rhodecode-enterprise-ce Commit - r2660:499461c1

api: enable setting sync flag for user groups on create/edit.

marcink -

r2660:499461c1 default

parent child

The requested changes are too big and content was truncated. Show full diff

rhodecode/api/tests/test_update_user_group.py

0 +18 -3

             # -*- coding: utf-8 -*-
             # Copyright (C) 2010-2018 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import mock
             import pytest
             from rhodecode.model.user import UserModel
             from rhodecode.model.user_group import UserGroupModel
             from rhodecode.tests import TEST_USER_ADMIN_EMAIL
             from rhodecode.api.tests.utils import (
                 build_data, api_call, assert_error, assert_ok, crash, jsonify)
             @pytest.mark.usefixtures("testuser_api", "app")
             class TestUpdateUserGroup(object):
                 @pytest.mark.parametrize("changing_attr, updates", [
                     ('group_name', {'group_name': 'new_group_name'}),
                     ('group_name', {'group_name': 'test_group_for_update'}),
                     # ('owner', {'owner': TEST_USER_REGULAR_LOGIN}),
                     ('owner_email', {'owner_email': TEST_USER_ADMIN_EMAIL}),
                     ('active', {'active': False}),
-                    ('active', {'active': True})
+                    ('active', {'active': True}),
+                    ('sync', {'sync': False}),
+                    ('sync', {'sync': True})
                 ])
                 def test_api_update_user_group(self, changing_attr, updates, user_util):
                     user_group = user_util.create_user_group()
                     group_name = user_group.users_group_name
                     expected_api_data = user_group.get_api_data()
                     expected_api_data.update(updates)
                     id_, params = build_data(
                         self.apikey, 'update_user_group', usergroupid=group_name,
                         **updates)
                     response = api_call(self.app, params)
+                    # special case for sync
+                    if changing_attr == 'sync' and updates['sync'] is False:
+                        expected_api_data['sync'] = None
+                    elif changing_attr == 'sync' and updates['sync'] is True:
+                        expected_api_data['sync'] = 'manual_api'
                     expected = {
                         'msg': 'updated user group ID:%s %s' % (
                             user_group.users_group_id, user_group.users_group_name),
                         'user_group': jsonify(expected_api_data)
                     }
                     assert_ok(id_, expected, given=response.body)
                 @pytest.mark.parametrize("changing_attr, updates", [
                     # TODO: mikhail: decide if we need to test against the commented params
                     # ('group_name', {'group_name': 'new_group_name'}),
                     # ('group_name', {'group_name': 'test_group_for_update'}),
                     # ('owner', {'owner': TEST_USER_REGULAR_LOGIN}),
                     ('owner_email', {'owner_email': TEST_USER_ADMIN_EMAIL}),
                     ('active', {'active': False}),
-                    ('active', {'active': True})
+                    ('active', {'active': True}),
+                    ('sync', {'sync': False}),
+                    ('sync', {'sync': True})
                 ])
                 def test_api_update_user_group_regular_user(
                         self, changing_attr, updates, user_util):
                     user_group = user_util.create_user_group()
                     group_name = user_group.users_group_name
                     expected_api_data = user_group.get_api_data()
                     expected_api_data.update(updates)
                     # grant permission to this user
                     user = UserModel().get_by_username(self.TEST_USER_LOGIN)
                     user_util.grant_user_permission_to_user_group(
                         user_group, user, 'usergroup.admin')
                     id_, params = build_data(
                         self.apikey_regular, 'update_user_group',
                         usergroupid=group_name, **updates)
                     response = api_call(self.app, params)
+                    # special case for sync
+                    if changing_attr == 'sync' and updates['sync'] is False:
+                        expected_api_data['sync'] = None
+                    elif changing_attr == 'sync' and updates['sync'] is True:
+                        expected_api_data['sync'] = 'manual_api'
                     expected = {
                         'msg': 'updated user group ID:%s %s' % (
                             user_group.users_group_id, user_group.users_group_name),
                         'user_group': jsonify(expected_api_data)
                     }
                     assert_ok(id_, expected, given=response.body)
                 def test_api_update_user_group_regular_user_no_permission(self, user_util):
                     user_group = user_util.create_user_group()
                     group_name = user_group.users_group_name
                     id_, params = build_data(
                         self.apikey_regular, 'update_user_group', usergroupid=group_name)
                     response = api_call(self.app, params)
                     expected = 'user group `%s` does not exist' % (group_name)
                     assert_error(id_, expected, given=response.body)
                 @mock.patch.object(UserGroupModel, 'update', crash)
                 def test_api_update_user_group_exception_occurred(self, user_util):
                     user_group = user_util.create_user_group()
                     group_name = user_group.users_group_name
                     id_, params = build_data(
                         self.apikey, 'update_user_group', usergroupid=group_name)
                     response = api_call(self.app, params)
                     expected = 'failed to update user group `%s`' % (group_name,)
                     assert_error(id_, expected, given=response.body)

rhodecode/api/views/user_group_api.py

0 +33 -4

             # -*- coding: utf-8 -*-
             # Copyright (C) 2011-2018 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import logging
             from rhodecode.api import (
                 jsonrpc_method, JSONRPCError, JSONRPCForbidden, JSONRPCValidationError)
             from rhodecode.api.utils import (
                 Optional, OAttr, store_update, has_superadmin_permission, get_origin,
                 get_user_or_error, get_user_group_or_error, get_perm_or_error)
             from rhodecode.lib import audit_logger
             from rhodecode.lib.auth import HasUserGroupPermissionAnyApi, HasPermissionAnyApi
             from rhodecode.lib.exceptions import UserGroupAssignedException
             from rhodecode.model.db import Session
             from rhodecode.model.scm import UserGroupList
             from rhodecode.model.user_group import UserGroupModel
             from rhodecode.model import validation_schema
             from rhodecode.model.validation_schema.schemas import user_group_schema
             log = logging.getLogger(__name__)
             @jsonrpc_method()
             def get_user_group(request, apiuser, usergroupid):
                 """
                 Returns the data of an existing user group.
                 This command can only be run using an |authtoken| with admin rights to
                 the specified repository.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param usergroupid: Set the user group from which to return data.
                 :type usergroupid: str or int
                 Example error output:
                 .. code-block:: bash
                     {
                       "error": null,
                       "id": <id>,
                       "result": {
                         "active": true,
                         "group_description": "group description",
                         "group_name": "group name",
                         "permissions": [
                           {
                             "name": "owner-name",
                             "origin": "owner",
                             "permission": "usergroup.admin",
                             "type": "user"
                           },
                           {
                           {
                             "name": "user name",
                             "origin": "permission",
                             "permission": "usergroup.admin",
                             "type": "user"
                           },
                           {
                             "name": "user group name",
                             "origin": "permission",
                             "permission": "usergroup.write",
                             "type": "user_group"
                           }
                         ],
                         "permissions_summary": {
                           "repositories": {
                             "aa-root-level-repo-1": "repository.admin"
                           },
                           "repositories_groups": {}
                         },
                         "owner": "owner name",
                         "users": [],
                         "users_group_id": 2
                       }
                     }
                 """
                 user_group = get_user_group_or_error(usergroupid)
                 if not has_superadmin_permission(apiuser):
                     # check if we have at least read permission for this user group !
                     _perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin',)
                     if not HasUserGroupPermissionAnyApi(*_perms)(
                             user=apiuser, user_group_name=user_group.users_group_name):
                         raise JSONRPCError('user group `%s` does not exist' % (
                             usergroupid,))
                 permissions = []
                 for _user in user_group.permissions():
                     user_data = {
                         'name': _user.username,
                         'permission': _user.permission,
                         'origin': get_origin(_user),
                         'type': "user",
                     }
                     permissions.append(user_data)
                 for _user_group in user_group.permission_user_groups():
                     user_group_data = {
                         'name': _user_group.users_group_name,
                         'permission': _user_group.permission,
                         'origin': get_origin(_user_group),
                         'type': "user_group",
                     }
                     permissions.append(user_group_data)
                 data = user_group.get_api_data()
                 data["permissions"] = permissions
                 data["permissions_summary"] = UserGroupModel().get_perms_summary(
                     user_group.users_group_id)
                 return data
             @jsonrpc_method()
             def get_user_groups(request, apiuser):
                 """
                 Lists all the existing user groups within RhodeCode.
                 This command can only be run using an |authtoken| with admin rights to
                 the specified repository.
                 This command takes the following options:
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 Example error output:
                 .. code-block:: bash
                     id : <id_given_in_input>
                     result : [<user_group_obj>,...]
                     error : null
                 """
                 include_secrets = has_superadmin_permission(apiuser)
                 result = []
                 _perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin',)
                 extras = {'user': apiuser}
                 for user_group in UserGroupList(UserGroupModel().get_all(),
                                                 perm_set=_perms, extra_kwargs=extras):
                     result.append(
                         user_group.get_api_data(include_secrets=include_secrets))
                 return result
             @jsonrpc_method()
             def create_user_group(
                     request, apiuser, group_name, description=Optional(''),
-                    owner=Optional(OAttr('apiuser')), active=Optional(True)):
+                    owner=Optional(OAttr('apiuser')), active=Optional(True),
+                    sync=Optional(None)):
                 """
                 Creates a new user group.
                 This command can only be run using an |authtoken| with admin rights to
                 the specified repository.
                 This command takes the following options:
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param group_name: Set the name of the new user group.
                 :type group_name: str
                 :param description: Give a description of the new user group.
                 :type description: str
                 :param owner: Set the owner of the new user group.
                     If not set, the owner is the |authtoken| user.
                 :type owner: Optional(str or int)
                 :param active: Set this group as active.
                 :type active: Optional(``True`` | ``False``)
+                :param sync: Set enabled or disabled the automatically sync from
+                    external authentication types like ldap.
+                :type sync: Optional(``True`` | ``False``)
                 Example output:
                 .. code-block:: bash
                     id : <id_given_in_input>
                     result: {
                               "msg": "created new user group `<groupname>`",
                               "user_group": <user_group_object>
                             }
                     error:  null
                 Example error output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : null
                   error :  {
                     "user group `<group name>` already exist"
                     or
                     "failed to create group `<group name>`"
                   }
                 """
                 if not has_superadmin_permission(apiuser):
                     if not HasPermissionAnyApi('hg.usergroup.create.true')(user=apiuser):
                         raise JSONRPCForbidden()
                 if UserGroupModel().get_by_name(group_name):
                     raise JSONRPCError("user group `%s` already exist" % (group_name,))
                 if isinstance(owner, Optional):
                     owner = apiuser.user_id
                 owner = get_user_or_error(owner)
                 active = Optional.extract(active)
                 description = Optional.extract(description)
+                sync = Optional.extract(sync)
+                # set the sync option based on group_data
+                group_data = None
+                if sync:
+                    group_data = {
+                        'extern_type': 'manual_api',
+                        'extern_type_set_by': apiuser.username
+                    }
                 schema = user_group_schema.UserGroupSchema().bind(
                     # user caller
                     user=apiuser)
                 try:
                     schema_data = schema.deserialize(dict(
                         user_group_name=group_name,
                         user_group_description=description,
                         user_group_owner=owner.username,
                         user_group_active=active,
                         ))
                 except validation_schema.Invalid as err:
                     raise JSONRPCValidationError(colander_exc=err)
                 try:
                     user_group = UserGroupModel().create(
                         name=schema_data['user_group_name'],
                         description=schema_data['user_group_description'],
                         owner=owner,
-                        active=schema_data['user_group_active'])
+                        active=schema_data['user_group_active'], group_data=group_data)
                     Session().flush()
                     creation_data = user_group.get_api_data()
                     audit_logger.store_api(
                         'user_group.create', action_data={'data': creation_data},
                         user=apiuser)
                     Session().commit()
                     return {
                         'msg': 'created new user group `%s`' % group_name,
                         'user_group': creation_data
                     }
                 except Exception:
                     log.exception("Error occurred during creation of user group")
                     raise JSONRPCError('failed to create group `%s`' % (group_name,))
             @jsonrpc_method()
             def update_user_group(request, apiuser, usergroupid, group_name=Optional(''),
                                   description=Optional(''), owner=Optional(None),
-                                  active=Optional(True)):
+                                  active=Optional(True), sync=Optional(None)):
                 """
                 Updates the specified `user group` with the details provided.
                 This command can only be run using an |authtoken| with admin rights to
                 the specified repository.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param usergroupid: Set the id of the `user group` to update.
                 :type usergroupid: str or int
                 :param group_name: Set the new name the `user group`
                 :type group_name: str
                 :param description: Give a description for the `user group`
                 :type description: str
                 :param owner: Set the owner of the `user group`.
                 :type owner: Optional(str or int)
                 :param active: Set the group as active.
                 :type active: Optional(``True`` | ``False``)
+                :param sync: Set enabled or disabled the automatically sync from
+                    external authentication types like ldap.
+                :type sync: Optional(``True`` | ``False``)
                 Example output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : {
                     "msg": 'updated user group ID:<user group id> <user group name>',
                     "user_group": <user_group_object>
                   }
                   error :  null
                 Example error output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : null
                   error :  {
                     "failed to update user group `<user group name>`"
                   }
                 """
                 user_group = get_user_group_or_error(usergroupid)
                 include_secrets = False
                 if not has_superadmin_permission(apiuser):
                     # check if we have admin permission for this user group !
                     _perms = ('usergroup.admin',)
                     if not HasUserGroupPermissionAnyApi(*_perms)(
                             user=apiuser, user_group_name=user_group.users_group_name):
                         raise JSONRPCError(
                             'user group `%s` does not exist' % (usergroupid,))
                 else:
                     include_secrets = True
                 if not isinstance(owner, Optional):
                     owner = get_user_or_error(owner)
                 old_data = user_group.get_api_data()
                 updates = {}
                 store_update(updates, group_name, 'users_group_name')
                 store_update(updates, description, 'user_group_description')
                 store_update(updates, owner, 'user')
                 store_update(updates, active, 'users_group_active')
+                sync = Optional.extract(sync)
+                group_data = None
+                if sync is True:
+                    group_data = {
+                        'extern_type': 'manual_api',
+                        'extern_type_set_by': apiuser.username
+                    }
+                if sync is False:
+                    group_data = user_group.group_data
+                    if group_data and "extern_type" in group_data:
+                        del group_data["extern_type"]
                 try:
-                    UserGroupModel().update(user_group, updates)
+                    UserGroupModel().update(user_group, updates, group_data=group_data)
                     audit_logger.store_api(
                         'user_group.edit', action_data={'old_data': old_data},
                         user=apiuser)
                     Session().commit()
                     return {
                         'msg': 'updated user group ID:%s %s' % (
                             user_group.users_group_id, user_group.users_group_name),
                         'user_group': user_group.get_api_data(
                             include_secrets=include_secrets)
                     }
                 except Exception:
                     log.exception("Error occurred during update of user group")
                     raise JSONRPCError(
                         'failed to update user group `%s`' % (usergroupid,))
             @jsonrpc_method()
             def delete_user_group(request, apiuser, usergroupid):
                 """
                 Deletes the specified `user group`.
                 This command can only be run using an |authtoken| with admin rights to
                 the specified repository.
                 This command takes the following options:
                 :param apiuser: filled automatically from apikey
                 :type apiuser: AuthUser
                 :param usergroupid:
                 :type usergroupid: int
                 Example output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : {
                     "msg": "deleted user group ID:<user_group_id> <user_group_name>"
                   }
                   error :  null
                 Example error output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : null
                   error :  {
                     "failed to delete user group ID:<user_group_id> <user_group_name>"
                     or
                     "RepoGroup assigned to <repo_groups_list>"
                   }
                 """
                 user_group = get_user_group_or_error(usergroupid)
                 if not has_superadmin_permission(apiuser):
                     # check if we have admin permission for this user group !
                     _perms = ('usergroup.admin',)
                     if not HasUserGroupPermissionAnyApi(*_perms)(
                             user=apiuser, user_group_name=user_group.users_group_name):
                         raise JSONRPCError(
                             'user group `%s` does not exist' % (usergroupid,))
                 old_data = user_group.get_api_data()
                 try:
                     UserGroupModel().delete(user_group)
                     audit_logger.store_api(
                         'user_group.delete', action_data={'old_data': old_data},
                         user=apiuser)
                     Session().commit()
                     return {
                         'msg': 'deleted user group ID:%s %s' % (
                             user_group.users_group_id, user_group.users_group_name),
                         'user_group': None
                     }
                 except UserGroupAssignedException as e:
                     log.exception("UserGroupAssigned error")
                     raise JSONRPCError(str(e))
                 except Exception:
                     log.exception("Error occurred during deletion of user group")
                     raise JSONRPCError(
                         'failed to delete user group ID:%s %s' %(
                             user_group.users_group_id, user_group.users_group_name))
             @jsonrpc_method()
             def add_user_to_user_group(request, apiuser, usergroupid, userid):
                 """
                 Adds a user to a `user group`. If the user already exists in the group
                 this command will return false.
                 This command can only be run using an |authtoken| with admin rights to
                 the specified user group.
                 This command takes the following options:
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param usergroupid: Set the name of the `user group` to which a
                     user will be added.
                 :type usergroupid: int
                 :param userid: Set the `user_id` of the user to add to the group.
                 :type userid: int
                 Example output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : {
                       "success": True|False # depends on if member is in group
                       "msg": "added member `<username>` to user group `<groupname>` |
                               User is already in that group"
                   }
                   error :  null
                 Example error output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : null
                   error :  {
                     "failed to add member to user group `<user_group_name>`"
                   }
                 """
                 user = get_user_or_error(userid)
                 user_group = get_user_group_or_error(usergroupid)
                 if not has_superadmin_permission(apiuser):
                     # check if we have admin permission for this user group !
                     _perms = ('usergroup.admin',)
                     if not HasUserGroupPermissionAnyApi(*_perms)(
                             user=apiuser, user_group_name=user_group.users_group_name):
                         raise JSONRPCError('user group `%s` does not exist' % (
                             usergroupid,))
                 old_values = user_group.get_api_data()
                 try:
                     ugm = UserGroupModel().add_user_to_group(user_group, user)
                     success = True if ugm is not True else False
                     msg = 'added member `%s` to user group `%s`' % (
                         user.username, user_group.users_group_name
                     )
                     msg = msg if success else 'User is already in that group'
                     if success:
                         user_data = user.get_api_data()
                         audit_logger.store_api(
                             'user_group.edit.member.add',
                             action_data={'user': user_data, 'old_data': old_values},
                             user=apiuser)
                     Session().commit()
                     return {
                         'success': success,
                         'msg': msg
                     }
                 except Exception:
                     log.exception("Error occurred during adding a member to user group")
                     raise JSONRPCError(
                         'failed to add member to user group `%s`' % (
                             user_group.users_group_name,
                         )
                     )
             @jsonrpc_method()
             def remove_user_from_user_group(request, apiuser, usergroupid, userid):
                 """
                 Removes a user from a user group.
                 * If the specified user is not in the group, this command will return
                   `false`.
                 This command can only be run using an |authtoken| with admin rights to
                 the specified user group.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param usergroupid: Sets the user group name.
                 :type usergroupid: str or int
                 :param userid: The user you wish to remove from |RCE|.
                 :type userid: str or int
                 Example output:
                 .. code-block:: bash
                     id : <id_given_in_input>
                     result: {
                               "success":  True|False,  # depends on if member is in group
                               "msg": "removed member <username> from user group <groupname> |
                                       User wasn't in group"
                             }
                     error:  null
                 """
                 user = get_user_or_error(userid)
                 user_group = get_user_group_or_error(usergroupid)
                 if not has_superadmin_permission(apiuser):
                     # check if we have admin permission for this user group !
                     _perms = ('usergroup.admin',)
                     if not HasUserGroupPermissionAnyApi(*_perms)(
                             user=apiuser, user_group_name=user_group.users_group_name):
                         raise JSONRPCError(
                             'user group `%s` does not exist' % (usergroupid,))
                 old_values = user_group.get_api_data()
                 try:
                     success = UserGroupModel().remove_user_from_group(user_group, user)
                     msg = 'removed member `%s` from user group `%s`' % (
                         user.username, user_group.users_group_name
                     )
                     msg = msg if success else "User wasn't in group"
                     if success:
                         user_data = user.get_api_data()
                         audit_logger.store_api(
                             'user_group.edit.member.delete',
                             action_data={'user': user_data, 'old_data': old_values},
                             user=apiuser)
                     Session().commit()
                     return {'success': success, 'msg': msg}
                 except Exception:
                     log.exception("Error occurred during removing an member from user group")
                     raise JSONRPCError(
                         'failed to remove member from user group `%s`' % (
                             user_group.users_group_name,
                         )
                     )
             @jsonrpc_method()
             def grant_user_permission_to_user_group(
                     request, apiuser, usergroupid, userid, perm):
                 """
                 Set permissions for a user in a user group.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param usergroupid: Set the user group to edit permissions on.
                 :type usergroupid: str or int
                 :param userid: Set the user from whom you wish to set permissions.
                 :type userid: str
                 :param perm: (usergroup.(none|read|write|admin))
                 :type perm: str
                 Example output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : {
                     "msg": "Granted perm: `<perm_name>` for user: `<username>` in user group: `<user_group_name>`",
                     "success": true
                   }
                   error :  null
                 """
                 user_group = get_user_group_or_error(usergroupid)
                 if not has_superadmin_permission(apiuser):
                     # check if we have admin permission for this user group !
                     _perms = ('usergroup.admin',)
                     if not HasUserGroupPermissionAnyApi(*_perms)(
                             user=apiuser, user_group_name=user_group.users_group_name):
                         raise JSONRPCError(
                             'user group `%s` does not exist' % (usergroupid,))
                 user = get_user_or_error(userid)
                 perm = get_perm_or_error(perm, prefix='usergroup.')
                 try:
                     UserGroupModel().grant_user_permission(
                         user_group=user_group, user=user, perm=perm)
                     Session().commit()
                     return {
                         'msg':
                             'Granted perm: `%s` for user: `%s` in user group: `%s`' % (
                                 perm.permission_name, user.username,
                                 user_group.users_group_name
                             ),
                         'success': True
                     }
                 except Exception:
                     log.exception("Error occurred during editing permissions "
                                   "for user in user group")
                     raise JSONRPCError(
                         'failed to edit permission for user: '
                         '`%s` in user group: `%s`' % (
                             userid, user_group.users_group_name))
             @jsonrpc_method()
             def revoke_user_permission_from_user_group(
                     request, apiuser, usergroupid, userid):
                 """
                 Revoke a users permissions in a user group.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param usergroupid: Set the user group from which to revoke the user
                     permissions.
                 :type: usergroupid: str or int
                 :param userid: Set the userid of the user whose permissions will be
                     revoked.
                 :type userid: str
                 Example output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : {
                     "msg": "Revoked perm for user: `<username>` in user group: `<user_group_name>`",
                     "success": true
                   }
                   error :  null
                 """
                 user_group = get_user_group_or_error(usergroupid)
                 if not has_superadmin_permission(apiuser):
                     # check if we have admin permission for this user group !
                     _perms = ('usergroup.admin',)
                     if not HasUserGroupPermissionAnyApi(*_perms)(
                             user=apiuser, user_group_name=user_group.users_group_name):
                         raise JSONRPCError(
                             'user group `%s` does not exist' % (usergroupid,))
                 user = get_user_or_error(userid)
                 try:
                     UserGroupModel().revoke_user_permission(
                         user_group=user_group, user=user)
                     Session().commit()
                     return {
                         'msg': 'Revoked perm for user: `%s` in user group: `%s`' % (
                             user.username, user_group.users_group_name
                         ),
                         'success': True
                     }
                 except Exception:
                     log.exception("Error occurred during editing permissions "
                                   "for user in user group")
                     raise JSONRPCError(
                         'failed to edit permission for user: `%s` in user group: `%s`'
                         % (userid, user_group.users_group_name))
             @jsonrpc_method()
             def grant_user_group_permission_to_user_group(
                     request, apiuser, usergroupid, sourceusergroupid, perm):
                 """
                 Give one user group permissions to another user group.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param usergroupid: Set the user group on which to edit permissions.
                 :type usergroupid: str or int
                 :param sourceusergroupid: Set the source user group to which
                     access/permissions will be granted.
                 :type sourceusergroupid: str or int
                 :param perm: (usergroup.(none|read|write|admin))
                 :type perm: str
                 Example output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : {
                     "msg": "Granted perm: `<perm_name>` for user group: `<source_user_group_name>` in user group: `<user_group_name>`",
                     "success": true
                   }
                   error :  null
                 """
                 user_group = get_user_group_or_error(sourceusergroupid)
                 target_user_group = get_user_group_or_error(usergroupid)
                 perm = get_perm_or_error(perm, prefix='usergroup.')
                 if not has_superadmin_permission(apiuser):
                     # check if we have admin permission for this user group !
                     _perms = ('usergroup.admin',)
                     if not HasUserGroupPermissionAnyApi(*_perms)(
                             user=apiuser,
                             user_group_name=target_user_group.users_group_name):
                         raise JSONRPCError(
                             'to user group `%s` does not exist' % (usergroupid,))
                     # check if we have at least read permission for source user group !
                     _perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin',)
                     if not HasUserGroupPermissionAnyApi(*_perms)(
                             user=apiuser, user_group_name=user_group.users_group_name):
                         raise JSONRPCError(
                             'user group `%s` does not exist' % (sourceusergroupid,))
                 try:
                     UserGroupModel().grant_user_group_permission(
                         target_user_group=target_user_group,
                         user_group=user_group, perm=perm)
                     Session().commit()
                     return {
                         'msg': 'Granted perm: `%s` for user group: `%s` '
                                'in user group: `%s`' % (
                                    perm.permission_name, user_group.users_group_name,
                                    target_user_group.users_group_name
                                ),
                         'success': True
                     }
                 except Exception:
                     log.exception("Error occurred during editing permissions "
                                   "for user group in user group")
                     raise JSONRPCError(
                         'failed to edit permission for user group: `%s` in '
                         'user group: `%s`' % (
                             sourceusergroupid, target_user_group.users_group_name
                         )
                     )
             @jsonrpc_method()
             def revoke_user_group_permission_from_user_group(
                     request, apiuser, usergroupid, sourceusergroupid):
                 """
                 Revoke the permissions that one user group has to another.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param usergroupid: Set the user group on which to edit permissions.
                 :type usergroupid: str or int
                 :param sourceusergroupid: Set the user group from which permissions
                     are revoked.
                 :type sourceusergroupid: str or int
                 Example output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : {
                     "msg": "Revoked perm for user group: `<user_group_name>` in user group: `<target_user_group_name>`",
                     "success": true
                   }
                   error :  null
                 """
                 user_group = get_user_group_or_error(sourceusergroupid)
                 target_user_group = get_user_group_or_error(usergroupid)
                 if not has_superadmin_permission(apiuser):
                     # check if we have admin permission for this user group !
                     _perms = ('usergroup.admin',)
                     if not HasUserGroupPermissionAnyApi(*_perms)(
                             user=apiuser,
                             user_group_name=target_user_group.users_group_name):
                         raise JSONRPCError(
                             'to user group `%s` does not exist' % (usergroupid,))
                     # check if we have at least read permission
                     # for the source user group !
                     _perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin',)
                     if not HasUserGroupPermissionAnyApi(*_perms)(
                             user=apiuser, user_group_name=user_group.users_group_name):
                         raise JSONRPCError(
                             'user group `%s` does not exist' % (sourceusergroupid,))
                 try:
                     UserGroupModel().revoke_user_group_permission(
                         target_user_group=target_user_group, user_group=user_group)
                     Session().commit()
                     return {
                         'msg': 'Revoked perm for user group: '
                                '`%s` in user group: `%s`' % (
                                    user_group.users_group_name,
                                    target_user_group.users_group_name
                                ),
                         'success': True
                     }
                 except Exception:
                     log.exception("Error occurred during editing permissions "
                                   "for user group in user group")
                     raise JSONRPCError(
                         'failed to edit permission for user group: '
                         '`%s` in user group: `%s`' % (
                             sourceusergroupid, target_user_group.users_group_name
                         )
                     )

rhodecode/apps/admin/views/user_groups.py

0 +1 -2

             # -*- coding: utf-8 -*-
             # Copyright (C) 2016-2018 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import logging
             import formencode
             import formencode.htmlfill
             from pyramid.httpexceptions import HTTPFound
             from pyramid.view import view_config
             from pyramid.response import Response
             from pyramid.renderers import render
             from rhodecode.apps._base import BaseAppView, DataGridAppView
             from rhodecode.lib.auth import (
                 LoginRequired, NotAnonymous, CSRFRequired, HasPermissionAnyDecorator)
             from rhodecode.lib import helpers as h, audit_logger
             from rhodecode.lib.utils2 import safe_unicode
             from rhodecode.model.forms import UserGroupForm
             from rhodecode.model.permission import PermissionModel
             from rhodecode.model.scm import UserGroupList
             from rhodecode.model.db import (
                 or_, count, User, UserGroup, UserGroupMember)
             from rhodecode.model.meta import Session
             from rhodecode.model.user_group import UserGroupModel
             log = logging.getLogger(__name__)
             class AdminUserGroupsView(BaseAppView, DataGridAppView):
                 def load_default_context(self):
                     c = self._get_local_tmpl_context()
                     PermissionModel().set_global_permission_choices(
                         c, gettext_translator=self.request.translate)
                     return c
                 # permission check in data loading of
                 # `user_groups_list_data` via UserGroupList
                 @LoginRequired()
                 @NotAnonymous()
                 @view_config(
                     route_name='user_groups', request_method='GET',
                     renderer='rhodecode:templates/admin/user_groups/user_groups.mako')
                 def user_groups_list(self):
                     c = self.load_default_context()
                     return self._get_template_context(c)
                 # permission check inside
                 @LoginRequired()
                 @NotAnonymous()
                 @view_config(
                     route_name='user_groups_data', request_method='GET',
                     renderer='json_ext', xhr=True)
                 def user_groups_list_data(self):
                     self.load_default_context()
                     column_map = {
                         'active': 'users_group_active',
                         'description': 'user_group_description',
                         'members': 'members_total',
                         'owner': 'user_username',
                         'sync': 'group_data'
                     }
                     draw, start, limit = self._extract_chunk(self.request)
                     search_q, order_by, order_dir = self._extract_ordering(
                         self.request, column_map=column_map)
                     _render = self.request.get_partial_renderer(
                         'rhodecode:templates/data_table/_dt_elements.mako')
                     def user_group_name(user_group_name):
                         return _render("user_group_name", user_group_name)
                     def user_group_actions(user_group_id, user_group_name):
                         return _render("user_group_actions", user_group_id, user_group_name)
                     def user_profile(username):
                         return _render('user_profile', username)
                     auth_user_group_list = UserGroupList(
                         UserGroup.query().all(), perm_set=['usergroup.admin'])
                     allowed_ids = [-1]
                     for user_group in auth_user_group_list:
                             allowed_ids.append(user_group.users_group_id)
                     user_groups_data_total_count = UserGroup.query()\
                         .filter(UserGroup.users_group_id.in_(allowed_ids))\
                         .count()
                     member_count = count(UserGroupMember.user_id)
                     base_q = Session.query(
                         UserGroup.users_group_name,
                         UserGroup.user_group_description,
                         UserGroup.users_group_active,
                         UserGroup.users_group_id,
                         UserGroup.group_data,
                         User,
                         member_count.label('member_count')
                     ) \
                     .filter(UserGroup.users_group_id.in_(allowed_ids)) \
                     .outerjoin(UserGroupMember) \
                     .join(User, User.user_id == UserGroup.user_id) \
                     .group_by(UserGroup, User)
                     if search_q:
                         like_expression = u'%{}%'.format(safe_unicode(search_q))
                         base_q = base_q.filter(or_(
                             UserGroup.users_group_name.ilike(like_expression),
                         ))
                     user_groups_data_total_filtered_count = base_q.count()
                     if order_by == 'members_total':
                         sort_col = member_count
                     elif order_by == 'user_username':
                         sort_col = User.username
                     else:
                         sort_col = getattr(UserGroup, order_by, None)
                     if isinstance(sort_col, count) or sort_col:
                         if order_dir == 'asc':
                             sort_col = sort_col.asc()
                         else:
                             sort_col = sort_col.desc()
                     base_q = base_q.order_by(sort_col)
                     base_q = base_q.offset(start).limit(limit)
                     # authenticated access to user groups
                     auth_user_group_list = base_q.all()
                     user_groups_data = []
                     for user_gr in auth_user_group_list:
                         user_groups_data.append({
                             "users_group_name": user_group_name(user_gr.users_group_name),
                             "name_raw": h.escape(user_gr.users_group_name),
                             "description": h.escape(user_gr.user_group_description),
                             "members": user_gr.member_count,
                             # NOTE(marcink): because of advanced query we
                             # need to load it like that
-                            "sync": UserGroup._load_group_data(
+                            "sync": UserGroup._load_sync(user_gr.group_data),
-                                user_gr.group_data).get('extern_type'),
                             "active": h.bool2icon(user_gr.users_group_active),
                             "owner": user_profile(user_gr.User.username),
                             "action": user_group_actions(
                                 user_gr.users_group_id, user_gr.users_group_name)
                         })
                     data = ({
                         'draw': draw,
                         'data': user_groups_data,
                         'recordsTotal': user_groups_data_total_count,
                         'recordsFiltered': user_groups_data_total_filtered_count,
                     })
                     return data
                 @LoginRequired()
                 @HasPermissionAnyDecorator('hg.admin', 'hg.usergroup.create.true')
                 @view_config(
                     route_name='user_groups_new', request_method='GET',
                     renderer='rhodecode:templates/admin/user_groups/user_group_add.mako')
                 def user_groups_new(self):
                     c = self.load_default_context()
                     return self._get_template_context(c)
                 @LoginRequired()
                 @HasPermissionAnyDecorator('hg.admin', 'hg.usergroup.create.true')
                 @CSRFRequired()
                 @view_config(
                     route_name='user_groups_create', request_method='POST',
                     renderer='rhodecode:templates/admin/user_groups/user_group_add.mako')
                 def user_groups_create(self):
                     _ = self.request.translate
                     c = self.load_default_context()
                     users_group_form = UserGroupForm(self.request.translate)()
                     user_group_name = self.request.POST.get('users_group_name')
                     try:
                         form_result = users_group_form.to_python(dict(self.request.POST))
                         user_group = UserGroupModel().create(
                             name=form_result['users_group_name'],
                             description=form_result['user_group_description'],
                             owner=self._rhodecode_user.user_id,
                             active=form_result['users_group_active'])
                         Session().flush()
                         creation_data = user_group.get_api_data()
                         user_group_name = form_result['users_group_name']
                         audit_logger.store_web(
                             'user_group.create', action_data={'data': creation_data},
                             user=self._rhodecode_user)
                         user_group_link = h.link_to(
                             h.escape(user_group_name),
                             h.route_path(
                                 'edit_user_group', user_group_id=user_group.users_group_id))
                         h.flash(h.literal(_('Created user group %(user_group_link)s')
                                           % {'user_group_link': user_group_link}),
                                 category='success')
                         Session().commit()
                         user_group_id = user_group.users_group_id
                     except formencode.Invalid as errors:
                         data = render(
                             'rhodecode:templates/admin/user_groups/user_group_add.mako',
                             self._get_template_context(c), self.request)
                         html = formencode.htmlfill.render(
                             data,
                             defaults=errors.value,
                             errors=errors.error_dict or {},
                             prefix_error=False,
                             encoding="UTF-8",
                             force_defaults=False
                         )
                         return Response(html)
                     except Exception:
                         log.exception("Exception creating user group")
                         h.flash(_('Error occurred during creation of user group %s') \
                                 % user_group_name, category='error')
                         raise HTTPFound(h.route_path('user_groups_new'))
                     raise HTTPFound(
                         h.route_path('edit_user_group', user_group_id=user_group_id))

rhodecode/model/db.py

0 0 0

	1	NO CONTENT: modified file			NO CONTENT: modified file
The requested commit or file is too big and content was truncated. Show full diff

rhodecode/model/user_group.py

0 +6 -1

             # -*- coding: utf-8 -*-
             # Copyright (C) 2011-2018 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import logging
             import traceback
             from rhodecode.lib.utils2 import safe_str, safe_unicode
             from rhodecode.lib.exceptions import (
                 UserGroupAssignedException, RepoGroupAssignmentError)
             from rhodecode.lib.utils2 import (
                 get_current_rhodecode_user, action_logger_generic)
             from rhodecode.model import BaseModel
             from rhodecode.model.scm import UserGroupList
             from rhodecode.model.db import (
                 joinedload, true, func, User, UserGroupMember, UserGroup,
                 UserGroupRepoToPerm, Permission, UserGroupToPerm, UserUserGroupToPerm,
                 UserGroupUserGroupToPerm, UserGroupRepoGroupToPerm)
             log = logging.getLogger(__name__)
             class UserGroupModel(BaseModel):
                 cls = UserGroup
                 def _get_user_group(self, user_group):
                     return self._get_instance(UserGroup, user_group,
                                               callback=UserGroup.get_by_group_name)
                 def _create_default_perms(self, user_group):
                     # create default permission
                     default_perm = 'usergroup.read'
                     def_user = User.get_default_user()
                     for p in def_user.user_perms:
                         if p.permission.permission_name.startswith('usergroup.'):
                             default_perm = p.permission.permission_name
                             break
                     user_group_to_perm = UserUserGroupToPerm()
                     user_group_to_perm.permission = Permission.get_by_key(default_perm)
                     user_group_to_perm.user_group = user_group
                     user_group_to_perm.user_id = def_user.user_id
                     return user_group_to_perm
                 def update_permissions(
                         self, user_group, perm_additions=None, perm_updates=None,
                         perm_deletions=None, check_perms=True, cur_user=None):
                     from rhodecode.lib.auth import HasUserGroupPermissionAny
                     if not perm_additions:
                         perm_additions = []
                     if not perm_updates:
                         perm_updates = []
                     if not perm_deletions:
                         perm_deletions = []
                     req_perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin')
                     changes = {
                         'added': [],
                         'updated': [],
                         'deleted': []
                     }
                     # update permissions
                     for member_id, perm, member_type in perm_updates:
                         member_id = int(member_id)
                         if member_type == 'user':
                             member_name = User.get(member_id).username
                             # this updates existing one
                             self.grant_user_permission(
                                 user_group=user_group, user=member_id, perm=perm
                             )
                         else:
                             # check if we have permissions to alter this usergroup
                             member_name = UserGroup.get(member_id).users_group_name
                             if not check_perms or HasUserGroupPermissionAny(
                                     *req_perms)(member_name, user=cur_user):
                                 self.grant_user_group_permission(
                                     target_user_group=user_group, user_group=member_id, perm=perm)
                         changes['updated'].append({'type': member_type, 'id': member_id,
                                                    'name': member_name, 'new_perm': perm})
                     # set new permissions
                     for member_id, perm, member_type in perm_additions:
                         member_id = int(member_id)
                         if member_type == 'user':
                             member_name = User.get(member_id).username
                             self.grant_user_permission(
                                 user_group=user_group, user=member_id, perm=perm)
                         else:
                             # check if we have permissions to alter this usergroup
                             member_name = UserGroup.get(member_id).users_group_name
                             if not check_perms or HasUserGroupPermissionAny(
                                     *req_perms)(member_name, user=cur_user):
                                 self.grant_user_group_permission(
                                     target_user_group=user_group, user_group=member_id, perm=perm)
                         changes['added'].append({'type': member_type, 'id': member_id,
                                                  'name': member_name, 'new_perm': perm})
                     # delete permissions
                     for member_id, perm, member_type in perm_deletions:
                         member_id = int(member_id)
                         if member_type == 'user':
                             member_name = User.get(member_id).username
                             self.revoke_user_permission(user_group=user_group, user=member_id)
                         else:
                             # check if we have permissions to alter this usergroup
                             member_name = UserGroup.get(member_id).users_group_name
                             if not check_perms or HasUserGroupPermissionAny(
                                     *req_perms)(member_name, user=cur_user):
                                 self.revoke_user_group_permission(
                                     target_user_group=user_group, user_group=member_id)
                         changes['deleted'].append({'type': member_type, 'id': member_id,
                                                    'name': member_name, 'new_perm': perm})
                     return changes
                 def get(self, user_group_id, cache=False):
                     return UserGroup.get(user_group_id)
                 def get_group(self, user_group):
                     return self._get_user_group(user_group)
                 def get_by_name(self, name, cache=False, case_insensitive=False):
                     return UserGroup.get_by_group_name(name, cache, case_insensitive)
                 def create(self, name, description, owner, active=True, group_data=None):
                     try:
                         new_user_group = UserGroup()
                         new_user_group.user = self._get_user(owner)
                         new_user_group.users_group_name = name
                         new_user_group.user_group_description = description
                         new_user_group.users_group_active = active
                         if group_data:
                             new_user_group.group_data = group_data
                         self.sa.add(new_user_group)
                         perm_obj = self._create_default_perms(new_user_group)
                         self.sa.add(perm_obj)
                         self.grant_user_permission(user_group=new_user_group,
                                                    user=owner, perm='usergroup.admin')
                         return new_user_group
                     except Exception:
                         log.error(traceback.format_exc())
                         raise
                 def _get_memberships_for_user_ids(self, user_group, user_id_list):
                     members = []
                     for user_id in user_id_list:
                         member = self._get_membership(user_group.users_group_id, user_id)
                         members.append(member)
                     return members
                 def _get_added_and_removed_user_ids(self, user_group, user_id_list):
                     current_members = user_group.members or []
                     current_members_ids = [m.user.user_id for m in current_members]
                     added_members = [
                         user_id for user_id in user_id_list
                         if user_id not in current_members_ids]
                     if user_id_list == []:
                         # all members were deleted
                         deleted_members = current_members_ids
                     else:
                         deleted_members = [
                             user_id for user_id in current_members_ids
                             if user_id not in user_id_list]
                     return added_members, deleted_members
                 def _set_users_as_members(self, user_group, user_ids):
                     user_group.members = []
                     self.sa.flush()
                     members = self._get_memberships_for_user_ids(
                         user_group, user_ids)
                     user_group.members = members
                     self.sa.add(user_group)
                 def _update_members_from_user_ids(self, user_group, user_ids):
                     added, removed = self._get_added_and_removed_user_ids(
                         user_group, user_ids)
                     self._set_users_as_members(user_group, user_ids)
                     self._log_user_changes('added to', user_group, added)
                     self._log_user_changes('removed from', user_group, removed)
                     return added, removed
                 def _clean_members_data(self, members_data):
                     if not members_data:
                         members_data = []
                     members = []
                     for user in members_data:
                         uid = int(user['member_user_id'])
                         if uid not in members and user['type'] in ['new', 'existing']:
                             members.append(uid)
                     return members
-                def update(self, user_group, form_data):
+                def update(self, user_group, form_data, group_data=None):
                     user_group = self._get_user_group(user_group)
                     if 'users_group_name' in form_data:
                         user_group.users_group_name = form_data['users_group_name']
                     if 'users_group_active' in form_data:
                         user_group.users_group_active = form_data['users_group_active']
                     if 'user_group_description' in form_data:
                         user_group.user_group_description = form_data[
                             'user_group_description']
                     # handle owner change
                     if 'user' in form_data:
                         owner = form_data['user']
                         if isinstance(owner, basestring):
                             owner = User.get_by_username(form_data['user'])
                         if not isinstance(owner, User):
                             raise ValueError(
                                 'invalid owner for user group: %s' % form_data['user'])
                         user_group.user = owner
                     added_user_ids = []
                     removed_user_ids = []
                     if 'users_group_members' in form_data:
                         members_id_list = self._clean_members_data(
                             form_data['users_group_members'])
                         added_user_ids, removed_user_ids = \
                             self._update_members_from_user_ids(user_group, members_id_list)
+                    if group_data:
+                        new_group_data = {}
+                        new_group_data.update(group_data)
+                        user_group.group_data = new_group_data
                     self.sa.add(user_group)
                     return user_group, added_user_ids, removed_user_ids
                 def delete(self, user_group, force=False):
                     """
                     Deletes repository group, unless force flag is used
                     raises exception if there are members in that group, else deletes
                     group and users
                     :param user_group:
                     :param force:
                     """
                     user_group = self._get_user_group(user_group)
                     if not user_group:
                         return
                     try:
                         # check if this group is not assigned to repo
                         assigned_to_repo = [x.repository for x in UserGroupRepoToPerm.query()\
                             .filter(UserGroupRepoToPerm.users_group == user_group).all()]
                         # check if this group is not assigned to repo
                         assigned_to_repo_group = [x.group for x in UserGroupRepoGroupToPerm.query()\
                             .filter(UserGroupRepoGroupToPerm.users_group == user_group).all()]
                         if (assigned_to_repo or assigned_to_repo_group) and not force:
                             assigned = ','.join(map(safe_str,
                                                 assigned_to_repo+assigned_to_repo_group))
                             raise UserGroupAssignedException(
                                 'UserGroup assigned to %s' % (assigned,))
                         self.sa.delete(user_group)
                     except Exception:
                         log.error(traceback.format_exc())
                         raise
                 def _log_user_changes(self, action, user_group, user_or_users):
                     users = user_or_users
                     if not isinstance(users, (list, tuple)):
                         users = [users]
                     group_name = user_group.users_group_name
                     for user_or_user_id in users:
                         user = self._get_user(user_or_user_id)
                         log_text = 'User {user} {action} {group}'.format(
                             action=action, user=user.username, group=group_name)
                         action_logger_generic(log_text)
                 def _find_user_in_group(self, user, user_group):
                     user_group_member = None
                     for m in user_group.members:
                         if m.user_id == user.user_id:
                             # Found this user's membership row
                             user_group_member = m
                             break
                     return user_group_member
                 def _get_membership(self, user_group_id, user_id):
                     user_group_member = UserGroupMember(user_group_id, user_id)
                     return user_group_member
                 def add_user_to_group(self, user_group, user):
                     user_group = self._get_user_group(user_group)
                     user = self._get_user(user)
                     user_member = self._find_user_in_group(user, user_group)
                     if user_member:
                         # user already in the group, skip
                         return True
                     member = self._get_membership(
                         user_group.users_group_id, user.user_id)
                     user_group.members.append(member)
                     try:
                         self.sa.add(member)
                     except Exception:
                         # what could go wrong here?
                         log.error(traceback.format_exc())
                         raise
                     self._log_user_changes('added to', user_group, user)
                     return member
                 def remove_user_from_group(self, user_group, user):
                     user_group = self._get_user_group(user_group)
                     user = self._get_user(user)
                     user_group_member = self._find_user_in_group(user, user_group)
                     if not user_group_member:
                         # User isn't in that group
                         return False
                     try:
                         self.sa.delete(user_group_member)
                     except Exception:
                         log.error(traceback.format_exc())
                         raise
                     self._log_user_changes('removed from', user_group, user)
                     return True
                 def has_perm(self, user_group, perm):
                     user_group = self._get_user_group(user_group)
                     perm = self._get_perm(perm)
                     return UserGroupToPerm.query()\
                         .filter(UserGroupToPerm.users_group == user_group)\
                         .filter(UserGroupToPerm.permission == perm).scalar() is not None
                 def grant_perm(self, user_group, perm):
                     user_group = self._get_user_group(user_group)
                     perm = self._get_perm(perm)
                     # if this permission is already granted skip it
                     _perm = UserGroupToPerm.query()\
                         .filter(UserGroupToPerm.users_group == user_group)\
                         .filter(UserGroupToPerm.permission == perm)\
                         .scalar()
                     if _perm:
                         return
                     new = UserGroupToPerm()
                     new.users_group = user_group
                     new.permission = perm
                     self.sa.add(new)
                     return new
                 def revoke_perm(self, user_group, perm):
                     user_group = self._get_user_group(user_group)
                     perm = self._get_perm(perm)
                     obj = UserGroupToPerm.query()\
                         .filter(UserGroupToPerm.users_group == user_group)\
                         .filter(UserGroupToPerm.permission == perm).scalar()
                     if obj:
                         self.sa.delete(obj)
                 def grant_user_permission(self, user_group, user, perm):
                     """
                     Grant permission for user on given user group, or update
                     existing one if found
                     :param user_group: Instance of UserGroup, users_group_id,
                         or users_group_name
                     :param user: Instance of User, user_id or username
                     :param perm: Instance of Permission, or permission_name
                     """
                     user_group = self._get_user_group(user_group)
                     user = self._get_user(user)
                     permission = self._get_perm(perm)
                     # check if we have that permission already
                     obj = self.sa.query(UserUserGroupToPerm)\
                         .filter(UserUserGroupToPerm.user == user)\
                         .filter(UserUserGroupToPerm.user_group == user_group)\
                         .scalar()
                     if obj is None:
                         # create new !
                         obj = UserUserGroupToPerm()
                     obj.user_group = user_group
                     obj.user = user
                     obj.permission = permission
                     self.sa.add(obj)
                     log.debug('Granted perm %s to %s on %s', perm, user, user_group)
                     action_logger_generic(
                         'granted permission: {} to user: {} on usergroup: {}'.format(
                             perm, user, user_group), namespace='security.usergroup')
                     return obj
                 def revoke_user_permission(self, user_group, user):
                     """
                     Revoke permission for user on given user group
                     :param user_group: Instance of UserGroup, users_group_id,
                         or users_group name
                     :param user: Instance of User, user_id or username
                     """
                     user_group = self._get_user_group(user_group)
                     user = self._get_user(user)
                     obj = self.sa.query(UserUserGroupToPerm)\
                         .filter(UserUserGroupToPerm.user == user)\
                         .filter(UserUserGroupToPerm.user_group == user_group)\
                         .scalar()
                     if obj:
                         self.sa.delete(obj)
                         log.debug('Revoked perm on %s on %s', user_group, user)
                         action_logger_generic(
                             'revoked permission from user: {} on usergroup: {}'.format(
                                 user, user_group), namespace='security.usergroup')
                 def grant_user_group_permission(self, target_user_group, user_group, perm):
                     """
                     Grant user group permission for given target_user_group
                     :param target_user_group:
                     :param user_group:
                     :param perm:
                     """
                     target_user_group = self._get_user_group(target_user_group)
                     user_group = self._get_user_group(user_group)
                     permission = self._get_perm(perm)
                     # forbid assigning same user group to itself
                     if target_user_group == user_group:
                         raise RepoGroupAssignmentError('target repo:%s cannot be '
                                                        'assigned to itself' % target_user_group)
                     # check if we have that permission already
                     obj = self.sa.query(UserGroupUserGroupToPerm)\
                         .filter(UserGroupUserGroupToPerm.target_user_group == target_user_group)\
                         .filter(UserGroupUserGroupToPerm.user_group == user_group)\
                         .scalar()
                     if obj is None:
                         # create new !
                         obj = UserGroupUserGroupToPerm()
                     obj.user_group = user_group
                     obj.target_user_group = target_user_group
                     obj.permission = permission
                     self.sa.add(obj)
                     log.debug(
                         'Granted perm %s to %s on %s', perm, target_user_group, user_group)
                     action_logger_generic(
                         'granted permission: {} to usergroup: {} on usergroup: {}'.format(
                             perm, user_group, target_user_group),
                         namespace='security.usergroup')
                     return obj
                 def revoke_user_group_permission(self, target_user_group, user_group):
                     """
                     Revoke user group permission for given target_user_group
                     :param target_user_group:
                     :param user_group:
                     """
                     target_user_group = self._get_user_group(target_user_group)
                     user_group = self._get_user_group(user_group)
                     obj = self.sa.query(UserGroupUserGroupToPerm)\
                         .filter(UserGroupUserGroupToPerm.target_user_group == target_user_group)\
                         .filter(UserGroupUserGroupToPerm.user_group == user_group)\
                         .scalar()
                     if obj:
                         self.sa.delete(obj)
                         log.debug(
                             'Revoked perm on %s on %s', target_user_group, user_group)
                         action_logger_generic(
                             'revoked permission from usergroup: {} on usergroup: {}'.format(
                                 user_group, target_user_group),
                             namespace='security.repogroup')
                 def get_perms_summary(self, user_group_id):
                     permissions = {
                         'repositories': {},
                         'repositories_groups': {},
                     }
                     ugroup_repo_perms = UserGroupRepoToPerm.query()\
                         .options(joinedload(UserGroupRepoToPerm.permission))\
                         .options(joinedload(UserGroupRepoToPerm.repository))\
                         .filter(UserGroupRepoToPerm.users_group_id == user_group_id)\
                         .all()
                     for gr in ugroup_repo_perms:
                         permissions['repositories'][gr.repository.repo_name]  \
                             = gr.permission.permission_name
                     ugroup_group_perms = UserGroupRepoGroupToPerm.query()\
                         .options(joinedload(UserGroupRepoGroupToPerm.permission))\
                         .options(joinedload(UserGroupRepoGroupToPerm.group))\
                         .filter(UserGroupRepoGroupToPerm.users_group_id == user_group_id)\
                         .all()
                     for gr in ugroup_group_perms:
                         permissions['repositories_groups'][gr.group.group_name] \
                             = gr.permission.permission_name
                     return permissions
                 def enforce_groups(self, user, groups, extern_type=None):
                     user = self._get_user(user)
                     current_groups = user.group_member
                     # find the external created groups, i.e automatically created
                     log.debug('Enforcing user group set `%s` on user %s', groups, user)
                     # calculate from what groups user should be removed
                     # external_groups that are not in groups
                     for gr in [x.users_group for x in current_groups]:
                         managed = gr.group_data.get('extern_type')
                         if managed:
                             if gr.users_group_name not in groups:
                                 log.debug('Removing user %s from user group %s. '
                                           'Group sync managed by: %s', user, gr, managed)
                                 self.remove_user_from_group(gr, user)
                         else:
                             log.debug('Skipping removal from group %s since it is '
                                       'not set to be automatically synchronized' % gr)
                     # now we calculate in which groups user should be == groups params
                     owner = User.get_first_super_admin().username
                     for gr in set(groups):
                         existing_group = UserGroup.get_by_group_name(gr)
                         if not existing_group:
                             desc = 'Automatically created from plugin:%s' % extern_type
                             # we use first admin account to set the owner of the group
                             existing_group = UserGroupModel().create(
                                 gr, desc, owner, group_data={'extern_type': extern_type})
                         # we can only add users to groups which have set sync flag via
                         # extern_type attribute.
                         # This is either set and created via plugins, or manually
                         managed = existing_group.group_data.get('extern_type')
                         if managed:
                             log.debug('Adding user %s to user group %s', user, gr)
                             UserGroupModel().add_user_to_group(existing_group, user)
                         else:
                             log.debug('Skipping addition to group %s since it is '
                                       'not set to be automatically synchronized' % gr)
                 def change_groups(self, user, groups):
                     """
                     This method changes user group assignment
                     :param user:  User
                     :param groups: array of UserGroupModel
                     """
                     user = self._get_user(user)
                     log.debug('Changing user(%s) assignment to groups(%s)', user, groups)
                     current_groups = user.group_member
                     current_groups = [x.users_group for x in current_groups]
                     # calculate from what groups user should be removed/add
                     groups = set(groups)
                     current_groups = set(current_groups)
                     groups_to_remove = current_groups - groups
                     groups_to_add = groups - current_groups
                     removed_from_groups = []
                     added_to_groups = []
                     for gr in groups_to_remove:
                         log.debug('Removing user %s from user group %s',
                                   user.username, gr.users_group_name)
                         removed_from_groups.append(gr.users_group_id)
                         self.remove_user_from_group(gr.users_group_name, user.username)
                     for gr in groups_to_add:
                         log.debug('Adding user %s to user group %s',
                                   user.username, gr.users_group_name)
                         added_to_groups.append(gr.users_group_id)
                         UserGroupModel().add_user_to_group(
                             gr.users_group_name, user.username)
                     return added_to_groups, removed_from_groups
                 def _serialize_user_group(self, user_group):
                     import rhodecode.lib.helpers as h
                     return {
                             'id': user_group.users_group_id,
                             # TODO: marcink figure out a way to generate the url for the
                             # icon
                             'icon_link': '',
                             'value_display': 'Group: %s (%d members)' % (
                                 user_group.users_group_name, len(user_group.members),),
                             'value': user_group.users_group_name,
                             'description': user_group.user_group_description,
                             'owner': user_group.user.username,
                             'owner_icon': h.gravatar_url(user_group.user.email, 30),
                             'value_display_owner': h.person(user_group.user.email),
                             'value_type': 'user_group',
                             'active': user_group.users_group_active,
                         }
                 def get_user_groups(self, name_contains=None, limit=20, only_active=True,
                                     expand_groups=False):
                     query = self.sa.query(UserGroup)
                     if only_active:
                         query = query.filter(UserGroup.users_group_active == true())
                     if name_contains:
                         ilike_expression = u'%{}%'.format(safe_unicode(name_contains))
                         query = query.filter(
                             UserGroup.users_group_name.ilike(ilike_expression))\
                             .order_by(func.length(UserGroup.users_group_name))\
                             .order_by(UserGroup.users_group_name)
                         query = query.limit(limit)
                     user_groups = query.all()
                     perm_set = ['usergroup.read', 'usergroup.write', 'usergroup.admin']
                     user_groups = UserGroupList(user_groups, perm_set=perm_set)
                     # store same serialize method to extract data from User
                     from rhodecode.model.user import UserModel
                     serialize_user = UserModel()._serialize_user
                     _groups = []
                     for group in user_groups:
                         entry = self._serialize_user_group(group)
                         if expand_groups:
                             expanded_members = []
                             for member in group.members:
                                 expanded_members.append(serialize_user(member.user))
                             entry['members'] = expanded_members
                         _groups.append(entry)
                     return _groups
                 @staticmethod
                 def get_user_groups_as_dict(user_group):
                     import rhodecode.lib.helpers as h
                     data = {
                         'users_group_id': user_group.users_group_id,
                         'group_name': user_group.users_group_name,
                         'group_description': user_group.user_group_description,
                         'active': user_group.users_group_active,
                         "owner": user_group.user.username,
                         'owner_icon': h.gravatar_url(user_group.user.email, 30),
                         "owner_data": {
                             'owner': user_group.user.username,
                             'owner_icon': h.gravatar_url(user_group.user.email, 30)}
                         }
                     return data

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages