 encoding="UTF-8",
296 encoding="UTF-8",
283 force_defaults=False
297 force_defaults=False
284 )
298 )
285 return Response(html)
299 return Response(html)
286
300
287 @LoginRequired()
301 @LoginRequired()
288 @HasUserGroupPermissionAnyDecorator('usergroup.admin')
302 @HasUserGroupPermissionAnyDecorator('usergroup.admin')
289 @view_config(
303 @view_config(
290 route_name='edit_user_group_perms', request_method='GET',
304 route_name='edit_user_group_perms', request_method='GET',
291 renderer='rhodecode:templates/admin/user_groups/user_group_edit.mako')
305 renderer='rhodecode:templates/admin/user_groups/user_group_edit.mako')
292 def user_group_edit_perms(self):
306 def user_group_edit_perms(self):
293 user_group = self.db_user_group
307 user_group = self.db_user_group
294 c = self.load_default_context()
308 c = self.load_default_context()
295 c.user_group = user_group
309 c.user_group = user_group
296 c.active = 'perms'
310 c.active = 'perms'
297
311
298 defaults = {}
312 defaults = {}
299 # fill user group users
313 # fill user group users
300 for p in c.user_group.user_user_group_to_perm:
314 for p in c.user_group.user_user_group_to_perm:
301 defaults.update({'u_perm_%s' % p.user.user_id:
315 defaults.update({'u_perm_%s' % p.user.user_id:
302 p.permission.permission_name})
316 p.permission.permission_name})
303
317
304 for p in c.user_group.user_group_user_group_to_perm:
318 for p in c.user_group.user_group_user_group_to_perm:
305 defaults.update({'g_perm_%s' % p.user_group.users_group_id:
319 defaults.update({'g_perm_%s' % p.user_group.users_group_id:
306 p.permission.permission_name})
320 p.permission.permission_name})
307
321
308 data = render(
322 data = render(
309 'rhodecode:templates/admin/user_groups/user_group_edit.mako',
323 'rhodecode:templates/admin/user_groups/user_group_edit.mako',
310 self._get_template_context(c), self.request)
324 self._get_template_context(c), self.request)
311 html = formencode.htmlfill.render(
325 html = formencode.htmlfill.render(
312 data,
326 data,
313 defaults=defaults,
327 defaults=defaults,
314 encoding="UTF-8",
328 encoding="UTF-8",
315 force_defaults=False
329 force_defaults=False
316 )
330 )
317 return Response(html)
331 return Response(html)
318
332
319 @LoginRequired()
333 @LoginRequired()
320 @HasUserGroupPermissionAnyDecorator('usergroup.admin')
334 @HasUserGroupPermissionAnyDecorator('usergroup.admin')
321 @CSRFRequired()
335 @CSRFRequired()
322 @view_config(
336 @view_config(
323 route_name='edit_user_group_perms_update', request_method='POST',
337 route_name='edit_user_group_perms_update', request_method='POST',
324 renderer='rhodecode:templates/admin/user_groups/user_group_edit.mako')
338 renderer='rhodecode:templates/admin/user_groups/user_group_edit.mako')
325 def user_group_update_perms(self):
339 def user_group_update_perms(self):
326 """
340 """
327 grant permission for given user group
341 grant permission for given user group
328 """
342 """
329 _ = self.request.translate
343 _ = self.request.translate
330
344
331 user_group = self.db_user_group
345 user_group = self.db_user_group
332 user_group_id = user_group.users_group_id
346 user_group_id = user_group.users_group_id
333 c = self.load_default_context()
347 c = self.load_default_context()
334 c.user_group = user_group
348 c.user_group = user_group
335 form = UserGroupPermsForm()().to_python(self.request.POST)
349 form = UserGroupPermsForm()().to_python(self.request.POST)
336
350
337 if not self._rhodecode_user.is_admin:
351 if not self._rhodecode_user.is_admin:
338 if self._revoke_perms_on_yourself(form):
352 if self._revoke_perms_on_yourself(form):
339 msg = _('Cannot change permission for yourself as admin')
353 msg = _('Cannot change permission for yourself as admin')
340 h.flash(msg, category='warning')
354 h.flash(msg, category='warning')
341 raise HTTPFound(
355 raise HTTPFound(
342 h.route_path('edit_user_group_perms',
356 h.route_path('edit_user_group_perms',
343 user_group_id=user_group_id))
357 user_group_id=user_group_id))
344
358
345 try:
359 try:
346 changes = UserGroupModel().update_permissions(
360 changes = UserGroupModel().update_permissions(
347 user_group_id,
361 user_group_id,
348 form['perm_additions'], form['perm_updates'],
362 form['perm_additions'], form['perm_updates'],
349 form['perm_deletions'])
363 form['perm_deletions'])
350
364
351 except RepoGroupAssignmentError:
365 except RepoGroupAssignmentError:
352 h.flash(_('Target group cannot be the same'), category='error')
366 h.flash(_('Target group cannot be the same'), category='error')
353 raise HTTPFound(
367 raise HTTPFound(
354 h.route_path('edit_user_group_perms',
368 h.route_path('edit_user_group_perms',
355 user_group_id=user_group_id))
369 user_group_id=user_group_id))
356
370
357 action_data = {
371 action_data = {
358 'added': changes['added'],
372 'added': changes['added'],
359 'updated': changes['updated'],
373 'updated': changes['updated'],
360 'deleted': changes['deleted'],
374 'deleted': changes['deleted'],
361 }
375 }
362 audit_logger.store_web(
376 audit_logger.store_web(
363 'user_group.edit.permissions', action_data=action_data,
377 'user_group.edit.permissions', action_data=action_data,
364 user=self._rhodecode_user)
378 user=self._rhodecode_user)
365
379
366 Session().commit()
380 Session().commit()
367 h.flash(_('User Group permissions updated'), category='success')
381 h.flash(_('User Group permissions updated'), category='success')
368 raise HTTPFound(
382 raise HTTPFound(
369 h.route_path('edit_user_group_perms', user_group_id=user_group_id))
383 h.route_path('edit_user_group_perms', user_group_id=user_group_id))
370
384
371 @LoginRequired()
385 @LoginRequired()
372 @HasUserGroupPermissionAnyDecorator('usergroup.admin')
386 @HasUserGroupPermissionAnyDecorator('usergroup.admin')
373 @view_config(
387 @view_config(
374 route_name='edit_user_group_global_perms', request_method='GET',
388 route_name='edit_user_group_global_perms', request_method='GET',
375 renderer='rhodecode:templates/admin/user_groups/user_group_edit.mako')
389 renderer='rhodecode:templates/admin/user_groups/user_group_edit.mako')
376 def user_group_global_perms_edit(self):
390 def user_group_global_perms_edit(self):
377 user_group = self.db_user_group
391 user_group = self.db_user_group
378 c = self.load_default_context()
392 c = self.load_default_context()
379 c.user_group = user_group
393 c.user_group = user_group
380 c.active = 'global_perms'
394 c.active = 'global_perms'
381
395
382 c.default_user = User.get_default_user()
396 c.default_user = User.get_default_user()
383 defaults = c.user_group.get_dict()
397 defaults = c.user_group.get_dict()
384 defaults.update(c.default_user.get_default_perms(suffix='_inherited'))
398 defaults.update(c.default_user.get_default_perms(suffix='_inherited'))
385 defaults.update(c.user_group.get_default_perms())
399 defaults.update(c.user_group.get_default_perms())
386
400
387 data = render(
401 data = render(
388 'rhodecode:templates/admin/user_groups/user_group_edit.mako',
402 'rhodecode:templates/admin/user_groups/user_group_edit.mako',
389 self._get_template_context(c), self.request)
403 self._get_template_context(c), self.request)
390 html = formencode.htmlfill.render(
404 html = formencode.htmlfill.render(
391 data,
405 data,
392 defaults=defaults,
406 defaults=defaults,
393 encoding="UTF-8",
407 encoding="UTF-8",
394 force_defaults=False
408 force_defaults=False
395 )
409 )
396 return Response(html)
410 return Response(html)
397
411
398 @LoginRequired()
412 @LoginRequired()
399 @HasUserGroupPermissionAnyDecorator('usergroup.admin')
413 @HasUserGroupPermissionAnyDecorator('usergroup.admin')
400 @CSRFRequired()
414 @CSRFRequired()
401 @view_config(
415 @view_config(
402 route_name='edit_user_group_global_perms_update', request_method='POST',
416 route_name='edit_user_group_global_perms_update', request_method='POST',
403 renderer='rhodecode:templates/admin/user_groups/user_group_edit.mako')
417 renderer='rhodecode:templates/admin/user_groups/user_group_edit.mako')
404 def user_group_global_perms_update(self):
418 def user_group_global_perms_update(self):
405 _ = self.request.translate
419 _ = self.request.translate
406 user_group = self.db_user_group
420 user_group = self.db_user_group
407 user_group_id = self.db_user_group.users_group_id
421 user_group_id = self.db_user_group.users_group_id
408
422
409 c = self.load_default_context()
423 c = self.load_default_context()
410 c.user_group = user_group
424 c.user_group = user_group
411 c.active = 'global_perms'
425 c.active = 'global_perms'
412
426
413 try:
427 try:
414 # first stage that verifies the checkbox
428 # first stage that verifies the checkbox
415 _form = UserIndividualPermissionsForm()
429 _form = UserIndividualPermissionsForm()
416 form_result = _form.to_python(dict(self.request.POST))
430 form_result = _form.to_python(dict(self.request.POST))
417 inherit_perms = form_result['inherit_default_permissions']
431 inherit_perms = form_result['inherit_default_permissions']
418 user_group.inherit_default_permissions = inherit_perms
432 user_group.inherit_default_permissions = inherit_perms
419 Session().add(user_group)
433 Session().add(user_group)
420
434
421 if not inherit_perms:
435 if not inherit_perms:
422 # only update the individual ones if we un check the flag
436 # only update the individual ones if we un check the flag
423 _form = UserPermissionsForm(
437 _form = UserPermissionsForm(
424 [x[0] for x in c.repo_create_choices],
438 [x[0] for x in c.repo_create_choices],
425 [x[0] for x in c.repo_create_on_write_choices],
439 [x[0] for x in c.repo_create_on_write_choices],
426 [x[0] for x in c.repo_group_create_choices],
440 [x[0] for x in c.repo_group_create_choices],
427 [x[0] for x in c.user_group_create_choices],
441 [x[0] for x in c.user_group_create_choices],
428 [x[0] for x in c.fork_choices],
442 [x[0] for x in c.fork_choices],
429 [x[0] for x in c.inherit_default_permission_choices])()
443 [x[0] for x in c.inherit_default_permission_choices])()
430
444
431 form_result = _form.to_python(dict(self.request.POST))
445 form_result = _form.to_python(dict(self.request.POST))
432 form_result.update(
446 form_result.update(
433 {'perm_user_group_id': user_group.users_group_id})
447 {'perm_user_group_id': user_group.users_group_id})
434
448
435 PermissionModel().update_user_group_permissions(form_result)
449 PermissionModel().update_user_group_permissions(form_result)
436
450
437 Session().commit()
451 Session().commit()
438 h.flash(_('User Group global permissions updated successfully'),
452 h.flash(_('User Group global permissions updated successfully'),
439 category='success')
453 category='success')
440
454
441 except formencode.Invalid as errors:
455 except formencode.Invalid as errors:
442 defaults = errors.value
456 defaults = errors.value
443
457
444 data = render(
458 data = render(
445 'rhodecode:templates/admin/user_groups/user_group_edit.mako',
459 'rhodecode:templates/admin/user_groups/user_group_edit.mako',
446 self._get_template_context(c), self.request)
460 self._get_template_context(c), self.request)
447 html = formencode.htmlfill.render(
461 html = formencode.htmlfill.render(
448 data,
462 data,
449 defaults=defaults,
463 defaults=defaults,
450 errors=errors.error_dict or {},
464 errors=errors.error_dict or {},
451 prefix_error=False,
465 prefix_error=False,
452 encoding="UTF-8",
466 encoding="UTF-8",
453 force_defaults=False
467 force_defaults=False
454 )
468 )
455 return Response(html)
469 return Response(html)
456 except Exception:
470 except Exception:
457 log.exception("Exception during permissions saving")
471 log.exception("Exception during permissions saving")
458 h.flash(_('An error occurred during permissions saving'),
472 h.flash(_('An error occurred during permissions saving'),
459 category='error')
473 category='error')
460
474
461 raise HTTPFound(
475 raise HTTPFound(
462 h.route_path('edit_user_group_global_perms',
476 h.route_path('edit_user_group_global_perms',
463 user_group_id=user_group_id))
477 user_group_id=user_group_id))
464
478
465 @LoginRequired()
479 @LoginRequired()
466 @HasUserGroupPermissionAnyDecorator('usergroup.admin')
480 @HasUserGroupPermissionAnyDecorator('usergroup.admin')
467 @view_config(
481 @view_config(
468 route_name='edit_user_group_advanced', request_method='GET',
482 route_name='edit_user_group_advanced', request_method='GET',
469 renderer='rhodecode:templates/admin/user_groups/user_group_edit.mako')
483 renderer='rhodecode:templates/admin/user_groups/user_group_edit.mako')
470 def user_group_edit_advanced(self):
484 def user_group_edit_advanced(self):
471 user_group = self.db_user_group
485 user_group = self.db_user_group
472
486
473 c = self.load_default_context()
487 c = self.load_default_context()
474 c.user_group = user_group
488 c.user_group = user_group
475 c.active = 'advanced'
489 c.active = 'advanced'
476 c.group_members_obj = sorted(
490 c.group_members_obj = sorted(
477 (x.user for x in c.user_group.members),
491 (x.user for x in c.user_group.members),
478 key=lambda u: u.username.lower())
492 key=lambda u: u.username.lower())
479
493
480 c.group_to_repos = sorted(
494 c.group_to_repos = sorted(
481 (x.repository for x in c.user_group.users_group_repo_to_perm),
495 (x.repository for x in c.user_group.users_group_repo_to_perm),
482 key=lambda u: u.repo_name.lower())
496 key=lambda u: u.repo_name.lower())
483
497
484 c.group_to_repo_groups = sorted(
498 c.group_to_repo_groups = sorted(
485 (x.group for x in c.user_group.users_group_repo_group_to_perm),
499 (x.group for x in c.user_group.users_group_repo_group_to_perm),
486 key=lambda u: u.group_name.lower())
500 key=lambda u: u.group_name.lower())
487
501
488 c.group_to_review_rules = sorted(
502 c.group_to_review_rules = sorted(
489 (x.users_group for x in c.user_group.user_group_review_rules),
503 (x.users_group for x in c.user_group.user_group_review_rules),
490 key=lambda u: u.users_group_name.lower())
504 key=lambda u: u.users_group_name.lower())
491
505
492 return self._get_template_context(c)
506 return self._get_template_context(c)
493
507
494 @LoginRequired()
508 @LoginRequired()
495 @HasUserGroupPermissionAnyDecorator('usergroup.admin')
509 @HasUserGroupPermissionAnyDecorator('usergroup.admin')
496 @CSRFRequired()
510 @CSRFRequired()
497 @view_config(
511 @view_config(
498 route_name='edit_user_group_advanced_sync', request_method='POST',
512 route_name='edit_user_group_advanced_sync', request_method='POST',
499 renderer='rhodecode:templates/admin/user_groups/user_group_edit.mako')
513 renderer='rhodecode:templates/admin/user_groups/user_group_edit.mako')
500 def user_group_edit_advanced_set_synchronization(self):
514 def user_group_edit_advanced_set_synchronization(self):
501 _ = self.request.translate
515 _ = self.request.translate
502 user_group = self.db_user_group
516 user_group = self.db_user_group
503 user_group_id = user_group.users_group_id
517 user_group_id = user_group.users_group_id
504
518
505 existing = user_group.group_data.get('extern_type')
519 existing = user_group.group_data.get('extern_type')
506
520
507 if existing:
521 if existing:
508 new_state = user_group.group_data
522 new_state = user_group.group_data
509 new_state['extern_type'] = None
523 new_state['extern_type'] = None
510 else:
524 else:
511 new_state = user_group.group_data
525 new_state = user_group.group_data
512 new_state['extern_type'] = 'manual'
526 new_state['extern_type'] = 'manual'
513 new_state['extern_type_set_by'] = self._rhodecode_user.username
527 new_state['extern_type_set_by'] = self._rhodecode_user.username
514
528
515 try:
529 try:
516 user_group.group_data = new_state
530 user_group.group_data = new_state
517 Session().add(user_group)
531 Session().add(user_group)
518 Session().commit()
532 Session().commit()
519
533
520 h.flash(_('User Group synchronization updated successfully'),
534 h.flash(_('User Group synchronization updated successfully'),
521 category='success')
535 category='success')
522 except Exception:
536 except Exception:
523 log.exception("Exception during sync settings saving")
537 log.exception("Exception during sync settings saving")
524 h.flash(_('An error occurred during synchronization update'),
538 h.flash(_('An error occurred during synchronization update'),
525 category='error')
539 category='error')
526
540
527 raise HTTPFound(
541 raise HTTPFound(
528 h.route_path('edit_user_group_advanced',
542 h.route_path('edit_user_group_advanced',
529 user_group_id=user_group_id))
543 user_group_id=user_group_id))