rhodecode-enterprise-ce Commit - r3853:5f8c0244

core: added more accurate time measurement for called functions

marcink -

r3853:5f8c0244 default

parent child

configs/gunicorn_config.py

0 +1 -1

             """
             gunicorn config extension and hooks. Sets additional configuration that is
             available post the .ini config.
             - workers = ${cpu_number}
             - threads = 1
             - proc_name = ${gunicorn_proc_name}
             - worker_class = sync
             - worker_connections = 10
             - max_requests = 1000
             - max_requests_jitter = 30
             - timeout = 21600
             """
             import multiprocessing
             import sys
             import time
             import datetime
             import threading
             import traceback
             from gunicorn.glogging import Logger
             # GLOBAL
             errorlog = '-'
             accesslog = '-'
             loglevel = 'debug'
             # SECURITY
             # The maximum size of HTTP request line in bytes.
             # 0 for unlimited
             limit_request_line = 0
             # Limit the number of HTTP headers fields in a request.
             # By default this value is 100 and can’t be larger than 32768.
             limit_request_fields = 10240
             # Limit the allowed size of an HTTP request header field.
             # Value is a positive number or 0.
             # Setting it to 0 will allow unlimited header field sizes.
             limit_request_field_size = 0
             # Timeout for graceful workers restart.
             # After receiving a restart signal, workers have this much time to finish
             # serving requests. Workers still alive after the timeout (starting from the
             # receipt of the restart signal) are force killed.
             graceful_timeout = 30
             # The number of seconds to wait for requests on a Keep-Alive connection.
             # Generally set in the 1-5 seconds range.
             keepalive = 2
             # SERVER MECHANICS
             # None == system temp dir
             # worker_tmp_dir is recommended to be set to some tmpfs
             worker_tmp_dir = None
             tmp_upload_dir = None
             # Custom log format
             access_log_format = (
                 '%(t)s [%(p)-8s] GNCRN %(h)-15s rqt:%(L)s %(s)s %(b)-6s "%(m)s:%(U)s %(q)s" usr:%(u)s "%(f)s" "%(a)s"')
             # self adjust workers based on CPU count
             # workers = multiprocessing.cpu_count() * 2 + 1
             def post_fork(server, worker):
                 server.log.info("[<%-10s>] WORKER spawned", worker.pid)
             def pre_fork(server, worker):
                 pass
             def pre_exec(server):
                 server.log.info("Forked child, re-executing.")
             def on_starting(server):
                 server.log.info("Server is starting.")
             def when_ready(server):
                 server.log.info("Server is ready. Spawning workers")
             def on_reload(server):
                 pass
             def worker_int(worker):
                 worker.log.info("[<%-10s>] worker received INT or QUIT signal", worker.pid)
                 # get traceback info, on worker crash
                 id2name = dict([(th.ident, th.name) for th in threading.enumerate()])
                 code = []
                 for thread_id, stack in sys._current_frames().items():
                     code.append(
                         "\n# Thread: %s(%d)" % (id2name.get(thread_id, ""), thread_id))
                     for fname, lineno, name, line in traceback.extract_stack(stack):
                         code.append('File: "%s", line %d, in %s' % (fname, lineno, name))
                         if line:
                             code.append("  %s" % (line.strip()))
                 worker.log.debug("\n".join(code))
             def worker_abort(worker):
                 worker.log.info("[<%-10s>] worker received SIGABRT signal", worker.pid)
             def worker_exit(server, worker):
                 worker.log.info("[<%-10s>] worker exit", worker.pid)
             def child_exit(server, worker):
                 worker.log.info("[<%-10s>] worker child exit", worker.pid)
             def pre_request(worker, req):
                 worker.start_time = time.time()
                 worker.log.debug(
                     "GNCRN PRE  WORKER [cnt:%s]: %s %s", worker.nr, req.method, req.path)
             def post_request(worker, req, environ, resp):
                 total_time = time.time() - worker.start_time
                 worker.log.debug(
-                    "GNCRN POST WORKER [cnt:%s]: %s %s resp: %s, Load Time: %.3fs",
+                    "GNCRN POST WORKER [cnt:%s]: %s %s resp: %s, Load Time: %.4fs",
                     worker.nr, req.method, req.path, resp.status_code, total_time)
             class RhodeCodeLogger(Logger):
                 """
                 Custom Logger that allows some customization that gunicorn doesn't allow
                 """
                 datefmt = r"%Y-%m-%d %H:%M:%S"
                 def __init__(self, cfg):
                     Logger.__init__(self, cfg)
                 def now(self):
                     """ return date in RhodeCode Log format """
                     now = time.time()
                     msecs = int((now - long(now)) * 1000)
                     return time.strftime(self.datefmt, time.localtime(now)) + '.{0:03d}'.format(msecs)
             logger_class = RhodeCodeLogger

rhodecode/api/views/search_api.py

0 +1 -1

             # -*- coding: utf-8 -*-
             # Copyright (C) 2011-2019 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import logging
             from rhodecode.api import jsonrpc_method
             from rhodecode.api.exc import JSONRPCValidationError
             from rhodecode.api.utils import Optional
             from rhodecode.lib.index import searcher_from_config
             from rhodecode.model import validation_schema
             from rhodecode.model.validation_schema.schemas import search_schema
             log = logging.getLogger(__name__)
             @jsonrpc_method()
             def search(request, apiuser, search_query, search_type, page_limit=Optional(10),
                        page=Optional(1), search_sort=Optional('newfirst'),
                        repo_name=Optional(None), repo_group_name=Optional(None)):
                 """
                 Fetch Full Text Search results using API.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param search_query: Search query.
                 :type search_query: str
                 :param search_type: Search type. The following are valid options:
                     * commit
                     * content
                     * path
                 :type search_type: str
                 :param page_limit: Page item limit, from 1 to 500. Default 10 items.
                 :type page_limit: Optional(int)
                 :param page: Page number. Default first page.
                 :type page: Optional(int)
                 :param search_sort: Search sort order. Default newfirst. The following are valid options:
                     * newfirst
                     * oldfirst
                 :type search_sort: Optional(str)
                 :param repo_name: Filter by one repo. Default is all.
                 :type repo_name: Optional(str)
                 :param repo_group_name: Filter by one repo group. Default is all.
                 :type repo_group_name: Optional(str)
                 """
                 data = {'execution_time': ''}
                 repo_name = Optional.extract(repo_name)
                 repo_group_name = Optional.extract(repo_group_name)
                 schema = search_schema.SearchParamsSchema()
                 try:
                     search_params = schema.deserialize(
                         dict(search_query=search_query,
                              search_type=search_type,
                              search_sort=Optional.extract(search_sort),
                              page_limit=Optional.extract(page_limit),
                              requested_page=Optional.extract(page))
                     )
                 except validation_schema.Invalid as err:
                     raise JSONRPCValidationError(colander_exc=err)
                 search_query = search_params.get('search_query')
                 search_type = search_params.get('search_type')
                 search_sort = search_params.get('search_sort')
                 if search_params.get('search_query'):
                     page_limit = search_params['page_limit']
                     requested_page = search_params['requested_page']
                     searcher = searcher_from_config(request.registry.settings)
                     try:
                         search_result = searcher.search(
                             search_query, search_type, apiuser, repo_name, repo_group_name,
                             requested_page=requested_page, page_limit=page_limit, sort=search_sort)
                         data.update(dict(
                             results=list(search_result['results']), page=requested_page,
                             item_count=search_result['count'],
                             items_per_page=page_limit))
                     finally:
                         searcher.cleanup()
                     if not search_result['error']:
-                        data['execution_time'] = '%s results (%.3f seconds)' % (
+                        data['execution_time'] = '%s results (%.4f seconds)' % (
                             search_result['count'],
                             search_result['runtime'])
                     else:
                         node = schema['search_query']
                         raise JSONRPCValidationError(
                             colander_exc=validation_schema.Invalid(node, search_result['error']))
                 return data

rhodecode/apps/repository/views/repo_feed.py

0 +2 -2

             # -*- coding: utf-8 -*-
             # Copyright (C) 2017-2019 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import pytz
             import logging
             from pyramid.view import view_config
             from pyramid.response import Response
             from webhelpers.feedgenerator import Rss201rev2Feed, Atom1Feed
             from rhodecode.apps._base import RepoAppView
             from rhodecode.lib import audit_logger
             from rhodecode.lib import rc_cache
             from rhodecode.lib import helpers as h
             from rhodecode.lib.auth import (
                 LoginRequired, HasRepoPermissionAnyDecorator)
             from rhodecode.lib.diffs import DiffProcessor, LimitedDiffContainer
             from rhodecode.lib.utils2 import str2bool, safe_int, md5_safe
             from rhodecode.model.db import UserApiKeys, CacheKey
             log = logging.getLogger(__name__)
             class RepoFeedView(RepoAppView):
                 def load_default_context(self):
                     c = self._get_local_tmpl_context()
                     self._load_defaults()
                     return c
                 def _get_config(self):
                     import rhodecode
                     config = rhodecode.CONFIG
                     return {
                         'language': 'en-us',
                         'feed_ttl': '5',  # TTL of feed,
                         'feed_include_diff':
                             str2bool(config.get('rss_include_diff', False)),
                         'feed_items_per_page':
                             safe_int(config.get('rss_items_per_page', 20)),
                         'feed_diff_limit':
                             # we need to protect from parsing huge diffs here other way
                             # we can kill the server
                             safe_int(config.get('rss_cut_off_limit', 32 * 1024)),
                     }
                 def _load_defaults(self):
                     _ = self.request.translate
                     config = self._get_config()
                     # common values for feeds
                     self.description = _('Changes on %s repository')
                     self.title = self.title = _('%s %s feed') % (self.db_repo_name, '%s')
                     self.language = config["language"]
                     self.ttl = config["feed_ttl"]
                     self.feed_include_diff = config['feed_include_diff']
                     self.feed_diff_limit = config['feed_diff_limit']
                     self.feed_items_per_page = config['feed_items_per_page']
                 def _changes(self, commit):
                     diff_processor = DiffProcessor(
                         commit.diff(), diff_limit=self.feed_diff_limit)
                     _parsed = diff_processor.prepare(inline_diff=False)
                     limited_diff = isinstance(_parsed, LimitedDiffContainer)
                     return diff_processor, _parsed, limited_diff
                 def _get_title(self, commit):
                     return h.shorter(commit.message, 160)
                 def _get_description(self, commit):
                     _renderer = self.request.get_partial_renderer(
                         'rhodecode:templates/feed/atom_feed_entry.mako')
                     diff_processor, parsed_diff, limited_diff = self._changes(commit)
                     filtered_parsed_diff, has_hidden_changes = self.path_filter.filter_patchset(parsed_diff)
                     return _renderer(
                         'body',
                         commit=commit,
                         parsed_diff=filtered_parsed_diff,
                         limited_diff=limited_diff,
                         feed_include_diff=self.feed_include_diff,
                         diff_processor=diff_processor,
                         has_hidden_changes=has_hidden_changes
                     )
                 def _set_timezone(self, date, tzinfo=pytz.utc):
                     if not getattr(date, "tzinfo", None):
                         date.replace(tzinfo=tzinfo)
                     return date
                 def _get_commits(self):
                     return list(self.rhodecode_vcs_repo[-self.feed_items_per_page:])
                 def uid(self, repo_id, commit_id):
                     return '{}:{}'.format(md5_safe(repo_id), md5_safe(commit_id))
                 @LoginRequired(auth_token_access=[UserApiKeys.ROLE_FEED])
                 @HasRepoPermissionAnyDecorator(
                     'repository.read', 'repository.write', 'repository.admin')
                 @view_config(
                     route_name='atom_feed_home', request_method='GET',
                     renderer=None)
                 @view_config(
                     route_name='atom_feed_home_old', request_method='GET',
                     renderer=None)
                 def atom(self):
                     """
                     Produce an atom-1.0 feed via feedgenerator module
                     """
                     self.load_default_context()
                     cache_namespace_uid = 'cache_repo_instance.{}_{}'.format(
                         self.db_repo.repo_id, CacheKey.CACHE_TYPE_FEED)
                     invalidation_namespace = CacheKey.REPO_INVALIDATION_NAMESPACE.format(
                         repo_id=self.db_repo.repo_id)
                     region = rc_cache.get_or_create_region('cache_repo_longterm',
                                                            cache_namespace_uid)
                     condition = not self.path_filter.is_enabled
                     @region.conditional_cache_on_arguments(namespace=cache_namespace_uid,
                                                            condition=condition)
                     def generate_atom_feed(repo_id, _repo_name, _feed_type):
                         feed = Atom1Feed(
                             title=self.title % _repo_name,
                             link=h.route_url('repo_summary', repo_name=_repo_name),
                             description=self.description % _repo_name,
                             language=self.language,
                             ttl=self.ttl
                         )
                         for commit in reversed(self._get_commits()):
                             date = self._set_timezone(commit.date)
                             feed.add_item(
                                 unique_id=self.uid(repo_id, commit.raw_id),
                                 title=self._get_title(commit),
                                 author_name=commit.author,
                                 description=self._get_description(commit),
                                 link=h.route_url(
                                     'repo_commit', repo_name=_repo_name,
                                     commit_id=commit.raw_id),
                                 pubdate=date,)
                         return feed.mime_type, feed.writeString('utf-8')
                     inv_context_manager = rc_cache.InvalidationContext(
                         uid=cache_namespace_uid, invalidation_namespace=invalidation_namespace)
                     with inv_context_manager as invalidation_context:
                         args = (self.db_repo.repo_id, self.db_repo.repo_name, 'atom',)
                         # re-compute and store cache if we get invalidate signal
                         if invalidation_context.should_invalidate():
                             mime_type, feed = generate_atom_feed.refresh(*args)
                         else:
                             mime_type, feed = generate_atom_feed(*args)
-                        log.debug('Repo ATOM feed computed in %.3fs',
+                        log.debug('Repo ATOM feed computed in %.4fs',
                                   inv_context_manager.compute_time)
                     response = Response(feed)
                     response.content_type = mime_type
                     return response
                 @LoginRequired(auth_token_access=[UserApiKeys.ROLE_FEED])
                 @HasRepoPermissionAnyDecorator(
                     'repository.read', 'repository.write', 'repository.admin')
                 @view_config(
                     route_name='rss_feed_home', request_method='GET',
                     renderer=None)
                 @view_config(
                     route_name='rss_feed_home_old', request_method='GET',
                     renderer=None)
                 def rss(self):
                     """
                     Produce an rss2 feed via feedgenerator module
                     """
                     self.load_default_context()
                     cache_namespace_uid = 'cache_repo_instance.{}_{}'.format(
                         self.db_repo.repo_id, CacheKey.CACHE_TYPE_FEED)
                     invalidation_namespace = CacheKey.REPO_INVALIDATION_NAMESPACE.format(
                         repo_id=self.db_repo.repo_id)
                     region = rc_cache.get_or_create_region('cache_repo_longterm',
                                                            cache_namespace_uid)
                     condition = not self.path_filter.is_enabled
                     @region.conditional_cache_on_arguments(namespace=cache_namespace_uid,
                                                            condition=condition)
                     def generate_rss_feed(repo_id, _repo_name, _feed_type):
                         feed = Rss201rev2Feed(
                             title=self.title % _repo_name,
                             link=h.route_url('repo_summary', repo_name=_repo_name),
                             description=self.description % _repo_name,
                             language=self.language,
                             ttl=self.ttl
                         )
                         for commit in reversed(self._get_commits()):
                             date = self._set_timezone(commit.date)
                             feed.add_item(
                                 unique_id=self.uid(repo_id, commit.raw_id),
                                 title=self._get_title(commit),
                                 author_name=commit.author,
                                 description=self._get_description(commit),
                                 link=h.route_url(
                                     'repo_commit', repo_name=_repo_name,
                                     commit_id=commit.raw_id),
                                 pubdate=date,)
                         return feed.mime_type, feed.writeString('utf-8')
                     inv_context_manager = rc_cache.InvalidationContext(
                         uid=cache_namespace_uid, invalidation_namespace=invalidation_namespace)
                     with inv_context_manager as invalidation_context:
                         args = (self.db_repo.repo_id, self.db_repo.repo_name, 'rss',)
                         # re-compute and store cache if we get invalidate signal
                         if invalidation_context.should_invalidate():
                             mime_type, feed = generate_rss_feed.refresh(*args)
                         else:
                             mime_type, feed = generate_rss_feed(*args)
                         log.debug(
-                            'Repo RSS feed computed in %.3fs', inv_context_manager.compute_time)
+                            'Repo RSS feed computed in %.4fs', inv_context_manager.compute_time)
                     response = Response(feed)
                     response.content_type = mime_type
                     return response

rhodecode/apps/repository/views/repo_summary.py

0 +1 -1

             # -*- coding: utf-8 -*-
             # Copyright (C) 2011-2019 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import logging
             import string
             import rhodecode
             from pyramid.view import view_config
             from rhodecode.lib.view_utils import get_format_ref_id
             from rhodecode.apps._base import RepoAppView
             from rhodecode.config.conf import (LANGUAGES_EXTENSIONS_MAP)
             from rhodecode.lib import helpers as h, rc_cache
             from rhodecode.lib.utils2 import safe_str, safe_int
             from rhodecode.lib.auth import LoginRequired, HasRepoPermissionAnyDecorator
             from rhodecode.lib.markup_renderer import MarkupRenderer, relative_links
             from rhodecode.lib.ext_json import json
             from rhodecode.lib.vcs.backends.base import EmptyCommit
             from rhodecode.lib.vcs.exceptions import (
                 CommitError, EmptyRepositoryError, CommitDoesNotExistError)
             from rhodecode.model.db import Statistics, CacheKey, User
             from rhodecode.model.meta import Session
             from rhodecode.model.repo import ReadmeFinder
             from rhodecode.model.scm import ScmModel
             log = logging.getLogger(__name__)
             class RepoSummaryView(RepoAppView):
                 def load_default_context(self):
                     c = self._get_local_tmpl_context(include_app_defaults=True)
                     c.rhodecode_repo = None
                     if not c.repository_requirements_missing:
                         c.rhodecode_repo = self.rhodecode_vcs_repo
                     return c
                 def _get_readme_data(self, db_repo, renderer_type):
                     log.debug('Looking for README file')
                     cache_namespace_uid = 'cache_repo_instance.{}_{}'.format(
                         db_repo.repo_id, CacheKey.CACHE_TYPE_README)
                     invalidation_namespace = CacheKey.REPO_INVALIDATION_NAMESPACE.format(
                         repo_id=self.db_repo.repo_id)
                     region = rc_cache.get_or_create_region('cache_repo_longterm', cache_namespace_uid)
                     @region.conditional_cache_on_arguments(namespace=cache_namespace_uid)
                     def generate_repo_readme(repo_id, _repo_name, _renderer_type):
                         readme_data = None
                         readme_node = None
                         readme_filename = None
                         commit = self._get_landing_commit_or_none(db_repo)
                         if commit:
                             log.debug("Searching for a README file.")
                             readme_node = ReadmeFinder(_renderer_type).search(commit)
                         if readme_node:
                             log.debug('Found README node: %s', readme_node)
                             relative_urls = {
                                 'raw': h.route_path(
                                     'repo_file_raw', repo_name=_repo_name,
                                     commit_id=commit.raw_id, f_path=readme_node.path),
                                 'standard': h.route_path(
                                     'repo_files', repo_name=_repo_name,
                                     commit_id=commit.raw_id, f_path=readme_node.path),
                             }
                             readme_data = self._render_readme_or_none(
                                 commit, readme_node, relative_urls)
                             readme_filename = readme_node.unicode_path
                         return readme_data, readme_filename
                     inv_context_manager = rc_cache.InvalidationContext(
                         uid=cache_namespace_uid, invalidation_namespace=invalidation_namespace)
                     with inv_context_manager as invalidation_context:
                         args = (db_repo.repo_id, db_repo.repo_name, renderer_type,)
                         # re-compute and store cache if we get invalidate signal
                         if invalidation_context.should_invalidate():
                             instance = generate_repo_readme.refresh(*args)
                         else:
                             instance = generate_repo_readme(*args)
                         log.debug(
-                            'Repo readme generated and computed in %.3fs',
+                            'Repo readme generated and computed in %.4fs',
                             inv_context_manager.compute_time)
                         return instance
                 def _get_landing_commit_or_none(self, db_repo):
                     log.debug("Getting the landing commit.")
                     try:
                         commit = db_repo.get_landing_commit()
                         if not isinstance(commit, EmptyCommit):
                             return commit
                         else:
                             log.debug("Repository is empty, no README to render.")
                     except CommitError:
                         log.exception(
                             "Problem getting commit when trying to render the README.")
                 def _render_readme_or_none(self, commit, readme_node, relative_urls):
                     log.debug(
                         'Found README file `%s` rendering...', readme_node.path)
                     renderer = MarkupRenderer()
                     try:
                         html_source = renderer.render(
                             readme_node.content, filename=readme_node.path)
                         if relative_urls:
                             return relative_links(html_source, relative_urls)
                         return html_source
                     except Exception:
                         log.exception(
                             "Exception while trying to render the README")
                 def _load_commits_context(self, c):
                     p = safe_int(self.request.GET.get('page'), 1)
                     size = safe_int(self.request.GET.get('size'), 10)
                     def url_generator(**kw):
                         query_params = {
                             'size': size
                         }
                         query_params.update(kw)
                         return h.route_path(
                             'repo_summary_commits',
                             repo_name=c.rhodecode_db_repo.repo_name, _query=query_params)
                     pre_load = ['author', 'branch', 'date', 'message']
                     try:
                         collection = self.rhodecode_vcs_repo.get_commits(
                             pre_load=pre_load, translate_tags=False)
                     except EmptyRepositoryError:
                         collection = self.rhodecode_vcs_repo
                     c.repo_commits = h.RepoPage(
                         collection, page=p, items_per_page=size, url=url_generator)
                     page_ids = [x.raw_id for x in c.repo_commits]
                     c.comments = self.db_repo.get_comments(page_ids)
                     c.statuses = self.db_repo.statuses(page_ids)
                 def _prepare_and_set_clone_url(self, c):
                     username = ''
                     if self._rhodecode_user.username != User.DEFAULT_USER:
                         username = safe_str(self._rhodecode_user.username)
                     _def_clone_uri = _def_clone_uri_id = c.clone_uri_tmpl
                     _def_clone_uri_ssh = c.clone_uri_ssh_tmpl
                     if '{repo}' in _def_clone_uri:
                         _def_clone_uri_id = _def_clone_uri.replace('{repo}', '_{repoid}')
                     elif '{repoid}' in _def_clone_uri:
                         _def_clone_uri_id = _def_clone_uri.replace('_{repoid}', '{repo}')
                     c.clone_repo_url = self.db_repo.clone_url(
                         user=username, uri_tmpl=_def_clone_uri)
                     c.clone_repo_url_id = self.db_repo.clone_url(
                         user=username, uri_tmpl=_def_clone_uri_id)
                     c.clone_repo_url_ssh = self.db_repo.clone_url(
                         uri_tmpl=_def_clone_uri_ssh, ssh=True)
                 @LoginRequired()
                 @HasRepoPermissionAnyDecorator(
                     'repository.read', 'repository.write', 'repository.admin')
                 @view_config(
                     route_name='repo_summary_commits', request_method='GET',
                     renderer='rhodecode:templates/summary/summary_commits.mako')
                 def summary_commits(self):
                     c = self.load_default_context()
                     self._prepare_and_set_clone_url(c)
                     self._load_commits_context(c)
                     return self._get_template_context(c)
                 @LoginRequired()
                 @HasRepoPermissionAnyDecorator(
                     'repository.read', 'repository.write', 'repository.admin')
                 @view_config(
                     route_name='repo_summary', request_method='GET',
                     renderer='rhodecode:templates/summary/summary.mako')
                 @view_config(
                     route_name='repo_summary_slash', request_method='GET',
                     renderer='rhodecode:templates/summary/summary.mako')
                 @view_config(
                     route_name='repo_summary_explicit', request_method='GET',
                     renderer='rhodecode:templates/summary/summary.mako')
                 def summary(self):
                     c = self.load_default_context()
                     # Prepare the clone URL
                     self._prepare_and_set_clone_url(c)
                     # update every 5 min
                     if self.db_repo.last_commit_cache_update_diff > 60 * 5:
                         self.db_repo.update_commit_cache()
                     # If enabled, get statistics data
                     c.show_stats = bool(self.db_repo.enable_statistics)
                     stats = Session().query(Statistics) \
                         .filter(Statistics.repository == self.db_repo) \
                         .scalar()
                     c.stats_percentage = 0
                     if stats and stats.languages:
                         c.no_data = False is self.db_repo.enable_statistics
                         lang_stats_d = json.loads(stats.languages)
                         # Sort first by decreasing count and second by the file extension,
                         # so we have a consistent output.
                         lang_stats_items = sorted(lang_stats_d.iteritems(),
                                                   key=lambda k: (-k[1], k[0]))[:10]
                         lang_stats = [(x, {"count": y,
                                            "desc": LANGUAGES_EXTENSIONS_MAP.get(x)})
                                       for x, y in lang_stats_items]
                         c.trending_languages = json.dumps(lang_stats)
                     else:
                         c.no_data = True
                         c.trending_languages = json.dumps({})
                     scm_model = ScmModel()
                     c.enable_downloads = self.db_repo.enable_downloads
                     c.repository_followers = scm_model.get_followers(self.db_repo)
                     c.repository_forks = scm_model.get_forks(self.db_repo)
                     # first interaction with the VCS instance after here...
                     if c.repository_requirements_missing:
                         self.request.override_renderer = \
                             'rhodecode:templates/summary/missing_requirements.mako'
                         return self._get_template_context(c)
                     c.readme_data, c.readme_file = \
                         self._get_readme_data(self.db_repo, c.visual.default_renderer)
                     # loads the summary commits template context
                     self._load_commits_context(c)
                     return self._get_template_context(c)
                 def get_request_commit_id(self):
                     return self.request.matchdict['commit_id']
                 @LoginRequired()
                 @HasRepoPermissionAnyDecorator(
                     'repository.read', 'repository.write', 'repository.admin')
                 @view_config(
                     route_name='repo_stats', request_method='GET',
                     renderer='json_ext')
                 def repo_stats(self):
                     commit_id = self.get_request_commit_id()
                     show_stats = bool(self.db_repo.enable_statistics)
                     repo_id = self.db_repo.repo_id
                     cache_seconds = safe_int(
                         rhodecode.CONFIG.get('rc_cache.cache_repo.expiration_time'))
                     cache_on = cache_seconds > 0
                     log.debug(
                         'Computing REPO TREE for repo_id %s commit_id `%s` '
                         'with caching: %s[TTL: %ss]' % (
                             repo_id, commit_id, cache_on, cache_seconds or 0))
                     cache_namespace_uid = 'cache_repo.{}'.format(repo_id)
                     region = rc_cache.get_or_create_region('cache_repo', cache_namespace_uid)
                     @region.conditional_cache_on_arguments(namespace=cache_namespace_uid,
                                                            condition=cache_on)
                     def compute_stats(repo_id, commit_id, show_stats):
                         code_stats = {}
                         size = 0
                         try:
                             scm_instance = self.db_repo.scm_instance()
                             commit = scm_instance.get_commit(commit_id)
                             for node in commit.get_filenodes_generator():
                                 size += node.size
                                 if not show_stats:
                                     continue
                                 ext = string.lower(node.extension)
                                 ext_info = LANGUAGES_EXTENSIONS_MAP.get(ext)
                                 if ext_info:
                                     if ext in code_stats:
                                         code_stats[ext]['count'] += 1
                                     else:
                                         code_stats[ext] = {"count": 1, "desc": ext_info}
                         except (EmptyRepositoryError, CommitDoesNotExistError):
                             pass
                         return {'size': h.format_byte_size_binary(size),
                                 'code_stats': code_stats}
                     stats = compute_stats(self.db_repo.repo_id, commit_id, show_stats)
                     return stats
                 @LoginRequired()
                 @HasRepoPermissionAnyDecorator(
                     'repository.read', 'repository.write', 'repository.admin')
                 @view_config(
                     route_name='repo_refs_data', request_method='GET',
                     renderer='json_ext')
                 def repo_refs_data(self):
                     _ = self.request.translate
                     self.load_default_context()
                     repo = self.rhodecode_vcs_repo
                     refs_to_create = [
                         (_("Branch"), repo.branches, 'branch'),
                         (_("Tag"), repo.tags, 'tag'),
                         (_("Bookmark"), repo.bookmarks, 'book'),
                     ]
                     res = self._create_reference_data(repo, self.db_repo_name, refs_to_create)
                     data = {
                         'more': False,
                         'results': res
                     }
                     return data
                 @LoginRequired()
                 @HasRepoPermissionAnyDecorator(
                     'repository.read', 'repository.write', 'repository.admin')
                 @view_config(
                     route_name='repo_refs_changelog_data', request_method='GET',
                     renderer='json_ext')
                 def repo_refs_changelog_data(self):
                     _ = self.request.translate
                     self.load_default_context()
                     repo = self.rhodecode_vcs_repo
                     refs_to_create = [
                         (_("Branches"), repo.branches, 'branch'),
                         (_("Closed branches"), repo.branches_closed, 'branch_closed'),
                         # TODO: enable when vcs can handle bookmarks filters
                         # (_("Bookmarks"), repo.bookmarks, "book"),
                     ]
                     res = self._create_reference_data(
                         repo, self.db_repo_name, refs_to_create)
                     data = {
                         'more': False,
                         'results': res
                     }
                     return data
                 def _create_reference_data(self, repo, full_repo_name, refs_to_create):
                     format_ref_id = get_format_ref_id(repo)
                     result = []
                     for title, refs, ref_type in refs_to_create:
                         if refs:
                             result.append({
                                 'text': title,
                                 'children': self._create_reference_items(
                                     repo, full_repo_name, refs, ref_type,
                                     format_ref_id),
                             })
                     return result
                 def _create_reference_items(self, repo, full_repo_name, refs, ref_type, format_ref_id):
                     result = []
                     is_svn = h.is_svn(repo)
                     for ref_name, raw_id in refs.iteritems():
                         files_url = self._create_files_url(
                             repo, full_repo_name, ref_name, raw_id, is_svn)
                         result.append({
                             'text': ref_name,
                             'id': format_ref_id(ref_name, raw_id),
                             'raw_id': raw_id,
                             'type': ref_type,
                             'files_url': files_url,
                             'idx': 0,
                         })
                     return result
                 def _create_files_url(self, repo, full_repo_name, ref_name, raw_id, is_svn):
                     use_commit_id = '/' in ref_name or is_svn
                     return h.route_path(
                         'repo_files',
                         repo_name=full_repo_name,
                         f_path=ref_name if is_svn else '',
                         commit_id=raw_id if use_commit_id else ref_name,
                         _query=dict(at=ref_name))

rhodecode/apps/search/views.py

0 +1 -1

             # -*- coding: utf-8 -*-
             # Copyright (C) 2011-2019 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import logging
             import urllib
             from pyramid.view import view_config
             from webhelpers.util import update_params
             from rhodecode.apps._base import BaseAppView, RepoAppView, RepoGroupAppView
             from rhodecode.lib.auth import (
                 LoginRequired, HasRepoPermissionAnyDecorator, HasRepoGroupPermissionAnyDecorator)
             from rhodecode.lib.helpers import Page
             from rhodecode.lib.utils2 import safe_str
             from rhodecode.lib.index import searcher_from_config
             from rhodecode.model import validation_schema
             from rhodecode.model.validation_schema.schemas import search_schema
             log = logging.getLogger(__name__)
             def perform_search(request, tmpl_context, repo_name=None, repo_group_name=None):
                 searcher = searcher_from_config(request.registry.settings)
                 formatted_results = []
                 execution_time = ''
                 schema = search_schema.SearchParamsSchema()
                 search_tags = []
                 search_params = {}
                 errors = []
                 try:
                     search_params = schema.deserialize(
                         dict(
                             search_query=request.GET.get('q'),
                             search_type=request.GET.get('type'),
                             search_sort=request.GET.get('sort'),
                             search_max_lines=request.GET.get('max_lines'),
                             page_limit=request.GET.get('page_limit'),
                             requested_page=request.GET.get('page'),
                          )
                     )
                 except validation_schema.Invalid as e:
                     errors = e.children
                 def url_generator(**kw):
                     q = urllib.quote(safe_str(search_query))
                     return update_params(
                         "?q=%s&type=%s&max_lines=%s" % (
                             q, safe_str(search_type), search_max_lines), **kw)
                 c = tmpl_context
                 search_query = search_params.get('search_query')
                 search_type = search_params.get('search_type')
                 search_sort = search_params.get('search_sort')
                 search_max_lines = search_params.get('search_max_lines')
                 if search_params.get('search_query'):
                     page_limit = search_params['page_limit']
                     requested_page = search_params['requested_page']
                     try:
                         search_result = searcher.search(
                             search_query, search_type, c.auth_user, repo_name, repo_group_name,
                             requested_page=requested_page, page_limit=page_limit, sort=search_sort)
                         formatted_results = Page(
                             search_result['results'], page=requested_page,
                             item_count=search_result['count'],
                             items_per_page=page_limit, url=url_generator)
                     finally:
                         searcher.cleanup()
                     search_tags = searcher.extract_search_tags(search_query)
                     if not search_result['error']:
-                        execution_time = '%s results (%.3f seconds)' % (
+                        execution_time = '%s results (%.4f seconds)' % (
                             search_result['count'],
                             search_result['runtime'])
                     elif not errors:
                         node = schema['search_query']
                         errors = [
                             validation_schema.Invalid(node, search_result['error'])]
                 c.perm_user = c.auth_user
                 c.repo_name = repo_name
                 c.repo_group_name = repo_group_name
                 c.sort = search_sort
                 c.url_generator = url_generator
                 c.errors = errors
                 c.formatted_results = formatted_results
                 c.runtime = execution_time
                 c.cur_query = search_query
                 c.search_type = search_type
                 c.searcher = searcher
                 c.search_tags = search_tags
             class SearchView(BaseAppView):
                 def load_default_context(self):
                     c = self._get_local_tmpl_context()
                     return c
                 @LoginRequired()
                 @view_config(
                     route_name='search', request_method='GET',
                     renderer='rhodecode:templates/search/search.mako')
                 def search(self):
                     c = self.load_default_context()
                     perform_search(self.request, c)
                     return self._get_template_context(c)
             class SearchRepoView(RepoAppView):
                 def load_default_context(self):
                     c = self._get_local_tmpl_context()
                     c.active = 'search'
                     return c
                 @LoginRequired()
                 @HasRepoPermissionAnyDecorator(
                     'repository.read', 'repository.write', 'repository.admin')
                 @view_config(
                     route_name='search_repo', request_method='GET',
                     renderer='rhodecode:templates/search/search.mako')
                 @view_config(
                     route_name='search_repo_alt', request_method='GET',
                     renderer='rhodecode:templates/search/search.mako')
                 def search_repo(self):
                     c = self.load_default_context()
                     perform_search(self.request, c, repo_name=self.db_repo_name)
                     return self._get_template_context(c)
             class SearchRepoGroupView(RepoGroupAppView):
                 def load_default_context(self):
                     c = self._get_local_tmpl_context()
                     c.active = 'search'
                     return c
                 @LoginRequired()
                 @HasRepoGroupPermissionAnyDecorator(
                     'group.read', 'group.write', 'group.admin')
                 @view_config(
                     route_name='search_repo_group', request_method='GET',
                     renderer='rhodecode:templates/search/search.mako')
                 def search_repo_group(self):
                     c = self.load_default_context()
                     perform_search(self.request, c, repo_group_name=self.db_repo_group_name)
                     return self._get_template_context(c)

rhodecode/authentication/base.py

0 +1 -1

             # -*- coding: utf-8 -*-
             # Copyright (C) 2010-2019 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             """
             Authentication modules
             """
             import socket
             import string
             import colander
             import copy
             import logging
             import time
             import traceback
             import warnings
             import functools
             from pyramid.threadlocal import get_current_registry
             from rhodecode.authentication.interface import IAuthnPluginRegistry
             from rhodecode.authentication.schema import AuthnPluginSettingsSchemaBase
             from rhodecode.lib import rc_cache
             from rhodecode.lib.auth import PasswordGenerator, _RhodeCodeCryptoBCrypt
             from rhodecode.lib.utils2 import safe_int, safe_str
             from rhodecode.lib.exceptions import LdapConnectionError, LdapUsernameError, \
                 LdapPasswordError
             from rhodecode.model.db import User
             from rhodecode.model.meta import Session
             from rhodecode.model.settings import SettingsModel
             from rhodecode.model.user import UserModel
             from rhodecode.model.user_group import UserGroupModel
             log = logging.getLogger(__name__)
             # auth types that authenticate() function can receive
             VCS_TYPE = 'vcs'
             HTTP_TYPE = 'http'
             external_auth_session_key = 'rhodecode.external_auth'
             class hybrid_property(object):
                 """
                 a property decorator that works both for instance and class
                 """
                 def __init__(self, fget, fset=None, fdel=None, expr=None):
                     self.fget = fget
                     self.fset = fset
                     self.fdel = fdel
                     self.expr = expr or fget
                     functools.update_wrapper(self, fget)
                 def __get__(self, instance, owner):
                     if instance is None:
                         return self.expr(owner)
                     else:
                         return self.fget(instance)
                 def __set__(self, instance, value):
                     self.fset(instance, value)
                 def __delete__(self, instance):
                     self.fdel(instance)
             class LazyFormencode(object):
                 def __init__(self, formencode_obj, *args, **kwargs):
                     self.formencode_obj = formencode_obj
                     self.args = args
                     self.kwargs = kwargs
                 def __call__(self, *args, **kwargs):
                     from inspect import isfunction
                     formencode_obj = self.formencode_obj
                     if isfunction(formencode_obj):
                         # case we wrap validators into functions
                         formencode_obj = self.formencode_obj(*args, **kwargs)
                     return formencode_obj(*self.args, **self.kwargs)
             class RhodeCodeAuthPluginBase(object):
                 # UID is used to register plugin to the registry
                 uid = None
                 # cache the authentication request for N amount of seconds. Some kind
                 # of authentication methods are very heavy and it's very efficient to cache
                 # the result of a call. If it's set to None (default) cache is off
                 AUTH_CACHE_TTL = None
                 AUTH_CACHE = {}
                 auth_func_attrs = {
                     "username": "unique username",
                     "firstname": "first name",
                     "lastname": "last name",
                     "email": "email address",
                     "groups": '["list", "of", "groups"]',
                     "user_group_sync":
                         'True|False defines if returned user groups should be synced',
                     "extern_name": "name in external source of record",
                     "extern_type": "type of external source of record",
                     "admin": 'True|False defines if user should be RhodeCode super admin',
                     "active":
                         'True|False defines active state of user internally for RhodeCode',
                     "active_from_extern":
                         "True|False|None, active state from the external auth, "
                         "None means use definition from RhodeCode extern_type active value"
                 }
                 # set on authenticate() method and via set_auth_type func.
                 auth_type = None
                 # set on authenticate() method and via set_calling_scope_repo, this is a
                 # calling scope repository when doing authentication most likely on VCS
                 # operations
                 acl_repo_name = None
                 # List of setting names to store encrypted. Plugins may override this list
                 # to store settings encrypted.
                 _settings_encrypted = []
                 # Mapping of python to DB settings model types. Plugins may override or
                 # extend this mapping.
                 _settings_type_map = {
                     colander.String: 'unicode',
                     colander.Integer: 'int',
                     colander.Boolean: 'bool',
                     colander.List: 'list',
                 }
                 # list of keys in settings that are unsafe to be logged, should be passwords
                 # or other crucial credentials
                 _settings_unsafe_keys = []
                 def __init__(self, plugin_id):
                     self._plugin_id = plugin_id
                 def __str__(self):
                     return self.get_id()
                 def _get_setting_full_name(self, name):
                     """
                     Return the full setting name used for storing values in the database.
                     """
                     # TODO: johbo: Using the name here is problematic. It would be good to
                     # introduce either new models in the database to hold Plugin and
                     # PluginSetting or to use the plugin id here.
                     return 'auth_{}_{}'.format(self.name, name)
                 def _get_setting_type(self, name):
                     """
                     Return the type of a setting. This type is defined by the SettingsModel
                     and determines how the setting is stored in DB. Optionally the suffix
                     `.encrypted` is appended to instruct SettingsModel to store it
                     encrypted.
                     """
                     schema_node = self.get_settings_schema().get(name)
                     db_type = self._settings_type_map.get(
                         type(schema_node.typ), 'unicode')
                     if name in self._settings_encrypted:
                         db_type = '{}.encrypted'.format(db_type)
                     return db_type
                 @classmethod
                 def docs(cls):
                     """
                     Defines documentation url which helps with plugin setup
                     """
                     return ''
                 @classmethod
                 def icon(cls):
                     """
                     Defines ICON in SVG format for authentication method
                     """
                     return ''
                 def is_enabled(self):
                     """
                     Returns true if this plugin is enabled. An enabled plugin can be
                     configured in the admin interface but it is not consulted during
                     authentication.
                     """
                     auth_plugins = SettingsModel().get_auth_plugins()
                     return self.get_id() in auth_plugins
                 def is_active(self, plugin_cached_settings=None):
                     """
                     Returns true if the plugin is activated. An activated plugin is
                     consulted during authentication, assumed it is also enabled.
                     """
                     return self.get_setting_by_name(
                         'enabled', plugin_cached_settings=plugin_cached_settings)
                 def get_id(self):
                     """
                     Returns the plugin id.
                     """
                     return self._plugin_id
                 def get_display_name(self):
                     """
                     Returns a translation string for displaying purposes.
                     """
                     raise NotImplementedError('Not implemented in base class')
                 def get_settings_schema(self):
                     """
                     Returns a colander schema, representing the plugin settings.
                     """
                     return AuthnPluginSettingsSchemaBase()
                 def get_settings(self):
                     """
                     Returns the plugin settings as dictionary.
                     """
                     settings = {}
                     raw_settings = SettingsModel().get_all_settings()
                     for node in self.get_settings_schema():
                         settings[node.name] = self.get_setting_by_name(
                             node.name, plugin_cached_settings=raw_settings)
                     return settings
                 def get_setting_by_name(self, name, default=None, plugin_cached_settings=None):
                     """
                     Returns a plugin setting by name.
                     """
                     full_name = 'rhodecode_{}'.format(self._get_setting_full_name(name))
                     if plugin_cached_settings:
                         plugin_settings = plugin_cached_settings
                     else:
                         plugin_settings = SettingsModel().get_all_settings()
                     if full_name in plugin_settings:
                         return plugin_settings[full_name]
                     else:
                         return default
                 def create_or_update_setting(self, name, value):
                     """
                     Create or update a setting for this plugin in the persistent storage.
                     """
                     full_name = self._get_setting_full_name(name)
                     type_ = self._get_setting_type(name)
                     db_setting = SettingsModel().create_or_update_setting(
                         full_name, value, type_)
                     return db_setting.app_settings_value
                 def log_safe_settings(self, settings):
                     """
                     returns a log safe representation of settings, without any secrets
                     """
                     settings_copy = copy.deepcopy(settings)
                     for k in self._settings_unsafe_keys:
                         if k in settings_copy:
                             del settings_copy[k]
                     return settings_copy
                 @hybrid_property
                 def name(self):
                     """
                     Returns the name of this authentication plugin.
                     :returns: string
                     """
                     raise NotImplementedError("Not implemented in base class")
                 def get_url_slug(self):
                     """
                     Returns a slug which should be used when constructing URLs which refer
                     to this plugin. By default it returns the plugin name. If the name is
                     not suitable for using it in an URL the plugin should override this
                     method.
                     """
                     return self.name
                 @property
                 def is_headers_auth(self):
                     """
                     Returns True if this authentication plugin uses HTTP headers as
                     authentication method.
                     """
                     return False
                 @hybrid_property
                 def is_container_auth(self):
                     """
                     Deprecated method that indicates if this authentication plugin uses
                     HTTP headers as authentication method.
                     """
                     warnings.warn(
                         'Use is_headers_auth instead.', category=DeprecationWarning)
                     return self.is_headers_auth
                 @hybrid_property
                 def allows_creating_users(self):
                     """
                     Defines if Plugin allows users to be created on-the-fly when
                     authentication is called. Controls how external plugins should behave
                     in terms if they are allowed to create new users, or not. Base plugins
                     should not be allowed to, but External ones should be !
                     :return: bool
                     """
                     return False
                 def set_auth_type(self, auth_type):
                     self.auth_type = auth_type
                 def set_calling_scope_repo(self, acl_repo_name):
                     self.acl_repo_name = acl_repo_name
                 def allows_authentication_from(
                         self, user, allows_non_existing_user=True,
                         allowed_auth_plugins=None, allowed_auth_sources=None):
                     """
                     Checks if this authentication module should accept a request for
                     the current user.
                     :param user: user object fetched using plugin's get_user() method.
                     :param allows_non_existing_user: if True, don't allow the
                         user to be empty, meaning not existing in our database
                     :param allowed_auth_plugins: if provided, users extern_type will be
                         checked against a list of provided extern types, which are plugin
                         auth_names in the end
                     :param allowed_auth_sources: authentication type allowed,
                         `http` or `vcs` default is both.
                         defines if plugin will accept only http authentication vcs
                         authentication(git/hg) or both
                     :returns: boolean
                     """
                     if not user and not allows_non_existing_user:
                         log.debug('User is empty but plugin does not allow empty users,'
                                   'not allowed to authenticate')
                         return False
                     expected_auth_plugins = allowed_auth_plugins or [self.name]
                     if user and (user.extern_type and
                                  user.extern_type not in expected_auth_plugins):
                         log.debug(
                             'User `%s` is bound to `%s` auth type. Plugin allows only '
                             '%s, skipping', user, user.extern_type, expected_auth_plugins)
                         return False
                     # by default accept both
                     expected_auth_from = allowed_auth_sources or [HTTP_TYPE, VCS_TYPE]
                     if self.auth_type not in expected_auth_from:
                         log.debug('Current auth source is %s but plugin only allows %s',
                                   self.auth_type, expected_auth_from)
                         return False
                     return True
                 def get_user(self, username=None, **kwargs):
                     """
                     Helper method for user fetching in plugins, by default it's using
                     simple fetch by username, but this method can be custimized in plugins
                     eg. headers auth plugin to fetch user by environ params
                     :param username: username if given to fetch from database
                     :param kwargs: extra arguments needed for user fetching.
                     """
                     user = None
                     log.debug(
                         'Trying to fetch user `%s` from RhodeCode database', username)
                     if username:
                         user = User.get_by_username(username)
                         if not user:
                             log.debug('User not found, fallback to fetch user in '
                                       'case insensitive mode')
                             user = User.get_by_username(username, case_insensitive=True)
                     else:
                         log.debug('provided username:`%s` is empty skipping...', username)
                     if not user:
                         log.debug('User `%s` not found in database', username)
                     else:
                         log.debug('Got DB user:%s', user)
                     return user
                 def user_activation_state(self):
                     """
                     Defines user activation state when creating new users
                     :returns: boolean
                     """
                     raise NotImplementedError("Not implemented in base class")
                 def auth(self, userobj, username, passwd, settings, **kwargs):
                     """
                     Given a user object (which may be null), username, a plaintext
                     password, and a settings object (containing all the keys needed as
                     listed in settings()), authenticate this user's login attempt.
                     Return None on failure. On success, return a dictionary of the form:
                         see: RhodeCodeAuthPluginBase.auth_func_attrs
                     This is later validated for correctness
                     """
                     raise NotImplementedError("not implemented in base class")
                 def _authenticate(self, userobj, username, passwd, settings, **kwargs):
                     """
                     Wrapper to call self.auth() that validates call on it
                     :param userobj: userobj
                     :param username: username
                     :param passwd: plaintext password
                     :param settings: plugin settings
                     """
                     auth = self.auth(userobj, username, passwd, settings, **kwargs)
                     if auth:
                         auth['_plugin'] = self.name
                         auth['_ttl_cache'] = self.get_ttl_cache(settings)
                         # check if hash should be migrated ?
                         new_hash = auth.get('_hash_migrate')
                         if new_hash:
                             self._migrate_hash_to_bcrypt(username, passwd, new_hash)
                         if 'user_group_sync' not in auth:
                             auth['user_group_sync'] = False
                         return self._validate_auth_return(auth)
                     return auth
                 def _migrate_hash_to_bcrypt(self, username, password, new_hash):
                     new_hash_cypher = _RhodeCodeCryptoBCrypt()
                     # extra checks, so make sure new hash is correct.
                     password_encoded = safe_str(password)
                     if new_hash and new_hash_cypher.hash_check(
                             password_encoded, new_hash):
                         cur_user = User.get_by_username(username)
                         cur_user.password = new_hash
                         Session().add(cur_user)
                         Session().flush()
                         log.info('Migrated user %s hash to bcrypt', cur_user)
                 def _validate_auth_return(self, ret):
                     if not isinstance(ret, dict):
                         raise Exception('returned value from auth must be a dict')
                     for k in self.auth_func_attrs:
                         if k not in ret:
                             raise Exception('Missing %s attribute from returned data' % k)
                     return ret
                 def get_ttl_cache(self, settings=None):
                     plugin_settings = settings or self.get_settings()
                     # we set default to 30, we make a compromise here,
                     # performance > security, mostly due to LDAP/SVN, majority
                     # of users pick cache_ttl to be enabled
                     from rhodecode.authentication import plugin_default_auth_ttl
                     cache_ttl = plugin_default_auth_ttl
                     if isinstance(self.AUTH_CACHE_TTL, (int, long)):
                         # plugin cache set inside is more important than the settings value
                         cache_ttl = self.AUTH_CACHE_TTL
                     elif plugin_settings.get('cache_ttl'):
                         cache_ttl = safe_int(plugin_settings.get('cache_ttl'), 0)
                     plugin_cache_active = bool(cache_ttl and cache_ttl > 0)
                     return plugin_cache_active, cache_ttl
             class RhodeCodeExternalAuthPlugin(RhodeCodeAuthPluginBase):
                 @hybrid_property
                 def allows_creating_users(self):
                     return True
                 def use_fake_password(self):
                     """
                     Return a boolean that indicates whether or not we should set the user's
                     password to a random value when it is authenticated by this plugin.
                     If your plugin provides authentication, then you will generally
                     want this.
                     :returns: boolean
                     """
                     raise NotImplementedError("Not implemented in base class")
                 def _authenticate(self, userobj, username, passwd, settings, **kwargs):
                     # at this point _authenticate calls plugin's `auth()` function
                     auth = super(RhodeCodeExternalAuthPlugin, self)._authenticate(
                         userobj, username, passwd, settings, **kwargs)
                     if auth:
                         # maybe plugin will clean the username ?
                         # we should use the return value
                         username = auth['username']
                         # if external source tells us that user is not active, we should
                         # skip rest of the process. This can prevent from creating users in
                         # RhodeCode when using external authentication, but if it's
                         # inactive user we shouldn't create that user anyway
                         if auth['active_from_extern'] is False:
                             log.warning(
                                 "User %s authenticated against %s, but is inactive",
                                 username, self.__module__)
                             return None
                         cur_user = User.get_by_username(username, case_insensitive=True)
                         is_user_existing = cur_user is not None
                         if is_user_existing:
                             log.debug('Syncing user `%s` from '
                                       '`%s` plugin', username, self.name)
                         else:
                             log.debug('Creating non existing user `%s` from '
                                       '`%s` plugin', username, self.name)
                         if self.allows_creating_users:
                             log.debug('Plugin `%s` allows to '
                                       'create new users', self.name)
                         else:
                             log.debug('Plugin `%s` does not allow to '
                                       'create new users', self.name)
                         user_parameters = {
                             'username': username,
                             'email': auth["email"],
                             'firstname': auth["firstname"],
                             'lastname': auth["lastname"],
                             'active': auth["active"],
                             'admin': auth["admin"],
                             'extern_name': auth["extern_name"],
                             'extern_type': self.name,
                             'plugin': self,
                             'allow_to_create_user': self.allows_creating_users,
                         }
                         if not is_user_existing:
                             if self.use_fake_password():
                                 # Randomize the PW because we don't need it, but don't want
                                 # them blank either
                                 passwd = PasswordGenerator().gen_password(length=16)
                             user_parameters['password'] = passwd
                         else:
                             # Since the password is required by create_or_update method of
                             # UserModel, we need to set it explicitly.
                             # The create_or_update method is smart and recognises the
                             # password hashes as well.
                             user_parameters['password'] = cur_user.password
                         # we either create or update users, we also pass the flag
                         # that controls if this method can actually do that.
                         # raises NotAllowedToCreateUserError if it cannot, and we try to.
                         user = UserModel().create_or_update(**user_parameters)
                         Session().flush()
                         # enforce user is just in given groups, all of them has to be ones
                         # created from plugins. We store this info in _group_data JSON
                         # field
                         if auth['user_group_sync']:
                             try:
                                 groups = auth['groups'] or []
                                 log.debug(
                                     'Performing user_group sync based on set `%s` '
                                     'returned by `%s` plugin', groups, self.name)
                                 UserGroupModel().enforce_groups(user, groups, self.name)
                             except Exception:
                                 # for any reason group syncing fails, we should
                                 # proceed with login
                                 log.error(traceback.format_exc())
                         Session().commit()
                     return auth
             class AuthLdapBase(object):
                 @classmethod
                 def _build_servers(cls, ldap_server_type, ldap_server, port, use_resolver=True):
                     def host_resolver(host, port, full_resolve=True):
                         """
                         Main work for this function is to prevent ldap connection issues,
                         and detect them early using a "greenified" sockets
                         """
                         host = host.strip()
                         if not full_resolve:
                             return '{}:{}'.format(host, port)
                         log.debug('LDAP: Resolving IP for LDAP host %s', host)
                         try:
                             ip = socket.gethostbyname(host)
                             log.debug('Got LDAP server %s ip %s', host, ip)
                         except Exception:
                             raise LdapConnectionError(
                                 'Failed to resolve host: `{}`'.format(host))
                         log.debug('LDAP: Checking if IP %s is accessible', ip)
                         s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
                         try:
                             s.connect((ip, int(port)))
                             s.shutdown(socket.SHUT_RD)
                         except Exception:
                             raise LdapConnectionError(
                                 'Failed to connect to host: `{}:{}`'.format(host, port))
                         return '{}:{}'.format(host, port)
                     if len(ldap_server) == 1:
                         # in case of single server use resolver to detect potential
                         # connection issues
                         full_resolve = True
                     else:
                         full_resolve = False
                     return ', '.join(
                         ["{}://{}".format(
                             ldap_server_type,
                             host_resolver(host, port, full_resolve=use_resolver and full_resolve))
                          for host in ldap_server])
                 @classmethod
                 def _get_server_list(cls, servers):
                     return map(string.strip, servers.split(','))
                 @classmethod
                 def get_uid(cls, username, server_addresses):
                     uid = username
                     for server_addr in server_addresses:
                         uid = chop_at(username, "@%s" % server_addr)
                     return uid
                 @classmethod
                 def validate_username(cls, username):
                     if "," in username:
                         raise LdapUsernameError(
                             "invalid character `,` in username: `{}`".format(username))
                 @classmethod
                 def validate_password(cls, username, password):
                     if not password:
                         msg = "Authenticating user %s with blank password not allowed"
                         log.warning(msg, username)
                         raise LdapPasswordError(msg)
             def loadplugin(plugin_id):
                 """
                 Loads and returns an instantiated authentication plugin.
                 Returns the RhodeCodeAuthPluginBase subclass on success,
                 or None on failure.
                 """
                 # TODO: Disusing pyramids thread locals to retrieve the registry.
                 authn_registry = get_authn_registry()
                 plugin = authn_registry.get_plugin(plugin_id)
                 if plugin is None:
                     log.error('Authentication plugin not found: "%s"', plugin_id)
                 return plugin
             def get_authn_registry(registry=None):
                 registry = registry or get_current_registry()
                 authn_registry = registry.getUtility(IAuthnPluginRegistry)
                 return authn_registry
             def authenticate(username, password, environ=None, auth_type=None,
                              skip_missing=False, registry=None, acl_repo_name=None):
                 """
                 Authentication function used for access control,
                 It tries to authenticate based on enabled authentication modules.
                 :param username: username can be empty for headers auth
                 :param password: password can be empty for headers auth
                 :param environ: environ headers passed for headers auth
                 :param auth_type: type of authentication, either `HTTP_TYPE` or `VCS_TYPE`
                 :param skip_missing: ignores plugins that are in db but not in environment
                 :returns: None if auth failed, plugin_user dict if auth is correct
                 """
                 if not auth_type or auth_type not in [HTTP_TYPE, VCS_TYPE]:
                     raise ValueError('auth type must be on of http, vcs got "%s" instead'
                                      % auth_type)
                 headers_only = environ and not (username and password)
                 authn_registry = get_authn_registry(registry)
                 plugins_to_check = authn_registry.get_plugins_for_authentication()
                 log.debug('Starting ordered authentication chain using %s plugins',
                           [x.name for x in plugins_to_check])
                 for plugin in plugins_to_check:
                     plugin.set_auth_type(auth_type)
                     plugin.set_calling_scope_repo(acl_repo_name)
                     if headers_only and not plugin.is_headers_auth:
                         log.debug('Auth type is for headers only and plugin `%s` is not '
                                   'headers plugin, skipping...', plugin.get_id())
                         continue
                     log.debug('Trying authentication using ** %s **', plugin.get_id())
                     # load plugin settings from RhodeCode database
                     plugin_settings = plugin.get_settings()
                     plugin_sanitized_settings = plugin.log_safe_settings(plugin_settings)
                     log.debug('Plugin `%s` settings:%s', plugin.get_id(), plugin_sanitized_settings)
                     # use plugin's method of user extraction.
                     user = plugin.get_user(username, environ=environ,
                                            settings=plugin_settings)
                     display_user = user.username if user else username
                     log.debug(
                         'Plugin %s extracted user is `%s`', plugin.get_id(), display_user)
                     if not plugin.allows_authentication_from(user):
                         log.debug('Plugin %s does not accept user `%s` for authentication',
                                   plugin.get_id(), display_user)
                         continue
                     else:
                         log.debug('Plugin %s accepted user `%s` for authentication',
                                   plugin.get_id(), display_user)
                     log.info('Authenticating user `%s` using %s plugin',
                              display_user, plugin.get_id())
                     plugin_cache_active, cache_ttl = plugin.get_ttl_cache(plugin_settings)
                     log.debug('AUTH_CACHE_TTL for plugin `%s` active: %s (TTL: %s)',
                               plugin.get_id(), plugin_cache_active, cache_ttl)
                     user_id = user.user_id if user else None
                     # don't cache for empty users
                     plugin_cache_active = plugin_cache_active and user_id
                     cache_namespace_uid = 'cache_user_auth.{}'.format(user_id)
                     region = rc_cache.get_or_create_region('cache_perms', cache_namespace_uid)
                     @region.conditional_cache_on_arguments(namespace=cache_namespace_uid,
                                                            expiration_time=cache_ttl,
                                                            condition=plugin_cache_active)
                     def compute_auth(
                             cache_name, plugin_name, username, password):
                         # _authenticate is a wrapper for .auth() method of plugin.
                         # it checks if .auth() sends proper data.
                         # For RhodeCodeExternalAuthPlugin it also maps users to
                         # Database and maps the attributes returned from .auth()
                         # to RhodeCode database. If this function returns data
                         # then auth is correct.
                         log.debug('Running plugin `%s` _authenticate method '
                                   'using username and password', plugin.get_id())
                         return plugin._authenticate(
                             user, username, password, plugin_settings,
                             environ=environ or {})
                     start = time.time()
                     # for environ based auth, password can be empty, but then the validation is
                     # on the server that fills in the env data needed for authentication
                     plugin_user = compute_auth('auth', plugin.name, username, (password or ''))
                     auth_time = time.time() - start
-                    log.debug('Authentication for plugin `%s` completed in %.3fs, '
+                    log.debug('Authentication for plugin `%s` completed in %.4fs, '
                               'expiration time of fetched cache %.1fs.',
                               plugin.get_id(), auth_time, cache_ttl)
                     log.debug('PLUGIN USER DATA: %s', plugin_user)
                     if plugin_user:
                         log.debug('Plugin returned proper authentication data')
                         return plugin_user
                     # we failed to Auth because .auth() method didn't return proper user
                     log.debug("User `%s` failed to authenticate against %s",
                               display_user, plugin.get_id())
                 # case when we failed to authenticate against all defined plugins
                 return None
             def chop_at(s, sub, inclusive=False):
                 """Truncate string ``s`` at the first occurrence of ``sub``.
                 If ``inclusive`` is true, truncate just after ``sub`` rather than at it.
                 >>> chop_at("plutocratic brats", "rat")
                 'plutoc'
                 >>> chop_at("plutocratic brats", "rat", True)
                 'plutocrat'
                 """
                 pos = s.find(sub)
                 if pos == -1:
                     return s
                 if inclusive:
                     return s[:pos+len(sub)]
                 return s[:pos]

rhodecode/lib/auth.py

0 +1 -1

             # -*- coding: utf-8 -*-
             # Copyright (C) 2010-2019 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             """
             authentication and permission libraries
             """
             import os
             import time
             import inspect
             import collections
             import fnmatch
             import hashlib
             import itertools
             import logging
             import random
             import traceback
             from functools import wraps
             import ipaddress
             from pyramid.httpexceptions import HTTPForbidden, HTTPFound, HTTPNotFound
             from sqlalchemy.orm.exc import ObjectDeletedError
             from sqlalchemy.orm import joinedload
             from zope.cachedescriptors.property import Lazy as LazyProperty
             import rhodecode
             from rhodecode.model import meta
             from rhodecode.model.meta import Session
             from rhodecode.model.user import UserModel
             from rhodecode.model.db import (
                 User, Repository, Permission, UserToPerm, UserGroupToPerm, UserGroupMember,
                 UserIpMap, UserApiKeys, RepoGroup, UserGroup)
             from rhodecode.lib import rc_cache
             from rhodecode.lib.utils2 import safe_unicode, aslist, safe_str, md5, safe_int, sha1
             from rhodecode.lib.utils import (
                 get_repo_slug, get_repo_group_slug, get_user_group_slug)
             from rhodecode.lib.caching_query import FromCache
             if rhodecode.is_unix:
                 import bcrypt
             log = logging.getLogger(__name__)
             csrf_token_key = "csrf_token"
             class PasswordGenerator(object):
                 """
                 This is a simple class for generating password from different sets of
                 characters
                 usage::
                     passwd_gen = PasswordGenerator()
                     #print 8-letter password containing only big and small letters
                         of alphabet
                     passwd_gen.gen_password(8, passwd_gen.ALPHABETS_BIG_SMALL)
                 """
                 ALPHABETS_NUM = r'''1234567890'''
                 ALPHABETS_SMALL = r'''qwertyuiopasdfghjklzxcvbnm'''
                 ALPHABETS_BIG = r'''QWERTYUIOPASDFGHJKLZXCVBNM'''
                 ALPHABETS_SPECIAL = r'''`-=[]\;',./~!@#$%^&*()_+{}|:"<>?'''
                 ALPHABETS_FULL = ALPHABETS_BIG + ALPHABETS_SMALL \
                     + ALPHABETS_NUM + ALPHABETS_SPECIAL
                 ALPHABETS_ALPHANUM = ALPHABETS_BIG + ALPHABETS_SMALL + ALPHABETS_NUM
                 ALPHABETS_BIG_SMALL = ALPHABETS_BIG + ALPHABETS_SMALL
                 ALPHABETS_ALPHANUM_BIG = ALPHABETS_BIG + ALPHABETS_NUM
                 ALPHABETS_ALPHANUM_SMALL = ALPHABETS_SMALL + ALPHABETS_NUM
                 def __init__(self, passwd=''):
                     self.passwd = passwd
                 def gen_password(self, length, type_=None):
                     if type_ is None:
                         type_ = self.ALPHABETS_FULL
                     self.passwd = ''.join([random.choice(type_) for _ in range(length)])
                     return self.passwd
             class _RhodeCodeCryptoBase(object):
                 ENC_PREF = None
                 def hash_create(self, str_):
                     """
                     hash the string using
                     :param str_: password to hash
                     """
                     raise NotImplementedError
                 def hash_check_with_upgrade(self, password, hashed):
                     """
                     Returns tuple in which first element is boolean that states that
                     given password matches it's hashed version, and the second is new hash
                     of the password, in case this password should be migrated to new
                     cipher.
                     """
                     checked_hash = self.hash_check(password, hashed)
                     return checked_hash, None
                 def hash_check(self, password, hashed):
                     """
                     Checks matching password with it's hashed value.
                     :param password: password
                     :param hashed: password in hashed form
                     """
                     raise NotImplementedError
                 def _assert_bytes(self, value):
                     """
                     Passing in an `unicode` object can lead to hard to detect issues
                     if passwords contain non-ascii characters.  Doing a type check
                     during runtime, so that such mistakes are detected early on.
                     """
                     if not isinstance(value, str):
                         raise TypeError(
                             "Bytestring required as input, got %r." % (value, ))
             class _RhodeCodeCryptoBCrypt(_RhodeCodeCryptoBase):
                 ENC_PREF = ('$2a$10', '$2b$10')
                 def hash_create(self, str_):
                     self._assert_bytes(str_)
                     return bcrypt.hashpw(str_, bcrypt.gensalt(10))
                 def hash_check_with_upgrade(self, password, hashed):
                     """
                     Returns tuple in which first element is boolean that states that
                     given password matches it's hashed version, and the second is new hash
                     of the password, in case this password should be migrated to new
                     cipher.
                     This implements special upgrade logic which works like that:
                      - check if the given password == bcrypted hash, if yes then we
                        properly used password and it was already in bcrypt. Proceed
                        without any changes
                      - if bcrypt hash check is not working try with sha256. If hash compare
                        is ok, it means we using correct but old hashed password. indicate
                        hash change and proceed
                     """
                     new_hash = None
                     # regular pw check
                     password_match_bcrypt = self.hash_check(password, hashed)
                     # now we want to know if the password was maybe from sha256
                     # basically calling _RhodeCodeCryptoSha256().hash_check()
                     if not password_match_bcrypt:
                         if _RhodeCodeCryptoSha256().hash_check(password, hashed):
                             new_hash = self.hash_create(password)  # make new bcrypt hash
                             password_match_bcrypt = True
                     return password_match_bcrypt, new_hash
                 def hash_check(self, password, hashed):
                     """
                     Checks matching password with it's hashed value.
                     :param password: password
                     :param hashed: password in hashed form
                     """
                     self._assert_bytes(password)
                     try:
                         return bcrypt.hashpw(password, hashed) == hashed
                     except ValueError as e:
                         # we're having a invalid salt here probably, we should not crash
                         # just return with False as it would be a wrong password.
                         log.debug('Failed to check password hash using bcrypt %s',
                                   safe_str(e))
                     return False
             class _RhodeCodeCryptoSha256(_RhodeCodeCryptoBase):
                 ENC_PREF = '_'
                 def hash_create(self, str_):
                     self._assert_bytes(str_)
                     return hashlib.sha256(str_).hexdigest()
                 def hash_check(self, password, hashed):
                     """
                     Checks matching password with it's hashed value.
                     :param password: password
                     :param hashed: password in hashed form
                     """
                     self._assert_bytes(password)
                     return hashlib.sha256(password).hexdigest() == hashed
             class _RhodeCodeCryptoTest(_RhodeCodeCryptoBase):
                 ENC_PREF = '_'
                 def hash_create(self, str_):
                     self._assert_bytes(str_)
                     return sha1(str_)
                 def hash_check(self, password, hashed):
                     """
                     Checks matching password with it's hashed value.
                     :param password: password
                     :param hashed: password in hashed form
                     """
                     self._assert_bytes(password)
                     return sha1(password) == hashed
             def crypto_backend():
                 """
                 Return the matching crypto backend.
                 Selection is based on if we run tests or not, we pick sha1-test backend to run
                 tests faster since BCRYPT is expensive to calculate
                 """
                 if rhodecode.is_test:
                     RhodeCodeCrypto = _RhodeCodeCryptoTest()
                 else:
                     RhodeCodeCrypto = _RhodeCodeCryptoBCrypt()
                 return RhodeCodeCrypto
             def get_crypt_password(password):
                 """
                 Create the hash of `password` with the active crypto backend.
                 :param password: The cleartext password.
                 :type password: unicode
                 """
                 password = safe_str(password)
                 return crypto_backend().hash_create(password)
             def check_password(password, hashed):
                 """
                 Check if the value in `password` matches the hash in `hashed`.
                 :param password: The cleartext password.
                 :type password: unicode
                 :param hashed: The expected hashed version of the password.
                 :type hashed: The hash has to be passed in in text representation.
                 """
                 password = safe_str(password)
                 return crypto_backend().hash_check(password, hashed)
             def generate_auth_token(data, salt=None):
                 """
                 Generates API KEY from given string
                 """
                 if salt is None:
                     salt = os.urandom(16)
                 return hashlib.sha1(safe_str(data) + salt).hexdigest()
             def get_came_from(request):
                 """
                 get query_string+path from request sanitized after removing auth_token
                 """
                 _req = request
                 path = _req.path
                 if 'auth_token' in _req.GET:
                     # sanitize the request and remove auth_token for redirection
                     _req.GET.pop('auth_token')
                 qs = _req.query_string
                 if qs:
                     path += '?' + qs
                 return path
             class CookieStoreWrapper(object):
                 def __init__(self, cookie_store):
                     self.cookie_store = cookie_store
                 def __repr__(self):
                     return 'CookieStore<%s>' % (self.cookie_store)
                 def get(self, key, other=None):
                     if isinstance(self.cookie_store, dict):
                         return self.cookie_store.get(key, other)
                     elif isinstance(self.cookie_store, AuthUser):
                         return self.cookie_store.__dict__.get(key, other)
             def _cached_perms_data(user_id, scope, user_is_admin,
                                    user_inherit_default_permissions, explicit, algo,
                                    calculate_super_admin):
                 permissions = PermissionCalculator(
                     user_id, scope, user_is_admin, user_inherit_default_permissions,
                     explicit, algo, calculate_super_admin)
                 return permissions.calculate()
             class PermOrigin(object):
                 SUPER_ADMIN = 'superadmin'
                 ARCHIVED = 'archived'
                 REPO_USER = 'user:%s'
                 REPO_USERGROUP = 'usergroup:%s'
                 REPO_OWNER = 'repo.owner'
                 REPO_DEFAULT = 'repo.default'
                 REPO_DEFAULT_NO_INHERIT = 'repo.default.no.inherit'
                 REPO_PRIVATE = 'repo.private'
                 REPOGROUP_USER = 'user:%s'
                 REPOGROUP_USERGROUP = 'usergroup:%s'
                 REPOGROUP_OWNER = 'group.owner'
                 REPOGROUP_DEFAULT = 'group.default'
                 REPOGROUP_DEFAULT_NO_INHERIT = 'group.default.no.inherit'
                 USERGROUP_USER = 'user:%s'
                 USERGROUP_USERGROUP = 'usergroup:%s'
                 USERGROUP_OWNER = 'usergroup.owner'
                 USERGROUP_DEFAULT = 'usergroup.default'
                 USERGROUP_DEFAULT_NO_INHERIT = 'usergroup.default.no.inherit'
             class PermOriginDict(dict):
                 """
                 A special dict used for tracking permissions along with their origins.
                 `__setitem__` has been overridden to expect a tuple(perm, origin)
                 `__getitem__` will return only the perm
                 `.perm_origin_stack` will return the stack of (perm, origin) set per key
                 >>> perms = PermOriginDict()
                 >>> perms['resource'] = 'read', 'default'
                 >>> perms['resource']
                 'read'
                 >>> perms['resource'] = 'write', 'admin'
                 >>> perms['resource']
                 'write'
                 >>> perms.perm_origin_stack
                 {'resource': [('read', 'default'), ('write', 'admin')]}
                 """
                 def __init__(self, *args, **kw):
                     dict.__init__(self, *args, **kw)
                     self.perm_origin_stack = collections.OrderedDict()
                 def __setitem__(self, key, (perm, origin)):
                     self.perm_origin_stack.setdefault(key, []).append(
                         (perm, origin))
                     dict.__setitem__(self, key, perm)
             class BranchPermOriginDict(PermOriginDict):
                 """
                 Dedicated branch permissions dict, with tracking of patterns and origins.
                 >>> perms = BranchPermOriginDict()
                 >>> perms['resource'] = '*pattern', 'read', 'default'
                 >>> perms['resource']
                 {'*pattern': 'read'}
                 >>> perms['resource'] = '*pattern', 'write', 'admin'
                 >>> perms['resource']
                 {'*pattern': 'write'}
                 >>> perms.perm_origin_stack
                 {'resource': {'*pattern': [('read', 'default'), ('write', 'admin')]}}
                 """
                 def __setitem__(self, key, (pattern, perm, origin)):
                     self.perm_origin_stack.setdefault(key, {}) \
                         .setdefault(pattern, []).append((perm, origin))
                     if key in self:
                         self[key].__setitem__(pattern, perm)
                     else:
                         patterns = collections.OrderedDict()
                         patterns[pattern] = perm
                         dict.__setitem__(self, key, patterns)
             class PermissionCalculator(object):
                 def __init__(
                         self, user_id, scope, user_is_admin,
                         user_inherit_default_permissions, explicit, algo,
                         calculate_super_admin_as_user=False):
                     self.user_id = user_id
                     self.user_is_admin = user_is_admin
                     self.inherit_default_permissions = user_inherit_default_permissions
                     self.explicit = explicit
                     self.algo = algo
                     self.calculate_super_admin_as_user = calculate_super_admin_as_user
                     scope = scope or {}
                     self.scope_repo_id = scope.get('repo_id')
                     self.scope_repo_group_id = scope.get('repo_group_id')
                     self.scope_user_group_id = scope.get('user_group_id')
                     self.default_user_id = User.get_default_user(cache=True).user_id
                     self.permissions_repositories = PermOriginDict()
                     self.permissions_repository_groups = PermOriginDict()
                     self.permissions_user_groups = PermOriginDict()
                     self.permissions_repository_branches = BranchPermOriginDict()
                     self.permissions_global = set()
                     self.default_repo_perms = Permission.get_default_repo_perms(
                         self.default_user_id, self.scope_repo_id)
                     self.default_repo_groups_perms = Permission.get_default_group_perms(
                         self.default_user_id, self.scope_repo_group_id)
                     self.default_user_group_perms = \
                         Permission.get_default_user_group_perms(
                             self.default_user_id, self.scope_user_group_id)
                     # default branch perms
                     self.default_branch_repo_perms = \
                         Permission.get_default_repo_branch_perms(
                             self.default_user_id, self.scope_repo_id)
                 def calculate(self):
                     if self.user_is_admin and not self.calculate_super_admin_as_user:
                         return self._calculate_admin_permissions()
                     self._calculate_global_default_permissions()
                     self._calculate_global_permissions()
                     self._calculate_default_permissions()
                     self._calculate_repository_permissions()
                     self._calculate_repository_branch_permissions()
                     self._calculate_repository_group_permissions()
                     self._calculate_user_group_permissions()
                     return self._permission_structure()
                 def _calculate_admin_permissions(self):
                     """
                     admin user have all default rights for repositories
                     and groups set to admin
                     """
                     self.permissions_global.add('hg.admin')
                     self.permissions_global.add('hg.create.write_on_repogroup.true')
                     # repositories
                     for perm in self.default_repo_perms:
                         r_k = perm.UserRepoToPerm.repository.repo_name
                         archived = perm.UserRepoToPerm.repository.archived
                         p = 'repository.admin'
                         self.permissions_repositories[r_k] = p, PermOrigin.SUPER_ADMIN
                         # special case for archived repositories, which we block still even for
                         # super admins
                         if archived:
                             p = 'repository.read'
                             self.permissions_repositories[r_k] = p, PermOrigin.ARCHIVED
                     # repository groups
                     for perm in self.default_repo_groups_perms:
                         rg_k = perm.UserRepoGroupToPerm.group.group_name
                         p = 'group.admin'
                         self.permissions_repository_groups[rg_k] = p, PermOrigin.SUPER_ADMIN
                     # user groups
                     for perm in self.default_user_group_perms:
                         u_k = perm.UserUserGroupToPerm.user_group.users_group_name
                         p = 'usergroup.admin'
                         self.permissions_user_groups[u_k] = p, PermOrigin.SUPER_ADMIN
                     # branch permissions
                     # since super-admin also can have custom rule permissions
                     # we *always* need to calculate those inherited from default, and also explicit
                     self._calculate_default_permissions_repository_branches(
                         user_inherit_object_permissions=False)
                     self._calculate_repository_branch_permissions()
                     return self._permission_structure()
                 def _calculate_global_default_permissions(self):
                     """
                     global permissions taken from the default user
                     """
                     default_global_perms = UserToPerm.query()\
                         .filter(UserToPerm.user_id == self.default_user_id)\
                         .options(joinedload(UserToPerm.permission))
                     for perm in default_global_perms:
                         self.permissions_global.add(perm.permission.permission_name)
                     if self.user_is_admin:
                         self.permissions_global.add('hg.admin')
                         self.permissions_global.add('hg.create.write_on_repogroup.true')
                 def _calculate_global_permissions(self):
                     """
                     Set global system permissions with user permissions or permissions
                     taken from the user groups of the current user.
                     The permissions include repo creating, repo group creating, forking
                     etc.
                     """
                     # now we read the defined permissions and overwrite what we have set
                     # before those can be configured from groups or users explicitly.
                     # In case we want to extend this list we should make sure
                     # this is in sync with User.DEFAULT_USER_PERMISSIONS definitions
                     _configurable = frozenset([
                         'hg.fork.none', 'hg.fork.repository',
                         'hg.create.none', 'hg.create.repository',
                         'hg.usergroup.create.false', 'hg.usergroup.create.true',
                         'hg.repogroup.create.false', 'hg.repogroup.create.true',
                         'hg.create.write_on_repogroup.false', 'hg.create.write_on_repogroup.true',
                         'hg.inherit_default_perms.false', 'hg.inherit_default_perms.true'
                     ])
                     # USER GROUPS comes first user group global permissions
                     user_perms_from_users_groups = Session().query(UserGroupToPerm)\
                         .options(joinedload(UserGroupToPerm.permission))\
                         .join((UserGroupMember, UserGroupToPerm.users_group_id ==
                                UserGroupMember.users_group_id))\
                         .filter(UserGroupMember.user_id == self.user_id)\
                         .order_by(UserGroupToPerm.users_group_id)\
                         .all()
                     # need to group here by groups since user can be in more than
                     # one group, so we get all groups
                     _explicit_grouped_perms = [
                         [x, list(y)] for x, y in
                         itertools.groupby(user_perms_from_users_groups,
                                           lambda _x: _x.users_group)]
                     for gr, perms in _explicit_grouped_perms:
                         # since user can be in multiple groups iterate over them and
                         # select the lowest permissions first (more explicit)
                         # TODO(marcink): do this^^
                         # group doesn't inherit default permissions so we actually set them
                         if not gr.inherit_default_permissions:
                             # NEED TO IGNORE all previously set configurable permissions
                             # and replace them with explicitly set from this user
                             # group permissions
                             self.permissions_global = self.permissions_global.difference(
                                 _configurable)
                             for perm in perms:
                                 self.permissions_global.add(perm.permission.permission_name)
                     # user explicit global permissions
                     user_perms = Session().query(UserToPerm)\
                         .options(joinedload(UserToPerm.permission))\
                         .filter(UserToPerm.user_id == self.user_id).all()
                     if not self.inherit_default_permissions:
                         # NEED TO IGNORE all configurable permissions and
                         # replace them with explicitly set from this user permissions
                         self.permissions_global = self.permissions_global.difference(
                             _configurable)
                         for perm in user_perms:
                             self.permissions_global.add(perm.permission.permission_name)
                 def _calculate_default_permissions_repositories(self, user_inherit_object_permissions):
                     for perm in self.default_repo_perms:
                         r_k = perm.UserRepoToPerm.repository.repo_name
                         archived = perm.UserRepoToPerm.repository.archived
                         p = perm.Permission.permission_name
                         o = PermOrigin.REPO_DEFAULT
                         self.permissions_repositories[r_k] = p, o
                         # if we decide this user isn't inheriting permissions from
                         # default user we set him to .none so only explicit
                         # permissions work
                         if not user_inherit_object_permissions:
                             p = 'repository.none'
                             o = PermOrigin.REPO_DEFAULT_NO_INHERIT
                             self.permissions_repositories[r_k] = p, o
                         if perm.Repository.private and not (
                                 perm.Repository.user_id == self.user_id):
                             # disable defaults for private repos,
                             p = 'repository.none'
                             o = PermOrigin.REPO_PRIVATE
                             self.permissions_repositories[r_k] = p, o
                         elif perm.Repository.user_id == self.user_id:
                             # set admin if owner
                             p = 'repository.admin'
                             o = PermOrigin.REPO_OWNER
                             self.permissions_repositories[r_k] = p, o
                         if self.user_is_admin:
                             p = 'repository.admin'
                             o = PermOrigin.SUPER_ADMIN
                             self.permissions_repositories[r_k] = p, o
                         # finally in case of archived repositories, we downgrade  higher
                         # permissions to read
                         if archived:
                             current_perm = self.permissions_repositories[r_k]
                             if current_perm in ['repository.write', 'repository.admin']:
                                 p = 'repository.read'
                                 o = PermOrigin.ARCHIVED
                                 self.permissions_repositories[r_k] = p, o
                 def _calculate_default_permissions_repository_branches(self, user_inherit_object_permissions):
                     for perm in self.default_branch_repo_perms:
                         r_k = perm.UserRepoToPerm.repository.repo_name
                         p = perm.Permission.permission_name
                         pattern = perm.UserToRepoBranchPermission.branch_pattern
                         o = PermOrigin.REPO_USER % perm.UserRepoToPerm.user.username
                         if not self.explicit:
                             cur_perm = self.permissions_repository_branches.get(r_k)
                             if cur_perm:
                                 cur_perm = cur_perm[pattern]
                             cur_perm = cur_perm or 'branch.none'
                             p = self._choose_permission(p, cur_perm)
                         # NOTE(marcink): register all pattern/perm instances in this
                         # special dict that aggregates entries
                         self.permissions_repository_branches[r_k] = pattern, p, o
                 def _calculate_default_permissions_repository_groups(self, user_inherit_object_permissions):
                     for perm in self.default_repo_groups_perms:
                         rg_k = perm.UserRepoGroupToPerm.group.group_name
                         p = perm.Permission.permission_name
                         o = PermOrigin.REPOGROUP_DEFAULT
                         self.permissions_repository_groups[rg_k] = p, o
                         # if we decide this user isn't inheriting permissions from default
                         # user we set him to .none so only explicit permissions work
                         if not user_inherit_object_permissions:
                             p = 'group.none'
                             o = PermOrigin.REPOGROUP_DEFAULT_NO_INHERIT
                             self.permissions_repository_groups[rg_k] = p, o
                         if perm.RepoGroup.user_id == self.user_id:
                             # set admin if owner
                             p = 'group.admin'
                             o = PermOrigin.REPOGROUP_OWNER
                             self.permissions_repository_groups[rg_k] = p, o
                         if self.user_is_admin:
                             p = 'group.admin'
                             o = PermOrigin.SUPER_ADMIN
                             self.permissions_repository_groups[rg_k] = p, o
                 def _calculate_default_permissions_user_groups(self, user_inherit_object_permissions):
                     for perm in self.default_user_group_perms:
                         u_k = perm.UserUserGroupToPerm.user_group.users_group_name
                         p = perm.Permission.permission_name
                         o = PermOrigin.USERGROUP_DEFAULT
                         self.permissions_user_groups[u_k] = p, o
                         # if we decide this user isn't inheriting permissions from default
                         # user we set him to .none so only explicit permissions work
                         if not user_inherit_object_permissions:
                             p = 'usergroup.none'
                             o = PermOrigin.USERGROUP_DEFAULT_NO_INHERIT
                             self.permissions_user_groups[u_k] = p, o
                         if perm.UserGroup.user_id == self.user_id:
                             # set admin if owner
                             p = 'usergroup.admin'
                             o = PermOrigin.USERGROUP_OWNER
                             self.permissions_user_groups[u_k] = p, o
                         if self.user_is_admin:
                             p = 'usergroup.admin'
                             o = PermOrigin.SUPER_ADMIN
                             self.permissions_user_groups[u_k] = p, o
                 def _calculate_default_permissions(self):
                     """
                     Set default user permissions for repositories, repository branches,
                     repository groups, user groups taken from the default user.
                     Calculate inheritance of object permissions based on what we have now
                     in GLOBAL permissions. We check if .false is in GLOBAL since this is
                     explicitly set. Inherit is the opposite of .false being there.
                     .. note::
                        the syntax is little bit odd but what we need to check here is
                        the opposite of .false permission being in the list so even for
                        inconsistent state when both .true/.false is there
                        .false is more important
                     """
                     user_inherit_object_permissions = not ('hg.inherit_default_perms.false'
                                                            in self.permissions_global)
                     # default permissions inherited from `default` user permissions
                     self._calculate_default_permissions_repositories(
                         user_inherit_object_permissions)
                     self._calculate_default_permissions_repository_branches(
                         user_inherit_object_permissions)
                     self._calculate_default_permissions_repository_groups(
                         user_inherit_object_permissions)
                     self._calculate_default_permissions_user_groups(
                         user_inherit_object_permissions)
                 def _calculate_repository_permissions(self):
                     """
                     Repository permissions for the current user.
                     Check if the user is part of user groups for this repository and
                     fill in the permission from it. `_choose_permission` decides of which
                     permission should be selected based on selected method.
                     """
                     # user group for repositories permissions
                     user_repo_perms_from_user_group = Permission\
                         .get_default_repo_perms_from_user_group(
                             self.user_id, self.scope_repo_id)
                     multiple_counter = collections.defaultdict(int)
                     for perm in user_repo_perms_from_user_group:
                         r_k = perm.UserGroupRepoToPerm.repository.repo_name
                         multiple_counter[r_k] += 1
                         p = perm.Permission.permission_name
                         o = PermOrigin.REPO_USERGROUP % perm.UserGroupRepoToPerm\
                             .users_group.users_group_name
                         if multiple_counter[r_k] > 1:
                             cur_perm = self.permissions_repositories[r_k]
                             p = self._choose_permission(p, cur_perm)
                         self.permissions_repositories[r_k] = p, o
                         if perm.Repository.user_id == self.user_id:
                             # set admin if owner
                             p = 'repository.admin'
                             o = PermOrigin.REPO_OWNER
                             self.permissions_repositories[r_k] = p, o
                         if self.user_is_admin:
                             p = 'repository.admin'
                             o = PermOrigin.SUPER_ADMIN
                             self.permissions_repositories[r_k] = p, o
                     # user explicit permissions for repositories, overrides any specified
                     # by the group permission
                     user_repo_perms = Permission.get_default_repo_perms(
                         self.user_id, self.scope_repo_id)
                     for perm in user_repo_perms:
                         r_k = perm.UserRepoToPerm.repository.repo_name
                         p = perm.Permission.permission_name
                         o = PermOrigin.REPO_USER % perm.UserRepoToPerm.user.username
                         if not self.explicit:
                             cur_perm = self.permissions_repositories.get(
                                 r_k, 'repository.none')
                             p = self._choose_permission(p, cur_perm)
                         self.permissions_repositories[r_k] = p, o
                         if perm.Repository.user_id == self.user_id:
                             # set admin if owner
                             p = 'repository.admin'
                             o = PermOrigin.REPO_OWNER
                             self.permissions_repositories[r_k] = p, o
                         if self.user_is_admin:
                             p = 'repository.admin'
                             o = PermOrigin.SUPER_ADMIN
                             self.permissions_repositories[r_k] = p, o
                 def _calculate_repository_branch_permissions(self):
                     # user group for repositories permissions
                     user_repo_branch_perms_from_user_group = Permission\
                         .get_default_repo_branch_perms_from_user_group(
                             self.user_id, self.scope_repo_id)
                     multiple_counter = collections.defaultdict(int)
                     for perm in user_repo_branch_perms_from_user_group:
                         r_k = perm.UserGroupRepoToPerm.repository.repo_name
                         p = perm.Permission.permission_name
                         pattern = perm.UserGroupToRepoBranchPermission.branch_pattern
                         o = PermOrigin.REPO_USERGROUP % perm.UserGroupRepoToPerm\
                             .users_group.users_group_name
                         multiple_counter[r_k] += 1
                         if multiple_counter[r_k] > 1:
                             cur_perm = self.permissions_repository_branches[r_k][pattern]
                             p = self._choose_permission(p, cur_perm)
                         self.permissions_repository_branches[r_k] = pattern, p, o
                     # user explicit branch permissions for repositories, overrides
                     # any specified by the group permission
                     user_repo_branch_perms = Permission.get_default_repo_branch_perms(
                         self.user_id, self.scope_repo_id)
                     for perm in user_repo_branch_perms:
                         r_k = perm.UserRepoToPerm.repository.repo_name
                         p = perm.Permission.permission_name
                         pattern = perm.UserToRepoBranchPermission.branch_pattern
                         o = PermOrigin.REPO_USER % perm.UserRepoToPerm.user.username
                         if not self.explicit:
                             cur_perm = self.permissions_repository_branches.get(r_k)
                             if cur_perm:
                                 cur_perm = cur_perm[pattern]
                             cur_perm = cur_perm or 'branch.none'
                             p = self._choose_permission(p, cur_perm)
                         # NOTE(marcink): register all pattern/perm instances in this
                         # special dict that aggregates entries
                         self.permissions_repository_branches[r_k] = pattern, p, o
                 def _calculate_repository_group_permissions(self):
                     """
                     Repository group permissions for the current user.
                     Check if the user is part of user groups for repository groups and
                     fill in the permissions from it. `_choose_permission` decides of which
                     permission should be selected based on selected method.
                     """
                     # user group for repo groups permissions
                     user_repo_group_perms_from_user_group = Permission\
                         .get_default_group_perms_from_user_group(
                             self.user_id, self.scope_repo_group_id)
                     multiple_counter = collections.defaultdict(int)
                     for perm in user_repo_group_perms_from_user_group:
                         rg_k = perm.UserGroupRepoGroupToPerm.group.group_name
                         multiple_counter[rg_k] += 1
                         o = PermOrigin.REPOGROUP_USERGROUP % perm.UserGroupRepoGroupToPerm\
                             .users_group.users_group_name
                         p = perm.Permission.permission_name
                         if multiple_counter[rg_k] > 1:
                             cur_perm = self.permissions_repository_groups[rg_k]
                             p = self._choose_permission(p, cur_perm)
                         self.permissions_repository_groups[rg_k] = p, o
                         if perm.RepoGroup.user_id == self.user_id:
                             # set admin if owner, even for member of other user group
                             p = 'group.admin'
                             o = PermOrigin.REPOGROUP_OWNER
                             self.permissions_repository_groups[rg_k] = p, o
                         if self.user_is_admin:
                             p = 'group.admin'
                             o = PermOrigin.SUPER_ADMIN
                             self.permissions_repository_groups[rg_k] = p, o
                     # user explicit permissions for repository groups
                     user_repo_groups_perms = Permission.get_default_group_perms(
                         self.user_id, self.scope_repo_group_id)
                     for perm in user_repo_groups_perms:
                         rg_k = perm.UserRepoGroupToPerm.group.group_name
                         o = PermOrigin.REPOGROUP_USER % perm.UserRepoGroupToPerm\
                             .user.username
                         p = perm.Permission.permission_name
                         if not self.explicit:
                             cur_perm = self.permissions_repository_groups.get(rg_k, 'group.none')
                             p = self._choose_permission(p, cur_perm)
                         self.permissions_repository_groups[rg_k] = p, o
                         if perm.RepoGroup.user_id == self.user_id:
                             # set admin if owner
                             p = 'group.admin'
                             o = PermOrigin.REPOGROUP_OWNER
                             self.permissions_repository_groups[rg_k] = p, o
                         if self.user_is_admin:
                             p = 'group.admin'
                             o = PermOrigin.SUPER_ADMIN
                             self.permissions_repository_groups[rg_k] = p, o
                 def _calculate_user_group_permissions(self):
                     """
                     User group permissions for the current user.
                     """
                     # user group for user group permissions
                     user_group_from_user_group = Permission\
                         .get_default_user_group_perms_from_user_group(
                             self.user_id, self.scope_user_group_id)
                     multiple_counter = collections.defaultdict(int)
                     for perm in user_group_from_user_group:
                         ug_k = perm.UserGroupUserGroupToPerm\
                             .target_user_group.users_group_name
                         multiple_counter[ug_k] += 1
                         o = PermOrigin.USERGROUP_USERGROUP % perm.UserGroupUserGroupToPerm\
                             .user_group.users_group_name
                         p = perm.Permission.permission_name
                         if multiple_counter[ug_k] > 1:
                             cur_perm = self.permissions_user_groups[ug_k]
                             p = self._choose_permission(p, cur_perm)
                         self.permissions_user_groups[ug_k] = p, o
                         if perm.UserGroup.user_id == self.user_id:
                             # set admin if owner, even for member of other user group
                             p = 'usergroup.admin'
                             o = PermOrigin.USERGROUP_OWNER
                             self.permissions_user_groups[ug_k] = p, o
                         if self.user_is_admin:
                             p = 'usergroup.admin'
                             o = PermOrigin.SUPER_ADMIN
                             self.permissions_user_groups[ug_k] = p, o
                     # user explicit permission for user groups
                     user_user_groups_perms = Permission.get_default_user_group_perms(
                         self.user_id, self.scope_user_group_id)
                     for perm in user_user_groups_perms:
                         ug_k = perm.UserUserGroupToPerm.user_group.users_group_name
                         o = PermOrigin.USERGROUP_USER % perm.UserUserGroupToPerm\
                             .user.username
                         p = perm.Permission.permission_name
                         if not self.explicit:
                             cur_perm = self.permissions_user_groups.get(ug_k, 'usergroup.none')
                             p = self._choose_permission(p, cur_perm)
                         self.permissions_user_groups[ug_k] = p, o
                         if perm.UserGroup.user_id == self.user_id:
                             # set admin if owner
                             p = 'usergroup.admin'
                             o = PermOrigin.USERGROUP_OWNER
                             self.permissions_user_groups[ug_k] = p, o
                         if self.user_is_admin:
                             p = 'usergroup.admin'
                             o = PermOrigin.SUPER_ADMIN
                             self.permissions_user_groups[ug_k] = p, o
                 def _choose_permission(self, new_perm, cur_perm):
                     new_perm_val = Permission.PERM_WEIGHTS[new_perm]
                     cur_perm_val = Permission.PERM_WEIGHTS[cur_perm]
                     if self.algo == 'higherwin':
                         if new_perm_val > cur_perm_val:
                             return new_perm
                         return cur_perm
                     elif self.algo == 'lowerwin':
                         if new_perm_val < cur_perm_val:
                             return new_perm
                         return cur_perm
                 def _permission_structure(self):
                     return {
                         'global': self.permissions_global,
                         'repositories': self.permissions_repositories,
                         'repository_branches': self.permissions_repository_branches,
                         'repositories_groups': self.permissions_repository_groups,
                         'user_groups': self.permissions_user_groups,
                     }
             def allowed_auth_token_access(view_name, auth_token, whitelist=None):
                 """
                 Check if given controller_name is in whitelist of auth token access
                 """
                 if not whitelist:
                     from rhodecode import CONFIG
                     whitelist = aslist(
                         CONFIG.get('api_access_controllers_whitelist'), sep=',')
                 # backward compat translation
                 compat = {
                     # old controller, new VIEW
                     'ChangesetController:*': 'RepoCommitsView:*',
                     'ChangesetController:changeset_patch': 'RepoCommitsView:repo_commit_patch',
                     'ChangesetController:changeset_raw': 'RepoCommitsView:repo_commit_raw',
                     'FilesController:raw': 'RepoCommitsView:repo_commit_raw',
                     'FilesController:archivefile': 'RepoFilesView:repo_archivefile',
                     'GistsController:*': 'GistView:*',
                 }
                 log.debug(
                     'Allowed views for AUTH TOKEN access: %s', whitelist)
                 auth_token_access_valid = False
                 for entry in whitelist:
                     token_match = True
                     if entry in compat:
                         # translate from old Controllers to Pyramid Views
                         entry = compat[entry]
                     if '@' in entry:
                         # specific AuthToken
                         entry, allowed_token = entry.split('@', 1)
                         token_match = auth_token == allowed_token
                     if fnmatch.fnmatch(view_name, entry) and token_match:
                         auth_token_access_valid = True
                         break
                 if auth_token_access_valid:
                     log.debug('view: `%s` matches entry in whitelist: %s',
                               view_name, whitelist)
                 else:
                     msg = ('view: `%s` does *NOT* match any entry in whitelist: %s'
                            % (view_name, whitelist))
                     if auth_token:
                         # if we use auth token key and don't have access it's a warning
                         log.warning(msg)
                     else:
                         log.debug(msg)
                 return auth_token_access_valid
             class AuthUser(object):
                 """
                 A simple object that handles all attributes of user in RhodeCode
                 It does lookup based on API key,given user, or user present in session
                 Then it fills all required information for such user. It also checks if
                 anonymous access is enabled and if so, it returns default user as logged in
                 """
                 GLOBAL_PERMS = [x[0] for x in Permission.PERMS]
                 def __init__(self, user_id=None, api_key=None, username=None, ip_addr=None):
                     self.user_id = user_id
                     self._api_key = api_key
                     self.api_key = None
                     self.username = username
                     self.ip_addr = ip_addr
                     self.name = ''
                     self.lastname = ''
                     self.first_name = ''
                     self.last_name = ''
                     self.email = ''
                     self.is_authenticated = False
                     self.admin = False
                     self.inherit_default_permissions = False
                     self.password = ''
                     self.anonymous_user = None  # propagated on propagate_data
                     self.propagate_data()
                     self._instance = None
                     self._permissions_scoped_cache = {}  # used to bind scoped calculation
                 @LazyProperty
                 def permissions(self):
                     return self.get_perms(user=self, cache=None)
                 @LazyProperty
                 def permissions_safe(self):
                     """
                     Filtered permissions excluding not allowed repositories
                     """
                     perms = self.get_perms(user=self, cache=None)
                     perms['repositories'] = {
                         k: v for k, v in perms['repositories'].items()
                         if v != 'repository.none'}
                     perms['repositories_groups'] = {
                         k: v for k, v in perms['repositories_groups'].items()
                         if v != 'group.none'}
                     perms['user_groups'] = {
                         k: v for k, v in perms['user_groups'].items()
                         if v != 'usergroup.none'}
                     perms['repository_branches'] = {
                         k: v for k, v in perms['repository_branches'].iteritems()
                         if v != 'branch.none'}
                     return perms
                 @LazyProperty
                 def permissions_full_details(self):
                     return self.get_perms(
                         user=self, cache=None, calculate_super_admin=True)
                 def permissions_with_scope(self, scope):
                     """
                     Call the get_perms function with scoped data. The scope in that function
                     narrows the SQL calls to the given ID of objects resulting in fetching
                     Just particular permission we want to obtain. If scope is an empty dict
                     then it basically narrows the scope to GLOBAL permissions only.
                     :param scope: dict
                     """
                     if 'repo_name' in scope:
                         obj = Repository.get_by_repo_name(scope['repo_name'])
                         if obj:
                             scope['repo_id'] = obj.repo_id
                     _scope = collections.OrderedDict()
                     _scope['repo_id'] = -1
                     _scope['user_group_id'] = -1
                     _scope['repo_group_id'] = -1
                     for k in sorted(scope.keys()):
                         _scope[k] = scope[k]
                     # store in cache to mimic how the @LazyProperty works,
                     # the difference here is that we use the unique key calculated
                     # from params and values
                     return self.get_perms(user=self, cache=None, scope=_scope)
                 def get_instance(self):
                     return User.get(self.user_id)
                 def propagate_data(self):
                     """
                     Fills in user data and propagates values to this instance. Maps fetched
                     user attributes to this class instance attributes
                     """
                     log.debug('AuthUser: starting data propagation for new potential user')
                     user_model = UserModel()
                     anon_user = self.anonymous_user = User.get_default_user(cache=True)
                     is_user_loaded = False
                     # lookup by userid
                     if self.user_id is not None and self.user_id != anon_user.user_id:
                         log.debug('Trying Auth User lookup by USER ID: `%s`', self.user_id)
                         is_user_loaded = user_model.fill_data(self, user_id=self.user_id)
                     # try go get user by api key
                     elif self._api_key and self._api_key != anon_user.api_key:
                         log.debug('Trying Auth User lookup by API KEY: `%s`', self._api_key)
                         is_user_loaded = user_model.fill_data(self, api_key=self._api_key)
                     # lookup by username
                     elif self.username:
                         log.debug('Trying Auth User lookup by USER NAME: `%s`', self.username)
                         is_user_loaded = user_model.fill_data(self, username=self.username)
                     else:
                         log.debug('No data in %s that could been used to log in', self)
                     if not is_user_loaded:
                         log.debug(
                             'Failed to load user. Fallback to default user %s', anon_user)
                         # if we cannot authenticate user try anonymous
                         if anon_user.active:
                             log.debug('default user is active, using it as a session user')
                             user_model.fill_data(self, user_id=anon_user.user_id)
                             # then we set this user is logged in
                             self.is_authenticated = True
                         else:
                             log.debug('default user is NOT active')
                             # in case of disabled anonymous user we reset some of the
                             # parameters so such user is "corrupted", skipping the fill_data
                             for attr in ['user_id', 'username', 'admin', 'active']:
                                 setattr(self, attr, None)
                             self.is_authenticated = False
                     if not self.username:
                         self.username = 'None'
                     log.debug('AuthUser: propagated user is now %s', self)
                 def get_perms(self, user, scope=None, explicit=True, algo='higherwin',
                               calculate_super_admin=False, cache=None):
                     """
                     Fills user permission attribute with permissions taken from database
                     works for permissions given for repositories, and for permissions that
                     are granted to groups
                     :param user: instance of User object from database
                     :param explicit: In case there are permissions both for user and a group
                         that user is part of, explicit flag will defiine if user will
                         explicitly override permissions from group, if it's False it will
                         make decision based on the algo
                     :param algo: algorithm to decide what permission should be choose if
                         it's multiple defined, eg user in two different groups. It also
                         decides if explicit flag is turned off how to specify the permission
                         for case when user is in a group + have defined separate permission
                     :param calculate_super_admin: calculate permissions for super-admin in the
                         same way as for regular user without speedups
                     :param cache: Use caching for calculation, None = let the cache backend decide
                     """
                     user_id = user.user_id
                     user_is_admin = user.is_admin
                     # inheritance of global permissions like create repo/fork repo etc
                     user_inherit_default_permissions = user.inherit_default_permissions
                     cache_seconds = safe_int(
                         rhodecode.CONFIG.get('rc_cache.cache_perms.expiration_time'))
                     if cache is None:
                         # let the backend cache decide
                         cache_on = cache_seconds > 0
                     else:
                         cache_on = cache
                     log.debug(
                         'Computing PERMISSION tree for user %s scope `%s` '
                         'with caching: %s[TTL: %ss]', user, scope, cache_on, cache_seconds or 0)
                     cache_namespace_uid = 'cache_user_auth.{}'.format(user_id)
                     region = rc_cache.get_or_create_region('cache_perms', cache_namespace_uid)
                     @region.conditional_cache_on_arguments(namespace=cache_namespace_uid,
                                                            condition=cache_on)
                     def compute_perm_tree(cache_name,
                             user_id, scope, user_is_admin,user_inherit_default_permissions,
                             explicit, algo, calculate_super_admin):
                         return _cached_perms_data(
                             user_id, scope, user_is_admin, user_inherit_default_permissions,
                             explicit, algo, calculate_super_admin)
                     start = time.time()
                     result = compute_perm_tree(
                         'permissions', user_id, scope, user_is_admin,
                          user_inherit_default_permissions, explicit, algo,
                          calculate_super_admin)
                     result_repr = []
                     for k in result:
                         result_repr.append((k, len(result[k])))
                     total = time.time() - start
-                    log.debug('PERMISSION tree for user %s computed in %.3fs: %s',
+                    log.debug('PERMISSION tree for user %s computed in %.4fs: %s',
                               user, total, result_repr)
                     return result
                 @property
                 def is_default(self):
                     return self.username == User.DEFAULT_USER
                 @property
                 def is_admin(self):
                     return self.admin
                 @property
                 def is_user_object(self):
                     return self.user_id is not None
                 @property
                 def repositories_admin(self):
                     """
                     Returns list of repositories you're an admin of
                     """
                     return [
                         x[0] for x in self.permissions['repositories'].items()
                         if x[1] == 'repository.admin']
                 @property
                 def repository_groups_admin(self):
                     """
                     Returns list of repository groups you're an admin of
                     """
                     return [
                         x[0] for x in self.permissions['repositories_groups'].items()
                         if x[1] == 'group.admin']
                 @property
                 def user_groups_admin(self):
                     """
                     Returns list of user groups you're an admin of
                     """
                     return [
                         x[0] for x in self.permissions['user_groups'].items()
                         if x[1] == 'usergroup.admin']
                 def repo_acl_ids(self, perms=None, name_filter=None, cache=False):
                     """
                     Returns list of repository ids that user have access to based on given
                     perms. The cache flag should be only used in cases that are used for
                     display purposes, NOT IN ANY CASE for permission checks.
                     """
                     from rhodecode.model.scm import RepoList
                     if not perms:
                         perms = [
                             'repository.read', 'repository.write', 'repository.admin']
                     def _cached_repo_acl(user_id, perm_def, _name_filter):
                         qry = Repository.query()
                         if _name_filter:
                             ilike_expression = u'%{}%'.format(safe_unicode(_name_filter))
                             qry = qry.filter(
                                 Repository.repo_name.ilike(ilike_expression))
                         return [x.repo_id for x in
                                 RepoList(qry, perm_set=perm_def)]
                     return _cached_repo_acl(self.user_id, perms, name_filter)
                 def repo_group_acl_ids(self, perms=None, name_filter=None, cache=False):
                     """
                     Returns list of repository group ids that user have access to based on given
                     perms. The cache flag should be only used in cases that are used for
                     display purposes, NOT IN ANY CASE for permission checks.
                     """
                     from rhodecode.model.scm import RepoGroupList
                     if not perms:
                         perms = [
                             'group.read', 'group.write', 'group.admin']
                     def _cached_repo_group_acl(user_id, perm_def, _name_filter):
                         qry = RepoGroup.query()
                         if _name_filter:
                             ilike_expression = u'%{}%'.format(safe_unicode(_name_filter))
                             qry = qry.filter(
                                 RepoGroup.group_name.ilike(ilike_expression))
                         return [x.group_id for x in
                                 RepoGroupList(qry, perm_set=perm_def)]
                     return _cached_repo_group_acl(self.user_id, perms, name_filter)
                 def user_group_acl_ids(self, perms=None, name_filter=None, cache=False):
                     """
                     Returns list of user group ids that user have access to based on given
                     perms. The cache flag should be only used in cases that are used for
                     display purposes, NOT IN ANY CASE for permission checks.
                     """
                     from rhodecode.model.scm import UserGroupList
                     if not perms:
                         perms = [
                             'usergroup.read', 'usergroup.write', 'usergroup.admin']
                     def _cached_user_group_acl(user_id, perm_def, name_filter):
                         qry = UserGroup.query()
                         if name_filter:
                             ilike_expression = u'%{}%'.format(safe_unicode(name_filter))
                             qry = qry.filter(
                                 UserGroup.users_group_name.ilike(ilike_expression))
                         return [x.users_group_id for x in
                                 UserGroupList(qry, perm_set=perm_def)]
                     return _cached_user_group_acl(self.user_id, perms, name_filter)
                 @property
                 def ip_allowed(self):
                     """
                     Checks if ip_addr used in constructor is allowed from defined list of
                     allowed ip_addresses for user
                     :returns: boolean, True if ip is in allowed ip range
                     """
                     # check IP
                     inherit = self.inherit_default_permissions
                     return AuthUser.check_ip_allowed(self.user_id, self.ip_addr,
                                                      inherit_from_default=inherit)
                 @property
                 def personal_repo_group(self):
                     return RepoGroup.get_user_personal_repo_group(self.user_id)
                 @LazyProperty
                 def feed_token(self):
                     return self.get_instance().feed_token
                 @classmethod
                 def check_ip_allowed(cls, user_id, ip_addr, inherit_from_default):
                     allowed_ips = AuthUser.get_allowed_ips(
                         user_id, cache=True, inherit_from_default=inherit_from_default)
                     if check_ip_access(source_ip=ip_addr, allowed_ips=allowed_ips):
                         log.debug('IP:%s for user %s is in range of %s',
                                   ip_addr, user_id, allowed_ips)
                         return True
                     else:
                         log.info('Access for IP:%s forbidden for user %s, '
                                  'not in %s', ip_addr, user_id, allowed_ips)
                         return False
                 def get_branch_permissions(self, repo_name, perms=None):
                     perms = perms or self.permissions_with_scope({'repo_name': repo_name})
                     branch_perms = perms.get('repository_branches', {})
                     if not branch_perms:
                         return {}
                     repo_branch_perms = branch_perms.get(repo_name)
                     return repo_branch_perms or {}
                 def get_rule_and_branch_permission(self, repo_name, branch_name):
                     """
                     Check if this AuthUser has defined any permissions for branches. If any of
                     the rules match in order, we return the matching permissions
                     """
                     rule = default_perm = ''
                     repo_branch_perms = self.get_branch_permissions(repo_name=repo_name)
                     if not repo_branch_perms:
                         return rule, default_perm
                     # now calculate the permissions
                     for pattern, branch_perm in repo_branch_perms.items():
                         if fnmatch.fnmatch(branch_name, pattern):
                             rule = '`{}`=>{}'.format(pattern, branch_perm)
                             return rule, branch_perm
                     return rule, default_perm
                 def __repr__(self):
                     return "<AuthUser('id:%s[%s] ip:%s auth:%s')>"\
                         % (self.user_id, self.username, self.ip_addr, self.is_authenticated)
                 def set_authenticated(self, authenticated=True):
                     if self.user_id != self.anonymous_user.user_id:
                         self.is_authenticated = authenticated
                 def get_cookie_store(self):
                     return {
                         'username': self.username,
                         'password': md5(self.password or ''),
                         'user_id': self.user_id,
                         'is_authenticated': self.is_authenticated
                     }
                 @classmethod
                 def from_cookie_store(cls, cookie_store):
                     """
                     Creates AuthUser from a cookie store
                     :param cls:
                     :param cookie_store:
                     """
                     user_id = cookie_store.get('user_id')
                     username = cookie_store.get('username')
                     api_key = cookie_store.get('api_key')
                     return AuthUser(user_id, api_key, username)
                 @classmethod
                 def get_allowed_ips(cls, user_id, cache=False, inherit_from_default=False):
                     _set = set()
                     if inherit_from_default:
                         def_user_id = User.get_default_user(cache=True).user_id
                         default_ips = UserIpMap.query().filter(UserIpMap.user_id == def_user_id)
                         if cache:
                             default_ips = default_ips.options(
                                 FromCache("sql_cache_short", "get_user_ips_default"))
                         # populate from default user
                         for ip in default_ips:
                             try:
                                 _set.add(ip.ip_addr)
                             except ObjectDeletedError:
                                 # since we use heavy caching sometimes it happens that
                                 # we get deleted objects here, we just skip them
                                 pass
                     # NOTE:(marcink) we don't want to load any rules for empty
                     # user_id which is the case of access of non logged users when anonymous
                     # access is disabled
                     user_ips = []
                     if user_id:
                         user_ips = UserIpMap.query().filter(UserIpMap.user_id == user_id)
                         if cache:
                             user_ips = user_ips.options(
                                 FromCache("sql_cache_short", "get_user_ips_%s" % user_id))
                     for ip in user_ips:
                         try:
                             _set.add(ip.ip_addr)
                         except ObjectDeletedError:
                             # since we use heavy caching sometimes it happens that we get
                             # deleted objects here, we just skip them
                             pass
                     return _set or {ip for ip in ['0.0.0.0/0', '::/0']}
             def set_available_permissions(settings):
                 """
                 This function will propagate pyramid settings with all available defined
                 permission given in db. We don't want to check each time from db for new
                 permissions since adding a new permission also requires application restart
                 ie. to decorate new views with the newly created permission
                 :param settings: current pyramid registry.settings
                 """
                 log.debug('auth: getting information about all available permissions')
                 try:
                     sa = meta.Session
                     all_perms = sa.query(Permission).all()
                     settings.setdefault('available_permissions',
                                         [x.permission_name for x in all_perms])
                     log.debug('auth: set available permissions')
                 except Exception:
                     log.exception('Failed to fetch permissions from the database.')
                     raise
             def get_csrf_token(session, force_new=False, save_if_missing=True):
                 """
                 Return the current authentication token, creating one if one doesn't
                 already exist and the save_if_missing flag is present.
                 :param session: pass in the pyramid session, else we use the global ones
                 :param force_new: force to re-generate the token and store it in session
                 :param save_if_missing: save the newly generated token if it's missing in
                     session
                 """
                 # NOTE(marcink): probably should be replaced with below one from pyramid 1.9
                 # from pyramid.csrf import get_csrf_token
                 if (csrf_token_key not in session and save_if_missing) or force_new:
                     token = hashlib.sha1(str(random.getrandbits(128))).hexdigest()
                     session[csrf_token_key] = token
                     if hasattr(session, 'save'):
                         session.save()
                 return session.get(csrf_token_key)
             def get_request(perm_class_instance):
                 from pyramid.threadlocal import get_current_request
                 pyramid_request = get_current_request()
                 return pyramid_request
             # CHECK DECORATORS
             class CSRFRequired(object):
                 """
                 Decorator for authenticating a form
                 This decorator uses an authorization token stored in the client's
                 session for prevention of certain Cross-site request forgery (CSRF)
                 attacks (See
                 http://en.wikipedia.org/wiki/Cross-site_request_forgery for more
                 information).
                 For use with the ``webhelpers.secure_form`` helper functions.
                 """
                 def __init__(self, token=csrf_token_key, header='X-CSRF-Token',
                     except_methods=None):
                     self.token = token
                     self.header = header
                     self.except_methods = except_methods or []
                 def __call__(self, func):
                     return get_cython_compat_decorator(self.__wrapper, func)
                 def _get_csrf(self, _request):
                     return _request.POST.get(self.token, _request.headers.get(self.header))
                 def check_csrf(self, _request, cur_token):
                     supplied_token = self._get_csrf(_request)
                     return supplied_token and supplied_token == cur_token
                 def _get_request(self):
                     return get_request(self)
                 def __wrapper(self, func, *fargs, **fkwargs):
                     request = self._get_request()
                     if request.method in self.except_methods:
                         return func(*fargs, **fkwargs)
                     cur_token = get_csrf_token(request.session, save_if_missing=False)
                     if self.check_csrf(request, cur_token):
                         if request.POST.get(self.token):
                             del request.POST[self.token]
                         return func(*fargs, **fkwargs)
                     else:
                         reason = 'token-missing'
                         supplied_token = self._get_csrf(request)
                         if supplied_token and cur_token != supplied_token:
                             reason = 'token-mismatch [%s:%s]' % (
                                 cur_token or ''[:6], supplied_token or ''[:6])
                         csrf_message = \
                             ("Cross-site request forgery detected, request denied. See "
                              "http://en.wikipedia.org/wiki/Cross-site_request_forgery for "
                              "more information.")
                     log.warn('Cross-site request forgery detected, request %r DENIED: %s '
                              'REMOTE_ADDR:%s, HEADERS:%s' % (
                                  request, reason, request.remote_addr, request.headers))
                     raise HTTPForbidden(explanation=csrf_message)
             class LoginRequired(object):
                 """
                 Must be logged in to execute this function else
                 redirect to login page
                 :param api_access: if enabled this checks only for valid auth token
                     and grants access based on valid token
                 """
                 def __init__(self, auth_token_access=None):
                     self.auth_token_access = auth_token_access
                 def __call__(self, func):
                     return get_cython_compat_decorator(self.__wrapper, func)
                 def _get_request(self):
                     return get_request(self)
                 def __wrapper(self, func, *fargs, **fkwargs):
                     from rhodecode.lib import helpers as h
                     cls = fargs[0]
                     user = cls._rhodecode_user
                     request = self._get_request()
                     _ = request.translate
                     loc = "%s:%s" % (cls.__class__.__name__, func.__name__)
                     log.debug('Starting login restriction checks for user: %s', user)
                     # check if our IP is allowed
                     ip_access_valid = True
                     if not user.ip_allowed:
                         h.flash(h.literal(_('IP %s not allowed' % (user.ip_addr,))),
                                 category='warning')
                         ip_access_valid = False
                     # check if we used an APIKEY and it's a valid one
                     # defined white-list of controllers which API access will be enabled
                     _auth_token = request.GET.get(
                         'auth_token', '') or request.GET.get('api_key', '')
                     auth_token_access_valid = allowed_auth_token_access(
                         loc, auth_token=_auth_token)
                     # explicit controller is enabled or API is in our whitelist
                     if self.auth_token_access or auth_token_access_valid:
                         log.debug('Checking AUTH TOKEN access for %s', cls)
                         db_user = user.get_instance()
                         if db_user:
                             if self.auth_token_access:
                                 roles = self.auth_token_access
                             else:
                                 roles = [UserApiKeys.ROLE_HTTP]
                             token_match = db_user.authenticate_by_token(
                                 _auth_token, roles=roles)
                         else:
                             log.debug('Unable to fetch db instance for auth user: %s', user)
                             token_match = False
                         if _auth_token and token_match:
                             auth_token_access_valid = True
                             log.debug('AUTH TOKEN ****%s is VALID', _auth_token[-4:])
                         else:
                             auth_token_access_valid = False
                             if not _auth_token:
                                 log.debug("AUTH TOKEN *NOT* present in request")
                             else:
                                 log.warning("AUTH TOKEN ****%s *NOT* valid", _auth_token[-4:])
                     log.debug('Checking if %s is authenticated @ %s', user.username, loc)
                     reason = 'RHODECODE_AUTH' if user.is_authenticated \
                         else 'AUTH_TOKEN_AUTH'
                     if ip_access_valid and (
                             user.is_authenticated or auth_token_access_valid):
                         log.info('user %s authenticating with:%s IS authenticated on func %s',
                                  user, reason, loc)
                         return func(*fargs, **fkwargs)
                     else:
                         log.warning(
                             'user %s authenticating with:%s NOT authenticated on '
                             'func: %s: IP_ACCESS:%s AUTH_TOKEN_ACCESS:%s',
                             user, reason, loc, ip_access_valid, auth_token_access_valid)
                         # we preserve the get PARAM
                         came_from = get_came_from(request)
                         log.debug('redirecting to login page with %s', came_from)
                         raise HTTPFound(
                             h.route_path('login', _query={'came_from': came_from}))
             class NotAnonymous(object):
                 """
                 Must be logged in to execute this function else
                 redirect to login page
                 """
                 def __call__(self, func):
                     return get_cython_compat_decorator(self.__wrapper, func)
                 def _get_request(self):
                     return get_request(self)
                 def __wrapper(self, func, *fargs, **fkwargs):
                     import rhodecode.lib.helpers as h
                     cls = fargs[0]
                     self.user = cls._rhodecode_user
                     request = self._get_request()
                     _ = request.translate
                     log.debug('Checking if user is not anonymous @%s', cls)
                     anonymous = self.user.username == User.DEFAULT_USER
                     if anonymous:
                         came_from = get_came_from(request)
                         h.flash(_('You need to be a registered user to '
                                   'perform this action'),
                                 category='warning')
                         raise HTTPFound(
                             h.route_path('login', _query={'came_from': came_from}))
                     else:
                         return func(*fargs, **fkwargs)
             class PermsDecorator(object):
                 """
                 Base class for controller decorators, we extract the current user from
                 the class itself, which has it stored in base controllers
                 """
                 def __init__(self, *required_perms):
                     self.required_perms = set(required_perms)
                 def __call__(self, func):
                     return get_cython_compat_decorator(self.__wrapper, func)
                 def _get_request(self):
                     return get_request(self)
                 def __wrapper(self, func, *fargs, **fkwargs):
                     import rhodecode.lib.helpers as h
                     cls = fargs[0]
                     _user = cls._rhodecode_user
                     request = self._get_request()
                     _ = request.translate
                     log.debug('checking %s permissions %s for %s %s',
                               self.__class__.__name__, self.required_perms, cls, _user)
                     if self.check_permissions(_user):
                         log.debug('Permission granted for %s %s', cls, _user)
                         return func(*fargs, **fkwargs)
                     else:
                         log.debug('Permission denied for %s %s', cls, _user)
                         anonymous = _user.username == User.DEFAULT_USER
                         if anonymous:
                             came_from = get_came_from(self._get_request())
                             h.flash(_('You need to be signed in to view this page'),
                                     category='warning')
                             raise HTTPFound(
                                 h.route_path('login', _query={'came_from': came_from}))
                         else:
                             # redirect with 404 to prevent resource discovery
                             raise HTTPNotFound()
                 def check_permissions(self, user):
                     """Dummy function for overriding"""
                     raise NotImplementedError(
                         'You have to write this function in child class')
             class HasPermissionAllDecorator(PermsDecorator):
                 """
                 Checks for access permission for all given predicates. All of them
                 have to be meet in order to fulfill the request
                 """
                 def check_permissions(self, user):
                     perms = user.permissions_with_scope({})
                     if self.required_perms.issubset(perms['global']):
                         return True
                     return False
             class HasPermissionAnyDecorator(PermsDecorator):
                 """
                 Checks for access permission for any of given predicates. In order to
                 fulfill the request any of predicates must be meet
                 """
                 def check_permissions(self, user):
                     perms = user.permissions_with_scope({})
                     if self.required_perms.intersection(perms['global']):
                         return True
                     return False
             class HasRepoPermissionAllDecorator(PermsDecorator):
                 """
                 Checks for access permission for all given predicates for specific
                 repository. All of them have to be meet in order to fulfill the request
                 """
                 def _get_repo_name(self):
                     _request = self._get_request()
                     return get_repo_slug(_request)
                 def check_permissions(self, user):
                     perms = user.permissions
                     repo_name = self._get_repo_name()
                     try:
                         user_perms = {perms['repositories'][repo_name]}
                     except KeyError:
                         log.debug('cannot locate repo with name: `%s` in permissions defs',
                                   repo_name)
                         return False
                     log.debug('checking `%s` permissions for repo `%s`',
                               user_perms, repo_name)
                     if self.required_perms.issubset(user_perms):
                         return True
                     return False
             class HasRepoPermissionAnyDecorator(PermsDecorator):
                 """
                 Checks for access permission for any of given predicates for specific
                 repository. In order to fulfill the request any of predicates must be meet
                 """
                 def _get_repo_name(self):
                     _request = self._get_request()
                     return get_repo_slug(_request)
                 def check_permissions(self, user):
                     perms = user.permissions
                     repo_name = self._get_repo_name()
                     try:
                         user_perms = {perms['repositories'][repo_name]}
                     except KeyError:
                         log.debug(
                             'cannot locate repo with name: `%s` in permissions defs',
                             repo_name)
                         return False
                     log.debug('checking `%s` permissions for repo `%s`',
                               user_perms, repo_name)
                     if self.required_perms.intersection(user_perms):
                         return True
                     return False
             class HasRepoGroupPermissionAllDecorator(PermsDecorator):
                 """
                 Checks for access permission for all given predicates for specific
                 repository group. All of them have to be meet in order to
                 fulfill the request
                 """
                 def _get_repo_group_name(self):
                     _request = self._get_request()
                     return get_repo_group_slug(_request)
                 def check_permissions(self, user):
                     perms = user.permissions
                     group_name = self._get_repo_group_name()
                     try:
                         user_perms = {perms['repositories_groups'][group_name]}
                     except KeyError:
                         log.debug(
                             'cannot locate repo group with name: `%s` in permissions defs',
                             group_name)
                         return False
                     log.debug('checking `%s` permissions for repo group `%s`',
                               user_perms, group_name)
                     if self.required_perms.issubset(user_perms):
                         return True
                     return False
             class HasRepoGroupPermissionAnyDecorator(PermsDecorator):
                 """
                 Checks for access permission for any of given predicates for specific
                 repository group. In order to fulfill the request any
                 of predicates must be met
                 """
                 def _get_repo_group_name(self):
                     _request = self._get_request()
                     return get_repo_group_slug(_request)
                 def check_permissions(self, user):
                     perms = user.permissions
                     group_name = self._get_repo_group_name()
                     try:
                         user_perms = {perms['repositories_groups'][group_name]}
                     except KeyError:
                         log.debug(
                             'cannot locate repo group with name: `%s` in permissions defs',
                             group_name)
                         return False
                     log.debug('checking `%s` permissions for repo group `%s`',
                               user_perms, group_name)
                     if self.required_perms.intersection(user_perms):
                         return True
                     return False
             class HasUserGroupPermissionAllDecorator(PermsDecorator):
                 """
                 Checks for access permission for all given predicates for specific
                 user group. All of them have to be meet in order to fulfill the request
                 """
                 def _get_user_group_name(self):
                     _request = self._get_request()
                     return get_user_group_slug(_request)
                 def check_permissions(self, user):
                     perms = user.permissions
                     group_name = self._get_user_group_name()
                     try:
                         user_perms = {perms['user_groups'][group_name]}
                     except KeyError:
                         return False
                     if self.required_perms.issubset(user_perms):
                         return True
                     return False
             class HasUserGroupPermissionAnyDecorator(PermsDecorator):
                 """
                 Checks for access permission for any of given predicates for specific
                 user group. In order to fulfill the request any of predicates must be meet
                 """
                 def _get_user_group_name(self):
                     _request = self._get_request()
                     return get_user_group_slug(_request)
                 def check_permissions(self, user):
                     perms = user.permissions
                     group_name = self._get_user_group_name()
                     try:
                         user_perms = {perms['user_groups'][group_name]}
                     except KeyError:
                         return False
                     if self.required_perms.intersection(user_perms):
                         return True
                     return False
             # CHECK FUNCTIONS
             class PermsFunction(object):
                 """Base function for other check functions"""
                 def __init__(self, *perms):
                     self.required_perms = set(perms)
                     self.repo_name = None
                     self.repo_group_name = None
                     self.user_group_name = None
                 def __bool__(self):
                     frame = inspect.currentframe()
                     stack_trace = traceback.format_stack(frame)
                     log.error('Checking bool value on a class instance of perm '
                               'function is not allowed: %s', ''.join(stack_trace))
                     # rather than throwing errors, here we always return False so if by
                     # accident someone checks truth for just an instance it will always end
                     # up in returning False
                     return False
                 __nonzero__ = __bool__
                 def __call__(self, check_location='', user=None):
                     if not user:
                         log.debug('Using user attribute from global request')
                         request = self._get_request()
                         user = request.user
                     # init auth user if not already given
                     if not isinstance(user, AuthUser):
                         log.debug('Wrapping user %s into AuthUser', user)
                         user = AuthUser(user.user_id)
                     cls_name = self.__class__.__name__
                     check_scope = self._get_check_scope(cls_name)
                     check_location = check_location or 'unspecified location'
                     log.debug('checking cls:%s %s usr:%s %s @ %s', cls_name,
                               self.required_perms, user, check_scope, check_location)
                     if not user:
                         log.warning('Empty user given for permission check')
                         return False
                     if self.check_permissions(user):
                         log.debug('Permission to repo:`%s` GRANTED for user:`%s` @ %s',
                                   check_scope, user, check_location)
                         return True
                     else:
                         log.debug('Permission to repo:`%s` DENIED for user:`%s` @ %s',
                                   check_scope, user, check_location)
                         return False
                 def _get_request(self):
                     return get_request(self)
                 def _get_check_scope(self, cls_name):
                     return {
                         'HasPermissionAll':          'GLOBAL',
                         'HasPermissionAny':          'GLOBAL',
                         'HasRepoPermissionAll':      'repo:%s' % self.repo_name,
                         'HasRepoPermissionAny':      'repo:%s' % self.repo_name,
                         'HasRepoGroupPermissionAll': 'repo_group:%s' % self.repo_group_name,
                         'HasRepoGroupPermissionAny': 'repo_group:%s' % self.repo_group_name,
                         'HasUserGroupPermissionAll': 'user_group:%s' % self.user_group_name,
                         'HasUserGroupPermissionAny': 'user_group:%s' % self.user_group_name,
                     }.get(cls_name, '?:%s' % cls_name)
                 def check_permissions(self, user):
                     """Dummy function for overriding"""
                     raise Exception('You have to write this function in child class')
             class HasPermissionAll(PermsFunction):
                 def check_permissions(self, user):
                     perms = user.permissions_with_scope({})
                     if self.required_perms.issubset(perms.get('global')):
                         return True
                     return False
             class HasPermissionAny(PermsFunction):
                 def check_permissions(self, user):
                     perms = user.permissions_with_scope({})
                     if self.required_perms.intersection(perms.get('global')):
                         return True
                     return False
             class HasRepoPermissionAll(PermsFunction):
                 def __call__(self, repo_name=None, check_location='', user=None):
                     self.repo_name = repo_name
                     return super(HasRepoPermissionAll, self).__call__(check_location, user)
                 def _get_repo_name(self):
                     if not self.repo_name:
                         _request = self._get_request()
                         self.repo_name = get_repo_slug(_request)
                     return self.repo_name
                 def check_permissions(self, user):
                     self.repo_name = self._get_repo_name()
                     perms = user.permissions
                     try:
                         user_perms = {perms['repositories'][self.repo_name]}
                     except KeyError:
                         return False
                     if self.required_perms.issubset(user_perms):
                         return True
                     return False
             class HasRepoPermissionAny(PermsFunction):
                 def __call__(self, repo_name=None, check_location='', user=None):
                     self.repo_name = repo_name
                     return super(HasRepoPermissionAny, self).__call__(check_location, user)
                 def _get_repo_name(self):
                     if not self.repo_name:
                         _request = self._get_request()
                         self.repo_name = get_repo_slug(_request)
                     return self.repo_name
                 def check_permissions(self, user):
                     self.repo_name = self._get_repo_name()
                     perms = user.permissions
                     try:
                         user_perms = {perms['repositories'][self.repo_name]}
                     except KeyError:
                         return False
                     if self.required_perms.intersection(user_perms):
                         return True
                     return False
             class HasRepoGroupPermissionAny(PermsFunction):
                 def __call__(self, group_name=None, check_location='', user=None):
                     self.repo_group_name = group_name
                     return super(HasRepoGroupPermissionAny, self).__call__(check_location, user)
                 def check_permissions(self, user):
                     perms = user.permissions
                     try:
                         user_perms = {perms['repositories_groups'][self.repo_group_name]}
                     except KeyError:
                         return False
                     if self.required_perms.intersection(user_perms):
                         return True
                     return False
             class HasRepoGroupPermissionAll(PermsFunction):
                 def __call__(self, group_name=None, check_location='', user=None):
                     self.repo_group_name = group_name
                     return super(HasRepoGroupPermissionAll, self).__call__(check_location, user)
                 def check_permissions(self, user):
                     perms = user.permissions
                     try:
                         user_perms = {perms['repositories_groups'][self.repo_group_name]}
                     except KeyError:
                         return False
                     if self.required_perms.issubset(user_perms):
                         return True
                     return False
             class HasUserGroupPermissionAny(PermsFunction):
                 def __call__(self, user_group_name=None, check_location='', user=None):
                     self.user_group_name = user_group_name
                     return super(HasUserGroupPermissionAny, self).__call__(check_location, user)
                 def check_permissions(self, user):
                     perms = user.permissions
                     try:
                         user_perms = {perms['user_groups'][self.user_group_name]}
                     except KeyError:
                         return False
                     if self.required_perms.intersection(user_perms):
                         return True
                     return False
             class HasUserGroupPermissionAll(PermsFunction):
                 def __call__(self, user_group_name=None, check_location='', user=None):
                     self.user_group_name = user_group_name
                     return super(HasUserGroupPermissionAll, self).__call__(check_location, user)
                 def check_permissions(self, user):
                     perms = user.permissions
                     try:
                         user_perms = {perms['user_groups'][self.user_group_name]}
                     except KeyError:
                         return False
                     if self.required_perms.issubset(user_perms):
                         return True
                     return False
             # SPECIAL VERSION TO HANDLE MIDDLEWARE AUTH
             class HasPermissionAnyMiddleware(object):
                 def __init__(self, *perms):
                     self.required_perms = set(perms)
                 def __call__(self, auth_user, repo_name):
                     # repo_name MUST be unicode, since we handle keys in permission
                     # dict by unicode
                     repo_name = safe_unicode(repo_name)
                     log.debug(
                         'Checking VCS protocol permissions %s for user:%s repo:`%s`',
                         self.required_perms, auth_user, repo_name)
                     if self.check_permissions(auth_user, repo_name):
                         log.debug('Permission to repo:`%s` GRANTED for user:%s @ %s',
                                   repo_name, auth_user, 'PermissionMiddleware')
                         return True
                     else:
                         log.debug('Permission to repo:`%s` DENIED for user:%s @ %s',
                                   repo_name, auth_user, 'PermissionMiddleware')
                         return False
                 def check_permissions(self, user, repo_name):
                     perms = user.permissions_with_scope({'repo_name': repo_name})
                     try:
                         user_perms = {perms['repositories'][repo_name]}
                     except Exception:
                         log.exception('Error while accessing user permissions')
                         return False
                     if self.required_perms.intersection(user_perms):
                         return True
                     return False
             # SPECIAL VERSION TO HANDLE API AUTH
             class _BaseApiPerm(object):
                 def __init__(self, *perms):
                     self.required_perms = set(perms)
                 def __call__(self, check_location=None, user=None, repo_name=None,
                              group_name=None, user_group_name=None):
                     cls_name = self.__class__.__name__
                     check_scope = 'global:%s' % (self.required_perms,)
                     if repo_name:
                         check_scope += ', repo_name:%s' % (repo_name,)
                     if group_name:
                         check_scope += ', repo_group_name:%s' % (group_name,)
                     if user_group_name:
                         check_scope += ', user_group_name:%s' % (user_group_name,)
                     log.debug('checking cls:%s %s %s @ %s',
                               cls_name, self.required_perms, check_scope, check_location)
                     if not user:
                         log.debug('Empty User passed into arguments')
                         return False
                     # process user
                     if not isinstance(user, AuthUser):
                         user = AuthUser(user.user_id)
                     if not check_location:
                         check_location = 'unspecified'
                     if self.check_permissions(user.permissions, repo_name, group_name,
                                               user_group_name):
                         log.debug('Permission to repo:`%s` GRANTED for user:`%s` @ %s',
                                   check_scope, user, check_location)
                         return True
                     else:
                         log.debug('Permission to repo:`%s` DENIED for user:`%s` @ %s',
                                   check_scope, user, check_location)
                         return False
                 def check_permissions(self, perm_defs, repo_name=None, group_name=None,
                                       user_group_name=None):
                     """
                     implement in child class should return True if permissions are ok,
                     False otherwise
                     :param perm_defs: dict with permission definitions
                     :param repo_name: repo name
                     """
                     raise NotImplementedError()
             class HasPermissionAllApi(_BaseApiPerm):
                 def check_permissions(self, perm_defs, repo_name=None, group_name=None,
                                       user_group_name=None):
                     if self.required_perms.issubset(perm_defs.get('global')):
                         return True
                     return False
             class HasPermissionAnyApi(_BaseApiPerm):
                 def check_permissions(self, perm_defs, repo_name=None, group_name=None,
                                       user_group_name=None):
                     if self.required_perms.intersection(perm_defs.get('global')):
                         return True
                     return False
             class HasRepoPermissionAllApi(_BaseApiPerm):
                 def check_permissions(self, perm_defs, repo_name=None, group_name=None,
                                       user_group_name=None):
                     try:
                         _user_perms = {perm_defs['repositories'][repo_name]}
                     except KeyError:
                         log.warning(traceback.format_exc())
                         return False
                     if self.required_perms.issubset(_user_perms):
                         return True
                     return False
             class HasRepoPermissionAnyApi(_BaseApiPerm):
                 def check_permissions(self, perm_defs, repo_name=None, group_name=None,
                                       user_group_name=None):
                     try:
                         _user_perms = {perm_defs['repositories'][repo_name]}
                     except KeyError:
                         log.warning(traceback.format_exc())
                         return False
                     if self.required_perms.intersection(_user_perms):
                         return True
                     return False
             class HasRepoGroupPermissionAnyApi(_BaseApiPerm):
                 def check_permissions(self, perm_defs, repo_name=None, group_name=None,
                                       user_group_name=None):
                     try:
                         _user_perms = {perm_defs['repositories_groups'][group_name]}
                     except KeyError:
                         log.warning(traceback.format_exc())
                         return False
                     if self.required_perms.intersection(_user_perms):
                         return True
                     return False
             class HasRepoGroupPermissionAllApi(_BaseApiPerm):
                 def check_permissions(self, perm_defs, repo_name=None, group_name=None,
                                       user_group_name=None):
                     try:
                         _user_perms = {perm_defs['repositories_groups'][group_name]}
                     except KeyError:
                         log.warning(traceback.format_exc())
                         return False
                     if self.required_perms.issubset(_user_perms):
                         return True
                     return False
             class HasUserGroupPermissionAnyApi(_BaseApiPerm):
                 def check_permissions(self, perm_defs, repo_name=None, group_name=None,
                                       user_group_name=None):
                     try:
                         _user_perms = {perm_defs['user_groups'][user_group_name]}
                     except KeyError:
                         log.warning(traceback.format_exc())
                         return False
                     if self.required_perms.intersection(_user_perms):
                         return True
                     return False
             def check_ip_access(source_ip, allowed_ips=None):
                 """
                 Checks if source_ip is a subnet of any of allowed_ips.
                 :param source_ip:
                 :param allowed_ips: list of allowed ips together with mask
                 """
                 log.debug('checking if ip:%s is subnet of %s', source_ip, allowed_ips)
                 source_ip_address = ipaddress.ip_address(safe_unicode(source_ip))
                 if isinstance(allowed_ips, (tuple, list, set)):
                     for ip in allowed_ips:
                         ip = safe_unicode(ip)
                         try:
                             network_address = ipaddress.ip_network(ip, strict=False)
                             if source_ip_address in network_address:
                                 log.debug('IP %s is network %s', source_ip_address, network_address)
                                 return True
                             # for any case we cannot determine the IP, don't crash just
                             # skip it and log as error, we want to say forbidden still when
                             # sending bad IP
                         except Exception:
                             log.error(traceback.format_exc())
                             continue
                 return False
             def get_cython_compat_decorator(wrapper, func):
                 """
                 Creates a cython compatible decorator. The previously used
                 decorator.decorator() function seems to be incompatible with cython.
                 :param wrapper: __wrapper method of the decorator class
                 :param func: decorated function
                 """
                 @wraps(func)
                 def local_wrapper(*args, **kwds):
                     return wrapper(func, *args, **kwds)
                 local_wrapper.__wrapped__ = func
                 return local_wrapper

rhodecode/lib/dbmigrate/schema/db_4_16_0_0.py

0 +1 -1

             # -*- coding: utf-8 -*-
             # Copyright (C) 2010-2019 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             """
             Database Models for RhodeCode Enterprise
             """
             import re
             import os
             import time
             import hashlib
             import logging
             import datetime
             import warnings
             import ipaddress
             import functools
             import traceback
             import collections
             from sqlalchemy import (
                 or_, and_, not_, func, TypeDecorator, event,
                 Index, Sequence, UniqueConstraint, ForeignKey, CheckConstraint, Column,
                 Boolean, String, Unicode, UnicodeText, DateTime, Integer, LargeBinary,
                 Text, Float, PickleType)
             from sqlalchemy.sql.expression import true, false
             from sqlalchemy.sql.functions import coalesce, count  # pragma: no cover
             from sqlalchemy.orm import (
                 relationship, joinedload, class_mapper, validates, aliased)
             from sqlalchemy.ext.declarative import declared_attr
             from sqlalchemy.ext.hybrid import hybrid_property
             from sqlalchemy.exc import IntegrityError  # pragma: no cover
             from sqlalchemy.dialects.mysql import LONGTEXT
             from zope.cachedescriptors.property import Lazy as LazyProperty
             from pyramid import compat
             from pyramid.threadlocal import get_current_request
             from rhodecode.translation import _
             from rhodecode.lib.vcs import get_vcs_instance
             from rhodecode.lib.vcs.backends.base import EmptyCommit, Reference
             from rhodecode.lib.utils2 import (
                 str2bool, safe_str, get_commit_safe, safe_unicode, sha1_safe,
                 time_to_datetime, aslist, Optional, safe_int, get_clone_url, AttributeDict,
                 glob2re, StrictAttributeDict, cleaned_uri)
             from rhodecode.lib.jsonalchemy import MutationObj, MutationList, JsonType, \
                 JsonRaw
             from rhodecode.lib.ext_json import json
             from rhodecode.lib.caching_query import FromCache
             from rhodecode.lib.encrypt import AESCipher
             from rhodecode.model.meta import Base, Session
             URL_SEP = '/'
             log = logging.getLogger(__name__)
             # =============================================================================
             # BASE CLASSES
             # =============================================================================
             # this is propagated from .ini file rhodecode.encrypted_values.secret or
             # beaker.session.secret if first is not set.
             # and initialized at environment.py
             ENCRYPTION_KEY = None
             # used to sort permissions by types, '#' used here is not allowed to be in
             # usernames, and it's very early in sorted string.printable table.
             PERMISSION_TYPE_SORT = {
                 'admin': '####',
                 'write': '###',
                 'read':  '##',
                 'none':  '#',
             }
             def display_user_sort(obj):
                 """
                 Sort function used to sort permissions in .permissions() function of
                 Repository, RepoGroup, UserGroup. Also it put the default user in front
                 of all other resources
                 """
                 if obj.username == User.DEFAULT_USER:
                     return '#####'
                 prefix = PERMISSION_TYPE_SORT.get(obj.permission.split('.')[-1], '')
                 return prefix + obj.username
             def display_user_group_sort(obj):
                 """
                 Sort function used to sort permissions in .permissions() function of
                 Repository, RepoGroup, UserGroup. Also it put the default user in front
                 of all other resources
                 """
                 prefix = PERMISSION_TYPE_SORT.get(obj.permission.split('.')[-1], '')
                 return prefix + obj.users_group_name
             def _hash_key(k):
                 return sha1_safe(k)
             def in_filter_generator(qry, items, limit=500):
                 """
                 Splits IN() into multiple with OR
                 e.g.::
                 cnt = Repository.query().filter(
                     or_(
                         *in_filter_generator(Repository.repo_id, range(100000))
                     )).count()
                 """
                 if not items:
                     # empty list will cause empty query which might cause security issues
                     # this can lead to hidden unpleasant results
                     items = [-1]
                 parts = []
                 for chunk in xrange(0, len(items), limit):
                     parts.append(
                         qry.in_(items[chunk: chunk + limit])
                     )
                 return parts
             base_table_args = {
                 'extend_existing': True,
                 'mysql_engine': 'InnoDB',
                 'mysql_charset': 'utf8',
                 'sqlite_autoincrement': True
             }
             class EncryptedTextValue(TypeDecorator):
                 """
                 Special column for encrypted long text data, use like::
                     value = Column("encrypted_value", EncryptedValue(), nullable=False)
                 This column is intelligent so if value is in unencrypted form it return
                 unencrypted form, but on save it always encrypts
                 """
                 impl = Text
                 def process_bind_param(self, value, dialect):
                     if not value:
                         return value
                     if value.startswith('enc$aes$') or value.startswith('enc$aes_hmac$'):
                         # protect against double encrypting if someone manually starts
                         # doing
                         raise ValueError('value needs to be in unencrypted format, ie. '
                                          'not starting with enc$aes')
                     return 'enc$aes_hmac$%s' % AESCipher(
                         ENCRYPTION_KEY, hmac=True).encrypt(value)
                 def process_result_value(self, value, dialect):
                     import rhodecode
                     if not value:
                         return value
                     parts = value.split('$', 3)
                     if not len(parts) == 3:
                         # probably not encrypted values
                         return value
                     else:
                         if parts[0] != 'enc':
                             # parts ok but without our header ?
                             return value
                         enc_strict_mode = str2bool(rhodecode.CONFIG.get(
                             'rhodecode.encrypted_values.strict') or True)
                         # at that stage we know it's our encryption
                         if parts[1] == 'aes':
                             decrypted_data = AESCipher(ENCRYPTION_KEY).decrypt(parts[2])
                         elif parts[1] == 'aes_hmac':
                             decrypted_data = AESCipher(
                                 ENCRYPTION_KEY, hmac=True,
                                 strict_verification=enc_strict_mode).decrypt(parts[2])
                         else:
                             raise ValueError(
                                 'Encryption type part is wrong, must be `aes` '
                                 'or `aes_hmac`, got `%s` instead' % (parts[1]))
                         return decrypted_data
             class BaseModel(object):
                 """
                 Base Model for all classes
                 """
                 @classmethod
                 def _get_keys(cls):
                     """return column names for this model """
                     return class_mapper(cls).c.keys()
                 def get_dict(self):
                     """
                     return dict with keys and values corresponding
                     to this model data """
                     d = {}
                     for k in self._get_keys():
                         d[k] = getattr(self, k)
                     # also use __json__() if present to get additional fields
                     _json_attr = getattr(self, '__json__', None)
                     if _json_attr:
                         # update with attributes from __json__
                         if callable(_json_attr):
                             _json_attr = _json_attr()
                         for k, val in _json_attr.iteritems():
                             d[k] = val
                     return d
                 def get_appstruct(self):
                     """return list with keys and values tuples corresponding
                     to this model data """
                     lst = []
                     for k in self._get_keys():
                         lst.append((k, getattr(self, k),))
                     return lst
                 def populate_obj(self, populate_dict):
                     """populate model with data from given populate_dict"""
                     for k in self._get_keys():
                         if k in populate_dict:
                             setattr(self, k, populate_dict[k])
                 @classmethod
                 def query(cls):
                     return Session().query(cls)
                 @classmethod
                 def get(cls, id_):
                     if id_:
                         return cls.query().get(id_)
                 @classmethod
                 def get_or_404(cls, id_):
                     from pyramid.httpexceptions import HTTPNotFound
                     try:
                         id_ = int(id_)
                     except (TypeError, ValueError):
                         raise HTTPNotFound()
                     res = cls.query().get(id_)
                     if not res:
                         raise HTTPNotFound()
                     return res
                 @classmethod
                 def getAll(cls):
                     # deprecated and left for backward compatibility
                     return cls.get_all()
                 @classmethod
                 def get_all(cls):
                     return cls.query().all()
                 @classmethod
                 def delete(cls, id_):
                     obj = cls.query().get(id_)
                     Session().delete(obj)
                 @classmethod
                 def identity_cache(cls, session, attr_name, value):
                     exist_in_session = []
                     for (item_cls, pkey), instance in session.identity_map.items():
                         if cls == item_cls and getattr(instance, attr_name) == value:
                             exist_in_session.append(instance)
                     if exist_in_session:
                         if len(exist_in_session) == 1:
                             return exist_in_session[0]
                         log.exception(
                             'multiple objects with attr %s and '
                             'value %s found with same name: %r',
                             attr_name, value, exist_in_session)
                 def __repr__(self):
                     if hasattr(self, '__unicode__'):
                         # python repr needs to return str
                         try:
                             return safe_str(self.__unicode__())
                         except UnicodeDecodeError:
                             pass
                     return '<DB:%s>' % (self.__class__.__name__)
             class RhodeCodeSetting(Base, BaseModel):
                 __tablename__ = 'rhodecode_settings'
                 __table_args__ = (
                     UniqueConstraint('app_settings_name'),
                     base_table_args
                 )
                 SETTINGS_TYPES = {
                     'str': safe_str,
                     'int': safe_int,
                     'unicode': safe_unicode,
                     'bool': str2bool,
                     'list': functools.partial(aslist, sep=',')
                 }
                 DEFAULT_UPDATE_URL = 'https://rhodecode.com/api/v1/info/versions'
                 GLOBAL_CONF_KEY = 'app_settings'
                 app_settings_id = Column("app_settings_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 app_settings_name = Column("app_settings_name", String(255), nullable=True, unique=None, default=None)
                 _app_settings_value = Column("app_settings_value", String(4096), nullable=True, unique=None, default=None)
                 _app_settings_type = Column("app_settings_type", String(255), nullable=True, unique=None, default=None)
                 def __init__(self, key='', val='', type='unicode'):
                     self.app_settings_name = key
                     self.app_settings_type = type
                     self.app_settings_value = val
                 @validates('_app_settings_value')
                 def validate_settings_value(self, key, val):
                     assert type(val) == unicode
                     return val
                 @hybrid_property
                 def app_settings_value(self):
                     v = self._app_settings_value
                     _type = self.app_settings_type
                     if _type:
                         _type = self.app_settings_type.split('.')[0]
                         # decode the encrypted value
                         if 'encrypted' in self.app_settings_type:
                             cipher = EncryptedTextValue()
                             v = safe_unicode(cipher.process_result_value(v, None))
                     converter = self.SETTINGS_TYPES.get(_type) or \
                         self.SETTINGS_TYPES['unicode']
                     return converter(v)
                 @app_settings_value.setter
                 def app_settings_value(self, val):
                     """
                     Setter that will always make sure we use unicode in app_settings_value
                     :param val:
                     """
                     val = safe_unicode(val)
                     # encode the encrypted value
                     if 'encrypted' in self.app_settings_type:
                         cipher = EncryptedTextValue()
                         val = safe_unicode(cipher.process_bind_param(val, None))
                     self._app_settings_value = val
                 @hybrid_property
                 def app_settings_type(self):
                     return self._app_settings_type
                 @app_settings_type.setter
                 def app_settings_type(self, val):
                     if val.split('.')[0] not in self.SETTINGS_TYPES:
                         raise Exception('type must be one of %s got %s'
                                         % (self.SETTINGS_TYPES.keys(), val))
                     self._app_settings_type = val
                 @classmethod
                 def get_by_prefix(cls, prefix):
                     return RhodeCodeSetting.query()\
                         .filter(RhodeCodeSetting.app_settings_name.startswith(prefix))\
                         .all()
                 def __unicode__(self):
                     return u"<%s('%s:%s[%s]')>" % (
                         self.__class__.__name__,
                         self.app_settings_name, self.app_settings_value,
                         self.app_settings_type
                     )
             class RhodeCodeUi(Base, BaseModel):
                 __tablename__ = 'rhodecode_ui'
                 __table_args__ = (
                     UniqueConstraint('ui_key'),
                     base_table_args
                 )
                 HOOK_REPO_SIZE = 'changegroup.repo_size'
                 # HG
                 HOOK_PRE_PULL = 'preoutgoing.pre_pull'
                 HOOK_PULL = 'outgoing.pull_logger'
                 HOOK_PRE_PUSH = 'prechangegroup.pre_push'
                 HOOK_PRETX_PUSH = 'pretxnchangegroup.pre_push'
                 HOOK_PUSH = 'changegroup.push_logger'
                 HOOK_PUSH_KEY = 'pushkey.key_push'
                 # TODO: johbo: Unify way how hooks are configured for git and hg,
                 # git part is currently hardcoded.
                 # SVN PATTERNS
                 SVN_BRANCH_ID = 'vcs_svn_branch'
                 SVN_TAG_ID = 'vcs_svn_tag'
                 ui_id = Column(
                     "ui_id", Integer(), nullable=False, unique=True, default=None,
                     primary_key=True)
                 ui_section = Column(
                     "ui_section", String(255), nullable=True, unique=None, default=None)
                 ui_key = Column(
                     "ui_key", String(255), nullable=True, unique=None, default=None)
                 ui_value = Column(
                     "ui_value", String(255), nullable=True, unique=None, default=None)
                 ui_active = Column(
                     "ui_active", Boolean(), nullable=True, unique=None, default=True)
                 def __repr__(self):
                     return '<%s[%s]%s=>%s]>' % (self.__class__.__name__, self.ui_section,
                                                 self.ui_key, self.ui_value)
             class RepoRhodeCodeSetting(Base, BaseModel):
                 __tablename__ = 'repo_rhodecode_settings'
                 __table_args__ = (
                     UniqueConstraint(
                         'app_settings_name', 'repository_id',
                         name='uq_repo_rhodecode_setting_name_repo_id'),
                     base_table_args
                 )
                 repository_id = Column(
                     "repository_id", Integer(), ForeignKey('repositories.repo_id'),
                     nullable=False)
                 app_settings_id = Column(
                     "app_settings_id", Integer(), nullable=False, unique=True,
                     default=None, primary_key=True)
                 app_settings_name = Column(
                     "app_settings_name", String(255), nullable=True, unique=None,
                     default=None)
                 _app_settings_value = Column(
                     "app_settings_value", String(4096), nullable=True, unique=None,
                     default=None)
                 _app_settings_type = Column(
                     "app_settings_type", String(255), nullable=True, unique=None,
                     default=None)
                 repository = relationship('Repository')
                 def __init__(self, repository_id, key='', val='', type='unicode'):
                     self.repository_id = repository_id
                     self.app_settings_name = key
                     self.app_settings_type = type
                     self.app_settings_value = val
                 @validates('_app_settings_value')
                 def validate_settings_value(self, key, val):
                     assert type(val) == unicode
                     return val
                 @hybrid_property
                 def app_settings_value(self):
                     v = self._app_settings_value
                     type_ = self.app_settings_type
                     SETTINGS_TYPES = RhodeCodeSetting.SETTINGS_TYPES
                     converter = SETTINGS_TYPES.get(type_) or SETTINGS_TYPES['unicode']
                     return converter(v)
                 @app_settings_value.setter
                 def app_settings_value(self, val):
                     """
                     Setter that will always make sure we use unicode in app_settings_value
                     :param val:
                     """
                     self._app_settings_value = safe_unicode(val)
                 @hybrid_property
                 def app_settings_type(self):
                     return self._app_settings_type
                 @app_settings_type.setter
                 def app_settings_type(self, val):
                     SETTINGS_TYPES = RhodeCodeSetting.SETTINGS_TYPES
                     if val not in SETTINGS_TYPES:
                         raise Exception('type must be one of %s got %s'
                                         % (SETTINGS_TYPES.keys(), val))
                     self._app_settings_type = val
                 def __unicode__(self):
                     return u"<%s('%s:%s:%s[%s]')>" % (
                         self.__class__.__name__, self.repository.repo_name,
                         self.app_settings_name, self.app_settings_value,
                         self.app_settings_type
                     )
             class RepoRhodeCodeUi(Base, BaseModel):
                 __tablename__ = 'repo_rhodecode_ui'
                 __table_args__ = (
                     UniqueConstraint(
                         'repository_id', 'ui_section', 'ui_key',
                         name='uq_repo_rhodecode_ui_repository_id_section_key'),
                     base_table_args
                 )
                 repository_id = Column(
                     "repository_id", Integer(), ForeignKey('repositories.repo_id'),
                     nullable=False)
                 ui_id = Column(
                     "ui_id", Integer(), nullable=False, unique=True, default=None,
                     primary_key=True)
                 ui_section = Column(
                     "ui_section", String(255), nullable=True, unique=None, default=None)
                 ui_key = Column(
                     "ui_key", String(255), nullable=True, unique=None, default=None)
                 ui_value = Column(
                     "ui_value", String(255), nullable=True, unique=None, default=None)
                 ui_active = Column(
                     "ui_active", Boolean(), nullable=True, unique=None, default=True)
                 repository = relationship('Repository')
                 def __repr__(self):
                     return '<%s[%s:%s]%s=>%s]>' % (
                         self.__class__.__name__, self.repository.repo_name,
                         self.ui_section, self.ui_key, self.ui_value)
             class User(Base, BaseModel):
                 __tablename__ = 'users'
                 __table_args__ = (
                     UniqueConstraint('username'), UniqueConstraint('email'),
                     Index('u_username_idx', 'username'),
                     Index('u_email_idx', 'email'),
                     base_table_args
                 )
                 DEFAULT_USER = 'default'
                 DEFAULT_USER_EMAIL = 'anonymous@rhodecode.org'
                 DEFAULT_GRAVATAR_URL = 'https://secure.gravatar.com/avatar/{md5email}?d=identicon&s={size}'
                 user_id = Column("user_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 username = Column("username", String(255), nullable=True, unique=None, default=None)
                 password = Column("password", String(255), nullable=True, unique=None, default=None)
                 active = Column("active", Boolean(), nullable=True, unique=None, default=True)
                 admin = Column("admin", Boolean(), nullable=True, unique=None, default=False)
                 name = Column("firstname", String(255), nullable=True, unique=None, default=None)
                 lastname = Column("lastname", String(255), nullable=True, unique=None, default=None)
                 _email = Column("email", String(255), nullable=True, unique=None, default=None)
                 last_login = Column("last_login", DateTime(timezone=False), nullable=True, unique=None, default=None)
                 last_activity = Column('last_activity', DateTime(timezone=False), nullable=True, unique=None, default=None)
                 extern_type = Column("extern_type", String(255), nullable=True, unique=None, default=None)
                 extern_name = Column("extern_name", String(255), nullable=True, unique=None, default=None)
                 _api_key = Column("api_key", String(255), nullable=True, unique=None, default=None)
                 inherit_default_permissions = Column("inherit_default_permissions", Boolean(), nullable=False, unique=None, default=True)
                 created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 _user_data = Column("user_data", LargeBinary(), nullable=True)  # JSON data
                 user_log = relationship('UserLog')
                 user_perms = relationship('UserToPerm', primaryjoin="User.user_id==UserToPerm.user_id", cascade='all')
                 repositories = relationship('Repository')
                 repository_groups = relationship('RepoGroup')
                 user_groups = relationship('UserGroup')
                 user_followers = relationship('UserFollowing', primaryjoin='UserFollowing.follows_user_id==User.user_id', cascade='all')
                 followings = relationship('UserFollowing', primaryjoin='UserFollowing.user_id==User.user_id', cascade='all')
                 repo_to_perm = relationship('UserRepoToPerm', primaryjoin='UserRepoToPerm.user_id==User.user_id', cascade='all')
                 repo_group_to_perm = relationship('UserRepoGroupToPerm', primaryjoin='UserRepoGroupToPerm.user_id==User.user_id', cascade='all')
                 user_group_to_perm = relationship('UserUserGroupToPerm', primaryjoin='UserUserGroupToPerm.user_id==User.user_id', cascade='all')
                 group_member = relationship('UserGroupMember', cascade='all')
                 notifications = relationship('UserNotification', cascade='all')
                 # notifications assigned to this user
                 user_created_notifications = relationship('Notification', cascade='all')
                 # comments created by this user
                 user_comments = relationship('ChangesetComment', cascade='all')
                 # user profile extra info
                 user_emails = relationship('UserEmailMap', cascade='all')
                 user_ip_map = relationship('UserIpMap', cascade='all')
                 user_auth_tokens = relationship('UserApiKeys', cascade='all')
                 user_ssh_keys = relationship('UserSshKeys', cascade='all')
                 # gists
                 user_gists = relationship('Gist', cascade='all')
                 # user pull requests
                 user_pull_requests = relationship('PullRequest', cascade='all')
                 # external identities
                 extenal_identities = relationship(
                     'ExternalIdentity',
                     primaryjoin="User.user_id==ExternalIdentity.local_user_id",
                     cascade='all')
                 # review rules
                 user_review_rules = relationship('RepoReviewRuleUser', cascade='all')
                 def __unicode__(self):
                     return u"<%s('id:%s:%s')>" % (self.__class__.__name__,
                                                   self.user_id, self.username)
                 @hybrid_property
                 def email(self):
                     return self._email
                 @email.setter
                 def email(self, val):
                     self._email = val.lower() if val else None
                 @hybrid_property
                 def first_name(self):
                     from rhodecode.lib import helpers as h
                     if self.name:
                         return h.escape(self.name)
                     return self.name
                 @hybrid_property
                 def last_name(self):
                     from rhodecode.lib import helpers as h
                     if self.lastname:
                         return h.escape(self.lastname)
                     return self.lastname
                 @hybrid_property
                 def api_key(self):
                     """
                     Fetch if exist an auth-token with role ALL connected to this user
                     """
                     user_auth_token = UserApiKeys.query()\
                         .filter(UserApiKeys.user_id == self.user_id)\
                         .filter(or_(UserApiKeys.expires == -1,
                                         UserApiKeys.expires >= time.time()))\
                         .filter(UserApiKeys.role == UserApiKeys.ROLE_ALL).first()
                     if user_auth_token:
                         user_auth_token = user_auth_token.api_key
                     return user_auth_token
                 @api_key.setter
                 def api_key(self, val):
                     # don't allow to set API key this is deprecated for now
                     self._api_key = None
                 @property
                 def reviewer_pull_requests(self):
                     return PullRequestReviewers.query() \
                         .options(joinedload(PullRequestReviewers.pull_request)) \
                         .filter(PullRequestReviewers.user_id == self.user_id) \
                         .all()
                 @property
                 def firstname(self):
                     # alias for future
                     return self.name
                 @property
                 def emails(self):
                     other = UserEmailMap.query()\
                         .filter(UserEmailMap.user == self) \
                         .order_by(UserEmailMap.email_id.asc()) \
                         .all()
                     return [self.email] + [x.email for x in other]
                 @property
                 def auth_tokens(self):
                     auth_tokens = self.get_auth_tokens()
                     return [x.api_key for x in auth_tokens]
                 def get_auth_tokens(self):
                     return UserApiKeys.query()\
                         .filter(UserApiKeys.user == self)\
                         .order_by(UserApiKeys.user_api_key_id.asc())\
                         .all()
                 @LazyProperty
                 def feed_token(self):
                     return self.get_feed_token()
                 def get_feed_token(self, cache=True):
                     feed_tokens = UserApiKeys.query()\
                         .filter(UserApiKeys.user == self)\
                         .filter(UserApiKeys.role == UserApiKeys.ROLE_FEED)
                     if cache:
                         feed_tokens = feed_tokens.options(
                             FromCache("sql_cache_short", "get_user_feed_token_%s" % self.user_id))
                     feed_tokens = feed_tokens.all()
                     if feed_tokens:
                         return feed_tokens[0].api_key
                     return 'NO_FEED_TOKEN_AVAILABLE'
                 @classmethod
                 def get(cls, user_id, cache=False):
                     if not user_id:
                         return
                     user = cls.query()
                     if cache:
                         user = user.options(
                             FromCache("sql_cache_short", "get_users_%s" % user_id))
                     return user.get(user_id)
                 @classmethod
                 def extra_valid_auth_tokens(cls, user, role=None):
                     tokens = UserApiKeys.query().filter(UserApiKeys.user == user)\
                             .filter(or_(UserApiKeys.expires == -1,
                                         UserApiKeys.expires >= time.time()))
                     if role:
                         tokens = tokens.filter(or_(UserApiKeys.role == role,
                                                    UserApiKeys.role == UserApiKeys.ROLE_ALL))
                     return tokens.all()
                 def authenticate_by_token(self, auth_token, roles=None, scope_repo_id=None):
                     from rhodecode.lib import auth
                     log.debug('Trying to authenticate user: %s via auth-token, '
                               'and roles: %s', self, roles)
                     if not auth_token:
                         return False
                     crypto_backend = auth.crypto_backend()
                     roles = (roles or []) + [UserApiKeys.ROLE_ALL]
                     tokens_q = UserApiKeys.query()\
                         .filter(UserApiKeys.user_id == self.user_id)\
                         .filter(or_(UserApiKeys.expires == -1,
                                     UserApiKeys.expires >= time.time()))
                     tokens_q = tokens_q.filter(UserApiKeys.role.in_(roles))
                     plain_tokens = []
                     hash_tokens = []
                     user_tokens = tokens_q.all()
                     log.debug('Found %s user tokens to check for authentication', len(user_tokens))
                     for token in user_tokens:
                         log.debug('AUTH_TOKEN: checking if user token with id `%s` matches',
                                   token.user_api_key_id)
                         # verify scope first, since it's way faster than hash calculation of
                         # encrypted tokens
                         if token.repo_id:
                             # token has a scope, we need to verify it
                             if scope_repo_id != token.repo_id:
                                 log.debug(
                                     'AUTH_TOKEN: scope mismatch, token has a set repo scope: %s, '
                                     'and calling scope is:%s, skipping further checks',
                                      token.repo, scope_repo_id)
                                 # token has a scope, and it doesn't match, skip token
                                 continue
                         if token.api_key.startswith(crypto_backend.ENC_PREF):
                             hash_tokens.append(token.api_key)
                         else:
                             plain_tokens.append(token.api_key)
                     is_plain_match = auth_token in plain_tokens
                     if is_plain_match:
                         return True
                     for hashed in hash_tokens:
                         # NOTE(marcink): this is expensive to calculate, but most secure
                         match = crypto_backend.hash_check(auth_token, hashed)
                         if match:
                             return True
                     return False
                 @property
                 def ip_addresses(self):
                     ret = UserIpMap.query().filter(UserIpMap.user == self).all()
                     return [x.ip_addr for x in ret]
                 @property
                 def username_and_name(self):
                     return '%s (%s %s)' % (self.username, self.first_name, self.last_name)
                 @property
                 def username_or_name_or_email(self):
                     full_name = self.full_name if self.full_name is not ' ' else None
                     return self.username or full_name or self.email
                 @property
                 def full_name(self):
                     return '%s %s' % (self.first_name, self.last_name)
                 @property
                 def full_name_or_username(self):
                     return ('%s %s' % (self.first_name, self.last_name)
                             if (self.first_name and self.last_name) else self.username)
                 @property
                 def full_contact(self):
                     return '%s %s <%s>' % (self.first_name, self.last_name, self.email)
                 @property
                 def short_contact(self):
                     return '%s %s' % (self.first_name, self.last_name)
                 @property
                 def is_admin(self):
                     return self.admin
                 def AuthUser(self, **kwargs):
                     """
                     Returns instance of AuthUser for this user
                     """
                     from rhodecode.lib.auth import AuthUser
                     return AuthUser(user_id=self.user_id, username=self.username, **kwargs)
                 @hybrid_property
                 def user_data(self):
                     if not self._user_data:
                         return {}
                     try:
                         return json.loads(self._user_data)
                     except TypeError:
                         return {}
                 @user_data.setter
                 def user_data(self, val):
                     if not isinstance(val, dict):
                         raise Exception('user_data must be dict, got %s' % type(val))
                     try:
                         self._user_data = json.dumps(val)
                     except Exception:
                         log.error(traceback.format_exc())
                 @classmethod
                 def get_by_username(cls, username, case_insensitive=False,
                                     cache=False, identity_cache=False):
                     session = Session()
                     if case_insensitive:
                         q = cls.query().filter(
                             func.lower(cls.username) == func.lower(username))
                     else:
                         q = cls.query().filter(cls.username == username)
                     if cache:
                         if identity_cache:
                             val = cls.identity_cache(session, 'username', username)
                             if val:
                                 return val
                         else:
                             cache_key = "get_user_by_name_%s" % _hash_key(username)
                             q = q.options(
                                 FromCache("sql_cache_short", cache_key))
                     return q.scalar()
                 @classmethod
                 def get_by_auth_token(cls, auth_token, cache=False):
                     q = UserApiKeys.query()\
                         .filter(UserApiKeys.api_key == auth_token)\
                         .filter(or_(UserApiKeys.expires == -1,
                                     UserApiKeys.expires >= time.time()))
                     if cache:
                         q = q.options(
                             FromCache("sql_cache_short", "get_auth_token_%s" % auth_token))
                     match = q.first()
                     if match:
                         return match.user
                 @classmethod
                 def get_by_email(cls, email, case_insensitive=False, cache=False):
                     if case_insensitive:
                         q = cls.query().filter(func.lower(cls.email) == func.lower(email))
                     else:
                         q = cls.query().filter(cls.email == email)
                     email_key = _hash_key(email)
                     if cache:
                         q = q.options(
                             FromCache("sql_cache_short", "get_email_key_%s" % email_key))
                     ret = q.scalar()
                     if ret is None:
                         q = UserEmailMap.query()
                         # try fetching in alternate email map
                         if case_insensitive:
                             q = q.filter(func.lower(UserEmailMap.email) == func.lower(email))
                         else:
                             q = q.filter(UserEmailMap.email == email)
                         q = q.options(joinedload(UserEmailMap.user))
                         if cache:
                             q = q.options(
                                 FromCache("sql_cache_short", "get_email_map_key_%s" % email_key))
                         ret = getattr(q.scalar(), 'user', None)
                     return ret
                 @classmethod
                 def get_from_cs_author(cls, author):
                     """
                     Tries to get User objects out of commit author string
                     :param author:
                     """
                     from rhodecode.lib.helpers import email, author_name
                     # Valid email in the attribute passed, see if they're in the system
                     _email = email(author)
                     if _email:
                         user = cls.get_by_email(_email, case_insensitive=True)
                         if user:
                             return user
                     # Maybe we can match by username?
                     _author = author_name(author)
                     user = cls.get_by_username(_author, case_insensitive=True)
                     if user:
                         return user
                 def update_userdata(self, **kwargs):
                     usr = self
                     old = usr.user_data
                     old.update(**kwargs)
                     usr.user_data = old
                     Session().add(usr)
                     log.debug('updated userdata with ', kwargs)
                 def update_lastlogin(self):
                     """Update user lastlogin"""
                     self.last_login = datetime.datetime.now()
                     Session().add(self)
                     log.debug('updated user %s lastlogin', self.username)
                 def update_password(self, new_password):
                     from rhodecode.lib.auth import get_crypt_password
                     self.password = get_crypt_password(new_password)
                     Session().add(self)
                 @classmethod
                 def get_first_super_admin(cls):
                     user = User.query()\
                         .filter(User.admin == true()) \
                         .order_by(User.user_id.asc()) \
                         .first()
                     if user is None:
                         raise Exception('FATAL: Missing administrative account!')
                     return user
                 @classmethod
                 def get_all_super_admins(cls):
                     """
                     Returns all admin accounts sorted by username
                     """
                     return User.query().filter(User.admin == true())\
                         .order_by(User.username.asc()).all()
                 @classmethod
                 def get_default_user(cls, cache=False, refresh=False):
                     user = User.get_by_username(User.DEFAULT_USER, cache=cache)
                     if user is None:
                         raise Exception('FATAL: Missing default account!')
                     if refresh:
                         # The default user might be based on outdated state which
                         # has been loaded from the cache.
                         # A call to refresh() ensures that the
                         # latest state from the database is used.
                         Session().refresh(user)
                     return user
                 def _get_default_perms(self, user, suffix=''):
                     from rhodecode.model.permission import PermissionModel
                     return PermissionModel().get_default_perms(user.user_perms, suffix)
                 def get_default_perms(self, suffix=''):
                     return self._get_default_perms(self, suffix)
                 def get_api_data(self, include_secrets=False, details='full'):
                     """
                     Common function for generating user related data for API
                     :param include_secrets: By default secrets in the API data will be replaced
                        by a placeholder value to prevent exposing this data by accident. In case
                        this data shall be exposed, set this flag to ``True``.
                     :param details: details can be 'basic|full' basic gives only a subset of
                        the available user information that includes user_id, name and emails.
                     """
                     user = self
                     user_data = self.user_data
                     data = {
                         'user_id': user.user_id,
                         'username': user.username,
                         'firstname': user.name,
                         'lastname': user.lastname,
                         'email': user.email,
                         'emails': user.emails,
                     }
                     if details == 'basic':
                         return data
                     auth_token_length = 40
                     auth_token_replacement = '*' * auth_token_length
                     extras = {
                         'auth_tokens': [auth_token_replacement],
                         'active': user.active,
                         'admin': user.admin,
                         'extern_type': user.extern_type,
                         'extern_name': user.extern_name,
                         'last_login': user.last_login,
                         'last_activity': user.last_activity,
                         'ip_addresses': user.ip_addresses,
                         'language': user_data.get('language')
                     }
                     data.update(extras)
                     if include_secrets:
                         data['auth_tokens'] = user.auth_tokens
                     return data
                 def __json__(self):
                     data = {
                         'full_name': self.full_name,
                         'full_name_or_username': self.full_name_or_username,
                         'short_contact': self.short_contact,
                         'full_contact': self.full_contact,
                     }
                     data.update(self.get_api_data())
                     return data
             class UserApiKeys(Base, BaseModel):
                 __tablename__ = 'user_api_keys'
                 __table_args__ = (
                     Index('uak_api_key_idx', 'api_key', unique=True),
                     Index('uak_api_key_expires_idx', 'api_key', 'expires'),
                     base_table_args
                 )
                 __mapper_args__ = {}
                 # ApiKey role
                 ROLE_ALL = 'token_role_all'
                 ROLE_HTTP = 'token_role_http'
                 ROLE_VCS = 'token_role_vcs'
                 ROLE_API = 'token_role_api'
                 ROLE_FEED = 'token_role_feed'
                 ROLE_PASSWORD_RESET = 'token_password_reset'
                 ROLES = [ROLE_ALL, ROLE_HTTP, ROLE_VCS, ROLE_API, ROLE_FEED]
                 user_api_key_id = Column("user_api_key_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=True, unique=None, default=None)
                 api_key = Column("api_key", String(255), nullable=False, unique=True)
                 description = Column('description', UnicodeText().with_variant(UnicodeText(1024), 'mysql'))
                 expires = Column('expires', Float(53), nullable=False)
                 role = Column('role', String(255), nullable=True)
                 created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 # scope columns
                 repo_id = Column(
                     'repo_id', Integer(), ForeignKey('repositories.repo_id'),
                     nullable=True, unique=None, default=None)
                 repo = relationship('Repository', lazy='joined')
                 repo_group_id = Column(
                     'repo_group_id', Integer(), ForeignKey('groups.group_id'),
                     nullable=True, unique=None, default=None)
                 repo_group = relationship('RepoGroup', lazy='joined')
                 user = relationship('User', lazy='joined')
                 def __unicode__(self):
                     return u"<%s('%s')>" % (self.__class__.__name__, self.role)
                 def __json__(self):
                     data = {
                         'auth_token': self.api_key,
                         'role': self.role,
                         'scope': self.scope_humanized,
                         'expired': self.expired
                     }
                     return data
                 def get_api_data(self, include_secrets=False):
                     data = self.__json__()
                     if include_secrets:
                         return data
                     else:
                         data['auth_token'] = self.token_obfuscated
                         return data
                 @hybrid_property
                 def description_safe(self):
                     from rhodecode.lib import helpers as h
                     return h.escape(self.description)
                 @property
                 def expired(self):
                     if self.expires == -1:
                         return False
                     return time.time() > self.expires
                 @classmethod
                 def _get_role_name(cls, role):
                     return {
                         cls.ROLE_ALL: _('all'),
                         cls.ROLE_HTTP: _('http/web interface'),
                         cls.ROLE_VCS: _('vcs (git/hg/svn protocol)'),
                         cls.ROLE_API: _('api calls'),
                         cls.ROLE_FEED: _('feed access'),
                     }.get(role, role)
                 @property
                 def role_humanized(self):
                     return self._get_role_name(self.role)
                 def _get_scope(self):
                     if self.repo:
                         return repr(self.repo)
                     if self.repo_group:
                         return repr(self.repo_group) + ' (recursive)'
                     return 'global'
                 @property
                 def scope_humanized(self):
                     return self._get_scope()
                 @property
                 def token_obfuscated(self):
                     if self.api_key:
                         return self.api_key[:4] + "****"
             class UserEmailMap(Base, BaseModel):
                 __tablename__ = 'user_email_map'
                 __table_args__ = (
                     Index('uem_email_idx', 'email'),
                     UniqueConstraint('email'),
                     base_table_args
                 )
                 __mapper_args__ = {}
                 email_id = Column("email_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=True, unique=None, default=None)
                 _email = Column("email", String(255), nullable=True, unique=False, default=None)
                 user = relationship('User', lazy='joined')
                 @validates('_email')
                 def validate_email(self, key, email):
                     # check if this email is not main one
                     main_email = Session().query(User).filter(User.email == email).scalar()
                     if main_email is not None:
                         raise AttributeError('email %s is present is user table' % email)
                     return email
                 @hybrid_property
                 def email(self):
                     return self._email
                 @email.setter
                 def email(self, val):
                     self._email = val.lower() if val else None
             class UserIpMap(Base, BaseModel):
                 __tablename__ = 'user_ip_map'
                 __table_args__ = (
                     UniqueConstraint('user_id', 'ip_addr'),
                     base_table_args
                 )
                 __mapper_args__ = {}
                 ip_id = Column("ip_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=True, unique=None, default=None)
                 ip_addr = Column("ip_addr", String(255), nullable=True, unique=False, default=None)
                 active = Column("active", Boolean(), nullable=True, unique=None, default=True)
                 description = Column("description", String(10000), nullable=True, unique=None, default=None)
                 user = relationship('User', lazy='joined')
                 @hybrid_property
                 def description_safe(self):
                     from rhodecode.lib import helpers as h
                     return h.escape(self.description)
                 @classmethod
                 def _get_ip_range(cls, ip_addr):
                     net = ipaddress.ip_network(safe_unicode(ip_addr), strict=False)
                     return [str(net.network_address), str(net.broadcast_address)]
                 def __json__(self):
                     return {
                       'ip_addr': self.ip_addr,
                       'ip_range': self._get_ip_range(self.ip_addr),
                     }
                 def __unicode__(self):
                     return u"<%s('user_id:%s=>%s')>" % (self.__class__.__name__,
                                                         self.user_id, self.ip_addr)
             class UserSshKeys(Base, BaseModel):
                 __tablename__ = 'user_ssh_keys'
                 __table_args__ = (
                     Index('usk_ssh_key_fingerprint_idx', 'ssh_key_fingerprint'),
                     UniqueConstraint('ssh_key_fingerprint'),
                     base_table_args
                 )
                 __mapper_args__ = {}
                 ssh_key_id = Column('ssh_key_id', Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 ssh_key_data = Column('ssh_key_data', String(10240), nullable=False, unique=None, default=None)
                 ssh_key_fingerprint = Column('ssh_key_fingerprint', String(255), nullable=False, unique=None, default=None)
                 description = Column('description', UnicodeText().with_variant(UnicodeText(1024), 'mysql'))
                 created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 accessed_on = Column('accessed_on', DateTime(timezone=False), nullable=True, default=None)
                 user_id = Column('user_id', Integer(), ForeignKey('users.user_id'), nullable=True, unique=None, default=None)
                 user = relationship('User', lazy='joined')
                 def __json__(self):
                     data = {
                         'ssh_fingerprint': self.ssh_key_fingerprint,
                         'description': self.description,
                         'created_on': self.created_on
                     }
                     return data
                 def get_api_data(self):
                     data = self.__json__()
                     return data
             class UserLog(Base, BaseModel):
                 __tablename__ = 'user_logs'
                 __table_args__ = (
                     base_table_args,
                 )
                 VERSION_1 = 'v1'
                 VERSION_2 = 'v2'
                 VERSIONS = [VERSION_1, VERSION_2]
                 user_log_id = Column("user_log_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id',ondelete='SET NULL'), nullable=True, unique=None, default=None)
                 username = Column("username", String(255), nullable=True, unique=None, default=None)
                 repository_id = Column("repository_id", Integer(), ForeignKey('repositories.repo_id', ondelete='SET NULL'), nullable=True, unique=None, default=None)
                 repository_name = Column("repository_name", String(255), nullable=True, unique=None, default=None)
                 user_ip = Column("user_ip", String(255), nullable=True, unique=None, default=None)
                 action = Column("action", Text().with_variant(Text(1200000), 'mysql'), nullable=True, unique=None, default=None)
                 action_date = Column("action_date", DateTime(timezone=False), nullable=True, unique=None, default=None)
                 version = Column("version", String(255), nullable=True, default=VERSION_1)
                 user_data = Column('user_data_json', MutationObj.as_mutable(JsonType(dialect_map=dict(mysql=LONGTEXT()))))
                 action_data = Column('action_data_json', MutationObj.as_mutable(JsonType(dialect_map=dict(mysql=LONGTEXT()))))
                 def __unicode__(self):
                     return u"<%s('id:%s:%s')>" % (
                         self.__class__.__name__, self.repository_name, self.action)
                 def __json__(self):
                     return {
                         'user_id': self.user_id,
                         'username': self.username,
                         'repository_id': self.repository_id,
                         'repository_name': self.repository_name,
                         'user_ip': self.user_ip,
                         'action_date': self.action_date,
                         'action': self.action,
                     }
                 @hybrid_property
                 def entry_id(self):
                     return self.user_log_id
                 @property
                 def action_as_day(self):
                     return datetime.date(*self.action_date.timetuple()[:3])
                 user = relationship('User')
                 repository = relationship('Repository', cascade='')
             class UserGroup(Base, BaseModel):
                 __tablename__ = 'users_groups'
                 __table_args__ = (
                     base_table_args,
                 )
                 users_group_id = Column("users_group_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 users_group_name = Column("users_group_name", String(255), nullable=False, unique=True, default=None)
                 user_group_description = Column("user_group_description", String(10000), nullable=True, unique=None, default=None)
                 users_group_active = Column("users_group_active", Boolean(), nullable=True, unique=None, default=None)
                 inherit_default_permissions = Column("users_group_inherit_default_permissions", Boolean(), nullable=False, unique=None, default=True)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=False, default=None)
                 created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 _group_data = Column("group_data", LargeBinary(), nullable=True)  # JSON data
                 members = relationship('UserGroupMember', cascade="all, delete, delete-orphan", lazy="joined")
                 users_group_to_perm = relationship('UserGroupToPerm', cascade='all')
                 users_group_repo_to_perm = relationship('UserGroupRepoToPerm', cascade='all')
                 users_group_repo_group_to_perm = relationship('UserGroupRepoGroupToPerm', cascade='all')
                 user_user_group_to_perm = relationship('UserUserGroupToPerm', cascade='all')
                 user_group_user_group_to_perm = relationship('UserGroupUserGroupToPerm ', primaryjoin="UserGroupUserGroupToPerm.target_user_group_id==UserGroup.users_group_id", cascade='all')
                 user_group_review_rules = relationship('RepoReviewRuleUserGroup', cascade='all')
                 user = relationship('User', primaryjoin="User.user_id==UserGroup.user_id")
                 @classmethod
                 def _load_group_data(cls, column):
                     if not column:
                         return {}
                     try:
                         return json.loads(column) or {}
                     except TypeError:
                         return {}
                 @hybrid_property
                 def description_safe(self):
                     from rhodecode.lib import helpers as h
                     return h.escape(self.user_group_description)
                 @hybrid_property
                 def group_data(self):
                     return self._load_group_data(self._group_data)
                 @group_data.expression
                 def group_data(self, **kwargs):
                     return self._group_data
                 @group_data.setter
                 def group_data(self, val):
                     try:
                         self._group_data = json.dumps(val)
                     except Exception:
                         log.error(traceback.format_exc())
                 @classmethod
                 def _load_sync(cls, group_data):
                     if group_data:
                         return group_data.get('extern_type')
                 @property
                 def sync(self):
                     return self._load_sync(self.group_data)
                 def __unicode__(self):
                     return u"<%s('id:%s:%s')>" % (self.__class__.__name__,
                                                   self.users_group_id,
                                                   self.users_group_name)
                 @classmethod
                 def get_by_group_name(cls, group_name, cache=False,
                                       case_insensitive=False):
                     if case_insensitive:
                         q = cls.query().filter(func.lower(cls.users_group_name) ==
                                                func.lower(group_name))
                     else:
                         q = cls.query().filter(cls.users_group_name == group_name)
                     if cache:
                         q = q.options(
                             FromCache("sql_cache_short", "get_group_%s" % _hash_key(group_name)))
                     return q.scalar()
                 @classmethod
                 def get(cls, user_group_id, cache=False):
                     if not user_group_id:
                         return
                     user_group = cls.query()
                     if cache:
                         user_group = user_group.options(
                             FromCache("sql_cache_short", "get_users_group_%s" % user_group_id))
                     return user_group.get(user_group_id)
                 def permissions(self, with_admins=True, with_owner=True):
                     """
                     Permissions for user groups
                     """
                     _admin_perm = 'usergroup.admin'
                     owner_row = []
                     if with_owner:
                         usr = AttributeDict(self.user.get_dict())
                         usr.owner_row = True
                         usr.permission = _admin_perm
                         owner_row.append(usr)
                     super_admin_ids = []
                     super_admin_rows = []
                     if with_admins:
                         for usr in User.get_all_super_admins():
                             super_admin_ids.append(usr.user_id)
                             # if this admin is also owner, don't double the record
                             if usr.user_id == owner_row[0].user_id:
                                 owner_row[0].admin_row = True
                             else:
                                 usr = AttributeDict(usr.get_dict())
                                 usr.admin_row = True
                                 usr.permission = _admin_perm
                                 super_admin_rows.append(usr)
                     q = UserUserGroupToPerm.query().filter(UserUserGroupToPerm.user_group == self)
                     q = q.options(joinedload(UserUserGroupToPerm.user_group),
                                   joinedload(UserUserGroupToPerm.user),
                                   joinedload(UserUserGroupToPerm.permission),)
                     # get owners and admins and permissions. We do a trick of re-writing
                     # objects from sqlalchemy to named-tuples due to sqlalchemy session
                     # has a global reference and changing one object propagates to all
                     # others. This means if admin is also an owner admin_row that change
                     # would propagate to both objects
                     perm_rows = []
                     for _usr in q.all():
                         usr = AttributeDict(_usr.user.get_dict())
                         # if this user is also owner/admin, mark as duplicate record
                         if usr.user_id == owner_row[0].user_id or usr.user_id in super_admin_ids:
                             usr.duplicate_perm = True
                         usr.permission = _usr.permission.permission_name
                         perm_rows.append(usr)
                     # filter the perm rows by 'default' first and then sort them by
                     # admin,write,read,none permissions sorted again alphabetically in
                     # each group
                     perm_rows = sorted(perm_rows, key=display_user_sort)
                     return super_admin_rows + owner_row + perm_rows
                 def permission_user_groups(self):
                     q = UserGroupUserGroupToPerm.query().filter(UserGroupUserGroupToPerm.target_user_group == self)
                     q = q.options(joinedload(UserGroupUserGroupToPerm.user_group),
                                   joinedload(UserGroupUserGroupToPerm.target_user_group),
                                   joinedload(UserGroupUserGroupToPerm.permission),)
                     perm_rows = []
                     for _user_group in q.all():
                         usr = AttributeDict(_user_group.user_group.get_dict())
                         usr.permission = _user_group.permission.permission_name
                         perm_rows.append(usr)
                     perm_rows = sorted(perm_rows, key=display_user_group_sort)
                     return perm_rows
                 def _get_default_perms(self, user_group, suffix=''):
                     from rhodecode.model.permission import PermissionModel
                     return PermissionModel().get_default_perms(user_group.users_group_to_perm, suffix)
                 def get_default_perms(self, suffix=''):
                     return self._get_default_perms(self, suffix)
                 def get_api_data(self, with_group_members=True, include_secrets=False):
                     """
                     :param include_secrets: See :meth:`User.get_api_data`, this parameter is
                        basically forwarded.
                     """
                     user_group = self
                     data = {
                         'users_group_id': user_group.users_group_id,
                         'group_name': user_group.users_group_name,
                         'group_description': user_group.user_group_description,
                         'active': user_group.users_group_active,
                         'owner': user_group.user.username,
                         'sync': user_group.sync,
                         'owner_email': user_group.user.email,
                     }
                     if with_group_members:
                         users = []
                         for user in user_group.members:
                             user = user.user
                             users.append(user.get_api_data(include_secrets=include_secrets))
                         data['users'] = users
                     return data
             class UserGroupMember(Base, BaseModel):
                 __tablename__ = 'users_groups_members'
                 __table_args__ = (
                     base_table_args,
                 )
                 users_group_member_id = Column("users_group_member_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 users_group_id = Column("users_group_id", Integer(), ForeignKey('users_groups.users_group_id'), nullable=False, unique=None, default=None)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=None, default=None)
                 user = relationship('User', lazy='joined')
                 users_group = relationship('UserGroup')
                 def __init__(self, gr_id='', u_id=''):
                     self.users_group_id = gr_id
                     self.user_id = u_id
             class RepositoryField(Base, BaseModel):
                 __tablename__ = 'repositories_fields'
                 __table_args__ = (
                     UniqueConstraint('repository_id', 'field_key'),  # no-multi field
                     base_table_args,
                 )
                 PREFIX = 'ex_'  # prefix used in form to not conflict with already existing fields
                 repo_field_id = Column("repo_field_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 repository_id = Column("repository_id", Integer(), ForeignKey('repositories.repo_id'), nullable=False, unique=None, default=None)
                 field_key = Column("field_key", String(250))
                 field_label = Column("field_label", String(1024), nullable=False)
                 field_value = Column("field_value", String(10000), nullable=False)
                 field_desc = Column("field_desc", String(1024), nullable=False)
                 field_type = Column("field_type", String(255), nullable=False, unique=None)
                 created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 repository = relationship('Repository')
                 @property
                 def field_key_prefixed(self):
                     return 'ex_%s' % self.field_key
                 @classmethod
                 def un_prefix_key(cls, key):
                     if key.startswith(cls.PREFIX):
                         return key[len(cls.PREFIX):]
                     return key
                 @classmethod
                 def get_by_key_name(cls, key, repo):
                     row = cls.query()\
                             .filter(cls.repository == repo)\
                             .filter(cls.field_key == key).scalar()
                     return row
             class Repository(Base, BaseModel):
                 __tablename__ = 'repositories'
                 __table_args__ = (
                     Index('r_repo_name_idx', 'repo_name', mysql_length=255),
                     base_table_args,
                 )
                 DEFAULT_CLONE_URI = '{scheme}://{user}@{netloc}/{repo}'
                 DEFAULT_CLONE_URI_ID = '{scheme}://{user}@{netloc}/_{repoid}'
                 DEFAULT_CLONE_URI_SSH = 'ssh://{sys_user}@{hostname}/{repo}'
                 STATE_CREATED = 'repo_state_created'
                 STATE_PENDING = 'repo_state_pending'
                 STATE_ERROR = 'repo_state_error'
                 LOCK_AUTOMATIC = 'lock_auto'
                 LOCK_API = 'lock_api'
                 LOCK_WEB = 'lock_web'
                 LOCK_PULL = 'lock_pull'
                 NAME_SEP = URL_SEP
                 repo_id = Column(
                     "repo_id", Integer(), nullable=False, unique=True, default=None,
                     primary_key=True)
                 _repo_name = Column(
                     "repo_name", Text(), nullable=False, default=None)
                 _repo_name_hash = Column(
                     "repo_name_hash", String(255), nullable=False, unique=True)
                 repo_state = Column("repo_state", String(255), nullable=True)
                 clone_uri = Column(
                     "clone_uri", EncryptedTextValue(), nullable=True, unique=False,
                     default=None)
                 push_uri = Column(
                     "push_uri", EncryptedTextValue(), nullable=True, unique=False,
                     default=None)
                 repo_type = Column(
                     "repo_type", String(255), nullable=False, unique=False, default=None)
                 user_id = Column(
                     "user_id", Integer(), ForeignKey('users.user_id'), nullable=False,
                     unique=False, default=None)
                 private = Column(
                     "private", Boolean(), nullable=True, unique=None, default=None)
                 archived = Column(
                     "archived", Boolean(), nullable=True, unique=None, default=None)
                 enable_statistics = Column(
                     "statistics", Boolean(), nullable=True, unique=None, default=True)
                 enable_downloads = Column(
                     "downloads", Boolean(), nullable=True, unique=None, default=True)
                 description = Column(
                     "description", String(10000), nullable=True, unique=None, default=None)
                 created_on = Column(
                     'created_on', DateTime(timezone=False), nullable=True, unique=None,
                     default=datetime.datetime.now)
                 updated_on = Column(
                     'updated_on', DateTime(timezone=False), nullable=True, unique=None,
                     default=datetime.datetime.now)
                 _landing_revision = Column(
                     "landing_revision", String(255), nullable=False, unique=False,
                     default=None)
                 enable_locking = Column(
                     "enable_locking", Boolean(), nullable=False, unique=None,
                     default=False)
                 _locked = Column(
                     "locked", String(255), nullable=True, unique=False, default=None)
                 _changeset_cache = Column(
                     "changeset_cache", LargeBinary(), nullable=True)  # JSON data
                 fork_id = Column(
                     "fork_id", Integer(), ForeignKey('repositories.repo_id'),
                     nullable=True, unique=False, default=None)
                 group_id = Column(
                     "group_id", Integer(), ForeignKey('groups.group_id'), nullable=True,
                     unique=False, default=None)
                 user = relationship('User', lazy='joined')
                 fork = relationship('Repository', remote_side=repo_id, lazy='joined')
                 group = relationship('RepoGroup', lazy='joined')
                 repo_to_perm = relationship(
                     'UserRepoToPerm', cascade='all',
                     order_by='UserRepoToPerm.repo_to_perm_id')
                 users_group_to_perm = relationship('UserGroupRepoToPerm', cascade='all')
                 stats = relationship('Statistics', cascade='all', uselist=False)
                 followers = relationship(
                     'UserFollowing',
                     primaryjoin='UserFollowing.follows_repo_id==Repository.repo_id',
                     cascade='all')
                 extra_fields = relationship(
                     'RepositoryField', cascade="all, delete, delete-orphan")
                 logs = relationship('UserLog')
                 comments = relationship(
                     'ChangesetComment', cascade="all, delete, delete-orphan")
                 pull_requests_source = relationship(
                     'PullRequest',
                     primaryjoin='PullRequest.source_repo_id==Repository.repo_id',
                     cascade="all, delete, delete-orphan")
                 pull_requests_target = relationship(
                     'PullRequest',
                     primaryjoin='PullRequest.target_repo_id==Repository.repo_id',
                     cascade="all, delete, delete-orphan")
                 ui = relationship('RepoRhodeCodeUi', cascade="all")
                 settings = relationship('RepoRhodeCodeSetting', cascade="all")
                 integrations = relationship('Integration',
                                             cascade="all, delete, delete-orphan")
                 scoped_tokens = relationship('UserApiKeys', cascade="all")
                 def __unicode__(self):
                     return u"<%s('%s:%s')>" % (self.__class__.__name__, self.repo_id,
                                                safe_unicode(self.repo_name))
                 @hybrid_property
                 def description_safe(self):
                     from rhodecode.lib import helpers as h
                     return h.escape(self.description)
                 @hybrid_property
                 def landing_rev(self):
                     # always should return [rev_type, rev]
                     if self._landing_revision:
                         _rev_info = self._landing_revision.split(':')
                         if len(_rev_info) < 2:
                             _rev_info.insert(0, 'rev')
                         return [_rev_info[0], _rev_info[1]]
                     return [None, None]
                 @landing_rev.setter
                 def landing_rev(self, val):
                     if ':' not in val:
                         raise ValueError('value must be delimited with `:` and consist '
                                          'of <rev_type>:<rev>, got %s instead' % val)
                     self._landing_revision = val
                 @hybrid_property
                 def locked(self):
                     if self._locked:
                         user_id, timelocked, reason = self._locked.split(':')
                         lock_values = int(user_id), timelocked, reason
                     else:
                         lock_values = [None, None, None]
                     return lock_values
                 @locked.setter
                 def locked(self, val):
                     if val and isinstance(val, (list, tuple)):
                         self._locked = ':'.join(map(str, val))
                     else:
                         self._locked = None
                 @hybrid_property
                 def changeset_cache(self):
                     from rhodecode.lib.vcs.backends.base import EmptyCommit
                     dummy = EmptyCommit().__json__()
                     if not self._changeset_cache:
                         return dummy
                     try:
                         return json.loads(self._changeset_cache)
                     except TypeError:
                         return dummy
                     except Exception:
                         log.error(traceback.format_exc())
                         return dummy
                 @changeset_cache.setter
                 def changeset_cache(self, val):
                     try:
                         self._changeset_cache = json.dumps(val)
                     except Exception:
                         log.error(traceback.format_exc())
                 @hybrid_property
                 def repo_name(self):
                     return self._repo_name
                 @repo_name.setter
                 def repo_name(self, value):
                     self._repo_name = value
                     self._repo_name_hash = hashlib.sha1(safe_str(value)).hexdigest()
                 @classmethod
                 def normalize_repo_name(cls, repo_name):
                     """
                     Normalizes os specific repo_name to the format internally stored inside
                     database using URL_SEP
                     :param cls:
                     :param repo_name:
                     """
                     return cls.NAME_SEP.join(repo_name.split(os.sep))
                 @classmethod
                 def get_by_repo_name(cls, repo_name, cache=False, identity_cache=False):
                     session = Session()
                     q = session.query(cls).filter(cls.repo_name == repo_name)
                     if cache:
                         if identity_cache:
                             val = cls.identity_cache(session, 'repo_name', repo_name)
                             if val:
                                 return val
                         else:
                             cache_key = "get_repo_by_name_%s" % _hash_key(repo_name)
                             q = q.options(
                                 FromCache("sql_cache_short", cache_key))
                     return q.scalar()
                 @classmethod
                 def get_by_id_or_repo_name(cls, repoid):
                     if isinstance(repoid, (int, long)):
                         try:
                             repo = cls.get(repoid)
                         except ValueError:
                             repo = None
                     else:
                         repo = cls.get_by_repo_name(repoid)
                     return repo
                 @classmethod
                 def get_by_full_path(cls, repo_full_path):
                     repo_name = repo_full_path.split(cls.base_path(), 1)[-1]
                     repo_name = cls.normalize_repo_name(repo_name)
                     return cls.get_by_repo_name(repo_name.strip(URL_SEP))
                 @classmethod
                 def get_repo_forks(cls, repo_id):
                     return cls.query().filter(Repository.fork_id == repo_id)
                 @classmethod
                 def base_path(cls):
                     """
                     Returns base path when all repos are stored
                     :param cls:
                     """
                     q = Session().query(RhodeCodeUi)\
                         .filter(RhodeCodeUi.ui_key == cls.NAME_SEP)
                     q = q.options(FromCache("sql_cache_short", "repository_repo_path"))
                     return q.one().ui_value
                 @classmethod
                 def get_all_repos(cls, user_id=Optional(None), group_id=Optional(None),
                                   case_insensitive=True, archived=False):
                     q = Repository.query()
                     if not archived:
                         q = q.filter(Repository.archived.isnot(true()))
                     if not isinstance(user_id, Optional):
                         q = q.filter(Repository.user_id == user_id)
                     if not isinstance(group_id, Optional):
                         q = q.filter(Repository.group_id == group_id)
                     if case_insensitive:
                         q = q.order_by(func.lower(Repository.repo_name))
                     else:
                         q = q.order_by(Repository.repo_name)
                     return q.all()
                 @property
                 def forks(self):
                     """
                     Return forks of this repo
                     """
                     return Repository.get_repo_forks(self.repo_id)
                 @property
                 def parent(self):
                     """
                     Returns fork parent
                     """
                     return self.fork
                 @property
                 def just_name(self):
                     return self.repo_name.split(self.NAME_SEP)[-1]
                 @property
                 def groups_with_parents(self):
                     groups = []
                     if self.group is None:
                         return groups
                     cur_gr = self.group
                     groups.insert(0, cur_gr)
                     while 1:
                         gr = getattr(cur_gr, 'parent_group', None)
                         cur_gr = cur_gr.parent_group
                         if gr is None:
                             break
                         groups.insert(0, gr)
                     return groups
                 @property
                 def groups_and_repo(self):
                     return self.groups_with_parents, self
                 @LazyProperty
                 def repo_path(self):
                     """
                     Returns base full path for that repository means where it actually
                     exists on a filesystem
                     """
                     q = Session().query(RhodeCodeUi).filter(
                         RhodeCodeUi.ui_key == self.NAME_SEP)
                     q = q.options(FromCache("sql_cache_short", "repository_repo_path"))
                     return q.one().ui_value
                 @property
                 def repo_full_path(self):
                     p = [self.repo_path]
                     # we need to split the name by / since this is how we store the
                     # names in the database, but that eventually needs to be converted
                     # into a valid system path
                     p += self.repo_name.split(self.NAME_SEP)
                     return os.path.join(*map(safe_unicode, p))
                 @property
                 def cache_keys(self):
                     """
                     Returns associated cache keys for that repo
                     """
                     invalidation_namespace = CacheKey.REPO_INVALIDATION_NAMESPACE.format(
                         repo_id=self.repo_id)
                     return CacheKey.query()\
                         .filter(CacheKey.cache_args == invalidation_namespace)\
                         .order_by(CacheKey.cache_key)\
                         .all()
                 @property
                 def cached_diffs_relative_dir(self):
                     """
                     Return a relative to the repository store path of cached diffs
                     used for safe display for users, who shouldn't know the absolute store
                     path
                     """
                     return os.path.join(
                         os.path.dirname(self.repo_name),
                         self.cached_diffs_dir.split(os.path.sep)[-1])
                 @property
                 def cached_diffs_dir(self):
                     path = self.repo_full_path
                     return os.path.join(
                         os.path.dirname(path),
                         '.__shadow_diff_cache_repo_{}'.format(self.repo_id))
                 def cached_diffs(self):
                     diff_cache_dir = self.cached_diffs_dir
                     if os.path.isdir(diff_cache_dir):
                         return os.listdir(diff_cache_dir)
                     return []
                 def shadow_repos(self):
                     shadow_repos_pattern = '.__shadow_repo_{}'.format(self.repo_id)
                     return [
                         x for x in os.listdir(os.path.dirname(self.repo_full_path))
                         if x.startswith(shadow_repos_pattern)]
                 def get_new_name(self, repo_name):
                     """
                     returns new full repository name based on assigned group and new new
                     :param group_name:
                     """
                     path_prefix = self.group.full_path_splitted if self.group else []
                     return self.NAME_SEP.join(path_prefix + [repo_name])
                 @property
                 def _config(self):
                     """
                     Returns db based config object.
                     """
                     from rhodecode.lib.utils import make_db_config
                     return make_db_config(clear_session=False, repo=self)
                 def permissions(self, with_admins=True, with_owner=True):
                     """
                     Permissions for repositories
                     """
                     _admin_perm = 'repository.admin'
                     owner_row = []
                     if with_owner:
                         usr = AttributeDict(self.user.get_dict())
                         usr.owner_row = True
                         usr.permission = _admin_perm
                         usr.permission_id = None
                         owner_row.append(usr)
                     super_admin_ids = []
                     super_admin_rows = []
                     if with_admins:
                         for usr in User.get_all_super_admins():
                             super_admin_ids.append(usr.user_id)
                             # if this admin is also owner, don't double the record
                             if usr.user_id == owner_row[0].user_id:
                                 owner_row[0].admin_row = True
                             else:
                                 usr = AttributeDict(usr.get_dict())
                                 usr.admin_row = True
                                 usr.permission = _admin_perm
                                 usr.permission_id = None
                                 super_admin_rows.append(usr)
                     q = UserRepoToPerm.query().filter(UserRepoToPerm.repository == self)
                     q = q.options(joinedload(UserRepoToPerm.repository),
                                   joinedload(UserRepoToPerm.user),
                                   joinedload(UserRepoToPerm.permission),)
                     # get owners and admins and permissions. We do a trick of re-writing
                     # objects from sqlalchemy to named-tuples due to sqlalchemy session
                     # has a global reference and changing one object propagates to all
                     # others. This means if admin is also an owner admin_row that change
                     # would propagate to both objects
                     perm_rows = []
                     for _usr in q.all():
                         usr = AttributeDict(_usr.user.get_dict())
                         # if this user is also owner/admin, mark as duplicate record
                         if usr.user_id == owner_row[0].user_id or usr.user_id in super_admin_ids:
                             usr.duplicate_perm = True
                         # also check if this permission is maybe used by branch_permissions
                         if _usr.branch_perm_entry:
                             usr.branch_rules = [x.branch_rule_id for x in _usr.branch_perm_entry]
                         usr.permission = _usr.permission.permission_name
                         usr.permission_id = _usr.repo_to_perm_id
                         perm_rows.append(usr)
                     # filter the perm rows by 'default' first and then sort them by
                     # admin,write,read,none permissions sorted again alphabetically in
                     # each group
                     perm_rows = sorted(perm_rows, key=display_user_sort)
                     return super_admin_rows + owner_row + perm_rows
                 def permission_user_groups(self):
                     q = UserGroupRepoToPerm.query().filter(
                         UserGroupRepoToPerm.repository == self)
                     q = q.options(joinedload(UserGroupRepoToPerm.repository),
                                   joinedload(UserGroupRepoToPerm.users_group),
                                   joinedload(UserGroupRepoToPerm.permission),)
                     perm_rows = []
                     for _user_group in q.all():
                         usr = AttributeDict(_user_group.users_group.get_dict())
                         usr.permission = _user_group.permission.permission_name
                         perm_rows.append(usr)
                     perm_rows = sorted(perm_rows, key=display_user_group_sort)
                     return perm_rows
                 def get_api_data(self, include_secrets=False):
                     """
                     Common function for generating repo api data
                     :param include_secrets: See :meth:`User.get_api_data`.
                     """
                     # TODO: mikhail: Here there is an anti-pattern, we probably need to
                     # move this methods on models level.
                     from rhodecode.model.settings import SettingsModel
                     from rhodecode.model.repo import RepoModel
                     repo = self
                     _user_id, _time, _reason = self.locked
                     data = {
                         'repo_id': repo.repo_id,
                         'repo_name': repo.repo_name,
                         'repo_type': repo.repo_type,
                         'clone_uri': repo.clone_uri or '',
                         'push_uri': repo.push_uri or '',
                         'url': RepoModel().get_url(self),
                         'private': repo.private,
                         'created_on': repo.created_on,
                         'description': repo.description_safe,
                         'landing_rev': repo.landing_rev,
                         'owner': repo.user.username,
                         'fork_of': repo.fork.repo_name if repo.fork else None,
                         'fork_of_id': repo.fork.repo_id if repo.fork else None,
                         'enable_statistics': repo.enable_statistics,
                         'enable_locking': repo.enable_locking,
                         'enable_downloads': repo.enable_downloads,
                         'last_changeset': repo.changeset_cache,
                         'locked_by': User.get(_user_id).get_api_data(
                             include_secrets=include_secrets) if _user_id else None,
                         'locked_date': time_to_datetime(_time) if _time else None,
                         'lock_reason': _reason if _reason else None,
                     }
                     # TODO: mikhail: should be per-repo settings here
                     rc_config = SettingsModel().get_all_settings()
                     repository_fields = str2bool(
                         rc_config.get('rhodecode_repository_fields'))
                     if repository_fields:
                         for f in self.extra_fields:
                             data[f.field_key_prefixed] = f.field_value
                     return data
                 @classmethod
                 def lock(cls, repo, user_id, lock_time=None, lock_reason=None):
                     if not lock_time:
                         lock_time = time.time()
                     if not lock_reason:
                         lock_reason = cls.LOCK_AUTOMATIC
                     repo.locked = [user_id, lock_time, lock_reason]
                     Session().add(repo)
                     Session().commit()
                 @classmethod
                 def unlock(cls, repo):
                     repo.locked = None
                     Session().add(repo)
                     Session().commit()
                 @classmethod
                 def getlock(cls, repo):
                     return repo.locked
                 def is_user_lock(self, user_id):
                     if self.lock[0]:
                         lock_user_id = safe_int(self.lock[0])
                         user_id = safe_int(user_id)
                         # both are ints, and they are equal
                         return all([lock_user_id, user_id]) and lock_user_id == user_id
                     return False
                 def get_locking_state(self, action, user_id, only_when_enabled=True):
                     """
                     Checks locking on this repository, if locking is enabled and lock is
                     present returns a tuple of make_lock, locked, locked_by.
                     make_lock can have 3 states None (do nothing) True, make lock
                     False release lock, This value is later propagated to hooks, which
                     do the locking. Think about this as signals passed to hooks what to do.
                     """
                     # TODO: johbo: This is part of the business logic and should be moved
                     # into the RepositoryModel.
                     if action not in ('push', 'pull'):
                         raise ValueError("Invalid action value: %s" % repr(action))
                     # defines if locked error should be thrown to user
                     currently_locked = False
                     # defines if new lock should be made, tri-state
                     make_lock = None
                     repo = self
                     user = User.get(user_id)
                     lock_info = repo.locked
                     if repo and (repo.enable_locking or not only_when_enabled):
                         if action == 'push':
                             # check if it's already locked !, if it is compare users
                             locked_by_user_id = lock_info[0]
                             if user.user_id == locked_by_user_id:
                                 log.debug(
                                     'Got `push` action from user %s, now unlocking', user)
                                 # unlock if we have push from user who locked
                                 make_lock = False
                             else:
                                 # we're not the same user who locked, ban with
                                 # code defined in settings (default is 423 HTTP Locked) !
                                 log.debug('Repo %s is currently locked by %s', repo, user)
                                 currently_locked = True
                         elif action == 'pull':
                             # [0] user [1] date
                             if lock_info[0] and lock_info[1]:
                                 log.debug('Repo %s is currently locked by %s', repo, user)
                                 currently_locked = True
                             else:
                                 log.debug('Setting lock on repo %s by %s', repo, user)
                                 make_lock = True
                     else:
                         log.debug('Repository %s do not have locking enabled', repo)
                     log.debug('FINAL locking values make_lock:%s,locked:%s,locked_by:%s',
                               make_lock, currently_locked, lock_info)
                     from rhodecode.lib.auth import HasRepoPermissionAny
                     perm_check = HasRepoPermissionAny('repository.write', 'repository.admin')
                     if make_lock and not perm_check(repo_name=repo.repo_name, user=user):
                         # if we don't have at least write permission we cannot make a lock
                         log.debug('lock state reset back to FALSE due to lack '
                                   'of at least read permission')
                         make_lock = False
                     return make_lock, currently_locked, lock_info
                 @property
                 def last_db_change(self):
                     return self.updated_on
                 @property
                 def clone_uri_hidden(self):
                     clone_uri = self.clone_uri
                     if clone_uri:
                         import urlobject
                         url_obj = urlobject.URLObject(cleaned_uri(clone_uri))
                         if url_obj.password:
                             clone_uri = url_obj.with_password('*****')
                     return clone_uri
                 @property
                 def push_uri_hidden(self):
                     push_uri = self.push_uri
                     if push_uri:
                         import urlobject
                         url_obj = urlobject.URLObject(cleaned_uri(push_uri))
                         if url_obj.password:
                             push_uri = url_obj.with_password('*****')
                     return push_uri
                 def clone_url(self, **override):
                     from rhodecode.model.settings import SettingsModel
                     uri_tmpl = None
                     if 'with_id' in override:
                         uri_tmpl = self.DEFAULT_CLONE_URI_ID
                         del override['with_id']
                     if 'uri_tmpl' in override:
                         uri_tmpl = override['uri_tmpl']
                         del override['uri_tmpl']
                     ssh = False
                     if 'ssh' in override:
                         ssh = True
                         del override['ssh']
                     # we didn't override our tmpl from **overrides
                     if not uri_tmpl:
                         rc_config = SettingsModel().get_all_settings(cache=True)
                         if ssh:
                             uri_tmpl = rc_config.get(
                                 'rhodecode_clone_uri_ssh_tmpl') or self.DEFAULT_CLONE_URI_SSH
                         else:
                             uri_tmpl = rc_config.get(
                                 'rhodecode_clone_uri_tmpl') or self.DEFAULT_CLONE_URI
                     request = get_current_request()
                     return get_clone_url(request=request,
                                          uri_tmpl=uri_tmpl,
                                          repo_name=self.repo_name,
                                          repo_id=self.repo_id, **override)
                 def set_state(self, state):
                     self.repo_state = state
                     Session().add(self)
                 #==========================================================================
                 # SCM PROPERTIES
                 #==========================================================================
                 def get_commit(self, commit_id=None, commit_idx=None, pre_load=None):
                     return get_commit_safe(
                         self.scm_instance(), commit_id, commit_idx, pre_load=pre_load)
                 def get_changeset(self, rev=None, pre_load=None):
                     warnings.warn("Use get_commit", DeprecationWarning)
                     commit_id = None
                     commit_idx = None
                     if isinstance(rev, compat.string_types):
                         commit_id = rev
                     else:
                         commit_idx = rev
                     return self.get_commit(commit_id=commit_id, commit_idx=commit_idx,
                                            pre_load=pre_load)
                 def get_landing_commit(self):
                     """
                     Returns landing commit, or if that doesn't exist returns the tip
                     """
                     _rev_type, _rev = self.landing_rev
                     commit = self.get_commit(_rev)
                     if isinstance(commit, EmptyCommit):
                         return self.get_commit()
                     return commit
                 def update_commit_cache(self, cs_cache=None, config=None):
                     """
                     Update cache of last changeset for repository, keys should be::
                         short_id
                         raw_id
                         revision
                         parents
                         message
                         date
                         author
                     :param cs_cache:
                     """
                     from rhodecode.lib.vcs.backends.base import BaseChangeset
                     if cs_cache is None:
                         # use no-cache version here
                         scm_repo = self.scm_instance(cache=False, config=config)
                         empty = scm_repo.is_empty()
                         if not empty:
                             cs_cache = scm_repo.get_commit(
                                 pre_load=["author", "date", "message", "parents"])
                         else:
                             cs_cache = EmptyCommit()
                     if isinstance(cs_cache, BaseChangeset):
                         cs_cache = cs_cache.__json__()
                     def is_outdated(new_cs_cache):
                         if (new_cs_cache['raw_id'] != self.changeset_cache['raw_id'] or
                             new_cs_cache['revision'] != self.changeset_cache['revision']):
                             return True
                         return False
                     # check if we have maybe already latest cached revision
                     if is_outdated(cs_cache) or not self.changeset_cache:
                         _default = datetime.datetime.utcnow()
                         last_change = cs_cache.get('date') or _default
                         if self.updated_on and self.updated_on > last_change:
                             # we check if last update is newer than the new value
                             # if yes, we use the current timestamp instead. Imagine you get
                             # old commit pushed 1y ago, we'd set last update 1y to ago.
                             last_change = _default
                         log.debug('updated repo %s with new commit cache %s',
                                   self.repo_name, cs_cache)
                         self.updated_on = last_change
                         self.changeset_cache = cs_cache
                         Session().add(self)
                         Session().commit()
                     else:
                         log.debug('Skipping update_commit_cache for repo:`%s` '
                                   'commit already with latest changes', self.repo_name)
                 @property
                 def tip(self):
                     return self.get_commit('tip')
                 @property
                 def author(self):
                     return self.tip.author
                 @property
                 def last_change(self):
                     return self.scm_instance().last_change
                 def get_comments(self, revisions=None):
                     """
                     Returns comments for this repository grouped by revisions
                     :param revisions: filter query by revisions only
                     """
                     cmts = ChangesetComment.query()\
                         .filter(ChangesetComment.repo == self)
                     if revisions:
                         cmts = cmts.filter(ChangesetComment.revision.in_(revisions))
                     grouped = collections.defaultdict(list)
                     for cmt in cmts.all():
                         grouped[cmt.revision].append(cmt)
                     return grouped
                 def statuses(self, revisions=None):
                     """
                     Returns statuses for this repository
                     :param revisions: list of revisions to get statuses for
                     """
                     statuses = ChangesetStatus.query()\
                         .filter(ChangesetStatus.repo == self)\
                         .filter(ChangesetStatus.version == 0)
                     if revisions:
                         # Try doing the filtering in chunks to avoid hitting limits
                         size = 500
                         status_results = []
                         for chunk in xrange(0, len(revisions), size):
                             status_results += statuses.filter(
                                 ChangesetStatus.revision.in_(
                                     revisions[chunk: chunk+size])
                             ).all()
                     else:
                         status_results = statuses.all()
                     grouped = {}
                     # maybe we have open new pullrequest without a status?
                     stat = ChangesetStatus.STATUS_UNDER_REVIEW
                     status_lbl = ChangesetStatus.get_status_lbl(stat)
                     for pr in PullRequest.query().filter(PullRequest.source_repo == self).all():
                         for rev in pr.revisions:
                             pr_id = pr.pull_request_id
                             pr_repo = pr.target_repo.repo_name
                             grouped[rev] = [stat, status_lbl, pr_id, pr_repo]
                     for stat in status_results:
                         pr_id = pr_repo = None
                         if stat.pull_request:
                             pr_id = stat.pull_request.pull_request_id
                             pr_repo = stat.pull_request.target_repo.repo_name
                         grouped[stat.revision] = [str(stat.status), stat.status_lbl,
                                                   pr_id, pr_repo]
                     return grouped
                 # ==========================================================================
                 # SCM CACHE INSTANCE
                 # ==========================================================================
                 def scm_instance(self, **kwargs):
                     import rhodecode
                     # Passing a config will not hit the cache currently only used
                     # for repo2dbmapper
                     config = kwargs.pop('config', None)
                     cache = kwargs.pop('cache', None)
                     full_cache = str2bool(rhodecode.CONFIG.get('vcs_full_cache'))
                     # if cache is NOT defined use default global, else we have a full
                     # control over cache behaviour
                     if cache is None and full_cache and not config:
                         return self._get_instance_cached()
                     return self._get_instance(cache=bool(cache), config=config)
                 def _get_instance_cached(self):
                     from rhodecode.lib import rc_cache
                     cache_namespace_uid = 'cache_repo_instance.{}'.format(self.repo_id)
                     invalidation_namespace = CacheKey.REPO_INVALIDATION_NAMESPACE.format(
                         repo_id=self.repo_id)
                     region = rc_cache.get_or_create_region('cache_repo_longterm', cache_namespace_uid)
                     @region.conditional_cache_on_arguments(namespace=cache_namespace_uid)
                     def get_instance_cached(repo_id, context_id):
                         return self._get_instance()
                     # we must use thread scoped cache here,
                     # because each thread of gevent needs it's own not shared connection and cache
                     # we also alter `args` so the cache key is individual for every green thread.
                     inv_context_manager = rc_cache.InvalidationContext(
                         uid=cache_namespace_uid, invalidation_namespace=invalidation_namespace,
                         thread_scoped=True)
                     with inv_context_manager as invalidation_context:
                         args = (self.repo_id, inv_context_manager.cache_key)
                         # re-compute and store cache if we get invalidate signal
                         if invalidation_context.should_invalidate():
                             instance = get_instance_cached.refresh(*args)
                         else:
                             instance = get_instance_cached(*args)
                         log.debug(
-                            'Repo instance fetched in %.3fs', inv_context_manager.compute_time)
+                            'Repo instance fetched in %.4fs', inv_context_manager.compute_time)
                         return instance
                 def _get_instance(self, cache=True, config=None):
                     config = config or self._config
                     custom_wire = {
                         'cache': cache  # controls the vcs.remote cache
                     }
                     repo = get_vcs_instance(
                         repo_path=safe_str(self.repo_full_path),
                         config=config,
                         with_wire=custom_wire,
                         create=False,
                         _vcs_alias=self.repo_type)
                     return repo
                 def __json__(self):
                     return {'landing_rev': self.landing_rev}
                 def get_dict(self):
                     # Since we transformed `repo_name` to a hybrid property, we need to
                     # keep compatibility with the code which uses `repo_name` field.
                     result = super(Repository, self).get_dict()
                     result['repo_name'] = result.pop('_repo_name', None)
                     return result
             class RepoGroup(Base, BaseModel):
                 __tablename__ = 'groups'
                 __table_args__ = (
                     UniqueConstraint('group_name', 'group_parent_id'),
                     base_table_args,
                 )
                 __mapper_args__ = {'order_by': 'group_name'}
                 CHOICES_SEPARATOR = '/'  # used to generate select2 choices for nested groups
                 group_id = Column("group_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 group_name = Column("group_name", String(255), nullable=False, unique=True, default=None)
                 group_parent_id = Column("group_parent_id", Integer(), ForeignKey('groups.group_id'), nullable=True, unique=None, default=None)
                 group_description = Column("group_description", String(10000), nullable=True, unique=None, default=None)
                 enable_locking = Column("enable_locking", Boolean(), nullable=False, unique=None, default=False)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=False, default=None)
                 created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 updated_on = Column('updated_on', DateTime(timezone=False), nullable=True, unique=None, default=datetime.datetime.now)
                 personal = Column('personal', Boolean(), nullable=True, unique=None, default=None)
                 repo_group_to_perm = relationship('UserRepoGroupToPerm', cascade='all', order_by='UserRepoGroupToPerm.group_to_perm_id')
                 users_group_to_perm = relationship('UserGroupRepoGroupToPerm', cascade='all')
                 parent_group = relationship('RepoGroup', remote_side=group_id)
                 user = relationship('User')
                 integrations = relationship('Integration',
                                             cascade="all, delete, delete-orphan")
                 def __init__(self, group_name='', parent_group=None):
                     self.group_name = group_name
                     self.parent_group = parent_group
                 def __unicode__(self):
                     return u"<%s('id:%s:%s')>" % (
                         self.__class__.__name__, self.group_id, self.group_name)
                 @hybrid_property
                 def description_safe(self):
                     from rhodecode.lib import helpers as h
                     return h.escape(self.group_description)
                 @classmethod
                 def _generate_choice(cls, repo_group):
                     from webhelpers.html import literal as _literal
                     _name = lambda k: _literal(cls.CHOICES_SEPARATOR.join(k))
                     return repo_group.group_id, _name(repo_group.full_path_splitted)
                 @classmethod
                 def groups_choices(cls, groups=None, show_empty_group=True):
                     if not groups:
                         groups = cls.query().all()
                     repo_groups = []
                     if show_empty_group:
                         repo_groups = [(-1, u'-- %s --' % _('No parent'))]
                     repo_groups.extend([cls._generate_choice(x) for x in groups])
                     repo_groups = sorted(
                         repo_groups, key=lambda t: t[1].split(cls.CHOICES_SEPARATOR)[0])
                     return repo_groups
                 @classmethod
                 def url_sep(cls):
                     return URL_SEP
                 @classmethod
                 def get_by_group_name(cls, group_name, cache=False, case_insensitive=False):
                     if case_insensitive:
                         gr = cls.query().filter(func.lower(cls.group_name)
                                                 == func.lower(group_name))
                     else:
                         gr = cls.query().filter(cls.group_name == group_name)
                     if cache:
                         name_key = _hash_key(group_name)
                         gr = gr.options(
                             FromCache("sql_cache_short", "get_group_%s" % name_key))
                     return gr.scalar()
                 @classmethod
                 def get_user_personal_repo_group(cls, user_id):
                     user = User.get(user_id)
                     if user.username == User.DEFAULT_USER:
                         return None
                     return cls.query()\
                         .filter(cls.personal == true()) \
                         .filter(cls.user == user) \
                         .order_by(cls.group_id.asc()) \
                         .first()
                 @classmethod
                 def get_all_repo_groups(cls, user_id=Optional(None), group_id=Optional(None),
                                         case_insensitive=True):
                     q = RepoGroup.query()
                     if not isinstance(user_id, Optional):
                         q = q.filter(RepoGroup.user_id == user_id)
                     if not isinstance(group_id, Optional):
                         q = q.filter(RepoGroup.group_parent_id == group_id)
                     if case_insensitive:
                         q = q.order_by(func.lower(RepoGroup.group_name))
                     else:
                         q = q.order_by(RepoGroup.group_name)
                     return q.all()
                 @property
                 def parents(self):
                     parents_recursion_limit = 10
                     groups = []
                     if self.parent_group is None:
                         return groups
                     cur_gr = self.parent_group
                     groups.insert(0, cur_gr)
                     cnt = 0
                     while 1:
                         cnt += 1
                         gr = getattr(cur_gr, 'parent_group', None)
                         cur_gr = cur_gr.parent_group
                         if gr is None:
                             break
                         if cnt == parents_recursion_limit:
                             # this will prevent accidental infinit loops
                             log.error('more than %s parents found for group %s, stopping '
                                       'recursive parent fetching', parents_recursion_limit, self)
                             break
                         groups.insert(0, gr)
                     return groups
                 @property
                 def last_db_change(self):
                     return self.updated_on
                 @property
                 def children(self):
                     return RepoGroup.query().filter(RepoGroup.parent_group == self)
                 @property
                 def name(self):
                     return self.group_name.split(RepoGroup.url_sep())[-1]
                 @property
                 def full_path(self):
                     return self.group_name
                 @property
                 def full_path_splitted(self):
                     return self.group_name.split(RepoGroup.url_sep())
                 @property
                 def repositories(self):
                     return Repository.query()\
                             .filter(Repository.group == self)\
                             .order_by(Repository.repo_name)
                 @property
                 def repositories_recursive_count(self):
                     cnt = self.repositories.count()
                     def children_count(group):
                         cnt = 0
                         for child in group.children:
                             cnt += child.repositories.count()
                             cnt += children_count(child)
                         return cnt
                     return cnt + children_count(self)
                 def _recursive_objects(self, include_repos=True):
                     all_ = []
                     def _get_members(root_gr):
                         if include_repos:
                             for r in root_gr.repositories:
                                 all_.append(r)
                         childs = root_gr.children.all()
                         if childs:
                             for gr in childs:
                                 all_.append(gr)
                                 _get_members(gr)
                     _get_members(self)
                     return [self] + all_
                 def recursive_groups_and_repos(self):
                     """
                     Recursive return all groups, with repositories in those groups
                     """
                     return self._recursive_objects()
                 def recursive_groups(self):
                     """
                     Returns all children groups for this group including children of children
                     """
                     return self._recursive_objects(include_repos=False)
                 def get_new_name(self, group_name):
                     """
                     returns new full group name based on parent and new name
                     :param group_name:
                     """
                     path_prefix = (self.parent_group.full_path_splitted if
                                    self.parent_group else [])
                     return RepoGroup.url_sep().join(path_prefix + [group_name])
                 def permissions(self, with_admins=True, with_owner=True):
                     """
                     Permissions for repository groups
                     """
                     _admin_perm = 'group.admin'
                     owner_row = []
                     if with_owner:
                         usr = AttributeDict(self.user.get_dict())
                         usr.owner_row = True
                         usr.permission = _admin_perm
                         owner_row.append(usr)
                     super_admin_ids = []
                     super_admin_rows = []
                     if with_admins:
                         for usr in User.get_all_super_admins():
                             super_admin_ids.append(usr.user_id)
                             # if this admin is also owner, don't double the record
                             if usr.user_id == owner_row[0].user_id:
                                 owner_row[0].admin_row = True
                             else:
                                 usr = AttributeDict(usr.get_dict())
                                 usr.admin_row = True
                                 usr.permission = _admin_perm
                                 super_admin_rows.append(usr)
                     q = UserRepoGroupToPerm.query().filter(UserRepoGroupToPerm.group == self)
                     q = q.options(joinedload(UserRepoGroupToPerm.group),
                                   joinedload(UserRepoGroupToPerm.user),
                                   joinedload(UserRepoGroupToPerm.permission),)
                     # get owners and admins and permissions. We do a trick of re-writing
                     # objects from sqlalchemy to named-tuples due to sqlalchemy session
                     # has a global reference and changing one object propagates to all
                     # others. This means if admin is also an owner admin_row that change
                     # would propagate to both objects
                     perm_rows = []
                     for _usr in q.all():
                         usr = AttributeDict(_usr.user.get_dict())
                         # if this user is also owner/admin, mark as duplicate record
                         if usr.user_id == owner_row[0].user_id or usr.user_id in super_admin_ids:
                             usr.duplicate_perm = True
                         usr.permission = _usr.permission.permission_name
                         perm_rows.append(usr)
                     # filter the perm rows by 'default' first and then sort them by
                     # admin,write,read,none permissions sorted again alphabetically in
                     # each group
                     perm_rows = sorted(perm_rows, key=display_user_sort)
                     return super_admin_rows + owner_row + perm_rows
                 def permission_user_groups(self):
                     q = UserGroupRepoGroupToPerm.query().filter(
                         UserGroupRepoGroupToPerm.group == self)
                     q = q.options(joinedload(UserGroupRepoGroupToPerm.group),
                                   joinedload(UserGroupRepoGroupToPerm.users_group),
                                   joinedload(UserGroupRepoGroupToPerm.permission),)
                     perm_rows = []
                     for _user_group in q.all():
                         usr = AttributeDict(_user_group.users_group.get_dict())
                         usr.permission = _user_group.permission.permission_name
                         perm_rows.append(usr)
                     perm_rows = sorted(perm_rows, key=display_user_group_sort)
                     return perm_rows
                 def get_api_data(self):
                     """
                     Common function for generating api data
                     """
                     group = self
                     data = {
                         'group_id': group.group_id,
                         'group_name': group.group_name,
                         'group_description': group.description_safe,
                         'parent_group': group.parent_group.group_name if group.parent_group else None,
                         'repositories': [x.repo_name for x in group.repositories],
                         'owner': group.user.username,
                     }
                     return data
             class Permission(Base, BaseModel):
                 __tablename__ = 'permissions'
                 __table_args__ = (
                     Index('p_perm_name_idx', 'permission_name'),
                     base_table_args,
                 )
                 PERMS = [
                     ('hg.admin', _('RhodeCode Super Administrator')),
                     ('repository.none', _('Repository no access')),
                     ('repository.read', _('Repository read access')),
                     ('repository.write', _('Repository write access')),
                     ('repository.admin', _('Repository admin access')),
                     ('group.none', _('Repository group no access')),
                     ('group.read', _('Repository group read access')),
                     ('group.write', _('Repository group write access')),
                     ('group.admin', _('Repository group admin access')),
                     ('usergroup.none', _('User group no access')),
                     ('usergroup.read', _('User group read access')),
                     ('usergroup.write', _('User group write access')),
                     ('usergroup.admin', _('User group admin access')),
                     ('branch.none', _('Branch no permissions')),
                     ('branch.merge', _('Branch access by web merge')),
                     ('branch.push', _('Branch access by push')),
                     ('branch.push_force', _('Branch access by push with force')),
                     ('hg.repogroup.create.false', _('Repository Group creation disabled')),
                     ('hg.repogroup.create.true', _('Repository Group creation enabled')),
                     ('hg.usergroup.create.false', _('User Group creation disabled')),
                     ('hg.usergroup.create.true', _('User Group creation enabled')),
                     ('hg.create.none', _('Repository creation disabled')),
                     ('hg.create.repository', _('Repository creation enabled')),
                     ('hg.create.write_on_repogroup.true', _('Repository creation enabled with write permission to a repository group')),
                     ('hg.create.write_on_repogroup.false', _('Repository creation disabled with write permission to a repository group')),
                     ('hg.fork.none', _('Repository forking disabled')),
                     ('hg.fork.repository', _('Repository forking enabled')),
                     ('hg.register.none', _('Registration disabled')),
                     ('hg.register.manual_activate', _('User Registration with manual account activation')),
                     ('hg.register.auto_activate', _('User Registration with automatic account activation')),
                     ('hg.password_reset.enabled', _('Password reset enabled')),
                     ('hg.password_reset.hidden', _('Password reset hidden')),
                     ('hg.password_reset.disabled', _('Password reset disabled')),
                     ('hg.extern_activate.manual', _('Manual activation of external account')),
                     ('hg.extern_activate.auto', _('Automatic activation of external account')),
                     ('hg.inherit_default_perms.false', _('Inherit object permissions from default user disabled')),
                     ('hg.inherit_default_perms.true', _('Inherit object permissions from default user enabled')),
                 ]
                 # definition of system default permissions for DEFAULT user, created on
                 # system setup
                 DEFAULT_USER_PERMISSIONS = [
                     # object perms
                     'repository.read',
                     'group.read',
                     'usergroup.read',
                     # branch, for backward compat we need same value as before so forced pushed
                     'branch.push_force',
                     # global
                     'hg.create.repository',
                     'hg.repogroup.create.false',
                     'hg.usergroup.create.false',
                     'hg.create.write_on_repogroup.true',
                     'hg.fork.repository',
                     'hg.register.manual_activate',
                     'hg.password_reset.enabled',
                     'hg.extern_activate.auto',
                     'hg.inherit_default_perms.true',
                 ]
                 # defines which permissions are more important higher the more important
                 # Weight defines which permissions are more important.
                 # The higher number the more important.
                 PERM_WEIGHTS = {
                     'repository.none': 0,
                     'repository.read': 1,
                     'repository.write': 3,
                     'repository.admin': 4,
                     'group.none': 0,
                     'group.read': 1,
                     'group.write': 3,
                     'group.admin': 4,
                     'usergroup.none': 0,
                     'usergroup.read': 1,
                     'usergroup.write': 3,
                     'usergroup.admin': 4,
                     'branch.none': 0,
                     'branch.merge': 1,
                     'branch.push': 3,
                     'branch.push_force': 4,
                     'hg.repogroup.create.false': 0,
                     'hg.repogroup.create.true': 1,
                     'hg.usergroup.create.false': 0,
                     'hg.usergroup.create.true': 1,
                     'hg.fork.none': 0,
                     'hg.fork.repository': 1,
                     'hg.create.none': 0,
                     'hg.create.repository': 1
                 }
                 permission_id = Column("permission_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 permission_name = Column("permission_name", String(255), nullable=True, unique=None, default=None)
                 permission_longname = Column("permission_longname", String(255), nullable=True, unique=None, default=None)
                 def __unicode__(self):
                     return u"<%s('%s:%s')>" % (
                         self.__class__.__name__, self.permission_id, self.permission_name
                     )
                 @classmethod
                 def get_by_key(cls, key):
                     return cls.query().filter(cls.permission_name == key).scalar()
                 @classmethod
                 def get_default_repo_perms(cls, user_id, repo_id=None):
                     q = Session().query(UserRepoToPerm, Repository, Permission)\
                         .join((Permission, UserRepoToPerm.permission_id == Permission.permission_id))\
                         .join((Repository, UserRepoToPerm.repository_id == Repository.repo_id))\
                         .filter(UserRepoToPerm.user_id == user_id)
                     if repo_id:
                         q = q.filter(UserRepoToPerm.repository_id == repo_id)
                     return q.all()
                 @classmethod
                 def get_default_repo_branch_perms(cls, user_id, repo_id=None):
                     q = Session().query(UserToRepoBranchPermission, UserRepoToPerm, Permission) \
                         .join(
                             Permission,
                             UserToRepoBranchPermission.permission_id == Permission.permission_id) \
                         .join(
                             UserRepoToPerm,
                             UserToRepoBranchPermission.rule_to_perm_id == UserRepoToPerm.repo_to_perm_id) \
                         .filter(UserRepoToPerm.user_id == user_id)
                     if repo_id:
                         q = q.filter(UserToRepoBranchPermission.repository_id == repo_id)
                     return q.order_by(UserToRepoBranchPermission.rule_order).all()
                 @classmethod
                 def get_default_repo_perms_from_user_group(cls, user_id, repo_id=None):
                     q = Session().query(UserGroupRepoToPerm, Repository, Permission)\
                         .join(
                             Permission,
                             UserGroupRepoToPerm.permission_id == Permission.permission_id)\
                         .join(
                             Repository,
                             UserGroupRepoToPerm.repository_id == Repository.repo_id)\
                         .join(
                             UserGroup,
                             UserGroupRepoToPerm.users_group_id ==
                             UserGroup.users_group_id)\
                         .join(
                             UserGroupMember,
                             UserGroupRepoToPerm.users_group_id ==
                             UserGroupMember.users_group_id)\
                         .filter(
                             UserGroupMember.user_id == user_id,
                             UserGroup.users_group_active == true())
                     if repo_id:
                         q = q.filter(UserGroupRepoToPerm.repository_id == repo_id)
                     return q.all()
                 @classmethod
                 def get_default_repo_branch_perms_from_user_group(cls, user_id, repo_id=None):
                     q = Session().query(UserGroupToRepoBranchPermission, UserGroupRepoToPerm, Permission) \
                         .join(
                             Permission,
                             UserGroupToRepoBranchPermission.permission_id == Permission.permission_id) \
                         .join(
                             UserGroupRepoToPerm,
                             UserGroupToRepoBranchPermission.rule_to_perm_id == UserGroupRepoToPerm.users_group_to_perm_id) \
                         .join(
                             UserGroup,
                             UserGroupRepoToPerm.users_group_id == UserGroup.users_group_id) \
                         .join(
                             UserGroupMember,
                             UserGroupRepoToPerm.users_group_id == UserGroupMember.users_group_id) \
                         .filter(
                             UserGroupMember.user_id == user_id,
                             UserGroup.users_group_active == true())
                     if repo_id:
                         q = q.filter(UserGroupToRepoBranchPermission.repository_id == repo_id)
                     return q.order_by(UserGroupToRepoBranchPermission.rule_order).all()
                 @classmethod
                 def get_default_group_perms(cls, user_id, repo_group_id=None):
                     q = Session().query(UserRepoGroupToPerm, RepoGroup, Permission)\
                         .join(
                             Permission,
                             UserRepoGroupToPerm.permission_id == Permission.permission_id)\
                         .join(
                             RepoGroup,
                             UserRepoGroupToPerm.group_id == RepoGroup.group_id)\
                         .filter(UserRepoGroupToPerm.user_id == user_id)
                     if repo_group_id:
                         q = q.filter(UserRepoGroupToPerm.group_id == repo_group_id)
                     return q.all()
                 @classmethod
                 def get_default_group_perms_from_user_group(
                         cls, user_id, repo_group_id=None):
                     q = Session().query(UserGroupRepoGroupToPerm, RepoGroup, Permission)\
                         .join(
                             Permission,
                             UserGroupRepoGroupToPerm.permission_id ==
                             Permission.permission_id)\
                         .join(
                             RepoGroup,
                             UserGroupRepoGroupToPerm.group_id == RepoGroup.group_id)\
                         .join(
                             UserGroup,
                             UserGroupRepoGroupToPerm.users_group_id ==
                             UserGroup.users_group_id)\
                         .join(
                             UserGroupMember,
                             UserGroupRepoGroupToPerm.users_group_id ==
                             UserGroupMember.users_group_id)\
                         .filter(
                             UserGroupMember.user_id == user_id,
                             UserGroup.users_group_active == true())
                     if repo_group_id:
                         q = q.filter(UserGroupRepoGroupToPerm.group_id == repo_group_id)
                     return q.all()
                 @classmethod
                 def get_default_user_group_perms(cls, user_id, user_group_id=None):
                     q = Session().query(UserUserGroupToPerm, UserGroup, Permission)\
                         .join((Permission, UserUserGroupToPerm.permission_id == Permission.permission_id))\
                         .join((UserGroup, UserUserGroupToPerm.user_group_id == UserGroup.users_group_id))\
                         .filter(UserUserGroupToPerm.user_id == user_id)
                     if user_group_id:
                         q = q.filter(UserUserGroupToPerm.user_group_id == user_group_id)
                     return q.all()
                 @classmethod
                 def get_default_user_group_perms_from_user_group(
                         cls, user_id, user_group_id=None):
                     TargetUserGroup = aliased(UserGroup, name='target_user_group')
                     q = Session().query(UserGroupUserGroupToPerm, UserGroup, Permission)\
                         .join(
                             Permission,
                             UserGroupUserGroupToPerm.permission_id ==
                             Permission.permission_id)\
                         .join(
                             TargetUserGroup,
                             UserGroupUserGroupToPerm.target_user_group_id ==
                             TargetUserGroup.users_group_id)\
                         .join(
                             UserGroup,
                             UserGroupUserGroupToPerm.user_group_id ==
                             UserGroup.users_group_id)\
                         .join(
                             UserGroupMember,
                             UserGroupUserGroupToPerm.user_group_id ==
                             UserGroupMember.users_group_id)\
                         .filter(
                             UserGroupMember.user_id == user_id,
                             UserGroup.users_group_active == true())
                     if user_group_id:
                         q = q.filter(
                             UserGroupUserGroupToPerm.user_group_id == user_group_id)
                     return q.all()
             class UserRepoToPerm(Base, BaseModel):
                 __tablename__ = 'repo_to_perm'
                 __table_args__ = (
                     UniqueConstraint('user_id', 'repository_id', 'permission_id'),
                     base_table_args
                 )
                 repo_to_perm_id = Column("repo_to_perm_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=None, default=None)
                 permission_id = Column("permission_id", Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)
                 repository_id = Column("repository_id", Integer(), ForeignKey('repositories.repo_id'), nullable=False, unique=None, default=None)
                 user = relationship('User')
                 repository = relationship('Repository')
                 permission = relationship('Permission')
                 branch_perm_entry = relationship('UserToRepoBranchPermission', cascade="all, delete, delete-orphan", lazy='joined')
                 @classmethod
                 def create(cls, user, repository, permission):
                     n = cls()
                     n.user = user
                     n.repository = repository
                     n.permission = permission
                     Session().add(n)
                     return n
                 def __unicode__(self):
                     return u'<%s => %s >' % (self.user, self.repository)
             class UserUserGroupToPerm(Base, BaseModel):
                 __tablename__ = 'user_user_group_to_perm'
                 __table_args__ = (
                     UniqueConstraint('user_id', 'user_group_id', 'permission_id'),
                     base_table_args
                 )
                 user_user_group_to_perm_id = Column("user_user_group_to_perm_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=None, default=None)
                 permission_id = Column("permission_id", Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)
                 user_group_id = Column("user_group_id", Integer(), ForeignKey('users_groups.users_group_id'), nullable=False, unique=None, default=None)
                 user = relationship('User')
                 user_group = relationship('UserGroup')
                 permission = relationship('Permission')
                 @classmethod
                 def create(cls, user, user_group, permission):
                     n = cls()
                     n.user = user
                     n.user_group = user_group
                     n.permission = permission
                     Session().add(n)
                     return n
                 def __unicode__(self):
                     return u'<%s => %s >' % (self.user, self.user_group)
             class UserToPerm(Base, BaseModel):
                 __tablename__ = 'user_to_perm'
                 __table_args__ = (
                     UniqueConstraint('user_id', 'permission_id'),
                     base_table_args
                 )
                 user_to_perm_id = Column("user_to_perm_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=None, default=None)
                 permission_id = Column("permission_id", Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)
                 user = relationship('User')
                 permission = relationship('Permission', lazy='joined')
                 def __unicode__(self):
                     return u'<%s => %s >' % (self.user, self.permission)
             class UserGroupRepoToPerm(Base, BaseModel):
                 __tablename__ = 'users_group_repo_to_perm'
                 __table_args__ = (
                     UniqueConstraint('repository_id', 'users_group_id', 'permission_id'),
                     base_table_args
                 )
                 users_group_to_perm_id = Column("users_group_to_perm_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 users_group_id = Column("users_group_id", Integer(), ForeignKey('users_groups.users_group_id'), nullable=False, unique=None, default=None)
                 permission_id = Column("permission_id", Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)
                 repository_id = Column("repository_id", Integer(), ForeignKey('repositories.repo_id'), nullable=False, unique=None, default=None)
                 users_group = relationship('UserGroup')
                 permission = relationship('Permission')
                 repository = relationship('Repository')
                 user_group_branch_perms = relationship('UserGroupToRepoBranchPermission', cascade='all')
                 @classmethod
                 def create(cls, users_group, repository, permission):
                     n = cls()
                     n.users_group = users_group
                     n.repository = repository
                     n.permission = permission
                     Session().add(n)
                     return n
                 def __unicode__(self):
                     return u'<UserGroupRepoToPerm:%s => %s >' % (self.users_group, self.repository)
             class UserGroupUserGroupToPerm(Base, BaseModel):
                 __tablename__ = 'user_group_user_group_to_perm'
                 __table_args__ = (
                     UniqueConstraint('target_user_group_id', 'user_group_id', 'permission_id'),
                     CheckConstraint('target_user_group_id != user_group_id'),
                     base_table_args
                 )
                 user_group_user_group_to_perm_id = Column("user_group_user_group_to_perm_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 target_user_group_id = Column("target_user_group_id", Integer(), ForeignKey('users_groups.users_group_id'), nullable=False, unique=None, default=None)
                 permission_id = Column("permission_id", Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)
                 user_group_id = Column("user_group_id", Integer(), ForeignKey('users_groups.users_group_id'), nullable=False, unique=None, default=None)
                 target_user_group = relationship('UserGroup', primaryjoin='UserGroupUserGroupToPerm.target_user_group_id==UserGroup.users_group_id')
                 user_group = relationship('UserGroup', primaryjoin='UserGroupUserGroupToPerm.user_group_id==UserGroup.users_group_id')
                 permission = relationship('Permission')
                 @classmethod
                 def create(cls, target_user_group, user_group, permission):
                     n = cls()
                     n.target_user_group = target_user_group
                     n.user_group = user_group
                     n.permission = permission
                     Session().add(n)
                     return n
                 def __unicode__(self):
                     return u'<UserGroupUserGroup:%s => %s >' % (self.target_user_group, self.user_group)
             class UserGroupToPerm(Base, BaseModel):
                 __tablename__ = 'users_group_to_perm'
                 __table_args__ = (
                     UniqueConstraint('users_group_id', 'permission_id',),
                     base_table_args
                 )
                 users_group_to_perm_id = Column("users_group_to_perm_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 users_group_id = Column("users_group_id", Integer(), ForeignKey('users_groups.users_group_id'), nullable=False, unique=None, default=None)
                 permission_id = Column("permission_id", Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)
                 users_group = relationship('UserGroup')
                 permission = relationship('Permission')
             class UserRepoGroupToPerm(Base, BaseModel):
                 __tablename__ = 'user_repo_group_to_perm'
                 __table_args__ = (
                     UniqueConstraint('user_id', 'group_id', 'permission_id'),
                     base_table_args
                 )
                 group_to_perm_id = Column("group_to_perm_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=None, default=None)
                 group_id = Column("group_id", Integer(), ForeignKey('groups.group_id'), nullable=False, unique=None, default=None)
                 permission_id = Column("permission_id", Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)
                 user = relationship('User')
                 group = relationship('RepoGroup')
                 permission = relationship('Permission')
                 @classmethod
                 def create(cls, user, repository_group, permission):
                     n = cls()
                     n.user = user
                     n.group = repository_group
                     n.permission = permission
                     Session().add(n)
                     return n
             class UserGroupRepoGroupToPerm(Base, BaseModel):
                 __tablename__ = 'users_group_repo_group_to_perm'
                 __table_args__ = (
                     UniqueConstraint('users_group_id', 'group_id'),
                     base_table_args
                 )
                 users_group_repo_group_to_perm_id = Column("users_group_repo_group_to_perm_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 users_group_id = Column("users_group_id", Integer(), ForeignKey('users_groups.users_group_id'), nullable=False, unique=None, default=None)
                 group_id = Column("group_id", Integer(), ForeignKey('groups.group_id'), nullable=False, unique=None, default=None)
                 permission_id = Column("permission_id", Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)
                 users_group = relationship('UserGroup')
                 permission = relationship('Permission')
                 group = relationship('RepoGroup')
                 @classmethod
                 def create(cls, user_group, repository_group, permission):
                     n = cls()
                     n.users_group = user_group
                     n.group = repository_group
                     n.permission = permission
                     Session().add(n)
                     return n
                 def __unicode__(self):
                     return u'<UserGroupRepoGroupToPerm:%s => %s >' % (self.users_group, self.group)
             class Statistics(Base, BaseModel):
                 __tablename__ = 'statistics'
                 __table_args__ = (
                      base_table_args
                 )
                 stat_id = Column("stat_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 repository_id = Column("repository_id", Integer(), ForeignKey('repositories.repo_id'), nullable=False, unique=True, default=None)
                 stat_on_revision = Column("stat_on_revision", Integer(), nullable=False)
                 commit_activity = Column("commit_activity", LargeBinary(1000000), nullable=False)#JSON data
                 commit_activity_combined = Column("commit_activity_combined", LargeBinary(), nullable=False)#JSON data
                 languages = Column("languages", LargeBinary(1000000), nullable=False)#JSON data
                 repository = relationship('Repository', single_parent=True)
             class UserFollowing(Base, BaseModel):
                 __tablename__ = 'user_followings'
                 __table_args__ = (
                     UniqueConstraint('user_id', 'follows_repository_id'),
                     UniqueConstraint('user_id', 'follows_user_id'),
                     base_table_args
                 )
                 user_following_id = Column("user_following_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=None, default=None)
                 follows_repo_id = Column("follows_repository_id", Integer(), ForeignKey('repositories.repo_id'), nullable=True, unique=None, default=None)
                 follows_user_id = Column("follows_user_id", Integer(), ForeignKey('users.user_id'), nullable=True, unique=None, default=None)
                 follows_from = Column('follows_from', DateTime(timezone=False), nullable=True, unique=None, default=datetime.datetime.now)
                 user = relationship('User', primaryjoin='User.user_id==UserFollowing.user_id')
                 follows_user = relationship('User', primaryjoin='User.user_id==UserFollowing.follows_user_id')
                 follows_repository = relationship('Repository', order_by='Repository.repo_name')
                 @classmethod
                 def get_repo_followers(cls, repo_id):
                     return cls.query().filter(cls.follows_repo_id == repo_id)
             class CacheKey(Base, BaseModel):
                 __tablename__ = 'cache_invalidation'
                 __table_args__ = (
                     UniqueConstraint('cache_key'),
                     Index('key_idx', 'cache_key'),
                     base_table_args,
                 )
                 CACHE_TYPE_FEED = 'FEED'
                 CACHE_TYPE_README = 'README'
                 # namespaces used to register process/thread aware caches
                 REPO_INVALIDATION_NAMESPACE = 'repo_cache:{repo_id}'
                 SETTINGS_INVALIDATION_NAMESPACE = 'system_settings'
                 cache_id = Column("cache_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 cache_key = Column("cache_key", String(255), nullable=True, unique=None, default=None)
                 cache_args = Column("cache_args", String(255), nullable=True, unique=None, default=None)
                 cache_active = Column("cache_active", Boolean(), nullable=True, unique=None, default=False)
                 def __init__(self, cache_key, cache_args=''):
                     self.cache_key = cache_key
                     self.cache_args = cache_args
                     self.cache_active = False
                 def __unicode__(self):
                     return u"<%s('%s:%s[%s]')>" % (
                         self.__class__.__name__,
                         self.cache_id, self.cache_key, self.cache_active)
                 def _cache_key_partition(self):
                     prefix, repo_name, suffix = self.cache_key.partition(self.cache_args)
                     return prefix, repo_name, suffix
                 def get_prefix(self):
                     """
                     Try to extract prefix from existing cache key. The key could consist
                     of prefix, repo_name, suffix
                     """
                     # this returns prefix, repo_name, suffix
                     return self._cache_key_partition()[0]
                 def get_suffix(self):
                     """
                     get suffix that might have been used in _get_cache_key to
                     generate self.cache_key. Only used for informational purposes
                     in repo_edit.mako.
                     """
                     # prefix, repo_name, suffix
                     return self._cache_key_partition()[2]
                 @classmethod
                 def delete_all_cache(cls):
                     """
                     Delete all cache keys from database.
                     Should only be run when all instances are down and all entries
                     thus stale.
                     """
                     cls.query().delete()
                     Session().commit()
                 @classmethod
                 def set_invalidate(cls, cache_uid, delete=False):
                     """
                     Mark all caches of a repo as invalid in the database.
                     """
                     try:
                         qry = Session().query(cls).filter(cls.cache_args == cache_uid)
                         if delete:
                             qry.delete()
                             log.debug('cache objects deleted for cache args %s',
                                       safe_str(cache_uid))
                         else:
                             qry.update({"cache_active": False})
                             log.debug('cache objects marked as invalid for cache args %s',
                                       safe_str(cache_uid))
                         Session().commit()
                     except Exception:
                         log.exception(
                             'Cache key invalidation failed for cache args %s',
                             safe_str(cache_uid))
                         Session().rollback()
                 @classmethod
                 def get_active_cache(cls, cache_key):
                     inv_obj = cls.query().filter(cls.cache_key == cache_key).scalar()
                     if inv_obj:
                         return inv_obj
                     return None
             class ChangesetComment(Base, BaseModel):
                 __tablename__ = 'changeset_comments'
                 __table_args__ = (
                     Index('cc_revision_idx', 'revision'),
                     base_table_args,
                 )
                 COMMENT_OUTDATED = u'comment_outdated'
                 COMMENT_TYPE_NOTE = u'note'
                 COMMENT_TYPE_TODO = u'todo'
                 COMMENT_TYPES = [COMMENT_TYPE_NOTE, COMMENT_TYPE_TODO]
                 comment_id = Column('comment_id', Integer(), nullable=False, primary_key=True)
                 repo_id = Column('repo_id', Integer(), ForeignKey('repositories.repo_id'), nullable=False)
                 revision = Column('revision', String(40), nullable=True)
                 pull_request_id = Column("pull_request_id", Integer(), ForeignKey('pull_requests.pull_request_id'), nullable=True)
                 pull_request_version_id = Column("pull_request_version_id", Integer(), ForeignKey('pull_request_versions.pull_request_version_id'), nullable=True)
                 line_no = Column('line_no', Unicode(10), nullable=True)
                 hl_lines = Column('hl_lines', Unicode(512), nullable=True)
                 f_path = Column('f_path', Unicode(1000), nullable=True)
                 user_id = Column('user_id', Integer(), ForeignKey('users.user_id'), nullable=False)
                 text = Column('text', UnicodeText().with_variant(UnicodeText(25000), 'mysql'), nullable=False)
                 created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 modified_at = Column('modified_at', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 renderer = Column('renderer', Unicode(64), nullable=True)
                 display_state = Column('display_state',  Unicode(128), nullable=True)
                 comment_type = Column('comment_type',  Unicode(128), nullable=True, default=COMMENT_TYPE_NOTE)
                 resolved_comment_id = Column('resolved_comment_id', Integer(), ForeignKey('changeset_comments.comment_id'), nullable=True)
                 resolved_comment = relationship('ChangesetComment', remote_side=comment_id, back_populates='resolved_by')
                 resolved_by = relationship('ChangesetComment', back_populates='resolved_comment')
                 author = relationship('User', lazy='joined')
                 repo = relationship('Repository')
                 status_change = relationship('ChangesetStatus', cascade="all, delete, delete-orphan", lazy='joined')
                 pull_request = relationship('PullRequest', lazy='joined')
                 pull_request_version = relationship('PullRequestVersion')
                 @classmethod
                 def get_users(cls, revision=None, pull_request_id=None):
                     """
                     Returns user associated with this ChangesetComment. ie those
                     who actually commented
                     :param cls:
                     :param revision:
                     """
                     q = Session().query(User)\
                             .join(ChangesetComment.author)
                     if revision:
                         q = q.filter(cls.revision == revision)
                     elif pull_request_id:
                         q = q.filter(cls.pull_request_id == pull_request_id)
                     return q.all()
                 @classmethod
                 def get_index_from_version(cls, pr_version, versions):
                     num_versions = [x.pull_request_version_id for x in versions]
                     try:
                         return num_versions.index(pr_version) +1
                     except (IndexError, ValueError):
                         return
                 @property
                 def outdated(self):
                     return self.display_state == self.COMMENT_OUTDATED
                 def outdated_at_version(self, version):
                     """
                     Checks if comment is outdated for given pull request version
                     """
                     return self.outdated and self.pull_request_version_id != version
                 def older_than_version(self, version):
                     """
                     Checks if comment is made from previous version than given
                     """
                     if version is None:
                         return self.pull_request_version_id is not None
                     return self.pull_request_version_id < version
                 @property
                 def resolved(self):
                     return self.resolved_by[0] if self.resolved_by else None
                 @property
                 def is_todo(self):
                     return self.comment_type == self.COMMENT_TYPE_TODO
                 @property
                 def is_inline(self):
                     return self.line_no and self.f_path
                 def get_index_version(self, versions):
                     return self.get_index_from_version(
                         self.pull_request_version_id, versions)
                 def __repr__(self):
                     if self.comment_id:
                         return '<DB:Comment #%s>' % self.comment_id
                     else:
                         return '<DB:Comment at %#x>' % id(self)
                 def get_api_data(self):
                     comment = self
                     data = {
                         'comment_id': comment.comment_id,
                         'comment_type': comment.comment_type,
                         'comment_text': comment.text,
                         'comment_status': comment.status_change,
                         'comment_f_path': comment.f_path,
                         'comment_lineno': comment.line_no,
                         'comment_author': comment.author,
                         'comment_created_on': comment.created_on
                     }
                     return data
                 def __json__(self):
                     data = dict()
                     data.update(self.get_api_data())
                     return data
             class ChangesetStatus(Base, BaseModel):
                 __tablename__ = 'changeset_statuses'
                 __table_args__ = (
                     Index('cs_revision_idx', 'revision'),
                     Index('cs_version_idx', 'version'),
                     UniqueConstraint('repo_id', 'revision', 'version'),
                     base_table_args
                 )
                 STATUS_NOT_REVIEWED = DEFAULT = 'not_reviewed'
                 STATUS_APPROVED = 'approved'
                 STATUS_REJECTED = 'rejected'
                 STATUS_UNDER_REVIEW = 'under_review'
                 STATUSES = [
                     (STATUS_NOT_REVIEWED, _("Not Reviewed")),  # (no icon) and default
                     (STATUS_APPROVED, _("Approved")),
                     (STATUS_REJECTED, _("Rejected")),
                     (STATUS_UNDER_REVIEW, _("Under Review")),
                 ]
                 changeset_status_id = Column('changeset_status_id', Integer(), nullable=False, primary_key=True)
                 repo_id = Column('repo_id', Integer(), ForeignKey('repositories.repo_id'), nullable=False)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=None)
                 revision = Column('revision', String(40), nullable=False)
                 status = Column('status', String(128), nullable=False, default=DEFAULT)
                 changeset_comment_id = Column('changeset_comment_id', Integer(), ForeignKey('changeset_comments.comment_id'))
                 modified_at = Column('modified_at', DateTime(), nullable=False, default=datetime.datetime.now)
                 version = Column('version', Integer(), nullable=False, default=0)
                 pull_request_id = Column("pull_request_id", Integer(), ForeignKey('pull_requests.pull_request_id'), nullable=True)
                 author = relationship('User', lazy='joined')
                 repo = relationship('Repository')
                 comment = relationship('ChangesetComment', lazy='joined')
                 pull_request = relationship('PullRequest', lazy='joined')
                 def __unicode__(self):
                     return u"<%s('%s[v%s]:%s')>" % (
                         self.__class__.__name__,
                         self.status, self.version, self.author
                     )
                 @classmethod
                 def get_status_lbl(cls, value):
                     return dict(cls.STATUSES).get(value)
                 @property
                 def status_lbl(self):
                     return ChangesetStatus.get_status_lbl(self.status)
                 def get_api_data(self):
                     status = self
                     data = {
                         'status_id': status.changeset_status_id,
                         'status': status.status,
                     }
                     return data
                 def __json__(self):
                     data = dict()
                     data.update(self.get_api_data())
                     return data
             class _PullRequestBase(BaseModel):
                 """
                 Common attributes of pull request and version entries.
                 """
                 # .status values
                 STATUS_NEW = u'new'
                 STATUS_OPEN = u'open'
                 STATUS_CLOSED = u'closed'
                 # available states
                 STATE_CREATING = u'creating'
                 STATE_UPDATING = u'updating'
                 STATE_MERGING = u'merging'
                 STATE_CREATED = u'created'
                 title = Column('title', Unicode(255), nullable=True)
                 description = Column(
                     'description', UnicodeText().with_variant(UnicodeText(10240), 'mysql'),
                     nullable=True)
                 description_renderer = Column('description_renderer', Unicode(64), nullable=True)
                 # new/open/closed status of pull request (not approve/reject/etc)
                 status = Column('status', Unicode(255), nullable=False, default=STATUS_NEW)
                 created_on = Column(
                     'created_on', DateTime(timezone=False), nullable=False,
                     default=datetime.datetime.now)
                 updated_on = Column(
                     'updated_on', DateTime(timezone=False), nullable=False,
                     default=datetime.datetime.now)
                 pull_request_state = Column("pull_request_state", String(255), nullable=True)
                 @declared_attr
                 def user_id(cls):
                     return Column(
                         "user_id", Integer(), ForeignKey('users.user_id'), nullable=False,
                         unique=None)
                 # 500 revisions max
                 _revisions = Column(
                     'revisions', UnicodeText().with_variant(UnicodeText(20500), 'mysql'))
                 @declared_attr
                 def source_repo_id(cls):
                     # TODO: dan: rename column to source_repo_id
                     return Column(
                         'org_repo_id', Integer(), ForeignKey('repositories.repo_id'),
                         nullable=False)
                 _source_ref = Column('org_ref', Unicode(255), nullable=False)
                 @hybrid_property
                 def source_ref(self):
                     return self._source_ref
                 @source_ref.setter
                 def source_ref(self, val):
                     parts = (val or '').split(':')
                     if len(parts) != 3:
                         raise ValueError(
                             'Invalid reference format given: {}, expected X:Y:Z'.format(val))
                     self._source_ref = safe_unicode(val)
                 _target_ref = Column('other_ref', Unicode(255), nullable=False)
                 @hybrid_property
                 def target_ref(self):
                     return self._target_ref
                 @target_ref.setter
                 def target_ref(self, val):
                     parts = (val or '').split(':')
                     if len(parts) != 3:
                         raise ValueError(
                             'Invalid reference format given: {}, expected X:Y:Z'.format(val))
                     self._target_ref = safe_unicode(val)
                 @declared_attr
                 def target_repo_id(cls):
                     # TODO: dan: rename column to target_repo_id
                     return Column(
                         'other_repo_id', Integer(), ForeignKey('repositories.repo_id'),
                         nullable=False)
                 _shadow_merge_ref = Column('shadow_merge_ref', Unicode(255), nullable=True)
                 # TODO: dan: rename column to last_merge_source_rev
                 _last_merge_source_rev = Column(
                     'last_merge_org_rev', String(40), nullable=True)
                 # TODO: dan: rename column to last_merge_target_rev
                 _last_merge_target_rev = Column(
                     'last_merge_other_rev', String(40), nullable=True)
                 _last_merge_status = Column('merge_status', Integer(), nullable=True)
                 merge_rev = Column('merge_rev', String(40), nullable=True)
                 reviewer_data = Column(
                     'reviewer_data_json', MutationObj.as_mutable(
                         JsonType(dialect_map=dict(mysql=UnicodeText(16384)))))
                 @property
                 def reviewer_data_json(self):
                     return json.dumps(self.reviewer_data)
                 @hybrid_property
                 def description_safe(self):
                     from rhodecode.lib import helpers as h
                     return h.escape(self.description)
                 @hybrid_property
                 def revisions(self):
                     return self._revisions.split(':') if self._revisions else []
                 @revisions.setter
                 def revisions(self, val):
                     self._revisions = ':'.join(val)
                 @hybrid_property
                 def last_merge_status(self):
                     return safe_int(self._last_merge_status)
                 @last_merge_status.setter
                 def last_merge_status(self, val):
                     self._last_merge_status = val
                 @declared_attr
                 def author(cls):
                     return relationship('User', lazy='joined')
                 @declared_attr
                 def source_repo(cls):
                     return relationship(
                         'Repository',
                         primaryjoin='%s.source_repo_id==Repository.repo_id' % cls.__name__)
                 @property
                 def source_ref_parts(self):
                     return self.unicode_to_reference(self.source_ref)
                 @declared_attr
                 def target_repo(cls):
                     return relationship(
                         'Repository',
                         primaryjoin='%s.target_repo_id==Repository.repo_id' % cls.__name__)
                 @property
                 def target_ref_parts(self):
                     return self.unicode_to_reference(self.target_ref)
                 @property
                 def shadow_merge_ref(self):
                     return self.unicode_to_reference(self._shadow_merge_ref)
                 @shadow_merge_ref.setter
                 def shadow_merge_ref(self, ref):
                     self._shadow_merge_ref = self.reference_to_unicode(ref)
                 @staticmethod
                 def unicode_to_reference(raw):
                     """
                     Convert a unicode (or string) to a reference object.
                     If unicode evaluates to False it returns None.
                     """
                     if raw:
                         refs = raw.split(':')
                         return Reference(*refs)
                     else:
                         return None
                 @staticmethod
                 def reference_to_unicode(ref):
                     """
                     Convert a reference object to unicode.
                     If reference is None it returns None.
                     """
                     if ref:
                         return u':'.join(ref)
                     else:
                         return None
                 def get_api_data(self, with_merge_state=True):
                     from rhodecode.model.pull_request import PullRequestModel
                     pull_request = self
                     if with_merge_state:
                         merge_status = PullRequestModel().merge_status(pull_request)
                         merge_state = {
                             'status': merge_status[0],
                             'message': safe_unicode(merge_status[1]),
                         }
                     else:
                         merge_state = {'status': 'not_available',
                                        'message': 'not_available'}
                     merge_data = {
                         'clone_url': PullRequestModel().get_shadow_clone_url(pull_request),
                         'reference': (
                             pull_request.shadow_merge_ref._asdict()
                             if pull_request.shadow_merge_ref else None),
                     }
                     data = {
                         'pull_request_id': pull_request.pull_request_id,
                         'url': PullRequestModel().get_url(pull_request),
                         'title': pull_request.title,
                         'description': pull_request.description,
                         'status': pull_request.status,
                         'created_on': pull_request.created_on,
                         'updated_on': pull_request.updated_on,
                         'commit_ids': pull_request.revisions,
                         'review_status': pull_request.calculated_review_status(),
                         'mergeable': merge_state,
                         'source': {
                             'clone_url': pull_request.source_repo.clone_url(),
                             'repository': pull_request.source_repo.repo_name,
                             'reference': {
                                 'name': pull_request.source_ref_parts.name,
                                 'type': pull_request.source_ref_parts.type,
                                 'commit_id': pull_request.source_ref_parts.commit_id,
                             },
                         },
                         'target': {
                             'clone_url': pull_request.target_repo.clone_url(),
                             'repository': pull_request.target_repo.repo_name,
                             'reference': {
                                 'name': pull_request.target_ref_parts.name,
                                 'type': pull_request.target_ref_parts.type,
                                 'commit_id': pull_request.target_ref_parts.commit_id,
                             },
                         },
                         'merge': merge_data,
                         'author': pull_request.author.get_api_data(include_secrets=False,
                                                                    details='basic'),
                         'reviewers': [
                             {
                                 'user': reviewer.get_api_data(include_secrets=False,
                                                               details='basic'),
                                 'reasons': reasons,
                                 'review_status': st[0][1].status if st else 'not_reviewed',
                             }
                             for obj, reviewer, reasons, mandatory, st in
                             pull_request.reviewers_statuses()
                         ]
                     }
                     return data
             class PullRequest(Base, _PullRequestBase):
                 __tablename__ = 'pull_requests'
                 __table_args__ = (
                     base_table_args,
                 )
                 pull_request_id = Column(
                     'pull_request_id', Integer(), nullable=False, primary_key=True)
                 def __repr__(self):
                     if self.pull_request_id:
                         return '<DB:PullRequest #%s>' % self.pull_request_id
                     else:
                         return '<DB:PullRequest at %#x>' % id(self)
                 reviewers = relationship('PullRequestReviewers',
                                          cascade="all, delete, delete-orphan")
                 statuses = relationship('ChangesetStatus',
                                         cascade="all, delete, delete-orphan")
                 comments = relationship('ChangesetComment',
                                         cascade="all, delete, delete-orphan")
                 versions = relationship('PullRequestVersion',
                                         cascade="all, delete, delete-orphan",
                                         lazy='dynamic')
                 @classmethod
                 def get_pr_display_object(cls, pull_request_obj, org_pull_request_obj,
                                           internal_methods=None):
                     class PullRequestDisplay(object):
                         """
                         Special object wrapper for showing PullRequest data via Versions
                         It mimics PR object as close as possible. This is read only object
                         just for display
                         """
                         def __init__(self, attrs, internal=None):
                             self.attrs = attrs
                             # internal have priority over the given ones via attrs
                             self.internal = internal or ['versions']
                         def __getattr__(self, item):
                             if item in self.internal:
                                 return getattr(self, item)
                             try:
                                 return self.attrs[item]
                             except KeyError:
                                 raise AttributeError(
                                     '%s object has no attribute %s' % (self, item))
                         def __repr__(self):
                             return '<DB:PullRequestDisplay #%s>' % self.attrs.get('pull_request_id')
                         def versions(self):
                             return pull_request_obj.versions.order_by(
                                 PullRequestVersion.pull_request_version_id).all()
                         def is_closed(self):
                             return pull_request_obj.is_closed()
                         @property
                         def pull_request_version_id(self):
                             return getattr(pull_request_obj, 'pull_request_version_id', None)
                     attrs = StrictAttributeDict(pull_request_obj.get_api_data())
                     attrs.author = StrictAttributeDict(
                         pull_request_obj.author.get_api_data())
                     if pull_request_obj.target_repo:
                         attrs.target_repo = StrictAttributeDict(
                             pull_request_obj.target_repo.get_api_data())
                         attrs.target_repo.clone_url = pull_request_obj.target_repo.clone_url
                     if pull_request_obj.source_repo:
                         attrs.source_repo = StrictAttributeDict(
                             pull_request_obj.source_repo.get_api_data())
                         attrs.source_repo.clone_url = pull_request_obj.source_repo.clone_url
                     attrs.source_ref_parts = pull_request_obj.source_ref_parts
                     attrs.target_ref_parts = pull_request_obj.target_ref_parts
                     attrs.revisions = pull_request_obj.revisions
                     attrs.shadow_merge_ref = org_pull_request_obj.shadow_merge_ref
                     attrs.reviewer_data = org_pull_request_obj.reviewer_data
                     attrs.reviewer_data_json = org_pull_request_obj.reviewer_data_json
                     return PullRequestDisplay(attrs, internal=internal_methods)
                 def is_closed(self):
                     return self.status == self.STATUS_CLOSED
                 def __json__(self):
                     return {
                         'revisions': self.revisions,
                     }
                 def calculated_review_status(self):
                     from rhodecode.model.changeset_status import ChangesetStatusModel
                     return ChangesetStatusModel().calculated_review_status(self)
                 def reviewers_statuses(self):
                     from rhodecode.model.changeset_status import ChangesetStatusModel
                     return ChangesetStatusModel().reviewers_statuses(self)
                 @property
                 def workspace_id(self):
                     from rhodecode.model.pull_request import PullRequestModel
                     return PullRequestModel()._workspace_id(self)
                 def get_shadow_repo(self):
                     workspace_id = self.workspace_id
                     vcs_obj = self.target_repo.scm_instance()
                     shadow_repository_path = vcs_obj._get_shadow_repository_path(
                         self.target_repo.repo_id, workspace_id)
                     if os.path.isdir(shadow_repository_path):
                         return vcs_obj.get_shadow_instance(shadow_repository_path)
             class PullRequestVersion(Base, _PullRequestBase):
                 __tablename__ = 'pull_request_versions'
                 __table_args__ = (
                     base_table_args,
                 )
                 pull_request_version_id = Column(
                     'pull_request_version_id', Integer(), nullable=False, primary_key=True)
                 pull_request_id = Column(
                     'pull_request_id', Integer(),
                     ForeignKey('pull_requests.pull_request_id'), nullable=False)
                 pull_request = relationship('PullRequest')
                 def __repr__(self):
                     if self.pull_request_version_id:
                         return '<DB:PullRequestVersion #%s>' % self.pull_request_version_id
                     else:
                         return '<DB:PullRequestVersion at %#x>' % id(self)
                 @property
                 def reviewers(self):
                     return self.pull_request.reviewers
                 @property
                 def versions(self):
                     return self.pull_request.versions
                 def is_closed(self):
                     # calculate from original
                     return self.pull_request.status == self.STATUS_CLOSED
                 def calculated_review_status(self):
                     return self.pull_request.calculated_review_status()
                 def reviewers_statuses(self):
                     return self.pull_request.reviewers_statuses()
             class PullRequestReviewers(Base, BaseModel):
                 __tablename__ = 'pull_request_reviewers'
                 __table_args__ = (
                     base_table_args,
                 )
                 @hybrid_property
                 def reasons(self):
                     if not self._reasons:
                         return []
                     return self._reasons
                 @reasons.setter
                 def reasons(self, val):
                     val = val or []
                     if any(not isinstance(x, compat.string_types) for x in val):
                         raise Exception('invalid reasons type, must be list of strings')
                     self._reasons = val
                 pull_requests_reviewers_id = Column(
                     'pull_requests_reviewers_id', Integer(), nullable=False,
                     primary_key=True)
                 pull_request_id = Column(
                     "pull_request_id", Integer(),
                     ForeignKey('pull_requests.pull_request_id'), nullable=False)
                 user_id = Column(
                     "user_id", Integer(), ForeignKey('users.user_id'), nullable=True)
                 _reasons = Column(
                     'reason', MutationList.as_mutable(
                         JsonType('list', dialect_map=dict(mysql=UnicodeText(16384)))))
                 mandatory = Column("mandatory", Boolean(), nullable=False, default=False)
                 user = relationship('User')
                 pull_request = relationship('PullRequest')
                 rule_data = Column(
                     'rule_data_json',
                     JsonType(dialect_map=dict(mysql=UnicodeText(16384))))
                 def rule_user_group_data(self):
                     """
                     Returns the voting user group rule data for this reviewer
                     """
                     if self.rule_data and 'vote_rule' in self.rule_data:
                         user_group_data = {}
                         if 'rule_user_group_entry_id' in self.rule_data:
                             # means a group with voting rules !
                             user_group_data['id'] = self.rule_data['rule_user_group_entry_id']
                             user_group_data['name'] = self.rule_data['rule_name']
                             user_group_data['vote_rule'] = self.rule_data['vote_rule']
                         return user_group_data
                 def __unicode__(self):
                     return u"<%s('id:%s')>" % (self.__class__.__name__,
                                                self.pull_requests_reviewers_id)
             class Notification(Base, BaseModel):
                 __tablename__ = 'notifications'
                 __table_args__ = (
                     Index('notification_type_idx', 'type'),
                     base_table_args,
                 )
                 TYPE_CHANGESET_COMMENT = u'cs_comment'
                 TYPE_MESSAGE = u'message'
                 TYPE_MENTION = u'mention'
                 TYPE_REGISTRATION = u'registration'
                 TYPE_PULL_REQUEST = u'pull_request'
                 TYPE_PULL_REQUEST_COMMENT = u'pull_request_comment'
                 notification_id = Column('notification_id', Integer(), nullable=False, primary_key=True)
                 subject = Column('subject', Unicode(512), nullable=True)
                 body = Column('body', UnicodeText().with_variant(UnicodeText(50000), 'mysql'), nullable=True)
                 created_by = Column("created_by", Integer(), ForeignKey('users.user_id'), nullable=True)
                 created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 type_ = Column('type', Unicode(255))
                 created_by_user = relationship('User')
                 notifications_to_users = relationship('UserNotification', lazy='joined',
                                                       cascade="all, delete, delete-orphan")
                 @property
                 def recipients(self):
                     return [x.user for x in UserNotification.query()\
                             .filter(UserNotification.notification == self)\
                             .order_by(UserNotification.user_id.asc()).all()]
                 @classmethod
                 def create(cls, created_by, subject, body, recipients, type_=None):
                     if type_ is None:
                         type_ = Notification.TYPE_MESSAGE
                     notification = cls()
                     notification.created_by_user = created_by
                     notification.subject = subject
                     notification.body = body
                     notification.type_ = type_
                     notification.created_on = datetime.datetime.now()
                     # For each recipient link the created notification to his account
                     for u in recipients:
                         assoc = UserNotification()
                         assoc.user_id = u.user_id
                         assoc.notification = notification
                         # if created_by is inside recipients mark his notification
                         # as read
                         if u.user_id == created_by.user_id:
                             assoc.read = True
                         Session().add(assoc)
                     Session().add(notification)
                     return notification
             class UserNotification(Base, BaseModel):
                 __tablename__ = 'user_to_notification'
                 __table_args__ = (
                     UniqueConstraint('user_id', 'notification_id'),
                     base_table_args
                 )
                 user_id = Column('user_id', Integer(), ForeignKey('users.user_id'), primary_key=True)
                 notification_id = Column("notification_id", Integer(), ForeignKey('notifications.notification_id'), primary_key=True)
                 read = Column('read', Boolean, default=False)
                 sent_on = Column('sent_on', DateTime(timezone=False), nullable=True, unique=None)
                 user = relationship('User', lazy="joined")
                 notification = relationship('Notification', lazy="joined",
                                             order_by=lambda: Notification.created_on.desc(),)
                 def mark_as_read(self):
                     self.read = True
                     Session().add(self)
             class Gist(Base, BaseModel):
                 __tablename__ = 'gists'
                 __table_args__ = (
                     Index('g_gist_access_id_idx', 'gist_access_id'),
                     Index('g_created_on_idx', 'created_on'),
                     base_table_args
                 )
                 GIST_PUBLIC = u'public'
                 GIST_PRIVATE = u'private'
                 DEFAULT_FILENAME = u'gistfile1.txt'
                 ACL_LEVEL_PUBLIC = u'acl_public'
                 ACL_LEVEL_PRIVATE = u'acl_private'
                 gist_id = Column('gist_id', Integer(), primary_key=True)
                 gist_access_id = Column('gist_access_id', Unicode(250))
                 gist_description = Column('gist_description', UnicodeText().with_variant(UnicodeText(1024), 'mysql'))
                 gist_owner = Column('user_id', Integer(), ForeignKey('users.user_id'), nullable=True)
                 gist_expires = Column('gist_expires', Float(53), nullable=False)
                 gist_type = Column('gist_type', Unicode(128), nullable=False)
                 created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 modified_at = Column('modified_at', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 acl_level = Column('acl_level', Unicode(128), nullable=True)
                 owner = relationship('User')
                 def __repr__(self):
                     return '<Gist:[%s]%s>' % (self.gist_type, self.gist_access_id)
                 @hybrid_property
                 def description_safe(self):
                     from rhodecode.lib import helpers as h
                     return h.escape(self.gist_description)
                 @classmethod
                 def get_or_404(cls, id_):
                     from pyramid.httpexceptions import HTTPNotFound
                     res = cls.query().filter(cls.gist_access_id == id_).scalar()
                     if not res:
                         raise HTTPNotFound()
                     return res
                 @classmethod
                 def get_by_access_id(cls, gist_access_id):
                     return cls.query().filter(cls.gist_access_id == gist_access_id).scalar()
                 def gist_url(self):
                     from rhodecode.model.gist import GistModel
                     return GistModel().get_url(self)
                 @classmethod
                 def base_path(cls):
                     """
                     Returns base path when all gists are stored
                     :param cls:
                     """
                     from rhodecode.model.gist import GIST_STORE_LOC
                     q = Session().query(RhodeCodeUi)\
                         .filter(RhodeCodeUi.ui_key == URL_SEP)
                     q = q.options(FromCache("sql_cache_short", "repository_repo_path"))
                     return os.path.join(q.one().ui_value, GIST_STORE_LOC)
                 def get_api_data(self):
                     """
                     Common function for generating gist related data for API
                     """
                     gist = self
                     data = {
                         'gist_id': gist.gist_id,
                         'type': gist.gist_type,
                         'access_id': gist.gist_access_id,
                         'description': gist.gist_description,
                         'url': gist.gist_url(),
                         'expires': gist.gist_expires,
                         'created_on': gist.created_on,
                         'modified_at': gist.modified_at,
                         'content': None,
                         'acl_level': gist.acl_level,
                     }
                     return data
                 def __json__(self):
                     data = dict(
                     )
                     data.update(self.get_api_data())
                     return data
                 # SCM functions
                 def scm_instance(self, **kwargs):
                     full_repo_path = os.path.join(self.base_path(), self.gist_access_id)
                     return get_vcs_instance(
                         repo_path=safe_str(full_repo_path), create=False)
             class ExternalIdentity(Base, BaseModel):
                 __tablename__ = 'external_identities'
                 __table_args__ = (
                     Index('local_user_id_idx', 'local_user_id'),
                     Index('external_id_idx', 'external_id'),
                     base_table_args
                 )
                 external_id = Column('external_id', Unicode(255), default=u'', primary_key=True)
                 external_username = Column('external_username', Unicode(1024), default=u'')
                 local_user_id = Column('local_user_id', Integer(), ForeignKey('users.user_id'), primary_key=True)
                 provider_name = Column('provider_name', Unicode(255), default=u'', primary_key=True)
                 access_token = Column('access_token', String(1024), default=u'')
                 alt_token = Column('alt_token', String(1024), default=u'')
                 token_secret = Column('token_secret', String(1024), default=u'')
                 @classmethod
                 def by_external_id_and_provider(cls, external_id, provider_name, local_user_id=None):
                     """
                     Returns ExternalIdentity instance based on search params
                     :param external_id:
                     :param provider_name:
                     :return: ExternalIdentity
                     """
                     query = cls.query()
                     query = query.filter(cls.external_id == external_id)
                     query = query.filter(cls.provider_name == provider_name)
                     if local_user_id:
                         query = query.filter(cls.local_user_id == local_user_id)
                     return query.first()
                 @classmethod
                 def user_by_external_id_and_provider(cls, external_id, provider_name):
                     """
                     Returns User instance based on search params
                     :param external_id:
                     :param provider_name:
                     :return: User
                     """
                     query = User.query()
                     query = query.filter(cls.external_id == external_id)
                     query = query.filter(cls.provider_name == provider_name)
                     query = query.filter(User.user_id == cls.local_user_id)
                     return query.first()
                 @classmethod
                 def by_local_user_id(cls, local_user_id):
                     """
                     Returns all tokens for user
                     :param local_user_id:
                     :return: ExternalIdentity
                     """
                     query = cls.query()
                     query = query.filter(cls.local_user_id == local_user_id)
                     return query
                 @classmethod
                 def load_provider_plugin(cls, plugin_id):
                     from rhodecode.authentication.base import loadplugin
                     _plugin_id = 'egg:rhodecode-enterprise-ee#{}'.format(plugin_id)
                     auth_plugin = loadplugin(_plugin_id)
                     return auth_plugin
             class Integration(Base, BaseModel):
                 __tablename__ = 'integrations'
                 __table_args__ = (
                     base_table_args
                 )
                 integration_id = Column('integration_id', Integer(), primary_key=True)
                 integration_type = Column('integration_type', String(255))
                 enabled = Column('enabled', Boolean(), nullable=False)
                 name = Column('name', String(255), nullable=False)
                 child_repos_only = Column('child_repos_only', Boolean(), nullable=False,
                     default=False)
                 settings = Column(
                     'settings_json', MutationObj.as_mutable(
                         JsonType(dialect_map=dict(mysql=UnicodeText(16384)))))
                 repo_id = Column(
                     'repo_id', Integer(), ForeignKey('repositories.repo_id'),
                     nullable=True, unique=None, default=None)
                 repo = relationship('Repository', lazy='joined')
                 repo_group_id = Column(
                     'repo_group_id', Integer(), ForeignKey('groups.group_id'),
                     nullable=True, unique=None, default=None)
                 repo_group = relationship('RepoGroup', lazy='joined')
                 @property
                 def scope(self):
                     if self.repo:
                         return repr(self.repo)
                     if self.repo_group:
                         if self.child_repos_only:
                             return repr(self.repo_group) + ' (child repos only)'
                         else:
                             return repr(self.repo_group) + ' (recursive)'
                     if self.child_repos_only:
                         return 'root_repos'
                     return 'global'
                 def __repr__(self):
                     return '<Integration(%r, %r)>' % (self.integration_type, self.scope)
             class RepoReviewRuleUser(Base, BaseModel):
                 __tablename__ = 'repo_review_rules_users'
                 __table_args__ = (
                     base_table_args
                 )
                 repo_review_rule_user_id = Column('repo_review_rule_user_id', Integer(), primary_key=True)
                 repo_review_rule_id = Column("repo_review_rule_id", Integer(), ForeignKey('repo_review_rules.repo_review_rule_id'))
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False)
                 mandatory = Column("mandatory", Boolean(), nullable=False, default=False)
                 user = relationship('User')
                 def rule_data(self):
                     return {
                         'mandatory': self.mandatory
                     }
             class RepoReviewRuleUserGroup(Base, BaseModel):
                 __tablename__ = 'repo_review_rules_users_groups'
                 __table_args__ = (
                     base_table_args
                 )
                 VOTE_RULE_ALL = -1
                 repo_review_rule_users_group_id = Column('repo_review_rule_users_group_id', Integer(), primary_key=True)
                 repo_review_rule_id = Column("repo_review_rule_id", Integer(), ForeignKey('repo_review_rules.repo_review_rule_id'))
                 users_group_id = Column("users_group_id", Integer(),ForeignKey('users_groups.users_group_id'), nullable=False)
                 mandatory = Column("mandatory", Boolean(), nullable=False, default=False)
                 vote_rule = Column("vote_rule", Integer(), nullable=True, default=VOTE_RULE_ALL)
                 users_group = relationship('UserGroup')
                 def rule_data(self):
                     return {
                         'mandatory': self.mandatory,
                         'vote_rule': self.vote_rule
                     }
                 @property
                 def vote_rule_label(self):
                     if not self.vote_rule or self.vote_rule == self.VOTE_RULE_ALL:
                         return 'all must vote'
                     else:
                         return 'min. vote {}'.format(self.vote_rule)
             class RepoReviewRule(Base, BaseModel):
                 __tablename__ = 'repo_review_rules'
                 __table_args__ = (
                     base_table_args
                 )
                 repo_review_rule_id = Column(
                     'repo_review_rule_id', Integer(), primary_key=True)
                 repo_id = Column(
                     "repo_id", Integer(), ForeignKey('repositories.repo_id'))
                 repo = relationship('Repository', backref='review_rules')
                 review_rule_name = Column('review_rule_name', String(255))
                 _branch_pattern = Column("branch_pattern", UnicodeText().with_variant(UnicodeText(255), 'mysql'), default=u'*')  # glob
                 _target_branch_pattern = Column("target_branch_pattern", UnicodeText().with_variant(UnicodeText(255), 'mysql'), default=u'*')  # glob
                 _file_pattern = Column("file_pattern", UnicodeText().with_variant(UnicodeText(255), 'mysql'), default=u'*')  # glob
                 use_authors_for_review = Column("use_authors_for_review", Boolean(), nullable=False, default=False)
                 forbid_author_to_review = Column("forbid_author_to_review", Boolean(), nullable=False, default=False)
                 forbid_commit_author_to_review = Column("forbid_commit_author_to_review", Boolean(), nullable=False, default=False)
                 forbid_adding_reviewers = Column("forbid_adding_reviewers", Boolean(), nullable=False, default=False)
                 rule_users = relationship('RepoReviewRuleUser')
                 rule_user_groups = relationship('RepoReviewRuleUserGroup')
                 def _validate_pattern(self, value):
                     re.compile('^' + glob2re(value) + '$')
                 @hybrid_property
                 def source_branch_pattern(self):
                     return self._branch_pattern or '*'
                 @source_branch_pattern.setter
                 def source_branch_pattern(self, value):
                     self._validate_pattern(value)
                     self._branch_pattern = value or '*'
                 @hybrid_property
                 def target_branch_pattern(self):
                     return self._target_branch_pattern or '*'
                 @target_branch_pattern.setter
                 def target_branch_pattern(self, value):
                     self._validate_pattern(value)
                     self._target_branch_pattern = value or '*'
                 @hybrid_property
                 def file_pattern(self):
                     return self._file_pattern or '*'
                 @file_pattern.setter
                 def file_pattern(self, value):
                     self._validate_pattern(value)
                     self._file_pattern = value or '*'
                 def matches(self, source_branch, target_branch, files_changed):
                     """
                     Check if this review rule matches a branch/files in a pull request
                     :param source_branch: source branch name for the commit
                     :param target_branch: target branch name for the commit
                     :param files_changed: list of file paths changed in the pull request
                     """
                     source_branch = source_branch or ''
                     target_branch = target_branch or ''
                     files_changed = files_changed or []
                     branch_matches = True
                     if source_branch or target_branch:
                         if self.source_branch_pattern == '*':
                             source_branch_match = True
                         else:
                             if self.source_branch_pattern.startswith('re:'):
                                 source_pattern = self.source_branch_pattern[3:]
                             else:
                                 source_pattern = '^' + glob2re(self.source_branch_pattern) + '$'
                             source_branch_regex = re.compile(source_pattern)
                             source_branch_match = bool(source_branch_regex.search(source_branch))
                         if self.target_branch_pattern == '*':
                             target_branch_match = True
                         else:
                             if self.target_branch_pattern.startswith('re:'):
                                 target_pattern = self.target_branch_pattern[3:]
                             else:
                                 target_pattern = '^' + glob2re(self.target_branch_pattern) + '$'
                             target_branch_regex = re.compile(target_pattern)
                             target_branch_match = bool(target_branch_regex.search(target_branch))
                         branch_matches = source_branch_match and target_branch_match
                     files_matches = True
                     if self.file_pattern != '*':
                         files_matches = False
                         if self.file_pattern.startswith('re:'):
                             file_pattern = self.file_pattern[3:]
                         else:
                             file_pattern = glob2re(self.file_pattern)
                         file_regex = re.compile(file_pattern)
                         for filename in files_changed:
                             if file_regex.search(filename):
                                 files_matches = True
                                 break
                     return branch_matches and files_matches
                 @property
                 def review_users(self):
                     """ Returns the users which this rule applies to """
                     users = collections.OrderedDict()
                     for rule_user in self.rule_users:
                         if rule_user.user.active:
                             if rule_user.user not in users:
                                 users[rule_user.user.username] = {
                                     'user': rule_user.user,
                                     'source': 'user',
                                     'source_data': {},
                                     'data': rule_user.rule_data()
                                 }
                     for rule_user_group in self.rule_user_groups:
                         source_data = {
                             'user_group_id': rule_user_group.users_group.users_group_id,
                             'name': rule_user_group.users_group.users_group_name,
                             'members': len(rule_user_group.users_group.members)
                         }
                         for member in rule_user_group.users_group.members:
                             if member.user.active:
                                 key = member.user.username
                                 if key in users:
                                     # skip this member as we have him already
                                     # this prevents from override the "first" matched
                                     # users with duplicates in multiple groups
                                     continue
                                 users[key] = {
                                     'user': member.user,
                                     'source': 'user_group',
                                     'source_data': source_data,
                                     'data': rule_user_group.rule_data()
                                 }
                     return users
                 def user_group_vote_rule(self, user_id):
                     rules = []
                     if not self.rule_user_groups:
                         return rules
                     for user_group in self.rule_user_groups:
                         user_group_members = [x.user_id for x in user_group.users_group.members]
                         if user_id in user_group_members:
                             rules.append(user_group)
                     return rules
                 def __repr__(self):
                     return '<RepoReviewerRule(id=%r, repo=%r)>' % (
                         self.repo_review_rule_id, self.repo)
             class ScheduleEntry(Base, BaseModel):
                 __tablename__ = 'schedule_entries'
                 __table_args__ = (
                     UniqueConstraint('schedule_name', name='s_schedule_name_idx'),
                     UniqueConstraint('task_uid', name='s_task_uid_idx'),
                     base_table_args,
                 )
                 schedule_types = ['crontab', 'timedelta', 'integer']
                 schedule_entry_id = Column('schedule_entry_id', Integer(), primary_key=True)
                 schedule_name = Column("schedule_name", String(255), nullable=False, unique=None, default=None)
                 schedule_description = Column("schedule_description", String(10000), nullable=True, unique=None, default=None)
                 schedule_enabled = Column("schedule_enabled", Boolean(), nullable=False, unique=None, default=True)
                 _schedule_type = Column("schedule_type", String(255), nullable=False, unique=None, default=None)
                 schedule_definition = Column('schedule_definition_json', MutationObj.as_mutable(JsonType(default=lambda: "", dialect_map=dict(mysql=LONGTEXT()))))
                 schedule_last_run = Column('schedule_last_run', DateTime(timezone=False), nullable=True, unique=None, default=None)
                 schedule_total_run_count = Column('schedule_total_run_count', Integer(), nullable=True, unique=None, default=0)
                 # task
                 task_uid = Column("task_uid", String(255), nullable=False, unique=None, default=None)
                 task_dot_notation = Column("task_dot_notation", String(4096), nullable=False, unique=None, default=None)
                 task_args = Column('task_args_json', MutationObj.as_mutable(JsonType(default=list, dialect_map=dict(mysql=LONGTEXT()))))
                 task_kwargs = Column('task_kwargs_json', MutationObj.as_mutable(JsonType(default=dict, dialect_map=dict(mysql=LONGTEXT()))))
                 created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 updated_on = Column('updated_on', DateTime(timezone=False), nullable=True, unique=None, default=None)
                 @hybrid_property
                 def schedule_type(self):
                     return self._schedule_type
                 @schedule_type.setter
                 def schedule_type(self, val):
                     if val not in self.schedule_types:
                         raise ValueError('Value must be on of `{}` and got `{}`'.format(
                             val, self.schedule_type))
                     self._schedule_type = val
                 @classmethod
                 def get_uid(cls, obj):
                     args = obj.task_args
                     kwargs = obj.task_kwargs
                     if isinstance(args, JsonRaw):
                         try:
                             args = json.loads(args)
                         except ValueError:
                             args = tuple()
                     if isinstance(kwargs, JsonRaw):
                         try:
                             kwargs = json.loads(kwargs)
                         except ValueError:
                             kwargs = dict()
                     dot_notation = obj.task_dot_notation
                     val = '.'.join(map(safe_str, [
                         sorted(dot_notation), args, sorted(kwargs.items())]))
                     return hashlib.sha1(val).hexdigest()
                 @classmethod
                 def get_by_schedule_name(cls, schedule_name):
                     return cls.query().filter(cls.schedule_name == schedule_name).scalar()
                 @classmethod
                 def get_by_schedule_id(cls, schedule_id):
                     return cls.query().filter(cls.schedule_entry_id == schedule_id).scalar()
                 @property
                 def task(self):
                     return self.task_dot_notation
                 @property
                 def schedule(self):
                     from rhodecode.lib.celerylib.utils import raw_2_schedule
                     schedule = raw_2_schedule(self.schedule_definition, self.schedule_type)
                     return schedule
                 @property
                 def args(self):
                     try:
                         return list(self.task_args or [])
                     except ValueError:
                         return list()
                 @property
                 def kwargs(self):
                     try:
                         return dict(self.task_kwargs or {})
                     except ValueError:
                         return dict()
                 def _as_raw(self, val):
                     if hasattr(val, 'de_coerce'):
                         val = val.de_coerce()
                         if val:
                             val = json.dumps(val)
                     return val
                 @property
                 def schedule_definition_raw(self):
                     return self._as_raw(self.schedule_definition)
                 @property
                 def args_raw(self):
                     return self._as_raw(self.task_args)
                 @property
                 def kwargs_raw(self):
                     return self._as_raw(self.task_kwargs)
                 def __repr__(self):
                     return '<DB:ScheduleEntry({}:{})>'.format(
                         self.schedule_entry_id, self.schedule_name)
             @event.listens_for(ScheduleEntry, 'before_update')
             def update_task_uid(mapper, connection, target):
                 target.task_uid = ScheduleEntry.get_uid(target)
             @event.listens_for(ScheduleEntry, 'before_insert')
             def set_task_uid(mapper, connection, target):
                 target.task_uid = ScheduleEntry.get_uid(target)
             class _BaseBranchPerms(BaseModel):
                 @classmethod
                 def compute_hash(cls, value):
                     return sha1_safe(value)
                 @hybrid_property
                 def branch_pattern(self):
                     return self._branch_pattern or '*'
                 @hybrid_property
                 def branch_hash(self):
                     return self._branch_hash
                 def _validate_glob(self, value):
                     re.compile('^' + glob2re(value) + '$')
                 @branch_pattern.setter
                 def branch_pattern(self, value):
                     self._validate_glob(value)
                     self._branch_pattern = value or '*'
                     # set the Hash when setting the branch pattern
                     self._branch_hash = self.compute_hash(self._branch_pattern)
                 def matches(self, branch):
                     """
                     Check if this the branch matches entry
                     :param branch: branch name for the commit
                     """
                     branch = branch or ''
                     branch_matches = True
                     if branch:
                         branch_regex = re.compile('^' + glob2re(self.branch_pattern) + '$')
                         branch_matches = bool(branch_regex.search(branch))
                     return branch_matches
             class UserToRepoBranchPermission(Base, _BaseBranchPerms):
                 __tablename__ = 'user_to_repo_branch_permissions'
                 __table_args__ = (
                     {'extend_existing': True, 'mysql_engine': 'InnoDB',
                      'mysql_charset': 'utf8', 'sqlite_autoincrement': True,}
                 )
                 branch_rule_id = Column('branch_rule_id', Integer(), primary_key=True)
                 repository_id = Column('repository_id', Integer(), ForeignKey('repositories.repo_id'), nullable=False, unique=None, default=None)
                 repo = relationship('Repository', backref='user_branch_perms')
                 permission_id = Column('permission_id', Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)
                 permission = relationship('Permission')
                 rule_to_perm_id = Column('rule_to_perm_id', Integer(), ForeignKey('repo_to_perm.repo_to_perm_id'), nullable=False, unique=None, default=None)
                 user_repo_to_perm = relationship('UserRepoToPerm')
                 rule_order = Column('rule_order', Integer(), nullable=False)
                 _branch_pattern = Column('branch_pattern', UnicodeText().with_variant(UnicodeText(2048), 'mysql'), default=u'*')  # glob
                 _branch_hash = Column('branch_hash', UnicodeText().with_variant(UnicodeText(2048), 'mysql'))
                 def __unicode__(self):
                     return u'<UserBranchPermission(%s => %r)>' % (
                         self.user_repo_to_perm, self.branch_pattern)
             class UserGroupToRepoBranchPermission(Base, _BaseBranchPerms):
                 __tablename__ = 'user_group_to_repo_branch_permissions'
                 __table_args__ = (
                     {'extend_existing': True, 'mysql_engine': 'InnoDB',
                      'mysql_charset': 'utf8', 'sqlite_autoincrement': True,}
                 )
                 branch_rule_id = Column('branch_rule_id', Integer(), primary_key=True)
                 repository_id = Column('repository_id', Integer(), ForeignKey('repositories.repo_id'), nullable=False, unique=None, default=None)
                 repo = relationship('Repository', backref='user_group_branch_perms')
                 permission_id = Column('permission_id', Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)
                 permission = relationship('Permission')
                 rule_to_perm_id = Column('rule_to_perm_id', Integer(), ForeignKey('users_group_repo_to_perm.users_group_to_perm_id'), nullable=False, unique=None, default=None)
                 user_group_repo_to_perm = relationship('UserGroupRepoToPerm')
                 rule_order = Column('rule_order', Integer(), nullable=False)
                 _branch_pattern = Column('branch_pattern', UnicodeText().with_variant(UnicodeText(2048), 'mysql'), default=u'*')  # glob
                 _branch_hash = Column('branch_hash', UnicodeText().with_variant(UnicodeText(2048), 'mysql'))
                 def __unicode__(self):
                     return u'<UserBranchPermission(%s => %r)>' % (
                         self.user_group_repo_to_perm, self.branch_pattern)
             class DbMigrateVersion(Base, BaseModel):
                 __tablename__ = 'db_migrate_version'
                 __table_args__ = (
                     base_table_args,
                 )
                 repository_id = Column('repository_id', String(250), primary_key=True)
                 repository_path = Column('repository_path', Text)
                 version = Column('version', Integer)
                 @classmethod
                 def set_version(cls, version):
                     """
                     Helper for forcing a different version, usually for debugging purposes via ishell.
                     """
                     ver = DbMigrateVersion.query().first()
                     ver.version = version
                     Session().commit()
             class DbSession(Base, BaseModel):
                 __tablename__ = 'db_session'
                 __table_args__ = (
                     base_table_args,
                 )
                 def __repr__(self):
                     return '<DB:DbSession({})>'.format(self.id)
                 id = Column('id', Integer())
                 namespace = Column('namespace', String(255), primary_key=True)
                 accessed = Column('accessed', DateTime, nullable=False)
                 created = Column('created', DateTime, nullable=False)
                 data = Column('data', PickleType, nullable=False)

rhodecode/lib/dbmigrate/schema/db_4_16_0_1.py

0 +1 -1

             # -*- coding: utf-8 -*-
             # Copyright (C) 2010-2019 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             """
             Database Models for RhodeCode Enterprise
             """
             import re
             import os
             import time
             import hashlib
             import logging
             import datetime
             import warnings
             import ipaddress
             import functools
             import traceback
             import collections
             from sqlalchemy import (
                 or_, and_, not_, func, TypeDecorator, event,
                 Index, Sequence, UniqueConstraint, ForeignKey, CheckConstraint, Column,
                 Boolean, String, Unicode, UnicodeText, DateTime, Integer, LargeBinary,
                 Text, Float, PickleType)
             from sqlalchemy.sql.expression import true, false
             from sqlalchemy.sql.functions import coalesce, count  # pragma: no cover
             from sqlalchemy.orm import (
                 relationship, joinedload, class_mapper, validates, aliased)
             from sqlalchemy.ext.declarative import declared_attr
             from sqlalchemy.ext.hybrid import hybrid_property
             from sqlalchemy.exc import IntegrityError  # pragma: no cover
             from sqlalchemy.dialects.mysql import LONGTEXT
             from zope.cachedescriptors.property import Lazy as LazyProperty
             from pyramid import compat
             from pyramid.threadlocal import get_current_request
             from rhodecode.translation import _
             from rhodecode.lib.vcs import get_vcs_instance
             from rhodecode.lib.vcs.backends.base import EmptyCommit, Reference
             from rhodecode.lib.utils2 import (
                 str2bool, safe_str, get_commit_safe, safe_unicode, sha1_safe,
                 time_to_datetime, aslist, Optional, safe_int, get_clone_url, AttributeDict,
                 glob2re, StrictAttributeDict, cleaned_uri)
             from rhodecode.lib.jsonalchemy import MutationObj, MutationList, JsonType, \
                 JsonRaw
             from rhodecode.lib.ext_json import json
             from rhodecode.lib.caching_query import FromCache
             from rhodecode.lib.encrypt import AESCipher
             from rhodecode.model.meta import Base, Session
             URL_SEP = '/'
             log = logging.getLogger(__name__)
             # =============================================================================
             # BASE CLASSES
             # =============================================================================
             # this is propagated from .ini file rhodecode.encrypted_values.secret or
             # beaker.session.secret if first is not set.
             # and initialized at environment.py
             ENCRYPTION_KEY = None
             # used to sort permissions by types, '#' used here is not allowed to be in
             # usernames, and it's very early in sorted string.printable table.
             PERMISSION_TYPE_SORT = {
                 'admin': '####',
                 'write': '###',
                 'read':  '##',
                 'none':  '#',
             }
             def display_user_sort(obj):
                 """
                 Sort function used to sort permissions in .permissions() function of
                 Repository, RepoGroup, UserGroup. Also it put the default user in front
                 of all other resources
                 """
                 if obj.username == User.DEFAULT_USER:
                     return '#####'
                 prefix = PERMISSION_TYPE_SORT.get(obj.permission.split('.')[-1], '')
                 return prefix + obj.username
             def display_user_group_sort(obj):
                 """
                 Sort function used to sort permissions in .permissions() function of
                 Repository, RepoGroup, UserGroup. Also it put the default user in front
                 of all other resources
                 """
                 prefix = PERMISSION_TYPE_SORT.get(obj.permission.split('.')[-1], '')
                 return prefix + obj.users_group_name
             def _hash_key(k):
                 return sha1_safe(k)
             def in_filter_generator(qry, items, limit=500):
                 """
                 Splits IN() into multiple with OR
                 e.g.::
                 cnt = Repository.query().filter(
                     or_(
                         *in_filter_generator(Repository.repo_id, range(100000))
                     )).count()
                 """
                 if not items:
                     # empty list will cause empty query which might cause security issues
                     # this can lead to hidden unpleasant results
                     items = [-1]
                 parts = []
                 for chunk in xrange(0, len(items), limit):
                     parts.append(
                         qry.in_(items[chunk: chunk + limit])
                     )
                 return parts
             base_table_args = {
                 'extend_existing': True,
                 'mysql_engine': 'InnoDB',
                 'mysql_charset': 'utf8',
                 'sqlite_autoincrement': True
             }
             class EncryptedTextValue(TypeDecorator):
                 """
                 Special column for encrypted long text data, use like::
                     value = Column("encrypted_value", EncryptedValue(), nullable=False)
                 This column is intelligent so if value is in unencrypted form it return
                 unencrypted form, but on save it always encrypts
                 """
                 impl = Text
                 def process_bind_param(self, value, dialect):
                     if not value:
                         return value
                     if value.startswith('enc$aes$') or value.startswith('enc$aes_hmac$'):
                         # protect against double encrypting if someone manually starts
                         # doing
                         raise ValueError('value needs to be in unencrypted format, ie. '
                                          'not starting with enc$aes')
                     return 'enc$aes_hmac$%s' % AESCipher(
                         ENCRYPTION_KEY, hmac=True).encrypt(value)
                 def process_result_value(self, value, dialect):
                     import rhodecode
                     if not value:
                         return value
                     parts = value.split('$', 3)
                     if not len(parts) == 3:
                         # probably not encrypted values
                         return value
                     else:
                         if parts[0] != 'enc':
                             # parts ok but without our header ?
                             return value
                         enc_strict_mode = str2bool(rhodecode.CONFIG.get(
                             'rhodecode.encrypted_values.strict') or True)
                         # at that stage we know it's our encryption
                         if parts[1] == 'aes':
                             decrypted_data = AESCipher(ENCRYPTION_KEY).decrypt(parts[2])
                         elif parts[1] == 'aes_hmac':
                             decrypted_data = AESCipher(
                                 ENCRYPTION_KEY, hmac=True,
                                 strict_verification=enc_strict_mode).decrypt(parts[2])
                         else:
                             raise ValueError(
                                 'Encryption type part is wrong, must be `aes` '
                                 'or `aes_hmac`, got `%s` instead' % (parts[1]))
                         return decrypted_data
             class BaseModel(object):
                 """
                 Base Model for all classes
                 """
                 @classmethod
                 def _get_keys(cls):
                     """return column names for this model """
                     return class_mapper(cls).c.keys()
                 def get_dict(self):
                     """
                     return dict with keys and values corresponding
                     to this model data """
                     d = {}
                     for k in self._get_keys():
                         d[k] = getattr(self, k)
                     # also use __json__() if present to get additional fields
                     _json_attr = getattr(self, '__json__', None)
                     if _json_attr:
                         # update with attributes from __json__
                         if callable(_json_attr):
                             _json_attr = _json_attr()
                         for k, val in _json_attr.iteritems():
                             d[k] = val
                     return d
                 def get_appstruct(self):
                     """return list with keys and values tuples corresponding
                     to this model data """
                     lst = []
                     for k in self._get_keys():
                         lst.append((k, getattr(self, k),))
                     return lst
                 def populate_obj(self, populate_dict):
                     """populate model with data from given populate_dict"""
                     for k in self._get_keys():
                         if k in populate_dict:
                             setattr(self, k, populate_dict[k])
                 @classmethod
                 def query(cls):
                     return Session().query(cls)
                 @classmethod
                 def get(cls, id_):
                     if id_:
                         return cls.query().get(id_)
                 @classmethod
                 def get_or_404(cls, id_):
                     from pyramid.httpexceptions import HTTPNotFound
                     try:
                         id_ = int(id_)
                     except (TypeError, ValueError):
                         raise HTTPNotFound()
                     res = cls.query().get(id_)
                     if not res:
                         raise HTTPNotFound()
                     return res
                 @classmethod
                 def getAll(cls):
                     # deprecated and left for backward compatibility
                     return cls.get_all()
                 @classmethod
                 def get_all(cls):
                     return cls.query().all()
                 @classmethod
                 def delete(cls, id_):
                     obj = cls.query().get(id_)
                     Session().delete(obj)
                 @classmethod
                 def identity_cache(cls, session, attr_name, value):
                     exist_in_session = []
                     for (item_cls, pkey), instance in session.identity_map.items():
                         if cls == item_cls and getattr(instance, attr_name) == value:
                             exist_in_session.append(instance)
                     if exist_in_session:
                         if len(exist_in_session) == 1:
                             return exist_in_session[0]
                         log.exception(
                             'multiple objects with attr %s and '
                             'value %s found with same name: %r',
                             attr_name, value, exist_in_session)
                 def __repr__(self):
                     if hasattr(self, '__unicode__'):
                         # python repr needs to return str
                         try:
                             return safe_str(self.__unicode__())
                         except UnicodeDecodeError:
                             pass
                     return '<DB:%s>' % (self.__class__.__name__)
             class RhodeCodeSetting(Base, BaseModel):
                 __tablename__ = 'rhodecode_settings'
                 __table_args__ = (
                     UniqueConstraint('app_settings_name'),
                     base_table_args
                 )
                 SETTINGS_TYPES = {
                     'str': safe_str,
                     'int': safe_int,
                     'unicode': safe_unicode,
                     'bool': str2bool,
                     'list': functools.partial(aslist, sep=',')
                 }
                 DEFAULT_UPDATE_URL = 'https://rhodecode.com/api/v1/info/versions'
                 GLOBAL_CONF_KEY = 'app_settings'
                 app_settings_id = Column("app_settings_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 app_settings_name = Column("app_settings_name", String(255), nullable=True, unique=None, default=None)
                 _app_settings_value = Column("app_settings_value", String(4096), nullable=True, unique=None, default=None)
                 _app_settings_type = Column("app_settings_type", String(255), nullable=True, unique=None, default=None)
                 def __init__(self, key='', val='', type='unicode'):
                     self.app_settings_name = key
                     self.app_settings_type = type
                     self.app_settings_value = val
                 @validates('_app_settings_value')
                 def validate_settings_value(self, key, val):
                     assert type(val) == unicode
                     return val
                 @hybrid_property
                 def app_settings_value(self):
                     v = self._app_settings_value
                     _type = self.app_settings_type
                     if _type:
                         _type = self.app_settings_type.split('.')[0]
                         # decode the encrypted value
                         if 'encrypted' in self.app_settings_type:
                             cipher = EncryptedTextValue()
                             v = safe_unicode(cipher.process_result_value(v, None))
                     converter = self.SETTINGS_TYPES.get(_type) or \
                         self.SETTINGS_TYPES['unicode']
                     return converter(v)
                 @app_settings_value.setter
                 def app_settings_value(self, val):
                     """
                     Setter that will always make sure we use unicode in app_settings_value
                     :param val:
                     """
                     val = safe_unicode(val)
                     # encode the encrypted value
                     if 'encrypted' in self.app_settings_type:
                         cipher = EncryptedTextValue()
                         val = safe_unicode(cipher.process_bind_param(val, None))
                     self._app_settings_value = val
                 @hybrid_property
                 def app_settings_type(self):
                     return self._app_settings_type
                 @app_settings_type.setter
                 def app_settings_type(self, val):
                     if val.split('.')[0] not in self.SETTINGS_TYPES:
                         raise Exception('type must be one of %s got %s'
                                         % (self.SETTINGS_TYPES.keys(), val))
                     self._app_settings_type = val
                 @classmethod
                 def get_by_prefix(cls, prefix):
                     return RhodeCodeSetting.query()\
                         .filter(RhodeCodeSetting.app_settings_name.startswith(prefix))\
                         .all()
                 def __unicode__(self):
                     return u"<%s('%s:%s[%s]')>" % (
                         self.__class__.__name__,
                         self.app_settings_name, self.app_settings_value,
                         self.app_settings_type
                     )
             class RhodeCodeUi(Base, BaseModel):
                 __tablename__ = 'rhodecode_ui'
                 __table_args__ = (
                     UniqueConstraint('ui_key'),
                     base_table_args
                 )
                 HOOK_REPO_SIZE = 'changegroup.repo_size'
                 # HG
                 HOOK_PRE_PULL = 'preoutgoing.pre_pull'
                 HOOK_PULL = 'outgoing.pull_logger'
                 HOOK_PRE_PUSH = 'prechangegroup.pre_push'
                 HOOK_PRETX_PUSH = 'pretxnchangegroup.pre_push'
                 HOOK_PUSH = 'changegroup.push_logger'
                 HOOK_PUSH_KEY = 'pushkey.key_push'
                 # TODO: johbo: Unify way how hooks are configured for git and hg,
                 # git part is currently hardcoded.
                 # SVN PATTERNS
                 SVN_BRANCH_ID = 'vcs_svn_branch'
                 SVN_TAG_ID = 'vcs_svn_tag'
                 ui_id = Column(
                     "ui_id", Integer(), nullable=False, unique=True, default=None,
                     primary_key=True)
                 ui_section = Column(
                     "ui_section", String(255), nullable=True, unique=None, default=None)
                 ui_key = Column(
                     "ui_key", String(255), nullable=True, unique=None, default=None)
                 ui_value = Column(
                     "ui_value", String(255), nullable=True, unique=None, default=None)
                 ui_active = Column(
                     "ui_active", Boolean(), nullable=True, unique=None, default=True)
                 def __repr__(self):
                     return '<%s[%s]%s=>%s]>' % (self.__class__.__name__, self.ui_section,
                                                 self.ui_key, self.ui_value)
             class RepoRhodeCodeSetting(Base, BaseModel):
                 __tablename__ = 'repo_rhodecode_settings'
                 __table_args__ = (
                     UniqueConstraint(
                         'app_settings_name', 'repository_id',
                         name='uq_repo_rhodecode_setting_name_repo_id'),
                     base_table_args
                 )
                 repository_id = Column(
                     "repository_id", Integer(), ForeignKey('repositories.repo_id'),
                     nullable=False)
                 app_settings_id = Column(
                     "app_settings_id", Integer(), nullable=False, unique=True,
                     default=None, primary_key=True)
                 app_settings_name = Column(
                     "app_settings_name", String(255), nullable=True, unique=None,
                     default=None)
                 _app_settings_value = Column(
                     "app_settings_value", String(4096), nullable=True, unique=None,
                     default=None)
                 _app_settings_type = Column(
                     "app_settings_type", String(255), nullable=True, unique=None,
                     default=None)
                 repository = relationship('Repository')
                 def __init__(self, repository_id, key='', val='', type='unicode'):
                     self.repository_id = repository_id
                     self.app_settings_name = key
                     self.app_settings_type = type
                     self.app_settings_value = val
                 @validates('_app_settings_value')
                 def validate_settings_value(self, key, val):
                     assert type(val) == unicode
                     return val
                 @hybrid_property
                 def app_settings_value(self):
                     v = self._app_settings_value
                     type_ = self.app_settings_type
                     SETTINGS_TYPES = RhodeCodeSetting.SETTINGS_TYPES
                     converter = SETTINGS_TYPES.get(type_) or SETTINGS_TYPES['unicode']
                     return converter(v)
                 @app_settings_value.setter
                 def app_settings_value(self, val):
                     """
                     Setter that will always make sure we use unicode in app_settings_value
                     :param val:
                     """
                     self._app_settings_value = safe_unicode(val)
                 @hybrid_property
                 def app_settings_type(self):
                     return self._app_settings_type
                 @app_settings_type.setter
                 def app_settings_type(self, val):
                     SETTINGS_TYPES = RhodeCodeSetting.SETTINGS_TYPES
                     if val not in SETTINGS_TYPES:
                         raise Exception('type must be one of %s got %s'
                                         % (SETTINGS_TYPES.keys(), val))
                     self._app_settings_type = val
                 def __unicode__(self):
                     return u"<%s('%s:%s:%s[%s]')>" % (
                         self.__class__.__name__, self.repository.repo_name,
                         self.app_settings_name, self.app_settings_value,
                         self.app_settings_type
                     )
             class RepoRhodeCodeUi(Base, BaseModel):
                 __tablename__ = 'repo_rhodecode_ui'
                 __table_args__ = (
                     UniqueConstraint(
                         'repository_id', 'ui_section', 'ui_key',
                         name='uq_repo_rhodecode_ui_repository_id_section_key'),
                     base_table_args
                 )
                 repository_id = Column(
                     "repository_id", Integer(), ForeignKey('repositories.repo_id'),
                     nullable=False)
                 ui_id = Column(
                     "ui_id", Integer(), nullable=False, unique=True, default=None,
                     primary_key=True)
                 ui_section = Column(
                     "ui_section", String(255), nullable=True, unique=None, default=None)
                 ui_key = Column(
                     "ui_key", String(255), nullable=True, unique=None, default=None)
                 ui_value = Column(
                     "ui_value", String(255), nullable=True, unique=None, default=None)
                 ui_active = Column(
                     "ui_active", Boolean(), nullable=True, unique=None, default=True)
                 repository = relationship('Repository')
                 def __repr__(self):
                     return '<%s[%s:%s]%s=>%s]>' % (
                         self.__class__.__name__, self.repository.repo_name,
                         self.ui_section, self.ui_key, self.ui_value)
             class User(Base, BaseModel):
                 __tablename__ = 'users'
                 __table_args__ = (
                     UniqueConstraint('username'), UniqueConstraint('email'),
                     Index('u_username_idx', 'username'),
                     Index('u_email_idx', 'email'),
                     base_table_args
                 )
                 DEFAULT_USER = 'default'
                 DEFAULT_USER_EMAIL = 'anonymous@rhodecode.org'
                 DEFAULT_GRAVATAR_URL = 'https://secure.gravatar.com/avatar/{md5email}?d=identicon&s={size}'
                 user_id = Column("user_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 username = Column("username", String(255), nullable=True, unique=None, default=None)
                 password = Column("password", String(255), nullable=True, unique=None, default=None)
                 active = Column("active", Boolean(), nullable=True, unique=None, default=True)
                 admin = Column("admin", Boolean(), nullable=True, unique=None, default=False)
                 name = Column("firstname", String(255), nullable=True, unique=None, default=None)
                 lastname = Column("lastname", String(255), nullable=True, unique=None, default=None)
                 _email = Column("email", String(255), nullable=True, unique=None, default=None)
                 last_login = Column("last_login", DateTime(timezone=False), nullable=True, unique=None, default=None)
                 last_activity = Column('last_activity', DateTime(timezone=False), nullable=True, unique=None, default=None)
                 extern_type = Column("extern_type", String(255), nullable=True, unique=None, default=None)
                 extern_name = Column("extern_name", String(255), nullable=True, unique=None, default=None)
                 _api_key = Column("api_key", String(255), nullable=True, unique=None, default=None)
                 inherit_default_permissions = Column("inherit_default_permissions", Boolean(), nullable=False, unique=None, default=True)
                 created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 _user_data = Column("user_data", LargeBinary(), nullable=True)  # JSON data
                 user_log = relationship('UserLog')
                 user_perms = relationship('UserToPerm', primaryjoin="User.user_id==UserToPerm.user_id", cascade='all')
                 repositories = relationship('Repository')
                 repository_groups = relationship('RepoGroup')
                 user_groups = relationship('UserGroup')
                 user_followers = relationship('UserFollowing', primaryjoin='UserFollowing.follows_user_id==User.user_id', cascade='all')
                 followings = relationship('UserFollowing', primaryjoin='UserFollowing.user_id==User.user_id', cascade='all')
                 repo_to_perm = relationship('UserRepoToPerm', primaryjoin='UserRepoToPerm.user_id==User.user_id', cascade='all')
                 repo_group_to_perm = relationship('UserRepoGroupToPerm', primaryjoin='UserRepoGroupToPerm.user_id==User.user_id', cascade='all')
                 user_group_to_perm = relationship('UserUserGroupToPerm', primaryjoin='UserUserGroupToPerm.user_id==User.user_id', cascade='all')
                 group_member = relationship('UserGroupMember', cascade='all')
                 notifications = relationship('UserNotification', cascade='all')
                 # notifications assigned to this user
                 user_created_notifications = relationship('Notification', cascade='all')
                 # comments created by this user
                 user_comments = relationship('ChangesetComment', cascade='all')
                 # user profile extra info
                 user_emails = relationship('UserEmailMap', cascade='all')
                 user_ip_map = relationship('UserIpMap', cascade='all')
                 user_auth_tokens = relationship('UserApiKeys', cascade='all')
                 user_ssh_keys = relationship('UserSshKeys', cascade='all')
                 # gists
                 user_gists = relationship('Gist', cascade='all')
                 # user pull requests
                 user_pull_requests = relationship('PullRequest', cascade='all')
                 # external identities
                 extenal_identities = relationship(
                     'ExternalIdentity',
                     primaryjoin="User.user_id==ExternalIdentity.local_user_id",
                     cascade='all')
                 # review rules
                 user_review_rules = relationship('RepoReviewRuleUser', cascade='all')
                 def __unicode__(self):
                     return u"<%s('id:%s:%s')>" % (self.__class__.__name__,
                                                   self.user_id, self.username)
                 @hybrid_property
                 def email(self):
                     return self._email
                 @email.setter
                 def email(self, val):
                     self._email = val.lower() if val else None
                 @hybrid_property
                 def first_name(self):
                     from rhodecode.lib import helpers as h
                     if self.name:
                         return h.escape(self.name)
                     return self.name
                 @hybrid_property
                 def last_name(self):
                     from rhodecode.lib import helpers as h
                     if self.lastname:
                         return h.escape(self.lastname)
                     return self.lastname
                 @hybrid_property
                 def api_key(self):
                     """
                     Fetch if exist an auth-token with role ALL connected to this user
                     """
                     user_auth_token = UserApiKeys.query()\
                         .filter(UserApiKeys.user_id == self.user_id)\
                         .filter(or_(UserApiKeys.expires == -1,
                                         UserApiKeys.expires >= time.time()))\
                         .filter(UserApiKeys.role == UserApiKeys.ROLE_ALL).first()
                     if user_auth_token:
                         user_auth_token = user_auth_token.api_key
                     return user_auth_token
                 @api_key.setter
                 def api_key(self, val):
                     # don't allow to set API key this is deprecated for now
                     self._api_key = None
                 @property
                 def reviewer_pull_requests(self):
                     return PullRequestReviewers.query() \
                         .options(joinedload(PullRequestReviewers.pull_request)) \
                         .filter(PullRequestReviewers.user_id == self.user_id) \
                         .all()
                 @property
                 def firstname(self):
                     # alias for future
                     return self.name
                 @property
                 def emails(self):
                     other = UserEmailMap.query()\
                         .filter(UserEmailMap.user == self) \
                         .order_by(UserEmailMap.email_id.asc()) \
                         .all()
                     return [self.email] + [x.email for x in other]
                 @property
                 def auth_tokens(self):
                     auth_tokens = self.get_auth_tokens()
                     return [x.api_key for x in auth_tokens]
                 def get_auth_tokens(self):
                     return UserApiKeys.query()\
                         .filter(UserApiKeys.user == self)\
                         .order_by(UserApiKeys.user_api_key_id.asc())\
                         .all()
                 @LazyProperty
                 def feed_token(self):
                     return self.get_feed_token()
                 def get_feed_token(self, cache=True):
                     feed_tokens = UserApiKeys.query()\
                         .filter(UserApiKeys.user == self)\
                         .filter(UserApiKeys.role == UserApiKeys.ROLE_FEED)
                     if cache:
                         feed_tokens = feed_tokens.options(
                             FromCache("sql_cache_short", "get_user_feed_token_%s" % self.user_id))
                     feed_tokens = feed_tokens.all()
                     if feed_tokens:
                         return feed_tokens[0].api_key
                     return 'NO_FEED_TOKEN_AVAILABLE'
                 @classmethod
                 def get(cls, user_id, cache=False):
                     if not user_id:
                         return
                     user = cls.query()
                     if cache:
                         user = user.options(
                             FromCache("sql_cache_short", "get_users_%s" % user_id))
                     return user.get(user_id)
                 @classmethod
                 def extra_valid_auth_tokens(cls, user, role=None):
                     tokens = UserApiKeys.query().filter(UserApiKeys.user == user)\
                             .filter(or_(UserApiKeys.expires == -1,
                                         UserApiKeys.expires >= time.time()))
                     if role:
                         tokens = tokens.filter(or_(UserApiKeys.role == role,
                                                    UserApiKeys.role == UserApiKeys.ROLE_ALL))
                     return tokens.all()
                 def authenticate_by_token(self, auth_token, roles=None, scope_repo_id=None):
                     from rhodecode.lib import auth
                     log.debug('Trying to authenticate user: %s via auth-token, '
                               'and roles: %s', self, roles)
                     if not auth_token:
                         return False
                     crypto_backend = auth.crypto_backend()
                     roles = (roles or []) + [UserApiKeys.ROLE_ALL]
                     tokens_q = UserApiKeys.query()\
                         .filter(UserApiKeys.user_id == self.user_id)\
                         .filter(or_(UserApiKeys.expires == -1,
                                     UserApiKeys.expires >= time.time()))
                     tokens_q = tokens_q.filter(UserApiKeys.role.in_(roles))
                     plain_tokens = []
                     hash_tokens = []
                     user_tokens = tokens_q.all()
                     log.debug('Found %s user tokens to check for authentication', len(user_tokens))
                     for token in user_tokens:
                         log.debug('AUTH_TOKEN: checking if user token with id `%s` matches',
                                   token.user_api_key_id)
                         # verify scope first, since it's way faster than hash calculation of
                         # encrypted tokens
                         if token.repo_id:
                             # token has a scope, we need to verify it
                             if scope_repo_id != token.repo_id:
                                 log.debug(
                                     'AUTH_TOKEN: scope mismatch, token has a set repo scope: %s, '
                                     'and calling scope is:%s, skipping further checks',
                                      token.repo, scope_repo_id)
                                 # token has a scope, and it doesn't match, skip token
                                 continue
                         if token.api_key.startswith(crypto_backend.ENC_PREF):
                             hash_tokens.append(token.api_key)
                         else:
                             plain_tokens.append(token.api_key)
                     is_plain_match = auth_token in plain_tokens
                     if is_plain_match:
                         return True
                     for hashed in hash_tokens:
                         # NOTE(marcink): this is expensive to calculate, but most secure
                         match = crypto_backend.hash_check(auth_token, hashed)
                         if match:
                             return True
                     return False
                 @property
                 def ip_addresses(self):
                     ret = UserIpMap.query().filter(UserIpMap.user == self).all()
                     return [x.ip_addr for x in ret]
                 @property
                 def username_and_name(self):
                     return '%s (%s %s)' % (self.username, self.first_name, self.last_name)
                 @property
                 def username_or_name_or_email(self):
                     full_name = self.full_name if self.full_name is not ' ' else None
                     return self.username or full_name or self.email
                 @property
                 def full_name(self):
                     return '%s %s' % (self.first_name, self.last_name)
                 @property
                 def full_name_or_username(self):
                     return ('%s %s' % (self.first_name, self.last_name)
                             if (self.first_name and self.last_name) else self.username)
                 @property
                 def full_contact(self):
                     return '%s %s <%s>' % (self.first_name, self.last_name, self.email)
                 @property
                 def short_contact(self):
                     return '%s %s' % (self.first_name, self.last_name)
                 @property
                 def is_admin(self):
                     return self.admin
                 def AuthUser(self, **kwargs):
                     """
                     Returns instance of AuthUser for this user
                     """
                     from rhodecode.lib.auth import AuthUser
                     return AuthUser(user_id=self.user_id, username=self.username, **kwargs)
                 @hybrid_property
                 def user_data(self):
                     if not self._user_data:
                         return {}
                     try:
                         return json.loads(self._user_data)
                     except TypeError:
                         return {}
                 @user_data.setter
                 def user_data(self, val):
                     if not isinstance(val, dict):
                         raise Exception('user_data must be dict, got %s' % type(val))
                     try:
                         self._user_data = json.dumps(val)
                     except Exception:
                         log.error(traceback.format_exc())
                 @classmethod
                 def get_by_username(cls, username, case_insensitive=False,
                                     cache=False, identity_cache=False):
                     session = Session()
                     if case_insensitive:
                         q = cls.query().filter(
                             func.lower(cls.username) == func.lower(username))
                     else:
                         q = cls.query().filter(cls.username == username)
                     if cache:
                         if identity_cache:
                             val = cls.identity_cache(session, 'username', username)
                             if val:
                                 return val
                         else:
                             cache_key = "get_user_by_name_%s" % _hash_key(username)
                             q = q.options(
                                 FromCache("sql_cache_short", cache_key))
                     return q.scalar()
                 @classmethod
                 def get_by_auth_token(cls, auth_token, cache=False):
                     q = UserApiKeys.query()\
                         .filter(UserApiKeys.api_key == auth_token)\
                         .filter(or_(UserApiKeys.expires == -1,
                                     UserApiKeys.expires >= time.time()))
                     if cache:
                         q = q.options(
                             FromCache("sql_cache_short", "get_auth_token_%s" % auth_token))
                     match = q.first()
                     if match:
                         return match.user
                 @classmethod
                 def get_by_email(cls, email, case_insensitive=False, cache=False):
                     if case_insensitive:
                         q = cls.query().filter(func.lower(cls.email) == func.lower(email))
                     else:
                         q = cls.query().filter(cls.email == email)
                     email_key = _hash_key(email)
                     if cache:
                         q = q.options(
                             FromCache("sql_cache_short", "get_email_key_%s" % email_key))
                     ret = q.scalar()
                     if ret is None:
                         q = UserEmailMap.query()
                         # try fetching in alternate email map
                         if case_insensitive:
                             q = q.filter(func.lower(UserEmailMap.email) == func.lower(email))
                         else:
                             q = q.filter(UserEmailMap.email == email)
                         q = q.options(joinedload(UserEmailMap.user))
                         if cache:
                             q = q.options(
                                 FromCache("sql_cache_short", "get_email_map_key_%s" % email_key))
                         ret = getattr(q.scalar(), 'user', None)
                     return ret
                 @classmethod
                 def get_from_cs_author(cls, author):
                     """
                     Tries to get User objects out of commit author string
                     :param author:
                     """
                     from rhodecode.lib.helpers import email, author_name
                     # Valid email in the attribute passed, see if they're in the system
                     _email = email(author)
                     if _email:
                         user = cls.get_by_email(_email, case_insensitive=True)
                         if user:
                             return user
                     # Maybe we can match by username?
                     _author = author_name(author)
                     user = cls.get_by_username(_author, case_insensitive=True)
                     if user:
                         return user
                 def update_userdata(self, **kwargs):
                     usr = self
                     old = usr.user_data
                     old.update(**kwargs)
                     usr.user_data = old
                     Session().add(usr)
                     log.debug('updated userdata with ', kwargs)
                 def update_lastlogin(self):
                     """Update user lastlogin"""
                     self.last_login = datetime.datetime.now()
                     Session().add(self)
                     log.debug('updated user %s lastlogin', self.username)
                 def update_password(self, new_password):
                     from rhodecode.lib.auth import get_crypt_password
                     self.password = get_crypt_password(new_password)
                     Session().add(self)
                 @classmethod
                 def get_first_super_admin(cls):
                     user = User.query()\
                         .filter(User.admin == true()) \
                         .order_by(User.user_id.asc()) \
                         .first()
                     if user is None:
                         raise Exception('FATAL: Missing administrative account!')
                     return user
                 @classmethod
                 def get_all_super_admins(cls, only_active=False):
                     """
                     Returns all admin accounts sorted by username
                     """
                     qry = User.query().filter(User.admin == true()).order_by(User.username.asc())
                     if only_active:
                         qry = qry.filter(User.active == true())
                     return qry.all()
                 @classmethod
                 def get_default_user(cls, cache=False, refresh=False):
                     user = User.get_by_username(User.DEFAULT_USER, cache=cache)
                     if user is None:
                         raise Exception('FATAL: Missing default account!')
                     if refresh:
                         # The default user might be based on outdated state which
                         # has been loaded from the cache.
                         # A call to refresh() ensures that the
                         # latest state from the database is used.
                         Session().refresh(user)
                     return user
                 def _get_default_perms(self, user, suffix=''):
                     from rhodecode.model.permission import PermissionModel
                     return PermissionModel().get_default_perms(user.user_perms, suffix)
                 def get_default_perms(self, suffix=''):
                     return self._get_default_perms(self, suffix)
                 def get_api_data(self, include_secrets=False, details='full'):
                     """
                     Common function for generating user related data for API
                     :param include_secrets: By default secrets in the API data will be replaced
                        by a placeholder value to prevent exposing this data by accident. In case
                        this data shall be exposed, set this flag to ``True``.
                     :param details: details can be 'basic|full' basic gives only a subset of
                        the available user information that includes user_id, name and emails.
                     """
                     user = self
                     user_data = self.user_data
                     data = {
                         'user_id': user.user_id,
                         'username': user.username,
                         'firstname': user.name,
                         'lastname': user.lastname,
                         'email': user.email,
                         'emails': user.emails,
                     }
                     if details == 'basic':
                         return data
                     auth_token_length = 40
                     auth_token_replacement = '*' * auth_token_length
                     extras = {
                         'auth_tokens': [auth_token_replacement],
                         'active': user.active,
                         'admin': user.admin,
                         'extern_type': user.extern_type,
                         'extern_name': user.extern_name,
                         'last_login': user.last_login,
                         'last_activity': user.last_activity,
                         'ip_addresses': user.ip_addresses,
                         'language': user_data.get('language')
                     }
                     data.update(extras)
                     if include_secrets:
                         data['auth_tokens'] = user.auth_tokens
                     return data
                 def __json__(self):
                     data = {
                         'full_name': self.full_name,
                         'full_name_or_username': self.full_name_or_username,
                         'short_contact': self.short_contact,
                         'full_contact': self.full_contact,
                     }
                     data.update(self.get_api_data())
                     return data
             class UserApiKeys(Base, BaseModel):
                 __tablename__ = 'user_api_keys'
                 __table_args__ = (
                     Index('uak_api_key_idx', 'api_key', unique=True),
                     Index('uak_api_key_expires_idx', 'api_key', 'expires'),
                     base_table_args
                 )
                 __mapper_args__ = {}
                 # ApiKey role
                 ROLE_ALL = 'token_role_all'
                 ROLE_HTTP = 'token_role_http'
                 ROLE_VCS = 'token_role_vcs'
                 ROLE_API = 'token_role_api'
                 ROLE_FEED = 'token_role_feed'
                 ROLE_PASSWORD_RESET = 'token_password_reset'
                 ROLES = [ROLE_ALL, ROLE_HTTP, ROLE_VCS, ROLE_API, ROLE_FEED]
                 user_api_key_id = Column("user_api_key_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=True, unique=None, default=None)
                 api_key = Column("api_key", String(255), nullable=False, unique=True)
                 description = Column('description', UnicodeText().with_variant(UnicodeText(1024), 'mysql'))
                 expires = Column('expires', Float(53), nullable=False)
                 role = Column('role', String(255), nullable=True)
                 created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 # scope columns
                 repo_id = Column(
                     'repo_id', Integer(), ForeignKey('repositories.repo_id'),
                     nullable=True, unique=None, default=None)
                 repo = relationship('Repository', lazy='joined')
                 repo_group_id = Column(
                     'repo_group_id', Integer(), ForeignKey('groups.group_id'),
                     nullable=True, unique=None, default=None)
                 repo_group = relationship('RepoGroup', lazy='joined')
                 user = relationship('User', lazy='joined')
                 def __unicode__(self):
                     return u"<%s('%s')>" % (self.__class__.__name__, self.role)
                 def __json__(self):
                     data = {
                         'auth_token': self.api_key,
                         'role': self.role,
                         'scope': self.scope_humanized,
                         'expired': self.expired
                     }
                     return data
                 def get_api_data(self, include_secrets=False):
                     data = self.__json__()
                     if include_secrets:
                         return data
                     else:
                         data['auth_token'] = self.token_obfuscated
                         return data
                 @hybrid_property
                 def description_safe(self):
                     from rhodecode.lib import helpers as h
                     return h.escape(self.description)
                 @property
                 def expired(self):
                     if self.expires == -1:
                         return False
                     return time.time() > self.expires
                 @classmethod
                 def _get_role_name(cls, role):
                     return {
                         cls.ROLE_ALL: _('all'),
                         cls.ROLE_HTTP: _('http/web interface'),
                         cls.ROLE_VCS: _('vcs (git/hg/svn protocol)'),
                         cls.ROLE_API: _('api calls'),
                         cls.ROLE_FEED: _('feed access'),
                     }.get(role, role)
                 @property
                 def role_humanized(self):
                     return self._get_role_name(self.role)
                 def _get_scope(self):
                     if self.repo:
                         return 'Repository: {}'.format(self.repo.repo_name)
                     if self.repo_group:
                         return 'RepositoryGroup: {} (recursive)'.format(self.repo_group.group_name)
                     return 'Global'
                 @property
                 def scope_humanized(self):
                     return self._get_scope()
                 @property
                 def token_obfuscated(self):
                     if self.api_key:
                         return self.api_key[:4] + "****"
             class UserEmailMap(Base, BaseModel):
                 __tablename__ = 'user_email_map'
                 __table_args__ = (
                     Index('uem_email_idx', 'email'),
                     UniqueConstraint('email'),
                     base_table_args
                 )
                 __mapper_args__ = {}
                 email_id = Column("email_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=True, unique=None, default=None)
                 _email = Column("email", String(255), nullable=True, unique=False, default=None)
                 user = relationship('User', lazy='joined')
                 @validates('_email')
                 def validate_email(self, key, email):
                     # check if this email is not main one
                     main_email = Session().query(User).filter(User.email == email).scalar()
                     if main_email is not None:
                         raise AttributeError('email %s is present is user table' % email)
                     return email
                 @hybrid_property
                 def email(self):
                     return self._email
                 @email.setter
                 def email(self, val):
                     self._email = val.lower() if val else None
             class UserIpMap(Base, BaseModel):
                 __tablename__ = 'user_ip_map'
                 __table_args__ = (
                     UniqueConstraint('user_id', 'ip_addr'),
                     base_table_args
                 )
                 __mapper_args__ = {}
                 ip_id = Column("ip_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=True, unique=None, default=None)
                 ip_addr = Column("ip_addr", String(255), nullable=True, unique=False, default=None)
                 active = Column("active", Boolean(), nullable=True, unique=None, default=True)
                 description = Column("description", String(10000), nullable=True, unique=None, default=None)
                 user = relationship('User', lazy='joined')
                 @hybrid_property
                 def description_safe(self):
                     from rhodecode.lib import helpers as h
                     return h.escape(self.description)
                 @classmethod
                 def _get_ip_range(cls, ip_addr):
                     net = ipaddress.ip_network(safe_unicode(ip_addr), strict=False)
                     return [str(net.network_address), str(net.broadcast_address)]
                 def __json__(self):
                     return {
                       'ip_addr': self.ip_addr,
                       'ip_range': self._get_ip_range(self.ip_addr),
                     }
                 def __unicode__(self):
                     return u"<%s('user_id:%s=>%s')>" % (self.__class__.__name__,
                                                         self.user_id, self.ip_addr)
             class UserSshKeys(Base, BaseModel):
                 __tablename__ = 'user_ssh_keys'
                 __table_args__ = (
                     Index('usk_ssh_key_fingerprint_idx', 'ssh_key_fingerprint'),
                     UniqueConstraint('ssh_key_fingerprint'),
                     base_table_args
                 )
                 __mapper_args__ = {}
                 ssh_key_id = Column('ssh_key_id', Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 ssh_key_data = Column('ssh_key_data', String(10240), nullable=False, unique=None, default=None)
                 ssh_key_fingerprint = Column('ssh_key_fingerprint', String(255), nullable=False, unique=None, default=None)
                 description = Column('description', UnicodeText().with_variant(UnicodeText(1024), 'mysql'))
                 created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 accessed_on = Column('accessed_on', DateTime(timezone=False), nullable=True, default=None)
                 user_id = Column('user_id', Integer(), ForeignKey('users.user_id'), nullable=True, unique=None, default=None)
                 user = relationship('User', lazy='joined')
                 def __json__(self):
                     data = {
                         'ssh_fingerprint': self.ssh_key_fingerprint,
                         'description': self.description,
                         'created_on': self.created_on
                     }
                     return data
                 def get_api_data(self):
                     data = self.__json__()
                     return data
             class UserLog(Base, BaseModel):
                 __tablename__ = 'user_logs'
                 __table_args__ = (
                     base_table_args,
                 )
                 VERSION_1 = 'v1'
                 VERSION_2 = 'v2'
                 VERSIONS = [VERSION_1, VERSION_2]
                 user_log_id = Column("user_log_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id',ondelete='SET NULL'), nullable=True, unique=None, default=None)
                 username = Column("username", String(255), nullable=True, unique=None, default=None)
                 repository_id = Column("repository_id", Integer(), ForeignKey('repositories.repo_id', ondelete='SET NULL'), nullable=True, unique=None, default=None)
                 repository_name = Column("repository_name", String(255), nullable=True, unique=None, default=None)
                 user_ip = Column("user_ip", String(255), nullable=True, unique=None, default=None)
                 action = Column("action", Text().with_variant(Text(1200000), 'mysql'), nullable=True, unique=None, default=None)
                 action_date = Column("action_date", DateTime(timezone=False), nullable=True, unique=None, default=None)
                 version = Column("version", String(255), nullable=True, default=VERSION_1)
                 user_data = Column('user_data_json', MutationObj.as_mutable(JsonType(dialect_map=dict(mysql=LONGTEXT()))))
                 action_data = Column('action_data_json', MutationObj.as_mutable(JsonType(dialect_map=dict(mysql=LONGTEXT()))))
                 def __unicode__(self):
                     return u"<%s('id:%s:%s')>" % (
                         self.__class__.__name__, self.repository_name, self.action)
                 def __json__(self):
                     return {
                         'user_id': self.user_id,
                         'username': self.username,
                         'repository_id': self.repository_id,
                         'repository_name': self.repository_name,
                         'user_ip': self.user_ip,
                         'action_date': self.action_date,
                         'action': self.action,
                     }
                 @hybrid_property
                 def entry_id(self):
                     return self.user_log_id
                 @property
                 def action_as_day(self):
                     return datetime.date(*self.action_date.timetuple()[:3])
                 user = relationship('User')
                 repository = relationship('Repository', cascade='')
             class UserGroup(Base, BaseModel):
                 __tablename__ = 'users_groups'
                 __table_args__ = (
                     base_table_args,
                 )
                 users_group_id = Column("users_group_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 users_group_name = Column("users_group_name", String(255), nullable=False, unique=True, default=None)
                 user_group_description = Column("user_group_description", String(10000), nullable=True, unique=None, default=None)
                 users_group_active = Column("users_group_active", Boolean(), nullable=True, unique=None, default=None)
                 inherit_default_permissions = Column("users_group_inherit_default_permissions", Boolean(), nullable=False, unique=None, default=True)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=False, default=None)
                 created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 _group_data = Column("group_data", LargeBinary(), nullable=True)  # JSON data
                 members = relationship('UserGroupMember', cascade="all, delete, delete-orphan", lazy="joined")
                 users_group_to_perm = relationship('UserGroupToPerm', cascade='all')
                 users_group_repo_to_perm = relationship('UserGroupRepoToPerm', cascade='all')
                 users_group_repo_group_to_perm = relationship('UserGroupRepoGroupToPerm', cascade='all')
                 user_user_group_to_perm = relationship('UserUserGroupToPerm', cascade='all')
                 user_group_user_group_to_perm = relationship('UserGroupUserGroupToPerm ', primaryjoin="UserGroupUserGroupToPerm.target_user_group_id==UserGroup.users_group_id", cascade='all')
                 user_group_review_rules = relationship('RepoReviewRuleUserGroup', cascade='all')
                 user = relationship('User', primaryjoin="User.user_id==UserGroup.user_id")
                 @classmethod
                 def _load_group_data(cls, column):
                     if not column:
                         return {}
                     try:
                         return json.loads(column) or {}
                     except TypeError:
                         return {}
                 @hybrid_property
                 def description_safe(self):
                     from rhodecode.lib import helpers as h
                     return h.escape(self.user_group_description)
                 @hybrid_property
                 def group_data(self):
                     return self._load_group_data(self._group_data)
                 @group_data.expression
                 def group_data(self, **kwargs):
                     return self._group_data
                 @group_data.setter
                 def group_data(self, val):
                     try:
                         self._group_data = json.dumps(val)
                     except Exception:
                         log.error(traceback.format_exc())
                 @classmethod
                 def _load_sync(cls, group_data):
                     if group_data:
                         return group_data.get('extern_type')
                 @property
                 def sync(self):
                     return self._load_sync(self.group_data)
                 def __unicode__(self):
                     return u"<%s('id:%s:%s')>" % (self.__class__.__name__,
                                                   self.users_group_id,
                                                   self.users_group_name)
                 @classmethod
                 def get_by_group_name(cls, group_name, cache=False,
                                       case_insensitive=False):
                     if case_insensitive:
                         q = cls.query().filter(func.lower(cls.users_group_name) ==
                                                func.lower(group_name))
                     else:
                         q = cls.query().filter(cls.users_group_name == group_name)
                     if cache:
                         q = q.options(
                             FromCache("sql_cache_short", "get_group_%s" % _hash_key(group_name)))
                     return q.scalar()
                 @classmethod
                 def get(cls, user_group_id, cache=False):
                     if not user_group_id:
                         return
                     user_group = cls.query()
                     if cache:
                         user_group = user_group.options(
                             FromCache("sql_cache_short", "get_users_group_%s" % user_group_id))
                     return user_group.get(user_group_id)
                 def permissions(self, with_admins=True, with_owner=True,
                                 expand_from_user_groups=False):
                     """
                     Permissions for user groups
                     """
                     _admin_perm = 'usergroup.admin'
                     owner_row = []
                     if with_owner:
                         usr = AttributeDict(self.user.get_dict())
                         usr.owner_row = True
                         usr.permission = _admin_perm
                         owner_row.append(usr)
                     super_admin_ids = []
                     super_admin_rows = []
                     if with_admins:
                         for usr in User.get_all_super_admins():
                             super_admin_ids.append(usr.user_id)
                             # if this admin is also owner, don't double the record
                             if usr.user_id == owner_row[0].user_id:
                                 owner_row[0].admin_row = True
                             else:
                                 usr = AttributeDict(usr.get_dict())
                                 usr.admin_row = True
                                 usr.permission = _admin_perm
                                 super_admin_rows.append(usr)
                     q = UserUserGroupToPerm.query().filter(UserUserGroupToPerm.user_group == self)
                     q = q.options(joinedload(UserUserGroupToPerm.user_group),
                                   joinedload(UserUserGroupToPerm.user),
                                   joinedload(UserUserGroupToPerm.permission),)
                     # get owners and admins and permissions. We do a trick of re-writing
                     # objects from sqlalchemy to named-tuples due to sqlalchemy session
                     # has a global reference and changing one object propagates to all
                     # others. This means if admin is also an owner admin_row that change
                     # would propagate to both objects
                     perm_rows = []
                     for _usr in q.all():
                         usr = AttributeDict(_usr.user.get_dict())
                         # if this user is also owner/admin, mark as duplicate record
                         if usr.user_id == owner_row[0].user_id or usr.user_id in super_admin_ids:
                             usr.duplicate_perm = True
                         usr.permission = _usr.permission.permission_name
                         perm_rows.append(usr)
                     # filter the perm rows by 'default' first and then sort them by
                     # admin,write,read,none permissions sorted again alphabetically in
                     # each group
                     perm_rows = sorted(perm_rows, key=display_user_sort)
                     user_groups_rows = []
                     if expand_from_user_groups:
                         for ug in self.permission_user_groups(with_members=True):
                             for user_data in ug.members:
                                 user_groups_rows.append(user_data)
                     return super_admin_rows + owner_row + perm_rows + user_groups_rows
                 def permission_user_groups(self, with_members=False):
                     q = UserGroupUserGroupToPerm.query()\
                         .filter(UserGroupUserGroupToPerm.target_user_group == self)
                     q = q.options(joinedload(UserGroupUserGroupToPerm.user_group),
                                   joinedload(UserGroupUserGroupToPerm.target_user_group),
                                   joinedload(UserGroupUserGroupToPerm.permission),)
                     perm_rows = []
                     for _user_group in q.all():
                         entry = AttributeDict(_user_group.user_group.get_dict())
                         entry.permission = _user_group.permission.permission_name
                         if with_members:
                             entry.members = [x.user.get_dict()
                                              for x in _user_group.users_group.members]
                         perm_rows.append(entry)
                     perm_rows = sorted(perm_rows, key=display_user_group_sort)
                     return perm_rows
                 def _get_default_perms(self, user_group, suffix=''):
                     from rhodecode.model.permission import PermissionModel
                     return PermissionModel().get_default_perms(user_group.users_group_to_perm, suffix)
                 def get_default_perms(self, suffix=''):
                     return self._get_default_perms(self, suffix)
                 def get_api_data(self, with_group_members=True, include_secrets=False):
                     """
                     :param include_secrets: See :meth:`User.get_api_data`, this parameter is
                        basically forwarded.
                     """
                     user_group = self
                     data = {
                         'users_group_id': user_group.users_group_id,
                         'group_name': user_group.users_group_name,
                         'group_description': user_group.user_group_description,
                         'active': user_group.users_group_active,
                         'owner': user_group.user.username,
                         'sync': user_group.sync,
                         'owner_email': user_group.user.email,
                     }
                     if with_group_members:
                         users = []
                         for user in user_group.members:
                             user = user.user
                             users.append(user.get_api_data(include_secrets=include_secrets))
                         data['users'] = users
                     return data
             class UserGroupMember(Base, BaseModel):
                 __tablename__ = 'users_groups_members'
                 __table_args__ = (
                     base_table_args,
                 )
                 users_group_member_id = Column("users_group_member_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 users_group_id = Column("users_group_id", Integer(), ForeignKey('users_groups.users_group_id'), nullable=False, unique=None, default=None)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=None, default=None)
                 user = relationship('User', lazy='joined')
                 users_group = relationship('UserGroup')
                 def __init__(self, gr_id='', u_id=''):
                     self.users_group_id = gr_id
                     self.user_id = u_id
             class RepositoryField(Base, BaseModel):
                 __tablename__ = 'repositories_fields'
                 __table_args__ = (
                     UniqueConstraint('repository_id', 'field_key'),  # no-multi field
                     base_table_args,
                 )
                 PREFIX = 'ex_'  # prefix used in form to not conflict with already existing fields
                 repo_field_id = Column("repo_field_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 repository_id = Column("repository_id", Integer(), ForeignKey('repositories.repo_id'), nullable=False, unique=None, default=None)
                 field_key = Column("field_key", String(250))
                 field_label = Column("field_label", String(1024), nullable=False)
                 field_value = Column("field_value", String(10000), nullable=False)
                 field_desc = Column("field_desc", String(1024), nullable=False)
                 field_type = Column("field_type", String(255), nullable=False, unique=None)
                 created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 repository = relationship('Repository')
                 @property
                 def field_key_prefixed(self):
                     return 'ex_%s' % self.field_key
                 @classmethod
                 def un_prefix_key(cls, key):
                     if key.startswith(cls.PREFIX):
                         return key[len(cls.PREFIX):]
                     return key
                 @classmethod
                 def get_by_key_name(cls, key, repo):
                     row = cls.query()\
                             .filter(cls.repository == repo)\
                             .filter(cls.field_key == key).scalar()
                     return row
             class Repository(Base, BaseModel):
                 __tablename__ = 'repositories'
                 __table_args__ = (
                     Index('r_repo_name_idx', 'repo_name', mysql_length=255),
                     base_table_args,
                 )
                 DEFAULT_CLONE_URI = '{scheme}://{user}@{netloc}/{repo}'
                 DEFAULT_CLONE_URI_ID = '{scheme}://{user}@{netloc}/_{repoid}'
                 DEFAULT_CLONE_URI_SSH = 'ssh://{sys_user}@{hostname}/{repo}'
                 STATE_CREATED = 'repo_state_created'
                 STATE_PENDING = 'repo_state_pending'
                 STATE_ERROR = 'repo_state_error'
                 LOCK_AUTOMATIC = 'lock_auto'
                 LOCK_API = 'lock_api'
                 LOCK_WEB = 'lock_web'
                 LOCK_PULL = 'lock_pull'
                 NAME_SEP = URL_SEP
                 repo_id = Column(
                     "repo_id", Integer(), nullable=False, unique=True, default=None,
                     primary_key=True)
                 _repo_name = Column(
                     "repo_name", Text(), nullable=False, default=None)
                 _repo_name_hash = Column(
                     "repo_name_hash", String(255), nullable=False, unique=True)
                 repo_state = Column("repo_state", String(255), nullable=True)
                 clone_uri = Column(
                     "clone_uri", EncryptedTextValue(), nullable=True, unique=False,
                     default=None)
                 push_uri = Column(
                     "push_uri", EncryptedTextValue(), nullable=True, unique=False,
                     default=None)
                 repo_type = Column(
                     "repo_type", String(255), nullable=False, unique=False, default=None)
                 user_id = Column(
                     "user_id", Integer(), ForeignKey('users.user_id'), nullable=False,
                     unique=False, default=None)
                 private = Column(
                     "private", Boolean(), nullable=True, unique=None, default=None)
                 archived = Column(
                     "archived", Boolean(), nullable=True, unique=None, default=None)
                 enable_statistics = Column(
                     "statistics", Boolean(), nullable=True, unique=None, default=True)
                 enable_downloads = Column(
                     "downloads", Boolean(), nullable=True, unique=None, default=True)
                 description = Column(
                     "description", String(10000), nullable=True, unique=None, default=None)
                 created_on = Column(
                     'created_on', DateTime(timezone=False), nullable=True, unique=None,
                     default=datetime.datetime.now)
                 updated_on = Column(
                     'updated_on', DateTime(timezone=False), nullable=True, unique=None,
                     default=datetime.datetime.now)
                 _landing_revision = Column(
                     "landing_revision", String(255), nullable=False, unique=False,
                     default=None)
                 enable_locking = Column(
                     "enable_locking", Boolean(), nullable=False, unique=None,
                     default=False)
                 _locked = Column(
                     "locked", String(255), nullable=True, unique=False, default=None)
                 _changeset_cache = Column(
                     "changeset_cache", LargeBinary(), nullable=True)  # JSON data
                 fork_id = Column(
                     "fork_id", Integer(), ForeignKey('repositories.repo_id'),
                     nullable=True, unique=False, default=None)
                 group_id = Column(
                     "group_id", Integer(), ForeignKey('groups.group_id'), nullable=True,
                     unique=False, default=None)
                 user = relationship('User', lazy='joined')
                 fork = relationship('Repository', remote_side=repo_id, lazy='joined')
                 group = relationship('RepoGroup', lazy='joined')
                 repo_to_perm = relationship(
                     'UserRepoToPerm', cascade='all',
                     order_by='UserRepoToPerm.repo_to_perm_id')
                 users_group_to_perm = relationship('UserGroupRepoToPerm', cascade='all')
                 stats = relationship('Statistics', cascade='all', uselist=False)
                 followers = relationship(
                     'UserFollowing',
                     primaryjoin='UserFollowing.follows_repo_id==Repository.repo_id',
                     cascade='all')
                 extra_fields = relationship(
                     'RepositoryField', cascade="all, delete, delete-orphan")
                 logs = relationship('UserLog')
                 comments = relationship(
                     'ChangesetComment', cascade="all, delete, delete-orphan")
                 pull_requests_source = relationship(
                     'PullRequest',
                     primaryjoin='PullRequest.source_repo_id==Repository.repo_id',
                     cascade="all, delete, delete-orphan")
                 pull_requests_target = relationship(
                     'PullRequest',
                     primaryjoin='PullRequest.target_repo_id==Repository.repo_id',
                     cascade="all, delete, delete-orphan")
                 ui = relationship('RepoRhodeCodeUi', cascade="all")
                 settings = relationship('RepoRhodeCodeSetting', cascade="all")
                 integrations = relationship('Integration',
                                             cascade="all, delete, delete-orphan")
                 scoped_tokens = relationship('UserApiKeys', cascade="all")
                 def __unicode__(self):
                     return u"<%s('%s:%s')>" % (self.__class__.__name__, self.repo_id,
                                                safe_unicode(self.repo_name))
                 @hybrid_property
                 def description_safe(self):
                     from rhodecode.lib import helpers as h
                     return h.escape(self.description)
                 @hybrid_property
                 def landing_rev(self):
                     # always should return [rev_type, rev]
                     if self._landing_revision:
                         _rev_info = self._landing_revision.split(':')
                         if len(_rev_info) < 2:
                             _rev_info.insert(0, 'rev')
                         return [_rev_info[0], _rev_info[1]]
                     return [None, None]
                 @landing_rev.setter
                 def landing_rev(self, val):
                     if ':' not in val:
                         raise ValueError('value must be delimited with `:` and consist '
                                          'of <rev_type>:<rev>, got %s instead' % val)
                     self._landing_revision = val
                 @hybrid_property
                 def locked(self):
                     if self._locked:
                         user_id, timelocked, reason = self._locked.split(':')
                         lock_values = int(user_id), timelocked, reason
                     else:
                         lock_values = [None, None, None]
                     return lock_values
                 @locked.setter
                 def locked(self, val):
                     if val and isinstance(val, (list, tuple)):
                         self._locked = ':'.join(map(str, val))
                     else:
                         self._locked = None
                 @hybrid_property
                 def changeset_cache(self):
                     from rhodecode.lib.vcs.backends.base import EmptyCommit
                     dummy = EmptyCommit().__json__()
                     if not self._changeset_cache:
                         return dummy
                     try:
                         return json.loads(self._changeset_cache)
                     except TypeError:
                         return dummy
                     except Exception:
                         log.error(traceback.format_exc())
                         return dummy
                 @changeset_cache.setter
                 def changeset_cache(self, val):
                     try:
                         self._changeset_cache = json.dumps(val)
                     except Exception:
                         log.error(traceback.format_exc())
                 @hybrid_property
                 def repo_name(self):
                     return self._repo_name
                 @repo_name.setter
                 def repo_name(self, value):
                     self._repo_name = value
                     self._repo_name_hash = hashlib.sha1(safe_str(value)).hexdigest()
                 @classmethod
                 def normalize_repo_name(cls, repo_name):
                     """
                     Normalizes os specific repo_name to the format internally stored inside
                     database using URL_SEP
                     :param cls:
                     :param repo_name:
                     """
                     return cls.NAME_SEP.join(repo_name.split(os.sep))
                 @classmethod
                 def get_by_repo_name(cls, repo_name, cache=False, identity_cache=False):
                     session = Session()
                     q = session.query(cls).filter(cls.repo_name == repo_name)
                     if cache:
                         if identity_cache:
                             val = cls.identity_cache(session, 'repo_name', repo_name)
                             if val:
                                 return val
                         else:
                             cache_key = "get_repo_by_name_%s" % _hash_key(repo_name)
                             q = q.options(
                                 FromCache("sql_cache_short", cache_key))
                     return q.scalar()
                 @classmethod
                 def get_by_id_or_repo_name(cls, repoid):
                     if isinstance(repoid, (int, long)):
                         try:
                             repo = cls.get(repoid)
                         except ValueError:
                             repo = None
                     else:
                         repo = cls.get_by_repo_name(repoid)
                     return repo
                 @classmethod
                 def get_by_full_path(cls, repo_full_path):
                     repo_name = repo_full_path.split(cls.base_path(), 1)[-1]
                     repo_name = cls.normalize_repo_name(repo_name)
                     return cls.get_by_repo_name(repo_name.strip(URL_SEP))
                 @classmethod
                 def get_repo_forks(cls, repo_id):
                     return cls.query().filter(Repository.fork_id == repo_id)
                 @classmethod
                 def base_path(cls):
                     """
                     Returns base path when all repos are stored
                     :param cls:
                     """
                     q = Session().query(RhodeCodeUi)\
                         .filter(RhodeCodeUi.ui_key == cls.NAME_SEP)
                     q = q.options(FromCache("sql_cache_short", "repository_repo_path"))
                     return q.one().ui_value
                 @classmethod
                 def get_all_repos(cls, user_id=Optional(None), group_id=Optional(None),
                                   case_insensitive=True, archived=False):
                     q = Repository.query()
                     if not archived:
                         q = q.filter(Repository.archived.isnot(true()))
                     if not isinstance(user_id, Optional):
                         q = q.filter(Repository.user_id == user_id)
                     if not isinstance(group_id, Optional):
                         q = q.filter(Repository.group_id == group_id)
                     if case_insensitive:
                         q = q.order_by(func.lower(Repository.repo_name))
                     else:
                         q = q.order_by(Repository.repo_name)
                     return q.all()
                 @property
                 def forks(self):
                     """
                     Return forks of this repo
                     """
                     return Repository.get_repo_forks(self.repo_id)
                 @property
                 def parent(self):
                     """
                     Returns fork parent
                     """
                     return self.fork
                 @property
                 def just_name(self):
                     return self.repo_name.split(self.NAME_SEP)[-1]
                 @property
                 def groups_with_parents(self):
                     groups = []
                     if self.group is None:
                         return groups
                     cur_gr = self.group
                     groups.insert(0, cur_gr)
                     while 1:
                         gr = getattr(cur_gr, 'parent_group', None)
                         cur_gr = cur_gr.parent_group
                         if gr is None:
                             break
                         groups.insert(0, gr)
                     return groups
                 @property
                 def groups_and_repo(self):
                     return self.groups_with_parents, self
                 @LazyProperty
                 def repo_path(self):
                     """
                     Returns base full path for that repository means where it actually
                     exists on a filesystem
                     """
                     q = Session().query(RhodeCodeUi).filter(
                         RhodeCodeUi.ui_key == self.NAME_SEP)
                     q = q.options(FromCache("sql_cache_short", "repository_repo_path"))
                     return q.one().ui_value
                 @property
                 def repo_full_path(self):
                     p = [self.repo_path]
                     # we need to split the name by / since this is how we store the
                     # names in the database, but that eventually needs to be converted
                     # into a valid system path
                     p += self.repo_name.split(self.NAME_SEP)
                     return os.path.join(*map(safe_unicode, p))
                 @property
                 def cache_keys(self):
                     """
                     Returns associated cache keys for that repo
                     """
                     invalidation_namespace = CacheKey.REPO_INVALIDATION_NAMESPACE.format(
                         repo_id=self.repo_id)
                     return CacheKey.query()\
                         .filter(CacheKey.cache_args == invalidation_namespace)\
                         .order_by(CacheKey.cache_key)\
                         .all()
                 @property
                 def cached_diffs_relative_dir(self):
                     """
                     Return a relative to the repository store path of cached diffs
                     used for safe display for users, who shouldn't know the absolute store
                     path
                     """
                     return os.path.join(
                         os.path.dirname(self.repo_name),
                         self.cached_diffs_dir.split(os.path.sep)[-1])
                 @property
                 def cached_diffs_dir(self):
                     path = self.repo_full_path
                     return os.path.join(
                         os.path.dirname(path),
                         '.__shadow_diff_cache_repo_{}'.format(self.repo_id))
                 def cached_diffs(self):
                     diff_cache_dir = self.cached_diffs_dir
                     if os.path.isdir(diff_cache_dir):
                         return os.listdir(diff_cache_dir)
                     return []
                 def shadow_repos(self):
                     shadow_repos_pattern = '.__shadow_repo_{}'.format(self.repo_id)
                     return [
                         x for x in os.listdir(os.path.dirname(self.repo_full_path))
                         if x.startswith(shadow_repos_pattern)]
                 def get_new_name(self, repo_name):
                     """
                     returns new full repository name based on assigned group and new new
                     :param group_name:
                     """
                     path_prefix = self.group.full_path_splitted if self.group else []
                     return self.NAME_SEP.join(path_prefix + [repo_name])
                 @property
                 def _config(self):
                     """
                     Returns db based config object.
                     """
                     from rhodecode.lib.utils import make_db_config
                     return make_db_config(clear_session=False, repo=self)
                 def permissions(self, with_admins=True, with_owner=True,
                                 expand_from_user_groups=False):
                     """
                     Permissions for repositories
                     """
                     _admin_perm = 'repository.admin'
                     owner_row = []
                     if with_owner:
                         usr = AttributeDict(self.user.get_dict())
                         usr.owner_row = True
                         usr.permission = _admin_perm
                         usr.permission_id = None
                         owner_row.append(usr)
                     super_admin_ids = []
                     super_admin_rows = []
                     if with_admins:
                         for usr in User.get_all_super_admins():
                             super_admin_ids.append(usr.user_id)
                             # if this admin is also owner, don't double the record
                             if usr.user_id == owner_row[0].user_id:
                                 owner_row[0].admin_row = True
                             else:
                                 usr = AttributeDict(usr.get_dict())
                                 usr.admin_row = True
                                 usr.permission = _admin_perm
                                 usr.permission_id = None
                                 super_admin_rows.append(usr)
                     q = UserRepoToPerm.query().filter(UserRepoToPerm.repository == self)
                     q = q.options(joinedload(UserRepoToPerm.repository),
                                   joinedload(UserRepoToPerm.user),
                                   joinedload(UserRepoToPerm.permission),)
                     # get owners and admins and permissions. We do a trick of re-writing
                     # objects from sqlalchemy to named-tuples due to sqlalchemy session
                     # has a global reference and changing one object propagates to all
                     # others. This means if admin is also an owner admin_row that change
                     # would propagate to both objects
                     perm_rows = []
                     for _usr in q.all():
                         usr = AttributeDict(_usr.user.get_dict())
                         # if this user is also owner/admin, mark as duplicate record
                         if usr.user_id == owner_row[0].user_id or usr.user_id in super_admin_ids:
                             usr.duplicate_perm = True
                         # also check if this permission is maybe used by branch_permissions
                         if _usr.branch_perm_entry:
                             usr.branch_rules = [x.branch_rule_id for x in _usr.branch_perm_entry]
                         usr.permission = _usr.permission.permission_name
                         usr.permission_id = _usr.repo_to_perm_id
                         perm_rows.append(usr)
                     # filter the perm rows by 'default' first and then sort them by
                     # admin,write,read,none permissions sorted again alphabetically in
                     # each group
                     perm_rows = sorted(perm_rows, key=display_user_sort)
                     user_groups_rows = []
                     if expand_from_user_groups:
                         for ug in self.permission_user_groups(with_members=True):
                             for user_data in ug.members:
                                 user_groups_rows.append(user_data)
                     return super_admin_rows + owner_row + perm_rows + user_groups_rows
                 def permission_user_groups(self, with_members=True):
                     q = UserGroupRepoToPerm.query()\
                         .filter(UserGroupRepoToPerm.repository == self)
                     q = q.options(joinedload(UserGroupRepoToPerm.repository),
                                   joinedload(UserGroupRepoToPerm.users_group),
                                   joinedload(UserGroupRepoToPerm.permission),)
                     perm_rows = []
                     for _user_group in q.all():
                         entry = AttributeDict(_user_group.users_group.get_dict())
                         entry.permission = _user_group.permission.permission_name
                         if with_members:
                             entry.members = [x.user.get_dict()
                                              for x in _user_group.users_group.members]
                         perm_rows.append(entry)
                     perm_rows = sorted(perm_rows, key=display_user_group_sort)
                     return perm_rows
                 def get_api_data(self, include_secrets=False):
                     """
                     Common function for generating repo api data
                     :param include_secrets: See :meth:`User.get_api_data`.
                     """
                     # TODO: mikhail: Here there is an anti-pattern, we probably need to
                     # move this methods on models level.
                     from rhodecode.model.settings import SettingsModel
                     from rhodecode.model.repo import RepoModel
                     repo = self
                     _user_id, _time, _reason = self.locked
                     data = {
                         'repo_id': repo.repo_id,
                         'repo_name': repo.repo_name,
                         'repo_type': repo.repo_type,
                         'clone_uri': repo.clone_uri or '',
                         'push_uri': repo.push_uri or '',
                         'url': RepoModel().get_url(self),
                         'private': repo.private,
                         'created_on': repo.created_on,
                         'description': repo.description_safe,
                         'landing_rev': repo.landing_rev,
                         'owner': repo.user.username,
                         'fork_of': repo.fork.repo_name if repo.fork else None,
                         'fork_of_id': repo.fork.repo_id if repo.fork else None,
                         'enable_statistics': repo.enable_statistics,
                         'enable_locking': repo.enable_locking,
                         'enable_downloads': repo.enable_downloads,
                         'last_changeset': repo.changeset_cache,
                         'locked_by': User.get(_user_id).get_api_data(
                             include_secrets=include_secrets) if _user_id else None,
                         'locked_date': time_to_datetime(_time) if _time else None,
                         'lock_reason': _reason if _reason else None,
                     }
                     # TODO: mikhail: should be per-repo settings here
                     rc_config = SettingsModel().get_all_settings()
                     repository_fields = str2bool(
                         rc_config.get('rhodecode_repository_fields'))
                     if repository_fields:
                         for f in self.extra_fields:
                             data[f.field_key_prefixed] = f.field_value
                     return data
                 @classmethod
                 def lock(cls, repo, user_id, lock_time=None, lock_reason=None):
                     if not lock_time:
                         lock_time = time.time()
                     if not lock_reason:
                         lock_reason = cls.LOCK_AUTOMATIC
                     repo.locked = [user_id, lock_time, lock_reason]
                     Session().add(repo)
                     Session().commit()
                 @classmethod
                 def unlock(cls, repo):
                     repo.locked = None
                     Session().add(repo)
                     Session().commit()
                 @classmethod
                 def getlock(cls, repo):
                     return repo.locked
                 def is_user_lock(self, user_id):
                     if self.lock[0]:
                         lock_user_id = safe_int(self.lock[0])
                         user_id = safe_int(user_id)
                         # both are ints, and they are equal
                         return all([lock_user_id, user_id]) and lock_user_id == user_id
                     return False
                 def get_locking_state(self, action, user_id, only_when_enabled=True):
                     """
                     Checks locking on this repository, if locking is enabled and lock is
                     present returns a tuple of make_lock, locked, locked_by.
                     make_lock can have 3 states None (do nothing) True, make lock
                     False release lock, This value is later propagated to hooks, which
                     do the locking. Think about this as signals passed to hooks what to do.
                     """
                     # TODO: johbo: This is part of the business logic and should be moved
                     # into the RepositoryModel.
                     if action not in ('push', 'pull'):
                         raise ValueError("Invalid action value: %s" % repr(action))
                     # defines if locked error should be thrown to user
                     currently_locked = False
                     # defines if new lock should be made, tri-state
                     make_lock = None
                     repo = self
                     user = User.get(user_id)
                     lock_info = repo.locked
                     if repo and (repo.enable_locking or not only_when_enabled):
                         if action == 'push':
                             # check if it's already locked !, if it is compare users
                             locked_by_user_id = lock_info[0]
                             if user.user_id == locked_by_user_id:
                                 log.debug(
                                     'Got `push` action from user %s, now unlocking', user)
                                 # unlock if we have push from user who locked
                                 make_lock = False
                             else:
                                 # we're not the same user who locked, ban with
                                 # code defined in settings (default is 423 HTTP Locked) !
                                 log.debug('Repo %s is currently locked by %s', repo, user)
                                 currently_locked = True
                         elif action == 'pull':
                             # [0] user [1] date
                             if lock_info[0] and lock_info[1]:
                                 log.debug('Repo %s is currently locked by %s', repo, user)
                                 currently_locked = True
                             else:
                                 log.debug('Setting lock on repo %s by %s', repo, user)
                                 make_lock = True
                     else:
                         log.debug('Repository %s do not have locking enabled', repo)
                     log.debug('FINAL locking values make_lock:%s,locked:%s,locked_by:%s',
                               make_lock, currently_locked, lock_info)
                     from rhodecode.lib.auth import HasRepoPermissionAny
                     perm_check = HasRepoPermissionAny('repository.write', 'repository.admin')
                     if make_lock and not perm_check(repo_name=repo.repo_name, user=user):
                         # if we don't have at least write permission we cannot make a lock
                         log.debug('lock state reset back to FALSE due to lack '
                                   'of at least read permission')
                         make_lock = False
                     return make_lock, currently_locked, lock_info
                 @property
                 def last_db_change(self):
                     return self.updated_on
                 @property
                 def clone_uri_hidden(self):
                     clone_uri = self.clone_uri
                     if clone_uri:
                         import urlobject
                         url_obj = urlobject.URLObject(cleaned_uri(clone_uri))
                         if url_obj.password:
                             clone_uri = url_obj.with_password('*****')
                     return clone_uri
                 @property
                 def push_uri_hidden(self):
                     push_uri = self.push_uri
                     if push_uri:
                         import urlobject
                         url_obj = urlobject.URLObject(cleaned_uri(push_uri))
                         if url_obj.password:
                             push_uri = url_obj.with_password('*****')
                     return push_uri
                 def clone_url(self, **override):
                     from rhodecode.model.settings import SettingsModel
                     uri_tmpl = None
                     if 'with_id' in override:
                         uri_tmpl = self.DEFAULT_CLONE_URI_ID
                         del override['with_id']
                     if 'uri_tmpl' in override:
                         uri_tmpl = override['uri_tmpl']
                         del override['uri_tmpl']
                     ssh = False
                     if 'ssh' in override:
                         ssh = True
                         del override['ssh']
                     # we didn't override our tmpl from **overrides
                     if not uri_tmpl:
                         rc_config = SettingsModel().get_all_settings(cache=True)
                         if ssh:
                             uri_tmpl = rc_config.get(
                                 'rhodecode_clone_uri_ssh_tmpl') or self.DEFAULT_CLONE_URI_SSH
                         else:
                             uri_tmpl = rc_config.get(
                                 'rhodecode_clone_uri_tmpl') or self.DEFAULT_CLONE_URI
                     request = get_current_request()
                     return get_clone_url(request=request,
                                          uri_tmpl=uri_tmpl,
                                          repo_name=self.repo_name,
                                          repo_id=self.repo_id, **override)
                 def set_state(self, state):
                     self.repo_state = state
                     Session().add(self)
                 #==========================================================================
                 # SCM PROPERTIES
                 #==========================================================================
                 def get_commit(self, commit_id=None, commit_idx=None, pre_load=None):
                     return get_commit_safe(
                         self.scm_instance(), commit_id, commit_idx, pre_load=pre_load)
                 def get_changeset(self, rev=None, pre_load=None):
                     warnings.warn("Use get_commit", DeprecationWarning)
                     commit_id = None
                     commit_idx = None
                     if isinstance(rev, compat.string_types):
                         commit_id = rev
                     else:
                         commit_idx = rev
                     return self.get_commit(commit_id=commit_id, commit_idx=commit_idx,
                                            pre_load=pre_load)
                 def get_landing_commit(self):
                     """
                     Returns landing commit, or if that doesn't exist returns the tip
                     """
                     _rev_type, _rev = self.landing_rev
                     commit = self.get_commit(_rev)
                     if isinstance(commit, EmptyCommit):
                         return self.get_commit()
                     return commit
                 def update_commit_cache(self, cs_cache=None, config=None):
                     """
                     Update cache of last changeset for repository, keys should be::
                         short_id
                         raw_id
                         revision
                         parents
                         message
                         date
                         author
                     :param cs_cache:
                     """
                     from rhodecode.lib.vcs.backends.base import BaseChangeset
                     if cs_cache is None:
                         # use no-cache version here
                         scm_repo = self.scm_instance(cache=False, config=config)
                         empty = not scm_repo or scm_repo.is_empty()
                         if not empty:
                             cs_cache = scm_repo.get_commit(
                                 pre_load=["author", "date", "message", "parents"])
                         else:
                             cs_cache = EmptyCommit()
                     if isinstance(cs_cache, BaseChangeset):
                         cs_cache = cs_cache.__json__()
                     def is_outdated(new_cs_cache):
                         if (new_cs_cache['raw_id'] != self.changeset_cache['raw_id'] or
                             new_cs_cache['revision'] != self.changeset_cache['revision']):
                             return True
                         return False
                     # check if we have maybe already latest cached revision
                     if is_outdated(cs_cache) or not self.changeset_cache:
                         _default = datetime.datetime.utcnow()
                         last_change = cs_cache.get('date') or _default
                         if self.updated_on and self.updated_on > last_change:
                             # we check if last update is newer than the new value
                             # if yes, we use the current timestamp instead. Imagine you get
                             # old commit pushed 1y ago, we'd set last update 1y to ago.
                             last_change = _default
                         log.debug('updated repo %s with new commit cache %s',
                                   self.repo_name, cs_cache)
                         self.updated_on = last_change
                         self.changeset_cache = cs_cache
                         Session().add(self)
                         Session().commit()
                     else:
                         log.debug('Skipping update_commit_cache for repo:`%s` '
                                   'commit already with latest changes', self.repo_name)
                 @property
                 def tip(self):
                     return self.get_commit('tip')
                 @property
                 def author(self):
                     return self.tip.author
                 @property
                 def last_change(self):
                     return self.scm_instance().last_change
                 def get_comments(self, revisions=None):
                     """
                     Returns comments for this repository grouped by revisions
                     :param revisions: filter query by revisions only
                     """
                     cmts = ChangesetComment.query()\
                         .filter(ChangesetComment.repo == self)
                     if revisions:
                         cmts = cmts.filter(ChangesetComment.revision.in_(revisions))
                     grouped = collections.defaultdict(list)
                     for cmt in cmts.all():
                         grouped[cmt.revision].append(cmt)
                     return grouped
                 def statuses(self, revisions=None):
                     """
                     Returns statuses for this repository
                     :param revisions: list of revisions to get statuses for
                     """
                     statuses = ChangesetStatus.query()\
                         .filter(ChangesetStatus.repo == self)\
                         .filter(ChangesetStatus.version == 0)
                     if revisions:
                         # Try doing the filtering in chunks to avoid hitting limits
                         size = 500
                         status_results = []
                         for chunk in xrange(0, len(revisions), size):
                             status_results += statuses.filter(
                                 ChangesetStatus.revision.in_(
                                     revisions[chunk: chunk+size])
                             ).all()
                     else:
                         status_results = statuses.all()
                     grouped = {}
                     # maybe we have open new pullrequest without a status?
                     stat = ChangesetStatus.STATUS_UNDER_REVIEW
                     status_lbl = ChangesetStatus.get_status_lbl(stat)
                     for pr in PullRequest.query().filter(PullRequest.source_repo == self).all():
                         for rev in pr.revisions:
                             pr_id = pr.pull_request_id
                             pr_repo = pr.target_repo.repo_name
                             grouped[rev] = [stat, status_lbl, pr_id, pr_repo]
                     for stat in status_results:
                         pr_id = pr_repo = None
                         if stat.pull_request:
                             pr_id = stat.pull_request.pull_request_id
                             pr_repo = stat.pull_request.target_repo.repo_name
                         grouped[stat.revision] = [str(stat.status), stat.status_lbl,
                                                   pr_id, pr_repo]
                     return grouped
                 # ==========================================================================
                 # SCM CACHE INSTANCE
                 # ==========================================================================
                 def scm_instance(self, **kwargs):
                     import rhodecode
                     # Passing a config will not hit the cache currently only used
                     # for repo2dbmapper
                     config = kwargs.pop('config', None)
                     cache = kwargs.pop('cache', None)
                     full_cache = str2bool(rhodecode.CONFIG.get('vcs_full_cache'))
                     # if cache is NOT defined use default global, else we have a full
                     # control over cache behaviour
                     if cache is None and full_cache and not config:
                         return self._get_instance_cached()
                     return self._get_instance(cache=bool(cache), config=config)
                 def _get_instance_cached(self):
                     from rhodecode.lib import rc_cache
                     cache_namespace_uid = 'cache_repo_instance.{}'.format(self.repo_id)
                     invalidation_namespace = CacheKey.REPO_INVALIDATION_NAMESPACE.format(
                         repo_id=self.repo_id)
                     region = rc_cache.get_or_create_region('cache_repo_longterm', cache_namespace_uid)
                     @region.conditional_cache_on_arguments(namespace=cache_namespace_uid)
                     def get_instance_cached(repo_id, context_id):
                         return self._get_instance()
                     # we must use thread scoped cache here,
                     # because each thread of gevent needs it's own not shared connection and cache
                     # we also alter `args` so the cache key is individual for every green thread.
                     inv_context_manager = rc_cache.InvalidationContext(
                         uid=cache_namespace_uid, invalidation_namespace=invalidation_namespace,
                         thread_scoped=True)
                     with inv_context_manager as invalidation_context:
                         args = (self.repo_id, inv_context_manager.cache_key)
                         # re-compute and store cache if we get invalidate signal
                         if invalidation_context.should_invalidate():
                             instance = get_instance_cached.refresh(*args)
                         else:
                             instance = get_instance_cached(*args)
                         log.debug(
-                            'Repo instance fetched in %.3fs', inv_context_manager.compute_time)
+                            'Repo instance fetched in %.4fs', inv_context_manager.compute_time)
                         return instance
                 def _get_instance(self, cache=True, config=None):
                     config = config or self._config
                     custom_wire = {
                         'cache': cache  # controls the vcs.remote cache
                     }
                     repo = get_vcs_instance(
                         repo_path=safe_str(self.repo_full_path),
                         config=config,
                         with_wire=custom_wire,
                         create=False,
                         _vcs_alias=self.repo_type)
                     return repo
                 def __json__(self):
                     return {'landing_rev': self.landing_rev}
                 def get_dict(self):
                     # Since we transformed `repo_name` to a hybrid property, we need to
                     # keep compatibility with the code which uses `repo_name` field.
                     result = super(Repository, self).get_dict()
                     result['repo_name'] = result.pop('_repo_name', None)
                     return result
             class RepoGroup(Base, BaseModel):
                 __tablename__ = 'groups'
                 __table_args__ = (
                     UniqueConstraint('group_name', 'group_parent_id'),
                     base_table_args,
                 )
                 __mapper_args__ = {'order_by': 'group_name'}
                 CHOICES_SEPARATOR = '/'  # used to generate select2 choices for nested groups
                 group_id = Column("group_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 group_name = Column("group_name", String(255), nullable=False, unique=True, default=None)
                 group_parent_id = Column("group_parent_id", Integer(), ForeignKey('groups.group_id'), nullable=True, unique=None, default=None)
                 group_description = Column("group_description", String(10000), nullable=True, unique=None, default=None)
                 enable_locking = Column("enable_locking", Boolean(), nullable=False, unique=None, default=False)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=False, default=None)
                 created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 updated_on = Column('updated_on', DateTime(timezone=False), nullable=True, unique=None, default=datetime.datetime.now)
                 personal = Column('personal', Boolean(), nullable=True, unique=None, default=None)
                 repo_group_to_perm = relationship('UserRepoGroupToPerm', cascade='all', order_by='UserRepoGroupToPerm.group_to_perm_id')
                 users_group_to_perm = relationship('UserGroupRepoGroupToPerm', cascade='all')
                 parent_group = relationship('RepoGroup', remote_side=group_id)
                 user = relationship('User')
                 integrations = relationship('Integration',
                                             cascade="all, delete, delete-orphan")
                 def __init__(self, group_name='', parent_group=None):
                     self.group_name = group_name
                     self.parent_group = parent_group
                 def __unicode__(self):
                     return u"<%s('id:%s:%s')>" % (
                         self.__class__.__name__, self.group_id, self.group_name)
                 @hybrid_property
                 def description_safe(self):
                     from rhodecode.lib import helpers as h
                     return h.escape(self.group_description)
                 @classmethod
                 def _generate_choice(cls, repo_group):
                     from webhelpers.html import literal as _literal
                     _name = lambda k: _literal(cls.CHOICES_SEPARATOR.join(k))
                     return repo_group.group_id, _name(repo_group.full_path_splitted)
                 @classmethod
                 def groups_choices(cls, groups=None, show_empty_group=True):
                     if not groups:
                         groups = cls.query().all()
                     repo_groups = []
                     if show_empty_group:
                         repo_groups = [(-1, u'-- %s --' % _('No parent'))]
                     repo_groups.extend([cls._generate_choice(x) for x in groups])
                     repo_groups = sorted(
                         repo_groups, key=lambda t: t[1].split(cls.CHOICES_SEPARATOR)[0])
                     return repo_groups
                 @classmethod
                 def url_sep(cls):
                     return URL_SEP
                 @classmethod
                 def get_by_group_name(cls, group_name, cache=False, case_insensitive=False):
                     if case_insensitive:
                         gr = cls.query().filter(func.lower(cls.group_name)
                                                 == func.lower(group_name))
                     else:
                         gr = cls.query().filter(cls.group_name == group_name)
                     if cache:
                         name_key = _hash_key(group_name)
                         gr = gr.options(
                             FromCache("sql_cache_short", "get_group_%s" % name_key))
                     return gr.scalar()
                 @classmethod
                 def get_user_personal_repo_group(cls, user_id):
                     user = User.get(user_id)
                     if user.username == User.DEFAULT_USER:
                         return None
                     return cls.query()\
                         .filter(cls.personal == true()) \
                         .filter(cls.user == user) \
                         .order_by(cls.group_id.asc()) \
                         .first()
                 @classmethod
                 def get_all_repo_groups(cls, user_id=Optional(None), group_id=Optional(None),
                                         case_insensitive=True):
                     q = RepoGroup.query()
                     if not isinstance(user_id, Optional):
                         q = q.filter(RepoGroup.user_id == user_id)
                     if not isinstance(group_id, Optional):
                         q = q.filter(RepoGroup.group_parent_id == group_id)
                     if case_insensitive:
                         q = q.order_by(func.lower(RepoGroup.group_name))
                     else:
                         q = q.order_by(RepoGroup.group_name)
                     return q.all()
                 @property
                 def parents(self):
                     parents_recursion_limit = 10
                     groups = []
                     if self.parent_group is None:
                         return groups
                     cur_gr = self.parent_group
                     groups.insert(0, cur_gr)
                     cnt = 0
                     while 1:
                         cnt += 1
                         gr = getattr(cur_gr, 'parent_group', None)
                         cur_gr = cur_gr.parent_group
                         if gr is None:
                             break
                         if cnt == parents_recursion_limit:
                             # this will prevent accidental infinit loops
                             log.error('more than %s parents found for group %s, stopping '
                                       'recursive parent fetching', parents_recursion_limit, self)
                             break
                         groups.insert(0, gr)
                     return groups
                 @property
                 def last_db_change(self):
                     return self.updated_on
                 @property
                 def children(self):
                     return RepoGroup.query().filter(RepoGroup.parent_group == self)
                 @property
                 def name(self):
                     return self.group_name.split(RepoGroup.url_sep())[-1]
                 @property
                 def full_path(self):
                     return self.group_name
                 @property
                 def full_path_splitted(self):
                     return self.group_name.split(RepoGroup.url_sep())
                 @property
                 def repositories(self):
                     return Repository.query()\
                             .filter(Repository.group == self)\
                             .order_by(Repository.repo_name)
                 @property
                 def repositories_recursive_count(self):
                     cnt = self.repositories.count()
                     def children_count(group):
                         cnt = 0
                         for child in group.children:
                             cnt += child.repositories.count()
                             cnt += children_count(child)
                         return cnt
                     return cnt + children_count(self)
                 def _recursive_objects(self, include_repos=True):
                     all_ = []
                     def _get_members(root_gr):
                         if include_repos:
                             for r in root_gr.repositories:
                                 all_.append(r)
                         childs = root_gr.children.all()
                         if childs:
                             for gr in childs:
                                 all_.append(gr)
                                 _get_members(gr)
                     _get_members(self)
                     return [self] + all_
                 def recursive_groups_and_repos(self):
                     """
                     Recursive return all groups, with repositories in those groups
                     """
                     return self._recursive_objects()
                 def recursive_groups(self):
                     """
                     Returns all children groups for this group including children of children
                     """
                     return self._recursive_objects(include_repos=False)
                 def get_new_name(self, group_name):
                     """
                     returns new full group name based on parent and new name
                     :param group_name:
                     """
                     path_prefix = (self.parent_group.full_path_splitted if
                                    self.parent_group else [])
                     return RepoGroup.url_sep().join(path_prefix + [group_name])
                 def permissions(self, with_admins=True, with_owner=True,
                                 expand_from_user_groups=False):
                     """
                     Permissions for repository groups
                     """
                     _admin_perm = 'group.admin'
                     owner_row = []
                     if with_owner:
                         usr = AttributeDict(self.user.get_dict())
                         usr.owner_row = True
                         usr.permission = _admin_perm
                         owner_row.append(usr)
                     super_admin_ids = []
                     super_admin_rows = []
                     if with_admins:
                         for usr in User.get_all_super_admins():
                             super_admin_ids.append(usr.user_id)
                             # if this admin is also owner, don't double the record
                             if usr.user_id == owner_row[0].user_id:
                                 owner_row[0].admin_row = True
                             else:
                                 usr = AttributeDict(usr.get_dict())
                                 usr.admin_row = True
                                 usr.permission = _admin_perm
                                 super_admin_rows.append(usr)
                     q = UserRepoGroupToPerm.query().filter(UserRepoGroupToPerm.group == self)
                     q = q.options(joinedload(UserRepoGroupToPerm.group),
                                   joinedload(UserRepoGroupToPerm.user),
                                   joinedload(UserRepoGroupToPerm.permission),)
                     # get owners and admins and permissions. We do a trick of re-writing
                     # objects from sqlalchemy to named-tuples due to sqlalchemy session
                     # has a global reference and changing one object propagates to all
                     # others. This means if admin is also an owner admin_row that change
                     # would propagate to both objects
                     perm_rows = []
                     for _usr in q.all():
                         usr = AttributeDict(_usr.user.get_dict())
                         # if this user is also owner/admin, mark as duplicate record
                         if usr.user_id == owner_row[0].user_id or usr.user_id in super_admin_ids:
                             usr.duplicate_perm = True
                         usr.permission = _usr.permission.permission_name
                         perm_rows.append(usr)
                     # filter the perm rows by 'default' first and then sort them by
                     # admin,write,read,none permissions sorted again alphabetically in
                     # each group
                     perm_rows = sorted(perm_rows, key=display_user_sort)
                     user_groups_rows = []
                     if expand_from_user_groups:
                         for ug in self.permission_user_groups(with_members=True):
                             for user_data in ug.members:
                                 user_groups_rows.append(user_data)
                     return super_admin_rows + owner_row + perm_rows + user_groups_rows
                 def permission_user_groups(self, with_members=False):
                     q = UserGroupRepoGroupToPerm.query()\
                         .filter(UserGroupRepoGroupToPerm.group == self)
                     q = q.options(joinedload(UserGroupRepoGroupToPerm.group),
                                   joinedload(UserGroupRepoGroupToPerm.users_group),
                                   joinedload(UserGroupRepoGroupToPerm.permission),)
                     perm_rows = []
                     for _user_group in q.all():
                         entry = AttributeDict(_user_group.users_group.get_dict())
                         entry.permission = _user_group.permission.permission_name
                         if with_members:
                             entry.members = [x.user.get_dict()
                                              for x in _user_group.users_group.members]
                         perm_rows.append(entry)
                     perm_rows = sorted(perm_rows, key=display_user_group_sort)
                     return perm_rows
                 def get_api_data(self):
                     """
                     Common function for generating api data
                     """
                     group = self
                     data = {
                         'group_id': group.group_id,
                         'group_name': group.group_name,
                         'group_description': group.description_safe,
                         'parent_group': group.parent_group.group_name if group.parent_group else None,
                         'repositories': [x.repo_name for x in group.repositories],
                         'owner': group.user.username,
                     }
                     return data
             class Permission(Base, BaseModel):
                 __tablename__ = 'permissions'
                 __table_args__ = (
                     Index('p_perm_name_idx', 'permission_name'),
                     base_table_args,
                 )
                 PERMS = [
                     ('hg.admin', _('RhodeCode Super Administrator')),
                     ('repository.none', _('Repository no access')),
                     ('repository.read', _('Repository read access')),
                     ('repository.write', _('Repository write access')),
                     ('repository.admin', _('Repository admin access')),
                     ('group.none', _('Repository group no access')),
                     ('group.read', _('Repository group read access')),
                     ('group.write', _('Repository group write access')),
                     ('group.admin', _('Repository group admin access')),
                     ('usergroup.none', _('User group no access')),
                     ('usergroup.read', _('User group read access')),
                     ('usergroup.write', _('User group write access')),
                     ('usergroup.admin', _('User group admin access')),
                     ('branch.none', _('Branch no permissions')),
                     ('branch.merge', _('Branch access by web merge')),
                     ('branch.push', _('Branch access by push')),
                     ('branch.push_force', _('Branch access by push with force')),
                     ('hg.repogroup.create.false', _('Repository Group creation disabled')),
                     ('hg.repogroup.create.true', _('Repository Group creation enabled')),
                     ('hg.usergroup.create.false', _('User Group creation disabled')),
                     ('hg.usergroup.create.true', _('User Group creation enabled')),
                     ('hg.create.none', _('Repository creation disabled')),
                     ('hg.create.repository', _('Repository creation enabled')),
                     ('hg.create.write_on_repogroup.true', _('Repository creation enabled with write permission to a repository group')),
                     ('hg.create.write_on_repogroup.false', _('Repository creation disabled with write permission to a repository group')),
                     ('hg.fork.none', _('Repository forking disabled')),
                     ('hg.fork.repository', _('Repository forking enabled')),
                     ('hg.register.none', _('Registration disabled')),
                     ('hg.register.manual_activate', _('User Registration with manual account activation')),
                     ('hg.register.auto_activate', _('User Registration with automatic account activation')),
                     ('hg.password_reset.enabled', _('Password reset enabled')),
                     ('hg.password_reset.hidden', _('Password reset hidden')),
                     ('hg.password_reset.disabled', _('Password reset disabled')),
                     ('hg.extern_activate.manual', _('Manual activation of external account')),
                     ('hg.extern_activate.auto', _('Automatic activation of external account')),
                     ('hg.inherit_default_perms.false', _('Inherit object permissions from default user disabled')),
                     ('hg.inherit_default_perms.true', _('Inherit object permissions from default user enabled')),
                 ]
                 # definition of system default permissions for DEFAULT user, created on
                 # system setup
                 DEFAULT_USER_PERMISSIONS = [
                     # object perms
                     'repository.read',
                     'group.read',
                     'usergroup.read',
                     # branch, for backward compat we need same value as before so forced pushed
                     'branch.push_force',
                     # global
                     'hg.create.repository',
                     'hg.repogroup.create.false',
                     'hg.usergroup.create.false',
                     'hg.create.write_on_repogroup.true',
                     'hg.fork.repository',
                     'hg.register.manual_activate',
                     'hg.password_reset.enabled',
                     'hg.extern_activate.auto',
                     'hg.inherit_default_perms.true',
                 ]
                 # defines which permissions are more important higher the more important
                 # Weight defines which permissions are more important.
                 # The higher number the more important.
                 PERM_WEIGHTS = {
                     'repository.none': 0,
                     'repository.read': 1,
                     'repository.write': 3,
                     'repository.admin': 4,
                     'group.none': 0,
                     'group.read': 1,
                     'group.write': 3,
                     'group.admin': 4,
                     'usergroup.none': 0,
                     'usergroup.read': 1,
                     'usergroup.write': 3,
                     'usergroup.admin': 4,
                     'branch.none': 0,
                     'branch.merge': 1,
                     'branch.push': 3,
                     'branch.push_force': 4,
                     'hg.repogroup.create.false': 0,
                     'hg.repogroup.create.true': 1,
                     'hg.usergroup.create.false': 0,
                     'hg.usergroup.create.true': 1,
                     'hg.fork.none': 0,
                     'hg.fork.repository': 1,
                     'hg.create.none': 0,
                     'hg.create.repository': 1
                 }
                 permission_id = Column("permission_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 permission_name = Column("permission_name", String(255), nullable=True, unique=None, default=None)
                 permission_longname = Column("permission_longname", String(255), nullable=True, unique=None, default=None)
                 def __unicode__(self):
                     return u"<%s('%s:%s')>" % (
                         self.__class__.__name__, self.permission_id, self.permission_name
                     )
                 @classmethod
                 def get_by_key(cls, key):
                     return cls.query().filter(cls.permission_name == key).scalar()
                 @classmethod
                 def get_default_repo_perms(cls, user_id, repo_id=None):
                     q = Session().query(UserRepoToPerm, Repository, Permission)\
                         .join((Permission, UserRepoToPerm.permission_id == Permission.permission_id))\
                         .join((Repository, UserRepoToPerm.repository_id == Repository.repo_id))\
                         .filter(UserRepoToPerm.user_id == user_id)
                     if repo_id:
                         q = q.filter(UserRepoToPerm.repository_id == repo_id)
                     return q.all()
                 @classmethod
                 def get_default_repo_branch_perms(cls, user_id, repo_id=None):
                     q = Session().query(UserToRepoBranchPermission, UserRepoToPerm, Permission) \
                         .join(
                             Permission,
                             UserToRepoBranchPermission.permission_id == Permission.permission_id) \
                         .join(
                             UserRepoToPerm,
                             UserToRepoBranchPermission.rule_to_perm_id == UserRepoToPerm.repo_to_perm_id) \
                         .filter(UserRepoToPerm.user_id == user_id)
                     if repo_id:
                         q = q.filter(UserToRepoBranchPermission.repository_id == repo_id)
                     return q.order_by(UserToRepoBranchPermission.rule_order).all()
                 @classmethod
                 def get_default_repo_perms_from_user_group(cls, user_id, repo_id=None):
                     q = Session().query(UserGroupRepoToPerm, Repository, Permission)\
                         .join(
                             Permission,
                             UserGroupRepoToPerm.permission_id == Permission.permission_id)\
                         .join(
                             Repository,
                             UserGroupRepoToPerm.repository_id == Repository.repo_id)\
                         .join(
                             UserGroup,
                             UserGroupRepoToPerm.users_group_id ==
                             UserGroup.users_group_id)\
                         .join(
                             UserGroupMember,
                             UserGroupRepoToPerm.users_group_id ==
                             UserGroupMember.users_group_id)\
                         .filter(
                             UserGroupMember.user_id == user_id,
                             UserGroup.users_group_active == true())
                     if repo_id:
                         q = q.filter(UserGroupRepoToPerm.repository_id == repo_id)
                     return q.all()
                 @classmethod
                 def get_default_repo_branch_perms_from_user_group(cls, user_id, repo_id=None):
                     q = Session().query(UserGroupToRepoBranchPermission, UserGroupRepoToPerm, Permission) \
                         .join(
                             Permission,
                             UserGroupToRepoBranchPermission.permission_id == Permission.permission_id) \
                         .join(
                             UserGroupRepoToPerm,
                             UserGroupToRepoBranchPermission.rule_to_perm_id == UserGroupRepoToPerm.users_group_to_perm_id) \
                         .join(
                             UserGroup,
                             UserGroupRepoToPerm.users_group_id == UserGroup.users_group_id) \
                         .join(
                             UserGroupMember,
                             UserGroupRepoToPerm.users_group_id == UserGroupMember.users_group_id) \
                         .filter(
                             UserGroupMember.user_id == user_id,
                             UserGroup.users_group_active == true())
                     if repo_id:
                         q = q.filter(UserGroupToRepoBranchPermission.repository_id == repo_id)
                     return q.order_by(UserGroupToRepoBranchPermission.rule_order).all()
                 @classmethod
                 def get_default_group_perms(cls, user_id, repo_group_id=None):
                     q = Session().query(UserRepoGroupToPerm, RepoGroup, Permission)\
                         .join(
                             Permission,
                             UserRepoGroupToPerm.permission_id == Permission.permission_id)\
                         .join(
                             RepoGroup,
                             UserRepoGroupToPerm.group_id == RepoGroup.group_id)\
                         .filter(UserRepoGroupToPerm.user_id == user_id)
                     if repo_group_id:
                         q = q.filter(UserRepoGroupToPerm.group_id == repo_group_id)
                     return q.all()
                 @classmethod
                 def get_default_group_perms_from_user_group(
                         cls, user_id, repo_group_id=None):
                     q = Session().query(UserGroupRepoGroupToPerm, RepoGroup, Permission)\
                         .join(
                             Permission,
                             UserGroupRepoGroupToPerm.permission_id ==
                             Permission.permission_id)\
                         .join(
                             RepoGroup,
                             UserGroupRepoGroupToPerm.group_id == RepoGroup.group_id)\
                         .join(
                             UserGroup,
                             UserGroupRepoGroupToPerm.users_group_id ==
                             UserGroup.users_group_id)\
                         .join(
                             UserGroupMember,
                             UserGroupRepoGroupToPerm.users_group_id ==
                             UserGroupMember.users_group_id)\
                         .filter(
                             UserGroupMember.user_id == user_id,
                             UserGroup.users_group_active == true())
                     if repo_group_id:
                         q = q.filter(UserGroupRepoGroupToPerm.group_id == repo_group_id)
                     return q.all()
                 @classmethod
                 def get_default_user_group_perms(cls, user_id, user_group_id=None):
                     q = Session().query(UserUserGroupToPerm, UserGroup, Permission)\
                         .join((Permission, UserUserGroupToPerm.permission_id == Permission.permission_id))\
                         .join((UserGroup, UserUserGroupToPerm.user_group_id == UserGroup.users_group_id))\
                         .filter(UserUserGroupToPerm.user_id == user_id)
                     if user_group_id:
                         q = q.filter(UserUserGroupToPerm.user_group_id == user_group_id)
                     return q.all()
                 @classmethod
                 def get_default_user_group_perms_from_user_group(
                         cls, user_id, user_group_id=None):
                     TargetUserGroup = aliased(UserGroup, name='target_user_group')
                     q = Session().query(UserGroupUserGroupToPerm, UserGroup, Permission)\
                         .join(
                             Permission,
                             UserGroupUserGroupToPerm.permission_id ==
                             Permission.permission_id)\
                         .join(
                             TargetUserGroup,
                             UserGroupUserGroupToPerm.target_user_group_id ==
                             TargetUserGroup.users_group_id)\
                         .join(
                             UserGroup,
                             UserGroupUserGroupToPerm.user_group_id ==
                             UserGroup.users_group_id)\
                         .join(
                             UserGroupMember,
                             UserGroupUserGroupToPerm.user_group_id ==
                             UserGroupMember.users_group_id)\
                         .filter(
                             UserGroupMember.user_id == user_id,
                             UserGroup.users_group_active == true())
                     if user_group_id:
                         q = q.filter(
                             UserGroupUserGroupToPerm.user_group_id == user_group_id)
                     return q.all()
             class UserRepoToPerm(Base, BaseModel):
                 __tablename__ = 'repo_to_perm'
                 __table_args__ = (
                     UniqueConstraint('user_id', 'repository_id', 'permission_id'),
                     base_table_args
                 )
                 repo_to_perm_id = Column("repo_to_perm_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=None, default=None)
                 permission_id = Column("permission_id", Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)
                 repository_id = Column("repository_id", Integer(), ForeignKey('repositories.repo_id'), nullable=False, unique=None, default=None)
                 user = relationship('User')
                 repository = relationship('Repository')
                 permission = relationship('Permission')
                 branch_perm_entry = relationship('UserToRepoBranchPermission', cascade="all, delete, delete-orphan", lazy='joined')
                 @classmethod
                 def create(cls, user, repository, permission):
                     n = cls()
                     n.user = user
                     n.repository = repository
                     n.permission = permission
                     Session().add(n)
                     return n
                 def __unicode__(self):
                     return u'<%s => %s >' % (self.user, self.repository)
             class UserUserGroupToPerm(Base, BaseModel):
                 __tablename__ = 'user_user_group_to_perm'
                 __table_args__ = (
                     UniqueConstraint('user_id', 'user_group_id', 'permission_id'),
                     base_table_args
                 )
                 user_user_group_to_perm_id = Column("user_user_group_to_perm_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=None, default=None)
                 permission_id = Column("permission_id", Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)
                 user_group_id = Column("user_group_id", Integer(), ForeignKey('users_groups.users_group_id'), nullable=False, unique=None, default=None)
                 user = relationship('User')
                 user_group = relationship('UserGroup')
                 permission = relationship('Permission')
                 @classmethod
                 def create(cls, user, user_group, permission):
                     n = cls()
                     n.user = user
                     n.user_group = user_group
                     n.permission = permission
                     Session().add(n)
                     return n
                 def __unicode__(self):
                     return u'<%s => %s >' % (self.user, self.user_group)
             class UserToPerm(Base, BaseModel):
                 __tablename__ = 'user_to_perm'
                 __table_args__ = (
                     UniqueConstraint('user_id', 'permission_id'),
                     base_table_args
                 )
                 user_to_perm_id = Column("user_to_perm_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=None, default=None)
                 permission_id = Column("permission_id", Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)
                 user = relationship('User')
                 permission = relationship('Permission', lazy='joined')
                 def __unicode__(self):
                     return u'<%s => %s >' % (self.user, self.permission)
             class UserGroupRepoToPerm(Base, BaseModel):
                 __tablename__ = 'users_group_repo_to_perm'
                 __table_args__ = (
                     UniqueConstraint('repository_id', 'users_group_id', 'permission_id'),
                     base_table_args
                 )
                 users_group_to_perm_id = Column("users_group_to_perm_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 users_group_id = Column("users_group_id", Integer(), ForeignKey('users_groups.users_group_id'), nullable=False, unique=None, default=None)
                 permission_id = Column("permission_id", Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)
                 repository_id = Column("repository_id", Integer(), ForeignKey('repositories.repo_id'), nullable=False, unique=None, default=None)
                 users_group = relationship('UserGroup')
                 permission = relationship('Permission')
                 repository = relationship('Repository')
                 user_group_branch_perms = relationship('UserGroupToRepoBranchPermission', cascade='all')
                 @classmethod
                 def create(cls, users_group, repository, permission):
                     n = cls()
                     n.users_group = users_group
                     n.repository = repository
                     n.permission = permission
                     Session().add(n)
                     return n
                 def __unicode__(self):
                     return u'<UserGroupRepoToPerm:%s => %s >' % (self.users_group, self.repository)
             class UserGroupUserGroupToPerm(Base, BaseModel):
                 __tablename__ = 'user_group_user_group_to_perm'
                 __table_args__ = (
                     UniqueConstraint('target_user_group_id', 'user_group_id', 'permission_id'),
                     CheckConstraint('target_user_group_id != user_group_id'),
                     base_table_args
                 )
                 user_group_user_group_to_perm_id = Column("user_group_user_group_to_perm_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 target_user_group_id = Column("target_user_group_id", Integer(), ForeignKey('users_groups.users_group_id'), nullable=False, unique=None, default=None)
                 permission_id = Column("permission_id", Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)
                 user_group_id = Column("user_group_id", Integer(), ForeignKey('users_groups.users_group_id'), nullable=False, unique=None, default=None)
                 target_user_group = relationship('UserGroup', primaryjoin='UserGroupUserGroupToPerm.target_user_group_id==UserGroup.users_group_id')
                 user_group = relationship('UserGroup', primaryjoin='UserGroupUserGroupToPerm.user_group_id==UserGroup.users_group_id')
                 permission = relationship('Permission')
                 @classmethod
                 def create(cls, target_user_group, user_group, permission):
                     n = cls()
                     n.target_user_group = target_user_group
                     n.user_group = user_group
                     n.permission = permission
                     Session().add(n)
                     return n
                 def __unicode__(self):
                     return u'<UserGroupUserGroup:%s => %s >' % (self.target_user_group, self.user_group)
             class UserGroupToPerm(Base, BaseModel):
                 __tablename__ = 'users_group_to_perm'
                 __table_args__ = (
                     UniqueConstraint('users_group_id', 'permission_id',),
                     base_table_args
                 )
                 users_group_to_perm_id = Column("users_group_to_perm_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 users_group_id = Column("users_group_id", Integer(), ForeignKey('users_groups.users_group_id'), nullable=False, unique=None, default=None)
                 permission_id = Column("permission_id", Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)
                 users_group = relationship('UserGroup')
                 permission = relationship('Permission')
             class UserRepoGroupToPerm(Base, BaseModel):
                 __tablename__ = 'user_repo_group_to_perm'
                 __table_args__ = (
                     UniqueConstraint('user_id', 'group_id', 'permission_id'),
                     base_table_args
                 )
                 group_to_perm_id = Column("group_to_perm_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=None, default=None)
                 group_id = Column("group_id", Integer(), ForeignKey('groups.group_id'), nullable=False, unique=None, default=None)
                 permission_id = Column("permission_id", Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)
                 user = relationship('User')
                 group = relationship('RepoGroup')
                 permission = relationship('Permission')
                 @classmethod
                 def create(cls, user, repository_group, permission):
                     n = cls()
                     n.user = user
                     n.group = repository_group
                     n.permission = permission
                     Session().add(n)
                     return n
             class UserGroupRepoGroupToPerm(Base, BaseModel):
                 __tablename__ = 'users_group_repo_group_to_perm'
                 __table_args__ = (
                     UniqueConstraint('users_group_id', 'group_id'),
                     base_table_args
                 )
                 users_group_repo_group_to_perm_id = Column("users_group_repo_group_to_perm_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 users_group_id = Column("users_group_id", Integer(), ForeignKey('users_groups.users_group_id'), nullable=False, unique=None, default=None)
                 group_id = Column("group_id", Integer(), ForeignKey('groups.group_id'), nullable=False, unique=None, default=None)
                 permission_id = Column("permission_id", Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)
                 users_group = relationship('UserGroup')
                 permission = relationship('Permission')
                 group = relationship('RepoGroup')
                 @classmethod
                 def create(cls, user_group, repository_group, permission):
                     n = cls()
                     n.users_group = user_group
                     n.group = repository_group
                     n.permission = permission
                     Session().add(n)
                     return n
                 def __unicode__(self):
                     return u'<UserGroupRepoGroupToPerm:%s => %s >' % (self.users_group, self.group)
             class Statistics(Base, BaseModel):
                 __tablename__ = 'statistics'
                 __table_args__ = (
                      base_table_args
                 )
                 stat_id = Column("stat_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 repository_id = Column("repository_id", Integer(), ForeignKey('repositories.repo_id'), nullable=False, unique=True, default=None)
                 stat_on_revision = Column("stat_on_revision", Integer(), nullable=False)
                 commit_activity = Column("commit_activity", LargeBinary(1000000), nullable=False)#JSON data
                 commit_activity_combined = Column("commit_activity_combined", LargeBinary(), nullable=False)#JSON data
                 languages = Column("languages", LargeBinary(1000000), nullable=False)#JSON data
                 repository = relationship('Repository', single_parent=True)
             class UserFollowing(Base, BaseModel):
                 __tablename__ = 'user_followings'
                 __table_args__ = (
                     UniqueConstraint('user_id', 'follows_repository_id'),
                     UniqueConstraint('user_id', 'follows_user_id'),
                     base_table_args
                 )
                 user_following_id = Column("user_following_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=None, default=None)
                 follows_repo_id = Column("follows_repository_id", Integer(), ForeignKey('repositories.repo_id'), nullable=True, unique=None, default=None)
                 follows_user_id = Column("follows_user_id", Integer(), ForeignKey('users.user_id'), nullable=True, unique=None, default=None)
                 follows_from = Column('follows_from', DateTime(timezone=False), nullable=True, unique=None, default=datetime.datetime.now)
                 user = relationship('User', primaryjoin='User.user_id==UserFollowing.user_id')
                 follows_user = relationship('User', primaryjoin='User.user_id==UserFollowing.follows_user_id')
                 follows_repository = relationship('Repository', order_by='Repository.repo_name')
                 @classmethod
                 def get_repo_followers(cls, repo_id):
                     return cls.query().filter(cls.follows_repo_id == repo_id)
             class CacheKey(Base, BaseModel):
                 __tablename__ = 'cache_invalidation'
                 __table_args__ = (
                     UniqueConstraint('cache_key'),
                     Index('key_idx', 'cache_key'),
                     base_table_args,
                 )
                 CACHE_TYPE_FEED = 'FEED'
                 CACHE_TYPE_README = 'README'
                 # namespaces used to register process/thread aware caches
                 REPO_INVALIDATION_NAMESPACE = 'repo_cache:{repo_id}'
                 SETTINGS_INVALIDATION_NAMESPACE = 'system_settings'
                 cache_id = Column("cache_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 cache_key = Column("cache_key", String(255), nullable=True, unique=None, default=None)
                 cache_args = Column("cache_args", String(255), nullable=True, unique=None, default=None)
                 cache_active = Column("cache_active", Boolean(), nullable=True, unique=None, default=False)
                 def __init__(self, cache_key, cache_args=''):
                     self.cache_key = cache_key
                     self.cache_args = cache_args
                     self.cache_active = False
                 def __unicode__(self):
                     return u"<%s('%s:%s[%s]')>" % (
                         self.__class__.__name__,
                         self.cache_id, self.cache_key, self.cache_active)
                 def _cache_key_partition(self):
                     prefix, repo_name, suffix = self.cache_key.partition(self.cache_args)
                     return prefix, repo_name, suffix
                 def get_prefix(self):
                     """
                     Try to extract prefix from existing cache key. The key could consist
                     of prefix, repo_name, suffix
                     """
                     # this returns prefix, repo_name, suffix
                     return self._cache_key_partition()[0]
                 def get_suffix(self):
                     """
                     get suffix that might have been used in _get_cache_key to
                     generate self.cache_key. Only used for informational purposes
                     in repo_edit.mako.
                     """
                     # prefix, repo_name, suffix
                     return self._cache_key_partition()[2]
                 @classmethod
                 def delete_all_cache(cls):
                     """
                     Delete all cache keys from database.
                     Should only be run when all instances are down and all entries
                     thus stale.
                     """
                     cls.query().delete()
                     Session().commit()
                 @classmethod
                 def set_invalidate(cls, cache_uid, delete=False):
                     """
                     Mark all caches of a repo as invalid in the database.
                     """
                     try:
                         qry = Session().query(cls).filter(cls.cache_args == cache_uid)
                         if delete:
                             qry.delete()
                             log.debug('cache objects deleted for cache args %s',
                                       safe_str(cache_uid))
                         else:
                             qry.update({"cache_active": False})
                             log.debug('cache objects marked as invalid for cache args %s',
                                       safe_str(cache_uid))
                         Session().commit()
                     except Exception:
                         log.exception(
                             'Cache key invalidation failed for cache args %s',
                             safe_str(cache_uid))
                         Session().rollback()
                 @classmethod
                 def get_active_cache(cls, cache_key):
                     inv_obj = cls.query().filter(cls.cache_key == cache_key).scalar()
                     if inv_obj:
                         return inv_obj
                     return None
             class ChangesetComment(Base, BaseModel):
                 __tablename__ = 'changeset_comments'
                 __table_args__ = (
                     Index('cc_revision_idx', 'revision'),
                     base_table_args,
                 )
                 COMMENT_OUTDATED = u'comment_outdated'
                 COMMENT_TYPE_NOTE = u'note'
                 COMMENT_TYPE_TODO = u'todo'
                 COMMENT_TYPES = [COMMENT_TYPE_NOTE, COMMENT_TYPE_TODO]
                 comment_id = Column('comment_id', Integer(), nullable=False, primary_key=True)
                 repo_id = Column('repo_id', Integer(), ForeignKey('repositories.repo_id'), nullable=False)
                 revision = Column('revision', String(40), nullable=True)
                 pull_request_id = Column("pull_request_id", Integer(), ForeignKey('pull_requests.pull_request_id'), nullable=True)
                 pull_request_version_id = Column("pull_request_version_id", Integer(), ForeignKey('pull_request_versions.pull_request_version_id'), nullable=True)
                 line_no = Column('line_no', Unicode(10), nullable=True)
                 hl_lines = Column('hl_lines', Unicode(512), nullable=True)
                 f_path = Column('f_path', Unicode(1000), nullable=True)
                 user_id = Column('user_id', Integer(), ForeignKey('users.user_id'), nullable=False)
                 text = Column('text', UnicodeText().with_variant(UnicodeText(25000), 'mysql'), nullable=False)
                 created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 modified_at = Column('modified_at', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 renderer = Column('renderer', Unicode(64), nullable=True)
                 display_state = Column('display_state',  Unicode(128), nullable=True)
                 comment_type = Column('comment_type',  Unicode(128), nullable=True, default=COMMENT_TYPE_NOTE)
                 resolved_comment_id = Column('resolved_comment_id', Integer(), ForeignKey('changeset_comments.comment_id'), nullable=True)
                 resolved_comment = relationship('ChangesetComment', remote_side=comment_id, back_populates='resolved_by')
                 resolved_by = relationship('ChangesetComment', back_populates='resolved_comment')
                 author = relationship('User', lazy='joined')
                 repo = relationship('Repository')
                 status_change = relationship('ChangesetStatus', cascade="all, delete, delete-orphan", lazy='joined')
                 pull_request = relationship('PullRequest', lazy='joined')
                 pull_request_version = relationship('PullRequestVersion')
                 @classmethod
                 def get_users(cls, revision=None, pull_request_id=None):
                     """
                     Returns user associated with this ChangesetComment. ie those
                     who actually commented
                     :param cls:
                     :param revision:
                     """
                     q = Session().query(User)\
                             .join(ChangesetComment.author)
                     if revision:
                         q = q.filter(cls.revision == revision)
                     elif pull_request_id:
                         q = q.filter(cls.pull_request_id == pull_request_id)
                     return q.all()
                 @classmethod
                 def get_index_from_version(cls, pr_version, versions):
                     num_versions = [x.pull_request_version_id for x in versions]
                     try:
                         return num_versions.index(pr_version) +1
                     except (IndexError, ValueError):
                         return
                 @property
                 def outdated(self):
                     return self.display_state == self.COMMENT_OUTDATED
                 def outdated_at_version(self, version):
                     """
                     Checks if comment is outdated for given pull request version
                     """
                     return self.outdated and self.pull_request_version_id != version
                 def older_than_version(self, version):
                     """
                     Checks if comment is made from previous version than given
                     """
                     if version is None:
                         return self.pull_request_version_id is not None
                     return self.pull_request_version_id < version
                 @property
                 def resolved(self):
                     return self.resolved_by[0] if self.resolved_by else None
                 @property
                 def is_todo(self):
                     return self.comment_type == self.COMMENT_TYPE_TODO
                 @property
                 def is_inline(self):
                     return self.line_no and self.f_path
                 def get_index_version(self, versions):
                     return self.get_index_from_version(
                         self.pull_request_version_id, versions)
                 def __repr__(self):
                     if self.comment_id:
                         return '<DB:Comment #%s>' % self.comment_id
                     else:
                         return '<DB:Comment at %#x>' % id(self)
                 def get_api_data(self):
                     comment = self
                     data = {
                         'comment_id': comment.comment_id,
                         'comment_type': comment.comment_type,
                         'comment_text': comment.text,
                         'comment_status': comment.status_change,
                         'comment_f_path': comment.f_path,
                         'comment_lineno': comment.line_no,
                         'comment_author': comment.author,
                         'comment_created_on': comment.created_on
                     }
                     return data
                 def __json__(self):
                     data = dict()
                     data.update(self.get_api_data())
                     return data
             class ChangesetStatus(Base, BaseModel):
                 __tablename__ = 'changeset_statuses'
                 __table_args__ = (
                     Index('cs_revision_idx', 'revision'),
                     Index('cs_version_idx', 'version'),
                     UniqueConstraint('repo_id', 'revision', 'version'),
                     base_table_args
                 )
                 STATUS_NOT_REVIEWED = DEFAULT = 'not_reviewed'
                 STATUS_APPROVED = 'approved'
                 STATUS_REJECTED = 'rejected'
                 STATUS_UNDER_REVIEW = 'under_review'
                 STATUSES = [
                     (STATUS_NOT_REVIEWED, _("Not Reviewed")),  # (no icon) and default
                     (STATUS_APPROVED, _("Approved")),
                     (STATUS_REJECTED, _("Rejected")),
                     (STATUS_UNDER_REVIEW, _("Under Review")),
                 ]
                 changeset_status_id = Column('changeset_status_id', Integer(), nullable=False, primary_key=True)
                 repo_id = Column('repo_id', Integer(), ForeignKey('repositories.repo_id'), nullable=False)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=None)
                 revision = Column('revision', String(40), nullable=False)
                 status = Column('status', String(128), nullable=False, default=DEFAULT)
                 changeset_comment_id = Column('changeset_comment_id', Integer(), ForeignKey('changeset_comments.comment_id'))
                 modified_at = Column('modified_at', DateTime(), nullable=False, default=datetime.datetime.now)
                 version = Column('version', Integer(), nullable=False, default=0)
                 pull_request_id = Column("pull_request_id", Integer(), ForeignKey('pull_requests.pull_request_id'), nullable=True)
                 author = relationship('User', lazy='joined')
                 repo = relationship('Repository')
                 comment = relationship('ChangesetComment', lazy='joined')
                 pull_request = relationship('PullRequest', lazy='joined')
                 def __unicode__(self):
                     return u"<%s('%s[v%s]:%s')>" % (
                         self.__class__.__name__,
                         self.status, self.version, self.author
                     )
                 @classmethod
                 def get_status_lbl(cls, value):
                     return dict(cls.STATUSES).get(value)
                 @property
                 def status_lbl(self):
                     return ChangesetStatus.get_status_lbl(self.status)
                 def get_api_data(self):
                     status = self
                     data = {
                         'status_id': status.changeset_status_id,
                         'status': status.status,
                     }
                     return data
                 def __json__(self):
                     data = dict()
                     data.update(self.get_api_data())
                     return data
             class _SetState(object):
                 """
                 Context processor allowing changing state for sensitive operation such as
                 pull request update or merge
                 """
                 def __init__(self, pull_request, pr_state, back_state=None):
                     self._pr = pull_request
                     self._org_state = back_state or pull_request.pull_request_state
                     self._pr_state = pr_state
                 def __enter__(self):
                     log.debug('StateLock: entering set state context, setting state to: `%s`',
                               self._pr_state)
                     self._pr.pull_request_state = self._pr_state
                     Session().add(self._pr)
                     Session().commit()
                 def __exit__(self, exc_type, exc_val, exc_tb):
                     log.debug('StateLock: exiting set state context, setting state to: `%s`',
                               self._org_state)
                     self._pr.pull_request_state = self._org_state
                     Session().add(self._pr)
                     Session().commit()
             class _PullRequestBase(BaseModel):
                 """
                 Common attributes of pull request and version entries.
                 """
                 # .status values
                 STATUS_NEW = u'new'
                 STATUS_OPEN = u'open'
                 STATUS_CLOSED = u'closed'
                 # available states
                 STATE_CREATING = u'creating'
                 STATE_UPDATING = u'updating'
                 STATE_MERGING = u'merging'
                 STATE_CREATED = u'created'
                 title = Column('title', Unicode(255), nullable=True)
                 description = Column(
                     'description', UnicodeText().with_variant(UnicodeText(10240), 'mysql'),
                     nullable=True)
                 description_renderer = Column('description_renderer', Unicode(64), nullable=True)
                 # new/open/closed status of pull request (not approve/reject/etc)
                 status = Column('status', Unicode(255), nullable=False, default=STATUS_NEW)
                 created_on = Column(
                     'created_on', DateTime(timezone=False), nullable=False,
                     default=datetime.datetime.now)
                 updated_on = Column(
                     'updated_on', DateTime(timezone=False), nullable=False,
                     default=datetime.datetime.now)
                 pull_request_state = Column("pull_request_state", String(255), nullable=True)
                 @declared_attr
                 def user_id(cls):
                     return Column(
                         "user_id", Integer(), ForeignKey('users.user_id'), nullable=False,
                         unique=None)
                 # 500 revisions max
                 _revisions = Column(
                     'revisions', UnicodeText().with_variant(UnicodeText(20500), 'mysql'))
                 @declared_attr
                 def source_repo_id(cls):
                     # TODO: dan: rename column to source_repo_id
                     return Column(
                         'org_repo_id', Integer(), ForeignKey('repositories.repo_id'),
                         nullable=False)
                 _source_ref = Column('org_ref', Unicode(255), nullable=False)
                 @hybrid_property
                 def source_ref(self):
                     return self._source_ref
                 @source_ref.setter
                 def source_ref(self, val):
                     parts = (val or '').split(':')
                     if len(parts) != 3:
                         raise ValueError(
                             'Invalid reference format given: {}, expected X:Y:Z'.format(val))
                     self._source_ref = safe_unicode(val)
                 _target_ref = Column('other_ref', Unicode(255), nullable=False)
                 @hybrid_property
                 def target_ref(self):
                     return self._target_ref
                 @target_ref.setter
                 def target_ref(self, val):
                     parts = (val or '').split(':')
                     if len(parts) != 3:
                         raise ValueError(
                             'Invalid reference format given: {}, expected X:Y:Z'.format(val))
                     self._target_ref = safe_unicode(val)
                 @declared_attr
                 def target_repo_id(cls):
                     # TODO: dan: rename column to target_repo_id
                     return Column(
                         'other_repo_id', Integer(), ForeignKey('repositories.repo_id'),
                         nullable=False)
                 _shadow_merge_ref = Column('shadow_merge_ref', Unicode(255), nullable=True)
                 # TODO: dan: rename column to last_merge_source_rev
                 _last_merge_source_rev = Column(
                     'last_merge_org_rev', String(40), nullable=True)
                 # TODO: dan: rename column to last_merge_target_rev
                 _last_merge_target_rev = Column(
                     'last_merge_other_rev', String(40), nullable=True)
                 _last_merge_status = Column('merge_status', Integer(), nullable=True)
                 merge_rev = Column('merge_rev', String(40), nullable=True)
                 reviewer_data = Column(
                     'reviewer_data_json', MutationObj.as_mutable(
                         JsonType(dialect_map=dict(mysql=UnicodeText(16384)))))
                 @property
                 def reviewer_data_json(self):
                     return json.dumps(self.reviewer_data)
                 @hybrid_property
                 def description_safe(self):
                     from rhodecode.lib import helpers as h
                     return h.escape(self.description)
                 @hybrid_property
                 def revisions(self):
                     return self._revisions.split(':') if self._revisions else []
                 @revisions.setter
                 def revisions(self, val):
                     self._revisions = ':'.join(val)
                 @hybrid_property
                 def last_merge_status(self):
                     return safe_int(self._last_merge_status)
                 @last_merge_status.setter
                 def last_merge_status(self, val):
                     self._last_merge_status = val
                 @declared_attr
                 def author(cls):
                     return relationship('User', lazy='joined')
                 @declared_attr
                 def source_repo(cls):
                     return relationship(
                         'Repository',
                         primaryjoin='%s.source_repo_id==Repository.repo_id' % cls.__name__)
                 @property
                 def source_ref_parts(self):
                     return self.unicode_to_reference(self.source_ref)
                 @declared_attr
                 def target_repo(cls):
                     return relationship(
                         'Repository',
                         primaryjoin='%s.target_repo_id==Repository.repo_id' % cls.__name__)
                 @property
                 def target_ref_parts(self):
                     return self.unicode_to_reference(self.target_ref)
                 @property
                 def shadow_merge_ref(self):
                     return self.unicode_to_reference(self._shadow_merge_ref)
                 @shadow_merge_ref.setter
                 def shadow_merge_ref(self, ref):
                     self._shadow_merge_ref = self.reference_to_unicode(ref)
                 @staticmethod
                 def unicode_to_reference(raw):
                     """
                     Convert a unicode (or string) to a reference object.
                     If unicode evaluates to False it returns None.
                     """
                     if raw:
                         refs = raw.split(':')
                         return Reference(*refs)
                     else:
                         return None
                 @staticmethod
                 def reference_to_unicode(ref):
                     """
                     Convert a reference object to unicode.
                     If reference is None it returns None.
                     """
                     if ref:
                         return u':'.join(ref)
                     else:
                         return None
                 def get_api_data(self, with_merge_state=True):
                     from rhodecode.model.pull_request import PullRequestModel
                     pull_request = self
                     if with_merge_state:
                         merge_status = PullRequestModel().merge_status(pull_request)
                         merge_state = {
                             'status': merge_status[0],
                             'message': safe_unicode(merge_status[1]),
                         }
                     else:
                         merge_state = {'status': 'not_available',
                                        'message': 'not_available'}
                     merge_data = {
                         'clone_url': PullRequestModel().get_shadow_clone_url(pull_request),
                         'reference': (
                             pull_request.shadow_merge_ref._asdict()
                             if pull_request.shadow_merge_ref else None),
                     }
                     data = {
                         'pull_request_id': pull_request.pull_request_id,
                         'url': PullRequestModel().get_url(pull_request),
                         'title': pull_request.title,
                         'description': pull_request.description,
                         'status': pull_request.status,
                         'state': pull_request.pull_request_state,
                         'created_on': pull_request.created_on,
                         'updated_on': pull_request.updated_on,
                         'commit_ids': pull_request.revisions,
                         'review_status': pull_request.calculated_review_status(),
                         'mergeable': merge_state,
                         'source': {
                             'clone_url': pull_request.source_repo.clone_url(),
                             'repository': pull_request.source_repo.repo_name,
                             'reference': {
                                 'name': pull_request.source_ref_parts.name,
                                 'type': pull_request.source_ref_parts.type,
                                 'commit_id': pull_request.source_ref_parts.commit_id,
                             },
                         },
                         'target': {
                             'clone_url': pull_request.target_repo.clone_url(),
                             'repository': pull_request.target_repo.repo_name,
                             'reference': {
                                 'name': pull_request.target_ref_parts.name,
                                 'type': pull_request.target_ref_parts.type,
                                 'commit_id': pull_request.target_ref_parts.commit_id,
                             },
                         },
                         'merge': merge_data,
                         'author': pull_request.author.get_api_data(include_secrets=False,
                                                                    details='basic'),
                         'reviewers': [
                             {
                                 'user': reviewer.get_api_data(include_secrets=False,
                                                               details='basic'),
                                 'reasons': reasons,
                                 'review_status': st[0][1].status if st else 'not_reviewed',
                             }
                             for obj, reviewer, reasons, mandatory, st in
                             pull_request.reviewers_statuses()
                         ]
                     }
                     return data
                 def set_state(self, pull_request_state, final_state=None):
                     """
                     # goes from initial state to updating to initial state.
                     # initial state can be changed by specifying back_state=
                     with pull_request_obj.set_state(PullRequest.STATE_UPDATING):
                        pull_request.merge()
                     :param pull_request_state:
                     :param final_state:
                     """
                     return _SetState(self, pull_request_state, back_state=final_state)
             class PullRequest(Base, _PullRequestBase):
                 __tablename__ = 'pull_requests'
                 __table_args__ = (
                     base_table_args,
                 )
                 pull_request_id = Column(
                     'pull_request_id', Integer(), nullable=False, primary_key=True)
                 def __repr__(self):
                     if self.pull_request_id:
                         return '<DB:PullRequest #%s>' % self.pull_request_id
                     else:
                         return '<DB:PullRequest at %#x>' % id(self)
                 reviewers = relationship('PullRequestReviewers',
                                          cascade="all, delete, delete-orphan")
                 statuses = relationship('ChangesetStatus',
                                         cascade="all, delete, delete-orphan")
                 comments = relationship('ChangesetComment',
                                         cascade="all, delete, delete-orphan")
                 versions = relationship('PullRequestVersion',
                                         cascade="all, delete, delete-orphan",
                                         lazy='dynamic')
                 @classmethod
                 def get_pr_display_object(cls, pull_request_obj, org_pull_request_obj,
                                           internal_methods=None):
                     class PullRequestDisplay(object):
                         """
                         Special object wrapper for showing PullRequest data via Versions
                         It mimics PR object as close as possible. This is read only object
                         just for display
                         """
                         def __init__(self, attrs, internal=None):
                             self.attrs = attrs
                             # internal have priority over the given ones via attrs
                             self.internal = internal or ['versions']
                         def __getattr__(self, item):
                             if item in self.internal:
                                 return getattr(self, item)
                             try:
                                 return self.attrs[item]
                             except KeyError:
                                 raise AttributeError(
                                     '%s object has no attribute %s' % (self, item))
                         def __repr__(self):
                             return '<DB:PullRequestDisplay #%s>' % self.attrs.get('pull_request_id')
                         def versions(self):
                             return pull_request_obj.versions.order_by(
                                 PullRequestVersion.pull_request_version_id).all()
                         def is_closed(self):
                             return pull_request_obj.is_closed()
                         @property
                         def pull_request_version_id(self):
                             return getattr(pull_request_obj, 'pull_request_version_id', None)
                     attrs = StrictAttributeDict(pull_request_obj.get_api_data())
                     attrs.author = StrictAttributeDict(
                         pull_request_obj.author.get_api_data())
                     if pull_request_obj.target_repo:
                         attrs.target_repo = StrictAttributeDict(
                             pull_request_obj.target_repo.get_api_data())
                         attrs.target_repo.clone_url = pull_request_obj.target_repo.clone_url
                     if pull_request_obj.source_repo:
                         attrs.source_repo = StrictAttributeDict(
                             pull_request_obj.source_repo.get_api_data())
                         attrs.source_repo.clone_url = pull_request_obj.source_repo.clone_url
                     attrs.source_ref_parts = pull_request_obj.source_ref_parts
                     attrs.target_ref_parts = pull_request_obj.target_ref_parts
                     attrs.revisions = pull_request_obj.revisions
                     attrs.shadow_merge_ref = org_pull_request_obj.shadow_merge_ref
                     attrs.reviewer_data = org_pull_request_obj.reviewer_data
                     attrs.reviewer_data_json = org_pull_request_obj.reviewer_data_json
                     return PullRequestDisplay(attrs, internal=internal_methods)
                 def is_closed(self):
                     return self.status == self.STATUS_CLOSED
                 def __json__(self):
                     return {
                         'revisions': self.revisions,
                     }
                 def calculated_review_status(self):
                     from rhodecode.model.changeset_status import ChangesetStatusModel
                     return ChangesetStatusModel().calculated_review_status(self)
                 def reviewers_statuses(self):
                     from rhodecode.model.changeset_status import ChangesetStatusModel
                     return ChangesetStatusModel().reviewers_statuses(self)
                 @property
                 def workspace_id(self):
                     from rhodecode.model.pull_request import PullRequestModel
                     return PullRequestModel()._workspace_id(self)
                 def get_shadow_repo(self):
                     workspace_id = self.workspace_id
                     vcs_obj = self.target_repo.scm_instance()
                     shadow_repository_path = vcs_obj._get_shadow_repository_path(
                         self.target_repo.repo_id, workspace_id)
                     if os.path.isdir(shadow_repository_path):
                         return vcs_obj.get_shadow_instance(shadow_repository_path)
             class PullRequestVersion(Base, _PullRequestBase):
                 __tablename__ = 'pull_request_versions'
                 __table_args__ = (
                     base_table_args,
                 )
                 pull_request_version_id = Column(
                     'pull_request_version_id', Integer(), nullable=False, primary_key=True)
                 pull_request_id = Column(
                     'pull_request_id', Integer(),
                     ForeignKey('pull_requests.pull_request_id'), nullable=False)
                 pull_request = relationship('PullRequest')
                 def __repr__(self):
                     if self.pull_request_version_id:
                         return '<DB:PullRequestVersion #%s>' % self.pull_request_version_id
                     else:
                         return '<DB:PullRequestVersion at %#x>' % id(self)
                 @property
                 def reviewers(self):
                     return self.pull_request.reviewers
                 @property
                 def versions(self):
                     return self.pull_request.versions
                 def is_closed(self):
                     # calculate from original
                     return self.pull_request.status == self.STATUS_CLOSED
                 def calculated_review_status(self):
                     return self.pull_request.calculated_review_status()
                 def reviewers_statuses(self):
                     return self.pull_request.reviewers_statuses()
             class PullRequestReviewers(Base, BaseModel):
                 __tablename__ = 'pull_request_reviewers'
                 __table_args__ = (
                     base_table_args,
                 )
                 @hybrid_property
                 def reasons(self):
                     if not self._reasons:
                         return []
                     return self._reasons
                 @reasons.setter
                 def reasons(self, val):
                     val = val or []
                     if any(not isinstance(x, compat.string_types) for x in val):
                         raise Exception('invalid reasons type, must be list of strings')
                     self._reasons = val
                 pull_requests_reviewers_id = Column(
                     'pull_requests_reviewers_id', Integer(), nullable=False,
                     primary_key=True)
                 pull_request_id = Column(
                     "pull_request_id", Integer(),
                     ForeignKey('pull_requests.pull_request_id'), nullable=False)
                 user_id = Column(
                     "user_id", Integer(), ForeignKey('users.user_id'), nullable=True)
                 _reasons = Column(
                     'reason', MutationList.as_mutable(
                         JsonType('list', dialect_map=dict(mysql=UnicodeText(16384)))))
                 mandatory = Column("mandatory", Boolean(), nullable=False, default=False)
                 user = relationship('User')
                 pull_request = relationship('PullRequest')
                 rule_data = Column(
                     'rule_data_json',
                     JsonType(dialect_map=dict(mysql=UnicodeText(16384))))
                 def rule_user_group_data(self):
                     """
                     Returns the voting user group rule data for this reviewer
                     """
                     if self.rule_data and 'vote_rule' in self.rule_data:
                         user_group_data = {}
                         if 'rule_user_group_entry_id' in self.rule_data:
                             # means a group with voting rules !
                             user_group_data['id'] = self.rule_data['rule_user_group_entry_id']
                             user_group_data['name'] = self.rule_data['rule_name']
                             user_group_data['vote_rule'] = self.rule_data['vote_rule']
                         return user_group_data
                 def __unicode__(self):
                     return u"<%s('id:%s')>" % (self.__class__.__name__,
                                                self.pull_requests_reviewers_id)
             class Notification(Base, BaseModel):
                 __tablename__ = 'notifications'
                 __table_args__ = (
                     Index('notification_type_idx', 'type'),
                     base_table_args,
                 )
                 TYPE_CHANGESET_COMMENT = u'cs_comment'
                 TYPE_MESSAGE = u'message'
                 TYPE_MENTION = u'mention'
                 TYPE_REGISTRATION = u'registration'
                 TYPE_PULL_REQUEST = u'pull_request'
                 TYPE_PULL_REQUEST_COMMENT = u'pull_request_comment'
                 notification_id = Column('notification_id', Integer(), nullable=False, primary_key=True)
                 subject = Column('subject', Unicode(512), nullable=True)
                 body = Column('body', UnicodeText().with_variant(UnicodeText(50000), 'mysql'), nullable=True)
                 created_by = Column("created_by", Integer(), ForeignKey('users.user_id'), nullable=True)
                 created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 type_ = Column('type', Unicode(255))
                 created_by_user = relationship('User')
                 notifications_to_users = relationship('UserNotification', lazy='joined',
                                                       cascade="all, delete, delete-orphan")
                 @property
                 def recipients(self):
                     return [x.user for x in UserNotification.query()\
                             .filter(UserNotification.notification == self)\
                             .order_by(UserNotification.user_id.asc()).all()]
                 @classmethod
                 def create(cls, created_by, subject, body, recipients, type_=None):
                     if type_ is None:
                         type_ = Notification.TYPE_MESSAGE
                     notification = cls()
                     notification.created_by_user = created_by
                     notification.subject = subject
                     notification.body = body
                     notification.type_ = type_
                     notification.created_on = datetime.datetime.now()
                     # For each recipient link the created notification to his account
                     for u in recipients:
                         assoc = UserNotification()
                         assoc.user_id = u.user_id
                         assoc.notification = notification
                         # if created_by is inside recipients mark his notification
                         # as read
                         if u.user_id == created_by.user_id:
                             assoc.read = True
                         Session().add(assoc)
                     Session().add(notification)
                     return notification
             class UserNotification(Base, BaseModel):
                 __tablename__ = 'user_to_notification'
                 __table_args__ = (
                     UniqueConstraint('user_id', 'notification_id'),
                     base_table_args
                 )
                 user_id = Column('user_id', Integer(), ForeignKey('users.user_id'), primary_key=True)
                 notification_id = Column("notification_id", Integer(), ForeignKey('notifications.notification_id'), primary_key=True)
                 read = Column('read', Boolean, default=False)
                 sent_on = Column('sent_on', DateTime(timezone=False), nullable=True, unique=None)
                 user = relationship('User', lazy="joined")
                 notification = relationship('Notification', lazy="joined",
                                             order_by=lambda: Notification.created_on.desc(),)
                 def mark_as_read(self):
                     self.read = True
                     Session().add(self)
             class Gist(Base, BaseModel):
                 __tablename__ = 'gists'
                 __table_args__ = (
                     Index('g_gist_access_id_idx', 'gist_access_id'),
                     Index('g_created_on_idx', 'created_on'),
                     base_table_args
                 )
                 GIST_PUBLIC = u'public'
                 GIST_PRIVATE = u'private'
                 DEFAULT_FILENAME = u'gistfile1.txt'
                 ACL_LEVEL_PUBLIC = u'acl_public'
                 ACL_LEVEL_PRIVATE = u'acl_private'
                 gist_id = Column('gist_id', Integer(), primary_key=True)
                 gist_access_id = Column('gist_access_id', Unicode(250))
                 gist_description = Column('gist_description', UnicodeText().with_variant(UnicodeText(1024), 'mysql'))
                 gist_owner = Column('user_id', Integer(), ForeignKey('users.user_id'), nullable=True)
                 gist_expires = Column('gist_expires', Float(53), nullable=False)
                 gist_type = Column('gist_type', Unicode(128), nullable=False)
                 created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 modified_at = Column('modified_at', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 acl_level = Column('acl_level', Unicode(128), nullable=True)
                 owner = relationship('User')
                 def __repr__(self):
                     return '<Gist:[%s]%s>' % (self.gist_type, self.gist_access_id)
                 @hybrid_property
                 def description_safe(self):
                     from rhodecode.lib import helpers as h
                     return h.escape(self.gist_description)
                 @classmethod
                 def get_or_404(cls, id_):
                     from pyramid.httpexceptions import HTTPNotFound
                     res = cls.query().filter(cls.gist_access_id == id_).scalar()
                     if not res:
                         raise HTTPNotFound()
                     return res
                 @classmethod
                 def get_by_access_id(cls, gist_access_id):
                     return cls.query().filter(cls.gist_access_id == gist_access_id).scalar()
                 def gist_url(self):
                     from rhodecode.model.gist import GistModel
                     return GistModel().get_url(self)
                 @classmethod
                 def base_path(cls):
                     """
                     Returns base path when all gists are stored
                     :param cls:
                     """
                     from rhodecode.model.gist import GIST_STORE_LOC
                     q = Session().query(RhodeCodeUi)\
                         .filter(RhodeCodeUi.ui_key == URL_SEP)
                     q = q.options(FromCache("sql_cache_short", "repository_repo_path"))
                     return os.path.join(q.one().ui_value, GIST_STORE_LOC)
                 def get_api_data(self):
                     """
                     Common function for generating gist related data for API
                     """
                     gist = self
                     data = {
                         'gist_id': gist.gist_id,
                         'type': gist.gist_type,
                         'access_id': gist.gist_access_id,
                         'description': gist.gist_description,
                         'url': gist.gist_url(),
                         'expires': gist.gist_expires,
                         'created_on': gist.created_on,
                         'modified_at': gist.modified_at,
                         'content': None,
                         'acl_level': gist.acl_level,
                     }
                     return data
                 def __json__(self):
                     data = dict(
                     )
                     data.update(self.get_api_data())
                     return data
                 # SCM functions
                 def scm_instance(self, **kwargs):
                     full_repo_path = os.path.join(self.base_path(), self.gist_access_id)
                     return get_vcs_instance(
                         repo_path=safe_str(full_repo_path), create=False)
             class ExternalIdentity(Base, BaseModel):
                 __tablename__ = 'external_identities'
                 __table_args__ = (
                     Index('local_user_id_idx', 'local_user_id'),
                     Index('external_id_idx', 'external_id'),
                     base_table_args
                 )
                 external_id = Column('external_id', Unicode(255), default=u'', primary_key=True)
                 external_username = Column('external_username', Unicode(1024), default=u'')
                 local_user_id = Column('local_user_id', Integer(), ForeignKey('users.user_id'), primary_key=True)
                 provider_name = Column('provider_name', Unicode(255), default=u'', primary_key=True)
                 access_token = Column('access_token', String(1024), default=u'')
                 alt_token = Column('alt_token', String(1024), default=u'')
                 token_secret = Column('token_secret', String(1024), default=u'')
                 @classmethod
                 def by_external_id_and_provider(cls, external_id, provider_name, local_user_id=None):
                     """
                     Returns ExternalIdentity instance based on search params
                     :param external_id:
                     :param provider_name:
                     :return: ExternalIdentity
                     """
                     query = cls.query()
                     query = query.filter(cls.external_id == external_id)
                     query = query.filter(cls.provider_name == provider_name)
                     if local_user_id:
                         query = query.filter(cls.local_user_id == local_user_id)
                     return query.first()
                 @classmethod
                 def user_by_external_id_and_provider(cls, external_id, provider_name):
                     """
                     Returns User instance based on search params
                     :param external_id:
                     :param provider_name:
                     :return: User
                     """
                     query = User.query()
                     query = query.filter(cls.external_id == external_id)
                     query = query.filter(cls.provider_name == provider_name)
                     query = query.filter(User.user_id == cls.local_user_id)
                     return query.first()
                 @classmethod
                 def by_local_user_id(cls, local_user_id):
                     """
                     Returns all tokens for user
                     :param local_user_id:
                     :return: ExternalIdentity
                     """
                     query = cls.query()
                     query = query.filter(cls.local_user_id == local_user_id)
                     return query
                 @classmethod
                 def load_provider_plugin(cls, plugin_id):
                     from rhodecode.authentication.base import loadplugin
                     _plugin_id = 'egg:rhodecode-enterprise-ee#{}'.format(plugin_id)
                     auth_plugin = loadplugin(_plugin_id)
                     return auth_plugin
             class Integration(Base, BaseModel):
                 __tablename__ = 'integrations'
                 __table_args__ = (
                     base_table_args
                 )
                 integration_id = Column('integration_id', Integer(), primary_key=True)
                 integration_type = Column('integration_type', String(255))
                 enabled = Column('enabled', Boolean(), nullable=False)
                 name = Column('name', String(255), nullable=False)
                 child_repos_only = Column('child_repos_only', Boolean(), nullable=False,
                     default=False)
                 settings = Column(
                     'settings_json', MutationObj.as_mutable(
                         JsonType(dialect_map=dict(mysql=UnicodeText(16384)))))
                 repo_id = Column(
                     'repo_id', Integer(), ForeignKey('repositories.repo_id'),
                     nullable=True, unique=None, default=None)
                 repo = relationship('Repository', lazy='joined')
                 repo_group_id = Column(
                     'repo_group_id', Integer(), ForeignKey('groups.group_id'),
                     nullable=True, unique=None, default=None)
                 repo_group = relationship('RepoGroup', lazy='joined')
                 @property
                 def scope(self):
                     if self.repo:
                         return repr(self.repo)
                     if self.repo_group:
                         if self.child_repos_only:
                             return repr(self.repo_group) + ' (child repos only)'
                         else:
                             return repr(self.repo_group) + ' (recursive)'
                     if self.child_repos_only:
                         return 'root_repos'
                     return 'global'
                 def __repr__(self):
                     return '<Integration(%r, %r)>' % (self.integration_type, self.scope)
             class RepoReviewRuleUser(Base, BaseModel):
                 __tablename__ = 'repo_review_rules_users'
                 __table_args__ = (
                     base_table_args
                 )
                 repo_review_rule_user_id = Column('repo_review_rule_user_id', Integer(), primary_key=True)
                 repo_review_rule_id = Column("repo_review_rule_id", Integer(), ForeignKey('repo_review_rules.repo_review_rule_id'))
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False)
                 mandatory = Column("mandatory", Boolean(), nullable=False, default=False)
                 user = relationship('User')
                 def rule_data(self):
                     return {
                         'mandatory': self.mandatory
                     }
             class RepoReviewRuleUserGroup(Base, BaseModel):
                 __tablename__ = 'repo_review_rules_users_groups'
                 __table_args__ = (
                     base_table_args
                 )
                 VOTE_RULE_ALL = -1
                 repo_review_rule_users_group_id = Column('repo_review_rule_users_group_id', Integer(), primary_key=True)
                 repo_review_rule_id = Column("repo_review_rule_id", Integer(), ForeignKey('repo_review_rules.repo_review_rule_id'))
                 users_group_id = Column("users_group_id", Integer(),ForeignKey('users_groups.users_group_id'), nullable=False)
                 mandatory = Column("mandatory", Boolean(), nullable=False, default=False)
                 vote_rule = Column("vote_rule", Integer(), nullable=True, default=VOTE_RULE_ALL)
                 users_group = relationship('UserGroup')
                 def rule_data(self):
                     return {
                         'mandatory': self.mandatory,
                         'vote_rule': self.vote_rule
                     }
                 @property
                 def vote_rule_label(self):
                     if not self.vote_rule or self.vote_rule == self.VOTE_RULE_ALL:
                         return 'all must vote'
                     else:
                         return 'min. vote {}'.format(self.vote_rule)
             class RepoReviewRule(Base, BaseModel):
                 __tablename__ = 'repo_review_rules'
                 __table_args__ = (
                     base_table_args
                 )
                 repo_review_rule_id = Column(
                     'repo_review_rule_id', Integer(), primary_key=True)
                 repo_id = Column(
                     "repo_id", Integer(), ForeignKey('repositories.repo_id'))
                 repo = relationship('Repository', backref='review_rules')
                 review_rule_name = Column('review_rule_name', String(255))
                 _branch_pattern = Column("branch_pattern", UnicodeText().with_variant(UnicodeText(255), 'mysql'), default=u'*')  # glob
                 _target_branch_pattern = Column("target_branch_pattern", UnicodeText().with_variant(UnicodeText(255), 'mysql'), default=u'*')  # glob
                 _file_pattern = Column("file_pattern", UnicodeText().with_variant(UnicodeText(255), 'mysql'), default=u'*')  # glob
                 use_authors_for_review = Column("use_authors_for_review", Boolean(), nullable=False, default=False)
                 forbid_author_to_review = Column("forbid_author_to_review", Boolean(), nullable=False, default=False)
                 forbid_commit_author_to_review = Column("forbid_commit_author_to_review", Boolean(), nullable=False, default=False)
                 forbid_adding_reviewers = Column("forbid_adding_reviewers", Boolean(), nullable=False, default=False)
                 rule_users = relationship('RepoReviewRuleUser')
                 rule_user_groups = relationship('RepoReviewRuleUserGroup')
                 def _validate_pattern(self, value):
                     re.compile('^' + glob2re(value) + '$')
                 @hybrid_property
                 def source_branch_pattern(self):
                     return self._branch_pattern or '*'
                 @source_branch_pattern.setter
                 def source_branch_pattern(self, value):
                     self._validate_pattern(value)
                     self._branch_pattern = value or '*'
                 @hybrid_property
                 def target_branch_pattern(self):
                     return self._target_branch_pattern or '*'
                 @target_branch_pattern.setter
                 def target_branch_pattern(self, value):
                     self._validate_pattern(value)
                     self._target_branch_pattern = value or '*'
                 @hybrid_property
                 def file_pattern(self):
                     return self._file_pattern or '*'
                 @file_pattern.setter
                 def file_pattern(self, value):
                     self._validate_pattern(value)
                     self._file_pattern = value or '*'
                 def matches(self, source_branch, target_branch, files_changed):
                     """
                     Check if this review rule matches a branch/files in a pull request
                     :param source_branch: source branch name for the commit
                     :param target_branch: target branch name for the commit
                     :param files_changed: list of file paths changed in the pull request
                     """
                     source_branch = source_branch or ''
                     target_branch = target_branch or ''
                     files_changed = files_changed or []
                     branch_matches = True
                     if source_branch or target_branch:
                         if self.source_branch_pattern == '*':
                             source_branch_match = True
                         else:
                             if self.source_branch_pattern.startswith('re:'):
                                 source_pattern = self.source_branch_pattern[3:]
                             else:
                                 source_pattern = '^' + glob2re(self.source_branch_pattern) + '$'
                             source_branch_regex = re.compile(source_pattern)
                             source_branch_match = bool(source_branch_regex.search(source_branch))
                         if self.target_branch_pattern == '*':
                             target_branch_match = True
                         else:
                             if self.target_branch_pattern.startswith('re:'):
                                 target_pattern = self.target_branch_pattern[3:]
                             else:
                                 target_pattern = '^' + glob2re(self.target_branch_pattern) + '$'
                             target_branch_regex = re.compile(target_pattern)
                             target_branch_match = bool(target_branch_regex.search(target_branch))
                         branch_matches = source_branch_match and target_branch_match
                     files_matches = True
                     if self.file_pattern != '*':
                         files_matches = False
                         if self.file_pattern.startswith('re:'):
                             file_pattern = self.file_pattern[3:]
                         else:
                             file_pattern = glob2re(self.file_pattern)
                         file_regex = re.compile(file_pattern)
                         for filename in files_changed:
                             if file_regex.search(filename):
                                 files_matches = True
                                 break
                     return branch_matches and files_matches
                 @property
                 def review_users(self):
                     """ Returns the users which this rule applies to """
                     users = collections.OrderedDict()
                     for rule_user in self.rule_users:
                         if rule_user.user.active:
                             if rule_user.user not in users:
                                 users[rule_user.user.username] = {
                                     'user': rule_user.user,
                                     'source': 'user',
                                     'source_data': {},
                                     'data': rule_user.rule_data()
                                 }
                     for rule_user_group in self.rule_user_groups:
                         source_data = {
                             'user_group_id': rule_user_group.users_group.users_group_id,
                             'name': rule_user_group.users_group.users_group_name,
                             'members': len(rule_user_group.users_group.members)
                         }
                         for member in rule_user_group.users_group.members:
                             if member.user.active:
                                 key = member.user.username
                                 if key in users:
                                     # skip this member as we have him already
                                     # this prevents from override the "first" matched
                                     # users with duplicates in multiple groups
                                     continue
                                 users[key] = {
                                     'user': member.user,
                                     'source': 'user_group',
                                     'source_data': source_data,
                                     'data': rule_user_group.rule_data()
                                 }
                     return users
                 def user_group_vote_rule(self, user_id):
                     rules = []
                     if not self.rule_user_groups:
                         return rules
                     for user_group in self.rule_user_groups:
                         user_group_members = [x.user_id for x in user_group.users_group.members]
                         if user_id in user_group_members:
                             rules.append(user_group)
                     return rules
                 def __repr__(self):
                     return '<RepoReviewerRule(id=%r, repo=%r)>' % (
                         self.repo_review_rule_id, self.repo)
             class ScheduleEntry(Base, BaseModel):
                 __tablename__ = 'schedule_entries'
                 __table_args__ = (
                     UniqueConstraint('schedule_name', name='s_schedule_name_idx'),
                     UniqueConstraint('task_uid', name='s_task_uid_idx'),
                     base_table_args,
                 )
                 schedule_types = ['crontab', 'timedelta', 'integer']
                 schedule_entry_id = Column('schedule_entry_id', Integer(), primary_key=True)
                 schedule_name = Column("schedule_name", String(255), nullable=False, unique=None, default=None)
                 schedule_description = Column("schedule_description", String(10000), nullable=True, unique=None, default=None)
                 schedule_enabled = Column("schedule_enabled", Boolean(), nullable=False, unique=None, default=True)
                 _schedule_type = Column("schedule_type", String(255), nullable=False, unique=None, default=None)
                 schedule_definition = Column('schedule_definition_json', MutationObj.as_mutable(JsonType(default=lambda: "", dialect_map=dict(mysql=LONGTEXT()))))
                 schedule_last_run = Column('schedule_last_run', DateTime(timezone=False), nullable=True, unique=None, default=None)
                 schedule_total_run_count = Column('schedule_total_run_count', Integer(), nullable=True, unique=None, default=0)
                 # task
                 task_uid = Column("task_uid", String(255), nullable=False, unique=None, default=None)
                 task_dot_notation = Column("task_dot_notation", String(4096), nullable=False, unique=None, default=None)
                 task_args = Column('task_args_json', MutationObj.as_mutable(JsonType(default=list, dialect_map=dict(mysql=LONGTEXT()))))
                 task_kwargs = Column('task_kwargs_json', MutationObj.as_mutable(JsonType(default=dict, dialect_map=dict(mysql=LONGTEXT()))))
                 created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 updated_on = Column('updated_on', DateTime(timezone=False), nullable=True, unique=None, default=None)
                 @hybrid_property
                 def schedule_type(self):
                     return self._schedule_type
                 @schedule_type.setter
                 def schedule_type(self, val):
                     if val not in self.schedule_types:
                         raise ValueError('Value must be on of `{}` and got `{}`'.format(
                             val, self.schedule_type))
                     self._schedule_type = val
                 @classmethod
                 def get_uid(cls, obj):
                     args = obj.task_args
                     kwargs = obj.task_kwargs
                     if isinstance(args, JsonRaw):
                         try:
                             args = json.loads(args)
                         except ValueError:
                             args = tuple()
                     if isinstance(kwargs, JsonRaw):
                         try:
                             kwargs = json.loads(kwargs)
                         except ValueError:
                             kwargs = dict()
                     dot_notation = obj.task_dot_notation
                     val = '.'.join(map(safe_str, [
                         sorted(dot_notation), args, sorted(kwargs.items())]))
                     return hashlib.sha1(val).hexdigest()
                 @classmethod
                 def get_by_schedule_name(cls, schedule_name):
                     return cls.query().filter(cls.schedule_name == schedule_name).scalar()
                 @classmethod
                 def get_by_schedule_id(cls, schedule_id):
                     return cls.query().filter(cls.schedule_entry_id == schedule_id).scalar()
                 @property
                 def task(self):
                     return self.task_dot_notation
                 @property
                 def schedule(self):
                     from rhodecode.lib.celerylib.utils import raw_2_schedule
                     schedule = raw_2_schedule(self.schedule_definition, self.schedule_type)
                     return schedule
                 @property
                 def args(self):
                     try:
                         return list(self.task_args or [])
                     except ValueError:
                         return list()
                 @property
                 def kwargs(self):
                     try:
                         return dict(self.task_kwargs or {})
                     except ValueError:
                         return dict()
                 def _as_raw(self, val):
                     if hasattr(val, 'de_coerce'):
                         val = val.de_coerce()
                         if val:
                             val = json.dumps(val)
                     return val
                 @property
                 def schedule_definition_raw(self):
                     return self._as_raw(self.schedule_definition)
                 @property
                 def args_raw(self):
                     return self._as_raw(self.task_args)
                 @property
                 def kwargs_raw(self):
                     return self._as_raw(self.task_kwargs)
                 def __repr__(self):
                     return '<DB:ScheduleEntry({}:{})>'.format(
                         self.schedule_entry_id, self.schedule_name)
             @event.listens_for(ScheduleEntry, 'before_update')
             def update_task_uid(mapper, connection, target):
                 target.task_uid = ScheduleEntry.get_uid(target)
             @event.listens_for(ScheduleEntry, 'before_insert')
             def set_task_uid(mapper, connection, target):
                 target.task_uid = ScheduleEntry.get_uid(target)
             class _BaseBranchPerms(BaseModel):
                 @classmethod
                 def compute_hash(cls, value):
                     return sha1_safe(value)
                 @hybrid_property
                 def branch_pattern(self):
                     return self._branch_pattern or '*'
                 @hybrid_property
                 def branch_hash(self):
                     return self._branch_hash
                 def _validate_glob(self, value):
                     re.compile('^' + glob2re(value) + '$')
                 @branch_pattern.setter
                 def branch_pattern(self, value):
                     self._validate_glob(value)
                     self._branch_pattern = value or '*'
                     # set the Hash when setting the branch pattern
                     self._branch_hash = self.compute_hash(self._branch_pattern)
                 def matches(self, branch):
                     """
                     Check if this the branch matches entry
                     :param branch: branch name for the commit
                     """
                     branch = branch or ''
                     branch_matches = True
                     if branch:
                         branch_regex = re.compile('^' + glob2re(self.branch_pattern) + '$')
                         branch_matches = bool(branch_regex.search(branch))
                     return branch_matches
             class UserToRepoBranchPermission(Base, _BaseBranchPerms):
                 __tablename__ = 'user_to_repo_branch_permissions'
                 __table_args__ = (
                     {'extend_existing': True, 'mysql_engine': 'InnoDB',
                      'mysql_charset': 'utf8', 'sqlite_autoincrement': True,}
                 )
                 branch_rule_id = Column('branch_rule_id', Integer(), primary_key=True)
                 repository_id = Column('repository_id', Integer(), ForeignKey('repositories.repo_id'), nullable=False, unique=None, default=None)
                 repo = relationship('Repository', backref='user_branch_perms')
                 permission_id = Column('permission_id', Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)
                 permission = relationship('Permission')
                 rule_to_perm_id = Column('rule_to_perm_id', Integer(), ForeignKey('repo_to_perm.repo_to_perm_id'), nullable=False, unique=None, default=None)
                 user_repo_to_perm = relationship('UserRepoToPerm')
                 rule_order = Column('rule_order', Integer(), nullable=False)
                 _branch_pattern = Column('branch_pattern', UnicodeText().with_variant(UnicodeText(2048), 'mysql'), default=u'*')  # glob
                 _branch_hash = Column('branch_hash', UnicodeText().with_variant(UnicodeText(2048), 'mysql'))
                 def __unicode__(self):
                     return u'<UserBranchPermission(%s => %r)>' % (
                         self.user_repo_to_perm, self.branch_pattern)
             class UserGroupToRepoBranchPermission(Base, _BaseBranchPerms):
                 __tablename__ = 'user_group_to_repo_branch_permissions'
                 __table_args__ = (
                     {'extend_existing': True, 'mysql_engine': 'InnoDB',
                      'mysql_charset': 'utf8', 'sqlite_autoincrement': True,}
                 )
                 branch_rule_id = Column('branch_rule_id', Integer(), primary_key=True)
                 repository_id = Column('repository_id', Integer(), ForeignKey('repositories.repo_id'), nullable=False, unique=None, default=None)
                 repo = relationship('Repository', backref='user_group_branch_perms')
                 permission_id = Column('permission_id', Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)
                 permission = relationship('Permission')
                 rule_to_perm_id = Column('rule_to_perm_id', Integer(), ForeignKey('users_group_repo_to_perm.users_group_to_perm_id'), nullable=False, unique=None, default=None)
                 user_group_repo_to_perm = relationship('UserGroupRepoToPerm')
                 rule_order = Column('rule_order', Integer(), nullable=False)
                 _branch_pattern = Column('branch_pattern', UnicodeText().with_variant(UnicodeText(2048), 'mysql'), default=u'*')  # glob
                 _branch_hash = Column('branch_hash', UnicodeText().with_variant(UnicodeText(2048), 'mysql'))
                 def __unicode__(self):
                     return u'<UserBranchPermission(%s => %r)>' % (
                         self.user_group_repo_to_perm, self.branch_pattern)
             class UserBookmark(Base, BaseModel):
                 __tablename__ = 'user_bookmarks'
                 __table_args__ = (
                     UniqueConstraint('user_id', 'bookmark_repo_id'),
                     UniqueConstraint('user_id', 'bookmark_repo_group_id'),
                     UniqueConstraint('user_id', 'bookmark_position'),
                     base_table_args
                 )
                 user_bookmark_id = Column("user_bookmark_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=None, default=None)
                 position = Column("bookmark_position", Integer(), nullable=False)
                 title = Column("bookmark_title", String(255), nullable=True, unique=None, default=None)
                 redirect_url = Column("bookmark_redirect_url", String(10240), nullable=True, unique=None, default=None)
                 created_on = Column("created_on", DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 bookmark_repo_id = Column("bookmark_repo_id", Integer(), ForeignKey("repositories.repo_id"), nullable=True, unique=None, default=None)
                 bookmark_repo_group_id = Column("bookmark_repo_group_id", Integer(), ForeignKey("groups.group_id"), nullable=True, unique=None, default=None)
                 user = relationship("User")
                 repository = relationship("Repository")
                 repository_group = relationship("RepoGroup")
             class DbMigrateVersion(Base, BaseModel):
                 __tablename__ = 'db_migrate_version'
                 __table_args__ = (
                     base_table_args,
                 )
                 repository_id = Column('repository_id', String(250), primary_key=True)
                 repository_path = Column('repository_path', Text)
                 version = Column('version', Integer)
                 @classmethod
                 def set_version(cls, version):
                     """
                     Helper for forcing a different version, usually for debugging purposes via ishell.
                     """
                     ver = DbMigrateVersion.query().first()
                     ver.version = version
                     Session().commit()
             class DbSession(Base, BaseModel):
                 __tablename__ = 'db_session'
                 __table_args__ = (
                     base_table_args,
                 )
                 def __repr__(self):
                     return '<DB:DbSession({})>'.format(self.id)
                 id = Column('id', Integer())
                 namespace = Column('namespace', String(255), primary_key=True)
                 accessed = Column('accessed', DateTime, nullable=False)
                 created = Column('created', DateTime, nullable=False)
                 data = Column('data', PickleType, nullable=False)

rhodecode/lib/dbmigrate/schema/db_4_16_0_2.py

0 +1 -1

             # -*- coding: utf-8 -*-
             # Copyright (C) 2010-2019 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             """
             Database Models for RhodeCode Enterprise
             """
             import re
             import os
             import time
             import hashlib
             import logging
             import datetime
             import warnings
             import ipaddress
             import functools
             import traceback
             import collections
             from sqlalchemy import (
                 or_, and_, not_, func, TypeDecorator, event,
                 Index, Sequence, UniqueConstraint, ForeignKey, CheckConstraint, Column,
                 Boolean, String, Unicode, UnicodeText, DateTime, Integer, LargeBinary,
                 Text, Float, PickleType)
             from sqlalchemy.sql.expression import true, false
             from sqlalchemy.sql.functions import coalesce, count  # pragma: no cover
             from sqlalchemy.orm import (
                 relationship, joinedload, class_mapper, validates, aliased)
             from sqlalchemy.ext.declarative import declared_attr
             from sqlalchemy.ext.hybrid import hybrid_property
             from sqlalchemy.exc import IntegrityError  # pragma: no cover
             from sqlalchemy.dialects.mysql import LONGTEXT
             from zope.cachedescriptors.property import Lazy as LazyProperty
             from pyramid import compat
             from pyramid.threadlocal import get_current_request
             from rhodecode.translation import _
             from rhodecode.lib.vcs import get_vcs_instance
             from rhodecode.lib.vcs.backends.base import EmptyCommit, Reference
             from rhodecode.lib.utils2 import (
                 str2bool, safe_str, get_commit_safe, safe_unicode, sha1_safe,
                 time_to_datetime, aslist, Optional, safe_int, get_clone_url, AttributeDict,
                 glob2re, StrictAttributeDict, cleaned_uri)
             from rhodecode.lib.jsonalchemy import MutationObj, MutationList, JsonType, \
                 JsonRaw
             from rhodecode.lib.ext_json import json
             from rhodecode.lib.caching_query import FromCache
             from rhodecode.lib.encrypt import AESCipher
             from rhodecode.model.meta import Base, Session
             URL_SEP = '/'
             log = logging.getLogger(__name__)
             # =============================================================================
             # BASE CLASSES
             # =============================================================================
             # this is propagated from .ini file rhodecode.encrypted_values.secret or
             # beaker.session.secret if first is not set.
             # and initialized at environment.py
             ENCRYPTION_KEY = None
             # used to sort permissions by types, '#' used here is not allowed to be in
             # usernames, and it's very early in sorted string.printable table.
             PERMISSION_TYPE_SORT = {
                 'admin': '####',
                 'write': '###',
                 'read':  '##',
                 'none':  '#',
             }
             def display_user_sort(obj):
                 """
                 Sort function used to sort permissions in .permissions() function of
                 Repository, RepoGroup, UserGroup. Also it put the default user in front
                 of all other resources
                 """
                 if obj.username == User.DEFAULT_USER:
                     return '#####'
                 prefix = PERMISSION_TYPE_SORT.get(obj.permission.split('.')[-1], '')
                 return prefix + obj.username
             def display_user_group_sort(obj):
                 """
                 Sort function used to sort permissions in .permissions() function of
                 Repository, RepoGroup, UserGroup. Also it put the default user in front
                 of all other resources
                 """
                 prefix = PERMISSION_TYPE_SORT.get(obj.permission.split('.')[-1], '')
                 return prefix + obj.users_group_name
             def _hash_key(k):
                 return sha1_safe(k)
             def in_filter_generator(qry, items, limit=500):
                 """
                 Splits IN() into multiple with OR
                 e.g.::
                 cnt = Repository.query().filter(
                     or_(
                         *in_filter_generator(Repository.repo_id, range(100000))
                     )).count()
                 """
                 if not items:
                     # empty list will cause empty query which might cause security issues
                     # this can lead to hidden unpleasant results
                     items = [-1]
                 parts = []
                 for chunk in xrange(0, len(items), limit):
                     parts.append(
                         qry.in_(items[chunk: chunk + limit])
                     )
                 return parts
             base_table_args = {
                 'extend_existing': True,
                 'mysql_engine': 'InnoDB',
                 'mysql_charset': 'utf8',
                 'sqlite_autoincrement': True
             }
             class EncryptedTextValue(TypeDecorator):
                 """
                 Special column for encrypted long text data, use like::
                     value = Column("encrypted_value", EncryptedValue(), nullable=False)
                 This column is intelligent so if value is in unencrypted form it return
                 unencrypted form, but on save it always encrypts
                 """
                 impl = Text
                 def process_bind_param(self, value, dialect):
                     if not value:
                         return value
                     if value.startswith('enc$aes$') or value.startswith('enc$aes_hmac$'):
                         # protect against double encrypting if someone manually starts
                         # doing
                         raise ValueError('value needs to be in unencrypted format, ie. '
                                          'not starting with enc$aes')
                     return 'enc$aes_hmac$%s' % AESCipher(
                         ENCRYPTION_KEY, hmac=True).encrypt(value)
                 def process_result_value(self, value, dialect):
                     import rhodecode
                     if not value:
                         return value
                     parts = value.split('$', 3)
                     if not len(parts) == 3:
                         # probably not encrypted values
                         return value
                     else:
                         if parts[0] != 'enc':
                             # parts ok but without our header ?
                             return value
                         enc_strict_mode = str2bool(rhodecode.CONFIG.get(
                             'rhodecode.encrypted_values.strict') or True)
                         # at that stage we know it's our encryption
                         if parts[1] == 'aes':
                             decrypted_data = AESCipher(ENCRYPTION_KEY).decrypt(parts[2])
                         elif parts[1] == 'aes_hmac':
                             decrypted_data = AESCipher(
                                 ENCRYPTION_KEY, hmac=True,
                                 strict_verification=enc_strict_mode).decrypt(parts[2])
                         else:
                             raise ValueError(
                                 'Encryption type part is wrong, must be `aes` '
                                 'or `aes_hmac`, got `%s` instead' % (parts[1]))
                         return decrypted_data
             class BaseModel(object):
                 """
                 Base Model for all classes
                 """
                 @classmethod
                 def _get_keys(cls):
                     """return column names for this model """
                     return class_mapper(cls).c.keys()
                 def get_dict(self):
                     """
                     return dict with keys and values corresponding
                     to this model data """
                     d = {}
                     for k in self._get_keys():
                         d[k] = getattr(self, k)
                     # also use __json__() if present to get additional fields
                     _json_attr = getattr(self, '__json__', None)
                     if _json_attr:
                         # update with attributes from __json__
                         if callable(_json_attr):
                             _json_attr = _json_attr()
                         for k, val in _json_attr.iteritems():
                             d[k] = val
                     return d
                 def get_appstruct(self):
                     """return list with keys and values tuples corresponding
                     to this model data """
                     lst = []
                     for k in self._get_keys():
                         lst.append((k, getattr(self, k),))
                     return lst
                 def populate_obj(self, populate_dict):
                     """populate model with data from given populate_dict"""
                     for k in self._get_keys():
                         if k in populate_dict:
                             setattr(self, k, populate_dict[k])
                 @classmethod
                 def query(cls):
                     return Session().query(cls)
                 @classmethod
                 def get(cls, id_):
                     if id_:
                         return cls.query().get(id_)
                 @classmethod
                 def get_or_404(cls, id_):
                     from pyramid.httpexceptions import HTTPNotFound
                     try:
                         id_ = int(id_)
                     except (TypeError, ValueError):
                         raise HTTPNotFound()
                     res = cls.query().get(id_)
                     if not res:
                         raise HTTPNotFound()
                     return res
                 @classmethod
                 def getAll(cls):
                     # deprecated and left for backward compatibility
                     return cls.get_all()
                 @classmethod
                 def get_all(cls):
                     return cls.query().all()
                 @classmethod
                 def delete(cls, id_):
                     obj = cls.query().get(id_)
                     Session().delete(obj)
                 @classmethod
                 def identity_cache(cls, session, attr_name, value):
                     exist_in_session = []
                     for (item_cls, pkey), instance in session.identity_map.items():
                         if cls == item_cls and getattr(instance, attr_name) == value:
                             exist_in_session.append(instance)
                     if exist_in_session:
                         if len(exist_in_session) == 1:
                             return exist_in_session[0]
                         log.exception(
                             'multiple objects with attr %s and '
                             'value %s found with same name: %r',
                             attr_name, value, exist_in_session)
                 def __repr__(self):
                     if hasattr(self, '__unicode__'):
                         # python repr needs to return str
                         try:
                             return safe_str(self.__unicode__())
                         except UnicodeDecodeError:
                             pass
                     return '<DB:%s>' % (self.__class__.__name__)
             class RhodeCodeSetting(Base, BaseModel):
                 __tablename__ = 'rhodecode_settings'
                 __table_args__ = (
                     UniqueConstraint('app_settings_name'),
                     base_table_args
                 )
                 SETTINGS_TYPES = {
                     'str': safe_str,
                     'int': safe_int,
                     'unicode': safe_unicode,
                     'bool': str2bool,
                     'list': functools.partial(aslist, sep=',')
                 }
                 DEFAULT_UPDATE_URL = 'https://rhodecode.com/api/v1/info/versions'
                 GLOBAL_CONF_KEY = 'app_settings'
                 app_settings_id = Column("app_settings_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 app_settings_name = Column("app_settings_name", String(255), nullable=True, unique=None, default=None)
                 _app_settings_value = Column("app_settings_value", String(4096), nullable=True, unique=None, default=None)
                 _app_settings_type = Column("app_settings_type", String(255), nullable=True, unique=None, default=None)
                 def __init__(self, key='', val='', type='unicode'):
                     self.app_settings_name = key
                     self.app_settings_type = type
                     self.app_settings_value = val
                 @validates('_app_settings_value')
                 def validate_settings_value(self, key, val):
                     assert type(val) == unicode
                     return val
                 @hybrid_property
                 def app_settings_value(self):
                     v = self._app_settings_value
                     _type = self.app_settings_type
                     if _type:
                         _type = self.app_settings_type.split('.')[0]
                         # decode the encrypted value
                         if 'encrypted' in self.app_settings_type:
                             cipher = EncryptedTextValue()
                             v = safe_unicode(cipher.process_result_value(v, None))
                     converter = self.SETTINGS_TYPES.get(_type) or \
                         self.SETTINGS_TYPES['unicode']
                     return converter(v)
                 @app_settings_value.setter
                 def app_settings_value(self, val):
                     """
                     Setter that will always make sure we use unicode in app_settings_value
                     :param val:
                     """
                     val = safe_unicode(val)
                     # encode the encrypted value
                     if 'encrypted' in self.app_settings_type:
                         cipher = EncryptedTextValue()
                         val = safe_unicode(cipher.process_bind_param(val, None))
                     self._app_settings_value = val
                 @hybrid_property
                 def app_settings_type(self):
                     return self._app_settings_type
                 @app_settings_type.setter
                 def app_settings_type(self, val):
                     if val.split('.')[0] not in self.SETTINGS_TYPES:
                         raise Exception('type must be one of %s got %s'
                                         % (self.SETTINGS_TYPES.keys(), val))
                     self._app_settings_type = val
                 @classmethod
                 def get_by_prefix(cls, prefix):
                     return RhodeCodeSetting.query()\
                         .filter(RhodeCodeSetting.app_settings_name.startswith(prefix))\
                         .all()
                 def __unicode__(self):
                     return u"<%s('%s:%s[%s]')>" % (
                         self.__class__.__name__,
                         self.app_settings_name, self.app_settings_value,
                         self.app_settings_type
                     )
             class RhodeCodeUi(Base, BaseModel):
                 __tablename__ = 'rhodecode_ui'
                 __table_args__ = (
                     UniqueConstraint('ui_key'),
                     base_table_args
                 )
                 HOOK_REPO_SIZE = 'changegroup.repo_size'
                 # HG
                 HOOK_PRE_PULL = 'preoutgoing.pre_pull'
                 HOOK_PULL = 'outgoing.pull_logger'
                 HOOK_PRE_PUSH = 'prechangegroup.pre_push'
                 HOOK_PRETX_PUSH = 'pretxnchangegroup.pre_push'
                 HOOK_PUSH = 'changegroup.push_logger'
                 HOOK_PUSH_KEY = 'pushkey.key_push'
                 # TODO: johbo: Unify way how hooks are configured for git and hg,
                 # git part is currently hardcoded.
                 # SVN PATTERNS
                 SVN_BRANCH_ID = 'vcs_svn_branch'
                 SVN_TAG_ID = 'vcs_svn_tag'
                 ui_id = Column(
                     "ui_id", Integer(), nullable=False, unique=True, default=None,
                     primary_key=True)
                 ui_section = Column(
                     "ui_section", String(255), nullable=True, unique=None, default=None)
                 ui_key = Column(
                     "ui_key", String(255), nullable=True, unique=None, default=None)
                 ui_value = Column(
                     "ui_value", String(255), nullable=True, unique=None, default=None)
                 ui_active = Column(
                     "ui_active", Boolean(), nullable=True, unique=None, default=True)
                 def __repr__(self):
                     return '<%s[%s]%s=>%s]>' % (self.__class__.__name__, self.ui_section,
                                                 self.ui_key, self.ui_value)
             class RepoRhodeCodeSetting(Base, BaseModel):
                 __tablename__ = 'repo_rhodecode_settings'
                 __table_args__ = (
                     UniqueConstraint(
                         'app_settings_name', 'repository_id',
                         name='uq_repo_rhodecode_setting_name_repo_id'),
                     base_table_args
                 )
                 repository_id = Column(
                     "repository_id", Integer(), ForeignKey('repositories.repo_id'),
                     nullable=False)
                 app_settings_id = Column(
                     "app_settings_id", Integer(), nullable=False, unique=True,
                     default=None, primary_key=True)
                 app_settings_name = Column(
                     "app_settings_name", String(255), nullable=True, unique=None,
                     default=None)
                 _app_settings_value = Column(
                     "app_settings_value", String(4096), nullable=True, unique=None,
                     default=None)
                 _app_settings_type = Column(
                     "app_settings_type", String(255), nullable=True, unique=None,
                     default=None)
                 repository = relationship('Repository')
                 def __init__(self, repository_id, key='', val='', type='unicode'):
                     self.repository_id = repository_id
                     self.app_settings_name = key
                     self.app_settings_type = type
                     self.app_settings_value = val
                 @validates('_app_settings_value')
                 def validate_settings_value(self, key, val):
                     assert type(val) == unicode
                     return val
                 @hybrid_property
                 def app_settings_value(self):
                     v = self._app_settings_value
                     type_ = self.app_settings_type
                     SETTINGS_TYPES = RhodeCodeSetting.SETTINGS_TYPES
                     converter = SETTINGS_TYPES.get(type_) or SETTINGS_TYPES['unicode']
                     return converter(v)
                 @app_settings_value.setter
                 def app_settings_value(self, val):
                     """
                     Setter that will always make sure we use unicode in app_settings_value
                     :param val:
                     """
                     self._app_settings_value = safe_unicode(val)
                 @hybrid_property
                 def app_settings_type(self):
                     return self._app_settings_type
                 @app_settings_type.setter
                 def app_settings_type(self, val):
                     SETTINGS_TYPES = RhodeCodeSetting.SETTINGS_TYPES
                     if val not in SETTINGS_TYPES:
                         raise Exception('type must be one of %s got %s'
                                         % (SETTINGS_TYPES.keys(), val))
                     self._app_settings_type = val
                 def __unicode__(self):
                     return u"<%s('%s:%s:%s[%s]')>" % (
                         self.__class__.__name__, self.repository.repo_name,
                         self.app_settings_name, self.app_settings_value,
                         self.app_settings_type
                     )
             class RepoRhodeCodeUi(Base, BaseModel):
                 __tablename__ = 'repo_rhodecode_ui'
                 __table_args__ = (
                     UniqueConstraint(
                         'repository_id', 'ui_section', 'ui_key',
                         name='uq_repo_rhodecode_ui_repository_id_section_key'),
                     base_table_args
                 )
                 repository_id = Column(
                     "repository_id", Integer(), ForeignKey('repositories.repo_id'),
                     nullable=False)
                 ui_id = Column(
                     "ui_id", Integer(), nullable=False, unique=True, default=None,
                     primary_key=True)
                 ui_section = Column(
                     "ui_section", String(255), nullable=True, unique=None, default=None)
                 ui_key = Column(
                     "ui_key", String(255), nullable=True, unique=None, default=None)
                 ui_value = Column(
                     "ui_value", String(255), nullable=True, unique=None, default=None)
                 ui_active = Column(
                     "ui_active", Boolean(), nullable=True, unique=None, default=True)
                 repository = relationship('Repository')
                 def __repr__(self):
                     return '<%s[%s:%s]%s=>%s]>' % (
                         self.__class__.__name__, self.repository.repo_name,
                         self.ui_section, self.ui_key, self.ui_value)
             class User(Base, BaseModel):
                 __tablename__ = 'users'
                 __table_args__ = (
                     UniqueConstraint('username'), UniqueConstraint('email'),
                     Index('u_username_idx', 'username'),
                     Index('u_email_idx', 'email'),
                     base_table_args
                 )
                 DEFAULT_USER = 'default'
                 DEFAULT_USER_EMAIL = 'anonymous@rhodecode.org'
                 DEFAULT_GRAVATAR_URL = 'https://secure.gravatar.com/avatar/{md5email}?d=identicon&s={size}'
                 user_id = Column("user_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 username = Column("username", String(255), nullable=True, unique=None, default=None)
                 password = Column("password", String(255), nullable=True, unique=None, default=None)
                 active = Column("active", Boolean(), nullable=True, unique=None, default=True)
                 admin = Column("admin", Boolean(), nullable=True, unique=None, default=False)
                 name = Column("firstname", String(255), nullable=True, unique=None, default=None)
                 lastname = Column("lastname", String(255), nullable=True, unique=None, default=None)
                 _email = Column("email", String(255), nullable=True, unique=None, default=None)
                 last_login = Column("last_login", DateTime(timezone=False), nullable=True, unique=None, default=None)
                 last_activity = Column('last_activity', DateTime(timezone=False), nullable=True, unique=None, default=None)
                 extern_type = Column("extern_type", String(255), nullable=True, unique=None, default=None)
                 extern_name = Column("extern_name", String(255), nullable=True, unique=None, default=None)
                 _api_key = Column("api_key", String(255), nullable=True, unique=None, default=None)
                 inherit_default_permissions = Column("inherit_default_permissions", Boolean(), nullable=False, unique=None, default=True)
                 created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 _user_data = Column("user_data", LargeBinary(), nullable=True)  # JSON data
                 user_log = relationship('UserLog')
                 user_perms = relationship('UserToPerm', primaryjoin="User.user_id==UserToPerm.user_id", cascade='all')
                 repositories = relationship('Repository')
                 repository_groups = relationship('RepoGroup')
                 user_groups = relationship('UserGroup')
                 user_followers = relationship('UserFollowing', primaryjoin='UserFollowing.follows_user_id==User.user_id', cascade='all')
                 followings = relationship('UserFollowing', primaryjoin='UserFollowing.user_id==User.user_id', cascade='all')
                 repo_to_perm = relationship('UserRepoToPerm', primaryjoin='UserRepoToPerm.user_id==User.user_id', cascade='all')
                 repo_group_to_perm = relationship('UserRepoGroupToPerm', primaryjoin='UserRepoGroupToPerm.user_id==User.user_id', cascade='all')
                 user_group_to_perm = relationship('UserUserGroupToPerm', primaryjoin='UserUserGroupToPerm.user_id==User.user_id', cascade='all')
                 group_member = relationship('UserGroupMember', cascade='all')
                 notifications = relationship('UserNotification', cascade='all')
                 # notifications assigned to this user
                 user_created_notifications = relationship('Notification', cascade='all')
                 # comments created by this user
                 user_comments = relationship('ChangesetComment', cascade='all')
                 # user profile extra info
                 user_emails = relationship('UserEmailMap', cascade='all')
                 user_ip_map = relationship('UserIpMap', cascade='all')
                 user_auth_tokens = relationship('UserApiKeys', cascade='all')
                 user_ssh_keys = relationship('UserSshKeys', cascade='all')
                 # gists
                 user_gists = relationship('Gist', cascade='all')
                 # user pull requests
                 user_pull_requests = relationship('PullRequest', cascade='all')
                 # external identities
                 extenal_identities = relationship(
                     'ExternalIdentity',
                     primaryjoin="User.user_id==ExternalIdentity.local_user_id",
                     cascade='all')
                 # review rules
                 user_review_rules = relationship('RepoReviewRuleUser', cascade='all')
                 def __unicode__(self):
                     return u"<%s('id:%s:%s')>" % (self.__class__.__name__,
                                                   self.user_id, self.username)
                 @hybrid_property
                 def email(self):
                     return self._email
                 @email.setter
                 def email(self, val):
                     self._email = val.lower() if val else None
                 @hybrid_property
                 def first_name(self):
                     from rhodecode.lib import helpers as h
                     if self.name:
                         return h.escape(self.name)
                     return self.name
                 @hybrid_property
                 def last_name(self):
                     from rhodecode.lib import helpers as h
                     if self.lastname:
                         return h.escape(self.lastname)
                     return self.lastname
                 @hybrid_property
                 def api_key(self):
                     """
                     Fetch if exist an auth-token with role ALL connected to this user
                     """
                     user_auth_token = UserApiKeys.query()\
                         .filter(UserApiKeys.user_id == self.user_id)\
                         .filter(or_(UserApiKeys.expires == -1,
                                         UserApiKeys.expires >= time.time()))\
                         .filter(UserApiKeys.role == UserApiKeys.ROLE_ALL).first()
                     if user_auth_token:
                         user_auth_token = user_auth_token.api_key
                     return user_auth_token
                 @api_key.setter
                 def api_key(self, val):
                     # don't allow to set API key this is deprecated for now
                     self._api_key = None
                 @property
                 def reviewer_pull_requests(self):
                     return PullRequestReviewers.query() \
                         .options(joinedload(PullRequestReviewers.pull_request)) \
                         .filter(PullRequestReviewers.user_id == self.user_id) \
                         .all()
                 @property
                 def firstname(self):
                     # alias for future
                     return self.name
                 @property
                 def emails(self):
                     other = UserEmailMap.query()\
                         .filter(UserEmailMap.user == self) \
                         .order_by(UserEmailMap.email_id.asc()) \
                         .all()
                     return [self.email] + [x.email for x in other]
                 @property
                 def auth_tokens(self):
                     auth_tokens = self.get_auth_tokens()
                     return [x.api_key for x in auth_tokens]
                 def get_auth_tokens(self):
                     return UserApiKeys.query()\
                         .filter(UserApiKeys.user == self)\
                         .order_by(UserApiKeys.user_api_key_id.asc())\
                         .all()
                 @LazyProperty
                 def feed_token(self):
                     return self.get_feed_token()
                 def get_feed_token(self, cache=True):
                     feed_tokens = UserApiKeys.query()\
                         .filter(UserApiKeys.user == self)\
                         .filter(UserApiKeys.role == UserApiKeys.ROLE_FEED)
                     if cache:
                         feed_tokens = feed_tokens.options(
                             FromCache("sql_cache_short", "get_user_feed_token_%s" % self.user_id))
                     feed_tokens = feed_tokens.all()
                     if feed_tokens:
                         return feed_tokens[0].api_key
                     return 'NO_FEED_TOKEN_AVAILABLE'
                 @classmethod
                 def get(cls, user_id, cache=False):
                     if not user_id:
                         return
                     user = cls.query()
                     if cache:
                         user = user.options(
                             FromCache("sql_cache_short", "get_users_%s" % user_id))
                     return user.get(user_id)
                 @classmethod
                 def extra_valid_auth_tokens(cls, user, role=None):
                     tokens = UserApiKeys.query().filter(UserApiKeys.user == user)\
                             .filter(or_(UserApiKeys.expires == -1,
                                         UserApiKeys.expires >= time.time()))
                     if role:
                         tokens = tokens.filter(or_(UserApiKeys.role == role,
                                                    UserApiKeys.role == UserApiKeys.ROLE_ALL))
                     return tokens.all()
                 def authenticate_by_token(self, auth_token, roles=None, scope_repo_id=None):
                     from rhodecode.lib import auth
                     log.debug('Trying to authenticate user: %s via auth-token, '
                               'and roles: %s', self, roles)
                     if not auth_token:
                         return False
                     crypto_backend = auth.crypto_backend()
                     roles = (roles or []) + [UserApiKeys.ROLE_ALL]
                     tokens_q = UserApiKeys.query()\
                         .filter(UserApiKeys.user_id == self.user_id)\
                         .filter(or_(UserApiKeys.expires == -1,
                                     UserApiKeys.expires >= time.time()))
                     tokens_q = tokens_q.filter(UserApiKeys.role.in_(roles))
                     plain_tokens = []
                     hash_tokens = []
                     user_tokens = tokens_q.all()
                     log.debug('Found %s user tokens to check for authentication', len(user_tokens))
                     for token in user_tokens:
                         log.debug('AUTH_TOKEN: checking if user token with id `%s` matches',
                                   token.user_api_key_id)
                         # verify scope first, since it's way faster than hash calculation of
                         # encrypted tokens
                         if token.repo_id:
                             # token has a scope, we need to verify it
                             if scope_repo_id != token.repo_id:
                                 log.debug(
                                     'AUTH_TOKEN: scope mismatch, token has a set repo scope: %s, '
                                     'and calling scope is:%s, skipping further checks',
                                      token.repo, scope_repo_id)
                                 # token has a scope, and it doesn't match, skip token
                                 continue
                         if token.api_key.startswith(crypto_backend.ENC_PREF):
                             hash_tokens.append(token.api_key)
                         else:
                             plain_tokens.append(token.api_key)
                     is_plain_match = auth_token in plain_tokens
                     if is_plain_match:
                         return True
                     for hashed in hash_tokens:
                         # NOTE(marcink): this is expensive to calculate, but most secure
                         match = crypto_backend.hash_check(auth_token, hashed)
                         if match:
                             return True
                     return False
                 @property
                 def ip_addresses(self):
                     ret = UserIpMap.query().filter(UserIpMap.user == self).all()
                     return [x.ip_addr for x in ret]
                 @property
                 def username_and_name(self):
                     return '%s (%s %s)' % (self.username, self.first_name, self.last_name)
                 @property
                 def username_or_name_or_email(self):
                     full_name = self.full_name if self.full_name is not ' ' else None
                     return self.username or full_name or self.email
                 @property
                 def full_name(self):
                     return '%s %s' % (self.first_name, self.last_name)
                 @property
                 def full_name_or_username(self):
                     return ('%s %s' % (self.first_name, self.last_name)
                             if (self.first_name and self.last_name) else self.username)
                 @property
                 def full_contact(self):
                     return '%s %s <%s>' % (self.first_name, self.last_name, self.email)
                 @property
                 def short_contact(self):
                     return '%s %s' % (self.first_name, self.last_name)
                 @property
                 def is_admin(self):
                     return self.admin
                 def AuthUser(self, **kwargs):
                     """
                     Returns instance of AuthUser for this user
                     """
                     from rhodecode.lib.auth import AuthUser
                     return AuthUser(user_id=self.user_id, username=self.username, **kwargs)
                 @hybrid_property
                 def user_data(self):
                     if not self._user_data:
                         return {}
                     try:
                         return json.loads(self._user_data)
                     except TypeError:
                         return {}
                 @user_data.setter
                 def user_data(self, val):
                     if not isinstance(val, dict):
                         raise Exception('user_data must be dict, got %s' % type(val))
                     try:
                         self._user_data = json.dumps(val)
                     except Exception:
                         log.error(traceback.format_exc())
                 @classmethod
                 def get_by_username(cls, username, case_insensitive=False,
                                     cache=False, identity_cache=False):
                     session = Session()
                     if case_insensitive:
                         q = cls.query().filter(
                             func.lower(cls.username) == func.lower(username))
                     else:
                         q = cls.query().filter(cls.username == username)
                     if cache:
                         if identity_cache:
                             val = cls.identity_cache(session, 'username', username)
                             if val:
                                 return val
                         else:
                             cache_key = "get_user_by_name_%s" % _hash_key(username)
                             q = q.options(
                                 FromCache("sql_cache_short", cache_key))
                     return q.scalar()
                 @classmethod
                 def get_by_auth_token(cls, auth_token, cache=False):
                     q = UserApiKeys.query()\
                         .filter(UserApiKeys.api_key == auth_token)\
                         .filter(or_(UserApiKeys.expires == -1,
                                     UserApiKeys.expires >= time.time()))
                     if cache:
                         q = q.options(
                             FromCache("sql_cache_short", "get_auth_token_%s" % auth_token))
                     match = q.first()
                     if match:
                         return match.user
                 @classmethod
                 def get_by_email(cls, email, case_insensitive=False, cache=False):
                     if case_insensitive:
                         q = cls.query().filter(func.lower(cls.email) == func.lower(email))
                     else:
                         q = cls.query().filter(cls.email == email)
                     email_key = _hash_key(email)
                     if cache:
                         q = q.options(
                             FromCache("sql_cache_short", "get_email_key_%s" % email_key))
                     ret = q.scalar()
                     if ret is None:
                         q = UserEmailMap.query()
                         # try fetching in alternate email map
                         if case_insensitive:
                             q = q.filter(func.lower(UserEmailMap.email) == func.lower(email))
                         else:
                             q = q.filter(UserEmailMap.email == email)
                         q = q.options(joinedload(UserEmailMap.user))
                         if cache:
                             q = q.options(
                                 FromCache("sql_cache_short", "get_email_map_key_%s" % email_key))
                         ret = getattr(q.scalar(), 'user', None)
                     return ret
                 @classmethod
                 def get_from_cs_author(cls, author):
                     """
                     Tries to get User objects out of commit author string
                     :param author:
                     """
                     from rhodecode.lib.helpers import email, author_name
                     # Valid email in the attribute passed, see if they're in the system
                     _email = email(author)
                     if _email:
                         user = cls.get_by_email(_email, case_insensitive=True)
                         if user:
                             return user
                     # Maybe we can match by username?
                     _author = author_name(author)
                     user = cls.get_by_username(_author, case_insensitive=True)
                     if user:
                         return user
                 def update_userdata(self, **kwargs):
                     usr = self
                     old = usr.user_data
                     old.update(**kwargs)
                     usr.user_data = old
                     Session().add(usr)
                     log.debug('updated userdata with ', kwargs)
                 def update_lastlogin(self):
                     """Update user lastlogin"""
                     self.last_login = datetime.datetime.now()
                     Session().add(self)
                     log.debug('updated user %s lastlogin', self.username)
                 def update_password(self, new_password):
                     from rhodecode.lib.auth import get_crypt_password
                     self.password = get_crypt_password(new_password)
                     Session().add(self)
                 @classmethod
                 def get_first_super_admin(cls):
                     user = User.query()\
                         .filter(User.admin == true()) \
                         .order_by(User.user_id.asc()) \
                         .first()
                     if user is None:
                         raise Exception('FATAL: Missing administrative account!')
                     return user
                 @classmethod
                 def get_all_super_admins(cls, only_active=False):
                     """
                     Returns all admin accounts sorted by username
                     """
                     qry = User.query().filter(User.admin == true()).order_by(User.username.asc())
                     if only_active:
                         qry = qry.filter(User.active == true())
                     return qry.all()
                 @classmethod
                 def get_default_user(cls, cache=False, refresh=False):
                     user = User.get_by_username(User.DEFAULT_USER, cache=cache)
                     if user is None:
                         raise Exception('FATAL: Missing default account!')
                     if refresh:
                         # The default user might be based on outdated state which
                         # has been loaded from the cache.
                         # A call to refresh() ensures that the
                         # latest state from the database is used.
                         Session().refresh(user)
                     return user
                 def _get_default_perms(self, user, suffix=''):
                     from rhodecode.model.permission import PermissionModel
                     return PermissionModel().get_default_perms(user.user_perms, suffix)
                 def get_default_perms(self, suffix=''):
                     return self._get_default_perms(self, suffix)
                 def get_api_data(self, include_secrets=False, details='full'):
                     """
                     Common function for generating user related data for API
                     :param include_secrets: By default secrets in the API data will be replaced
                        by a placeholder value to prevent exposing this data by accident. In case
                        this data shall be exposed, set this flag to ``True``.
                     :param details: details can be 'basic|full' basic gives only a subset of
                        the available user information that includes user_id, name and emails.
                     """
                     user = self
                     user_data = self.user_data
                     data = {
                         'user_id': user.user_id,
                         'username': user.username,
                         'firstname': user.name,
                         'lastname': user.lastname,
                         'email': user.email,
                         'emails': user.emails,
                     }
                     if details == 'basic':
                         return data
                     auth_token_length = 40
                     auth_token_replacement = '*' * auth_token_length
                     extras = {
                         'auth_tokens': [auth_token_replacement],
                         'active': user.active,
                         'admin': user.admin,
                         'extern_type': user.extern_type,
                         'extern_name': user.extern_name,
                         'last_login': user.last_login,
                         'last_activity': user.last_activity,
                         'ip_addresses': user.ip_addresses,
                         'language': user_data.get('language')
                     }
                     data.update(extras)
                     if include_secrets:
                         data['auth_tokens'] = user.auth_tokens
                     return data
                 def __json__(self):
                     data = {
                         'full_name': self.full_name,
                         'full_name_or_username': self.full_name_or_username,
                         'short_contact': self.short_contact,
                         'full_contact': self.full_contact,
                     }
                     data.update(self.get_api_data())
                     return data
             class UserApiKeys(Base, BaseModel):
                 __tablename__ = 'user_api_keys'
                 __table_args__ = (
                     Index('uak_api_key_idx', 'api_key', unique=True),
                     Index('uak_api_key_expires_idx', 'api_key', 'expires'),
                     base_table_args
                 )
                 __mapper_args__ = {}
                 # ApiKey role
                 ROLE_ALL = 'token_role_all'
                 ROLE_HTTP = 'token_role_http'
                 ROLE_VCS = 'token_role_vcs'
                 ROLE_API = 'token_role_api'
                 ROLE_FEED = 'token_role_feed'
                 ROLE_PASSWORD_RESET = 'token_password_reset'
                 ROLES = [ROLE_ALL, ROLE_HTTP, ROLE_VCS, ROLE_API, ROLE_FEED]
                 user_api_key_id = Column("user_api_key_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=True, unique=None, default=None)
                 api_key = Column("api_key", String(255), nullable=False, unique=True)
                 description = Column('description', UnicodeText().with_variant(UnicodeText(1024), 'mysql'))
                 expires = Column('expires', Float(53), nullable=False)
                 role = Column('role', String(255), nullable=True)
                 created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 # scope columns
                 repo_id = Column(
                     'repo_id', Integer(), ForeignKey('repositories.repo_id'),
                     nullable=True, unique=None, default=None)
                 repo = relationship('Repository', lazy='joined')
                 repo_group_id = Column(
                     'repo_group_id', Integer(), ForeignKey('groups.group_id'),
                     nullable=True, unique=None, default=None)
                 repo_group = relationship('RepoGroup', lazy='joined')
                 user = relationship('User', lazy='joined')
                 def __unicode__(self):
                     return u"<%s('%s')>" % (self.__class__.__name__, self.role)
                 def __json__(self):
                     data = {
                         'auth_token': self.api_key,
                         'role': self.role,
                         'scope': self.scope_humanized,
                         'expired': self.expired
                     }
                     return data
                 def get_api_data(self, include_secrets=False):
                     data = self.__json__()
                     if include_secrets:
                         return data
                     else:
                         data['auth_token'] = self.token_obfuscated
                         return data
                 @hybrid_property
                 def description_safe(self):
                     from rhodecode.lib import helpers as h
                     return h.escape(self.description)
                 @property
                 def expired(self):
                     if self.expires == -1:
                         return False
                     return time.time() > self.expires
                 @classmethod
                 def _get_role_name(cls, role):
                     return {
                         cls.ROLE_ALL: _('all'),
                         cls.ROLE_HTTP: _('http/web interface'),
                         cls.ROLE_VCS: _('vcs (git/hg/svn protocol)'),
                         cls.ROLE_API: _('api calls'),
                         cls.ROLE_FEED: _('feed access'),
                     }.get(role, role)
                 @property
                 def role_humanized(self):
                     return self._get_role_name(self.role)
                 def _get_scope(self):
                     if self.repo:
                         return 'Repository: {}'.format(self.repo.repo_name)
                     if self.repo_group:
                         return 'RepositoryGroup: {} (recursive)'.format(self.repo_group.group_name)
                     return 'Global'
                 @property
                 def scope_humanized(self):
                     return self._get_scope()
                 @property
                 def token_obfuscated(self):
                     if self.api_key:
                         return self.api_key[:4] + "****"
             class UserEmailMap(Base, BaseModel):
                 __tablename__ = 'user_email_map'
                 __table_args__ = (
                     Index('uem_email_idx', 'email'),
                     UniqueConstraint('email'),
                     base_table_args
                 )
                 __mapper_args__ = {}
                 email_id = Column("email_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=True, unique=None, default=None)
                 _email = Column("email", String(255), nullable=True, unique=False, default=None)
                 user = relationship('User', lazy='joined')
                 @validates('_email')
                 def validate_email(self, key, email):
                     # check if this email is not main one
                     main_email = Session().query(User).filter(User.email == email).scalar()
                     if main_email is not None:
                         raise AttributeError('email %s is present is user table' % email)
                     return email
                 @hybrid_property
                 def email(self):
                     return self._email
                 @email.setter
                 def email(self, val):
                     self._email = val.lower() if val else None
             class UserIpMap(Base, BaseModel):
                 __tablename__ = 'user_ip_map'
                 __table_args__ = (
                     UniqueConstraint('user_id', 'ip_addr'),
                     base_table_args
                 )
                 __mapper_args__ = {}
                 ip_id = Column("ip_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=True, unique=None, default=None)
                 ip_addr = Column("ip_addr", String(255), nullable=True, unique=False, default=None)
                 active = Column("active", Boolean(), nullable=True, unique=None, default=True)
                 description = Column("description", String(10000), nullable=True, unique=None, default=None)
                 user = relationship('User', lazy='joined')
                 @hybrid_property
                 def description_safe(self):
                     from rhodecode.lib import helpers as h
                     return h.escape(self.description)
                 @classmethod
                 def _get_ip_range(cls, ip_addr):
                     net = ipaddress.ip_network(safe_unicode(ip_addr), strict=False)
                     return [str(net.network_address), str(net.broadcast_address)]
                 def __json__(self):
                     return {
                       'ip_addr': self.ip_addr,
                       'ip_range': self._get_ip_range(self.ip_addr),
                     }
                 def __unicode__(self):
                     return u"<%s('user_id:%s=>%s')>" % (self.__class__.__name__,
                                                         self.user_id, self.ip_addr)
             class UserSshKeys(Base, BaseModel):
                 __tablename__ = 'user_ssh_keys'
                 __table_args__ = (
                     Index('usk_ssh_key_fingerprint_idx', 'ssh_key_fingerprint'),
                     UniqueConstraint('ssh_key_fingerprint'),
                     base_table_args
                 )
                 __mapper_args__ = {}
                 ssh_key_id = Column('ssh_key_id', Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 ssh_key_data = Column('ssh_key_data', String(10240), nullable=False, unique=None, default=None)
                 ssh_key_fingerprint = Column('ssh_key_fingerprint', String(255), nullable=False, unique=None, default=None)
                 description = Column('description', UnicodeText().with_variant(UnicodeText(1024), 'mysql'))
                 created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 accessed_on = Column('accessed_on', DateTime(timezone=False), nullable=True, default=None)
                 user_id = Column('user_id', Integer(), ForeignKey('users.user_id'), nullable=True, unique=None, default=None)
                 user = relationship('User', lazy='joined')
                 def __json__(self):
                     data = {
                         'ssh_fingerprint': self.ssh_key_fingerprint,
                         'description': self.description,
                         'created_on': self.created_on
                     }
                     return data
                 def get_api_data(self):
                     data = self.__json__()
                     return data
             class UserLog(Base, BaseModel):
                 __tablename__ = 'user_logs'
                 __table_args__ = (
                     base_table_args,
                 )
                 VERSION_1 = 'v1'
                 VERSION_2 = 'v2'
                 VERSIONS = [VERSION_1, VERSION_2]
                 user_log_id = Column("user_log_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id',ondelete='SET NULL'), nullable=True, unique=None, default=None)
                 username = Column("username", String(255), nullable=True, unique=None, default=None)
                 repository_id = Column("repository_id", Integer(), ForeignKey('repositories.repo_id', ondelete='SET NULL'), nullable=True, unique=None, default=None)
                 repository_name = Column("repository_name", String(255), nullable=True, unique=None, default=None)
                 user_ip = Column("user_ip", String(255), nullable=True, unique=None, default=None)
                 action = Column("action", Text().with_variant(Text(1200000), 'mysql'), nullable=True, unique=None, default=None)
                 action_date = Column("action_date", DateTime(timezone=False), nullable=True, unique=None, default=None)
                 version = Column("version", String(255), nullable=True, default=VERSION_1)
                 user_data = Column('user_data_json', MutationObj.as_mutable(JsonType(dialect_map=dict(mysql=LONGTEXT()))))
                 action_data = Column('action_data_json', MutationObj.as_mutable(JsonType(dialect_map=dict(mysql=LONGTEXT()))))
                 def __unicode__(self):
                     return u"<%s('id:%s:%s')>" % (
                         self.__class__.__name__, self.repository_name, self.action)
                 def __json__(self):
                     return {
                         'user_id': self.user_id,
                         'username': self.username,
                         'repository_id': self.repository_id,
                         'repository_name': self.repository_name,
                         'user_ip': self.user_ip,
                         'action_date': self.action_date,
                         'action': self.action,
                     }
                 @hybrid_property
                 def entry_id(self):
                     return self.user_log_id
                 @property
                 def action_as_day(self):
                     return datetime.date(*self.action_date.timetuple()[:3])
                 user = relationship('User')
                 repository = relationship('Repository', cascade='')
             class UserGroup(Base, BaseModel):
                 __tablename__ = 'users_groups'
                 __table_args__ = (
                     base_table_args,
                 )
                 users_group_id = Column("users_group_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 users_group_name = Column("users_group_name", String(255), nullable=False, unique=True, default=None)
                 user_group_description = Column("user_group_description", String(10000), nullable=True, unique=None, default=None)
                 users_group_active = Column("users_group_active", Boolean(), nullable=True, unique=None, default=None)
                 inherit_default_permissions = Column("users_group_inherit_default_permissions", Boolean(), nullable=False, unique=None, default=True)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=False, default=None)
                 created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 _group_data = Column("group_data", LargeBinary(), nullable=True)  # JSON data
                 members = relationship('UserGroupMember', cascade="all, delete, delete-orphan", lazy="joined")
                 users_group_to_perm = relationship('UserGroupToPerm', cascade='all')
                 users_group_repo_to_perm = relationship('UserGroupRepoToPerm', cascade='all')
                 users_group_repo_group_to_perm = relationship('UserGroupRepoGroupToPerm', cascade='all')
                 user_user_group_to_perm = relationship('UserUserGroupToPerm', cascade='all')
                 user_group_user_group_to_perm = relationship('UserGroupUserGroupToPerm ', primaryjoin="UserGroupUserGroupToPerm.target_user_group_id==UserGroup.users_group_id", cascade='all')
                 user_group_review_rules = relationship('RepoReviewRuleUserGroup', cascade='all')
                 user = relationship('User', primaryjoin="User.user_id==UserGroup.user_id")
                 @classmethod
                 def _load_group_data(cls, column):
                     if not column:
                         return {}
                     try:
                         return json.loads(column) or {}
                     except TypeError:
                         return {}
                 @hybrid_property
                 def description_safe(self):
                     from rhodecode.lib import helpers as h
                     return h.escape(self.user_group_description)
                 @hybrid_property
                 def group_data(self):
                     return self._load_group_data(self._group_data)
                 @group_data.expression
                 def group_data(self, **kwargs):
                     return self._group_data
                 @group_data.setter
                 def group_data(self, val):
                     try:
                         self._group_data = json.dumps(val)
                     except Exception:
                         log.error(traceback.format_exc())
                 @classmethod
                 def _load_sync(cls, group_data):
                     if group_data:
                         return group_data.get('extern_type')
                 @property
                 def sync(self):
                     return self._load_sync(self.group_data)
                 def __unicode__(self):
                     return u"<%s('id:%s:%s')>" % (self.__class__.__name__,
                                                   self.users_group_id,
                                                   self.users_group_name)
                 @classmethod
                 def get_by_group_name(cls, group_name, cache=False,
                                       case_insensitive=False):
                     if case_insensitive:
                         q = cls.query().filter(func.lower(cls.users_group_name) ==
                                                func.lower(group_name))
                     else:
                         q = cls.query().filter(cls.users_group_name == group_name)
                     if cache:
                         q = q.options(
                             FromCache("sql_cache_short", "get_group_%s" % _hash_key(group_name)))
                     return q.scalar()
                 @classmethod
                 def get(cls, user_group_id, cache=False):
                     if not user_group_id:
                         return
                     user_group = cls.query()
                     if cache:
                         user_group = user_group.options(
                             FromCache("sql_cache_short", "get_users_group_%s" % user_group_id))
                     return user_group.get(user_group_id)
                 def permissions(self, with_admins=True, with_owner=True,
                                 expand_from_user_groups=False):
                     """
                     Permissions for user groups
                     """
                     _admin_perm = 'usergroup.admin'
                     owner_row = []
                     if with_owner:
                         usr = AttributeDict(self.user.get_dict())
                         usr.owner_row = True
                         usr.permission = _admin_perm
                         owner_row.append(usr)
                     super_admin_ids = []
                     super_admin_rows = []
                     if with_admins:
                         for usr in User.get_all_super_admins():
                             super_admin_ids.append(usr.user_id)
                             # if this admin is also owner, don't double the record
                             if usr.user_id == owner_row[0].user_id:
                                 owner_row[0].admin_row = True
                             else:
                                 usr = AttributeDict(usr.get_dict())
                                 usr.admin_row = True
                                 usr.permission = _admin_perm
                                 super_admin_rows.append(usr)
                     q = UserUserGroupToPerm.query().filter(UserUserGroupToPerm.user_group == self)
                     q = q.options(joinedload(UserUserGroupToPerm.user_group),
                                   joinedload(UserUserGroupToPerm.user),
                                   joinedload(UserUserGroupToPerm.permission),)
                     # get owners and admins and permissions. We do a trick of re-writing
                     # objects from sqlalchemy to named-tuples due to sqlalchemy session
                     # has a global reference and changing one object propagates to all
                     # others. This means if admin is also an owner admin_row that change
                     # would propagate to both objects
                     perm_rows = []
                     for _usr in q.all():
                         usr = AttributeDict(_usr.user.get_dict())
                         # if this user is also owner/admin, mark as duplicate record
                         if usr.user_id == owner_row[0].user_id or usr.user_id in super_admin_ids:
                             usr.duplicate_perm = True
                         usr.permission = _usr.permission.permission_name
                         perm_rows.append(usr)
                     # filter the perm rows by 'default' first and then sort them by
                     # admin,write,read,none permissions sorted again alphabetically in
                     # each group
                     perm_rows = sorted(perm_rows, key=display_user_sort)
                     user_groups_rows = []
                     if expand_from_user_groups:
                         for ug in self.permission_user_groups(with_members=True):
                             for user_data in ug.members:
                                 user_groups_rows.append(user_data)
                     return super_admin_rows + owner_row + perm_rows + user_groups_rows
                 def permission_user_groups(self, with_members=False):
                     q = UserGroupUserGroupToPerm.query()\
                         .filter(UserGroupUserGroupToPerm.target_user_group == self)
                     q = q.options(joinedload(UserGroupUserGroupToPerm.user_group),
                                   joinedload(UserGroupUserGroupToPerm.target_user_group),
                                   joinedload(UserGroupUserGroupToPerm.permission),)
                     perm_rows = []
                     for _user_group in q.all():
                         entry = AttributeDict(_user_group.user_group.get_dict())
                         entry.permission = _user_group.permission.permission_name
                         if with_members:
                             entry.members = [x.user.get_dict()
                                              for x in _user_group.users_group.members]
                         perm_rows.append(entry)
                     perm_rows = sorted(perm_rows, key=display_user_group_sort)
                     return perm_rows
                 def _get_default_perms(self, user_group, suffix=''):
                     from rhodecode.model.permission import PermissionModel
                     return PermissionModel().get_default_perms(user_group.users_group_to_perm, suffix)
                 def get_default_perms(self, suffix=''):
                     return self._get_default_perms(self, suffix)
                 def get_api_data(self, with_group_members=True, include_secrets=False):
                     """
                     :param include_secrets: See :meth:`User.get_api_data`, this parameter is
                        basically forwarded.
                     """
                     user_group = self
                     data = {
                         'users_group_id': user_group.users_group_id,
                         'group_name': user_group.users_group_name,
                         'group_description': user_group.user_group_description,
                         'active': user_group.users_group_active,
                         'owner': user_group.user.username,
                         'sync': user_group.sync,
                         'owner_email': user_group.user.email,
                     }
                     if with_group_members:
                         users = []
                         for user in user_group.members:
                             user = user.user
                             users.append(user.get_api_data(include_secrets=include_secrets))
                         data['users'] = users
                     return data
             class UserGroupMember(Base, BaseModel):
                 __tablename__ = 'users_groups_members'
                 __table_args__ = (
                     base_table_args,
                 )
                 users_group_member_id = Column("users_group_member_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 users_group_id = Column("users_group_id", Integer(), ForeignKey('users_groups.users_group_id'), nullable=False, unique=None, default=None)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=None, default=None)
                 user = relationship('User', lazy='joined')
                 users_group = relationship('UserGroup')
                 def __init__(self, gr_id='', u_id=''):
                     self.users_group_id = gr_id
                     self.user_id = u_id
             class RepositoryField(Base, BaseModel):
                 __tablename__ = 'repositories_fields'
                 __table_args__ = (
                     UniqueConstraint('repository_id', 'field_key'),  # no-multi field
                     base_table_args,
                 )
                 PREFIX = 'ex_'  # prefix used in form to not conflict with already existing fields
                 repo_field_id = Column("repo_field_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 repository_id = Column("repository_id", Integer(), ForeignKey('repositories.repo_id'), nullable=False, unique=None, default=None)
                 field_key = Column("field_key", String(250))
                 field_label = Column("field_label", String(1024), nullable=False)
                 field_value = Column("field_value", String(10000), nullable=False)
                 field_desc = Column("field_desc", String(1024), nullable=False)
                 field_type = Column("field_type", String(255), nullable=False, unique=None)
                 created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 repository = relationship('Repository')
                 @property
                 def field_key_prefixed(self):
                     return 'ex_%s' % self.field_key
                 @classmethod
                 def un_prefix_key(cls, key):
                     if key.startswith(cls.PREFIX):
                         return key[len(cls.PREFIX):]
                     return key
                 @classmethod
                 def get_by_key_name(cls, key, repo):
                     row = cls.query()\
                             .filter(cls.repository == repo)\
                             .filter(cls.field_key == key).scalar()
                     return row
             class Repository(Base, BaseModel):
                 __tablename__ = 'repositories'
                 __table_args__ = (
                     Index('r_repo_name_idx', 'repo_name', mysql_length=255),
                     base_table_args,
                 )
                 DEFAULT_CLONE_URI = '{scheme}://{user}@{netloc}/{repo}'
                 DEFAULT_CLONE_URI_ID = '{scheme}://{user}@{netloc}/_{repoid}'
                 DEFAULT_CLONE_URI_SSH = 'ssh://{sys_user}@{hostname}/{repo}'
                 STATE_CREATED = 'repo_state_created'
                 STATE_PENDING = 'repo_state_pending'
                 STATE_ERROR = 'repo_state_error'
                 LOCK_AUTOMATIC = 'lock_auto'
                 LOCK_API = 'lock_api'
                 LOCK_WEB = 'lock_web'
                 LOCK_PULL = 'lock_pull'
                 NAME_SEP = URL_SEP
                 repo_id = Column(
                     "repo_id", Integer(), nullable=False, unique=True, default=None,
                     primary_key=True)
                 _repo_name = Column(
                     "repo_name", Text(), nullable=False, default=None)
                 _repo_name_hash = Column(
                     "repo_name_hash", String(255), nullable=False, unique=True)
                 repo_state = Column("repo_state", String(255), nullable=True)
                 clone_uri = Column(
                     "clone_uri", EncryptedTextValue(), nullable=True, unique=False,
                     default=None)
                 push_uri = Column(
                     "push_uri", EncryptedTextValue(), nullable=True, unique=False,
                     default=None)
                 repo_type = Column(
                     "repo_type", String(255), nullable=False, unique=False, default=None)
                 user_id = Column(
                     "user_id", Integer(), ForeignKey('users.user_id'), nullable=False,
                     unique=False, default=None)
                 private = Column(
                     "private", Boolean(), nullable=True, unique=None, default=None)
                 archived = Column(
                     "archived", Boolean(), nullable=True, unique=None, default=None)
                 enable_statistics = Column(
                     "statistics", Boolean(), nullable=True, unique=None, default=True)
                 enable_downloads = Column(
                     "downloads", Boolean(), nullable=True, unique=None, default=True)
                 description = Column(
                     "description", String(10000), nullable=True, unique=None, default=None)
                 created_on = Column(
                     'created_on', DateTime(timezone=False), nullable=True, unique=None,
                     default=datetime.datetime.now)
                 updated_on = Column(
                     'updated_on', DateTime(timezone=False), nullable=True, unique=None,
                     default=datetime.datetime.now)
                 _landing_revision = Column(
                     "landing_revision", String(255), nullable=False, unique=False,
                     default=None)
                 enable_locking = Column(
                     "enable_locking", Boolean(), nullable=False, unique=None,
                     default=False)
                 _locked = Column(
                     "locked", String(255), nullable=True, unique=False, default=None)
                 _changeset_cache = Column(
                     "changeset_cache", LargeBinary(), nullable=True)  # JSON data
                 fork_id = Column(
                     "fork_id", Integer(), ForeignKey('repositories.repo_id'),
                     nullable=True, unique=False, default=None)
                 group_id = Column(
                     "group_id", Integer(), ForeignKey('groups.group_id'), nullable=True,
                     unique=False, default=None)
                 user = relationship('User', lazy='joined')
                 fork = relationship('Repository', remote_side=repo_id, lazy='joined')
                 group = relationship('RepoGroup', lazy='joined')
                 repo_to_perm = relationship(
                     'UserRepoToPerm', cascade='all',
                     order_by='UserRepoToPerm.repo_to_perm_id')
                 users_group_to_perm = relationship('UserGroupRepoToPerm', cascade='all')
                 stats = relationship('Statistics', cascade='all', uselist=False)
                 followers = relationship(
                     'UserFollowing',
                     primaryjoin='UserFollowing.follows_repo_id==Repository.repo_id',
                     cascade='all')
                 extra_fields = relationship(
                     'RepositoryField', cascade="all, delete, delete-orphan")
                 logs = relationship('UserLog')
                 comments = relationship(
                     'ChangesetComment', cascade="all, delete, delete-orphan")
                 pull_requests_source = relationship(
                     'PullRequest',
                     primaryjoin='PullRequest.source_repo_id==Repository.repo_id',
                     cascade="all, delete, delete-orphan")
                 pull_requests_target = relationship(
                     'PullRequest',
                     primaryjoin='PullRequest.target_repo_id==Repository.repo_id',
                     cascade="all, delete, delete-orphan")
                 ui = relationship('RepoRhodeCodeUi', cascade="all")
                 settings = relationship('RepoRhodeCodeSetting', cascade="all")
                 integrations = relationship('Integration',
                                             cascade="all, delete, delete-orphan")
                 scoped_tokens = relationship('UserApiKeys', cascade="all")
                 def __unicode__(self):
                     return u"<%s('%s:%s')>" % (self.__class__.__name__, self.repo_id,
                                                safe_unicode(self.repo_name))
                 @hybrid_property
                 def description_safe(self):
                     from rhodecode.lib import helpers as h
                     return h.escape(self.description)
                 @hybrid_property
                 def landing_rev(self):
                     # always should return [rev_type, rev]
                     if self._landing_revision:
                         _rev_info = self._landing_revision.split(':')
                         if len(_rev_info) < 2:
                             _rev_info.insert(0, 'rev')
                         return [_rev_info[0], _rev_info[1]]
                     return [None, None]
                 @landing_rev.setter
                 def landing_rev(self, val):
                     if ':' not in val:
                         raise ValueError('value must be delimited with `:` and consist '
                                          'of <rev_type>:<rev>, got %s instead' % val)
                     self._landing_revision = val
                 @hybrid_property
                 def locked(self):
                     if self._locked:
                         user_id, timelocked, reason = self._locked.split(':')
                         lock_values = int(user_id), timelocked, reason
                     else:
                         lock_values = [None, None, None]
                     return lock_values
                 @locked.setter
                 def locked(self, val):
                     if val and isinstance(val, (list, tuple)):
                         self._locked = ':'.join(map(str, val))
                     else:
                         self._locked = None
                 @hybrid_property
                 def changeset_cache(self):
                     from rhodecode.lib.vcs.backends.base import EmptyCommit
                     dummy = EmptyCommit().__json__()
                     if not self._changeset_cache:
                         return dummy
                     try:
                         return json.loads(self._changeset_cache)
                     except TypeError:
                         return dummy
                     except Exception:
                         log.error(traceback.format_exc())
                         return dummy
                 @changeset_cache.setter
                 def changeset_cache(self, val):
                     try:
                         self._changeset_cache = json.dumps(val)
                     except Exception:
                         log.error(traceback.format_exc())
                 @hybrid_property
                 def repo_name(self):
                     return self._repo_name
                 @repo_name.setter
                 def repo_name(self, value):
                     self._repo_name = value
                     self._repo_name_hash = hashlib.sha1(safe_str(value)).hexdigest()
                 @classmethod
                 def normalize_repo_name(cls, repo_name):
                     """
                     Normalizes os specific repo_name to the format internally stored inside
                     database using URL_SEP
                     :param cls:
                     :param repo_name:
                     """
                     return cls.NAME_SEP.join(repo_name.split(os.sep))
                 @classmethod
                 def get_by_repo_name(cls, repo_name, cache=False, identity_cache=False):
                     session = Session()
                     q = session.query(cls).filter(cls.repo_name == repo_name)
                     if cache:
                         if identity_cache:
                             val = cls.identity_cache(session, 'repo_name', repo_name)
                             if val:
                                 return val
                         else:
                             cache_key = "get_repo_by_name_%s" % _hash_key(repo_name)
                             q = q.options(
                                 FromCache("sql_cache_short", cache_key))
                     return q.scalar()
                 @classmethod
                 def get_by_id_or_repo_name(cls, repoid):
                     if isinstance(repoid, (int, long)):
                         try:
                             repo = cls.get(repoid)
                         except ValueError:
                             repo = None
                     else:
                         repo = cls.get_by_repo_name(repoid)
                     return repo
                 @classmethod
                 def get_by_full_path(cls, repo_full_path):
                     repo_name = repo_full_path.split(cls.base_path(), 1)[-1]
                     repo_name = cls.normalize_repo_name(repo_name)
                     return cls.get_by_repo_name(repo_name.strip(URL_SEP))
                 @classmethod
                 def get_repo_forks(cls, repo_id):
                     return cls.query().filter(Repository.fork_id == repo_id)
                 @classmethod
                 def base_path(cls):
                     """
                     Returns base path when all repos are stored
                     :param cls:
                     """
                     q = Session().query(RhodeCodeUi)\
                         .filter(RhodeCodeUi.ui_key == cls.NAME_SEP)
                     q = q.options(FromCache("sql_cache_short", "repository_repo_path"))
                     return q.one().ui_value
                 @classmethod
                 def get_all_repos(cls, user_id=Optional(None), group_id=Optional(None),
                                   case_insensitive=True, archived=False):
                     q = Repository.query()
                     if not archived:
                         q = q.filter(Repository.archived.isnot(true()))
                     if not isinstance(user_id, Optional):
                         q = q.filter(Repository.user_id == user_id)
                     if not isinstance(group_id, Optional):
                         q = q.filter(Repository.group_id == group_id)
                     if case_insensitive:
                         q = q.order_by(func.lower(Repository.repo_name))
                     else:
                         q = q.order_by(Repository.repo_name)
                     return q.all()
                 @property
                 def forks(self):
                     """
                     Return forks of this repo
                     """
                     return Repository.get_repo_forks(self.repo_id)
                 @property
                 def parent(self):
                     """
                     Returns fork parent
                     """
                     return self.fork
                 @property
                 def just_name(self):
                     return self.repo_name.split(self.NAME_SEP)[-1]
                 @property
                 def groups_with_parents(self):
                     groups = []
                     if self.group is None:
                         return groups
                     cur_gr = self.group
                     groups.insert(0, cur_gr)
                     while 1:
                         gr = getattr(cur_gr, 'parent_group', None)
                         cur_gr = cur_gr.parent_group
                         if gr is None:
                             break
                         groups.insert(0, gr)
                     return groups
                 @property
                 def groups_and_repo(self):
                     return self.groups_with_parents, self
                 @LazyProperty
                 def repo_path(self):
                     """
                     Returns base full path for that repository means where it actually
                     exists on a filesystem
                     """
                     q = Session().query(RhodeCodeUi).filter(
                         RhodeCodeUi.ui_key == self.NAME_SEP)
                     q = q.options(FromCache("sql_cache_short", "repository_repo_path"))
                     return q.one().ui_value
                 @property
                 def repo_full_path(self):
                     p = [self.repo_path]
                     # we need to split the name by / since this is how we store the
                     # names in the database, but that eventually needs to be converted
                     # into a valid system path
                     p += self.repo_name.split(self.NAME_SEP)
                     return os.path.join(*map(safe_unicode, p))
                 @property
                 def cache_keys(self):
                     """
                     Returns associated cache keys for that repo
                     """
                     invalidation_namespace = CacheKey.REPO_INVALIDATION_NAMESPACE.format(
                         repo_id=self.repo_id)
                     return CacheKey.query()\
                         .filter(CacheKey.cache_args == invalidation_namespace)\
                         .order_by(CacheKey.cache_key)\
                         .all()
                 @property
                 def cached_diffs_relative_dir(self):
                     """
                     Return a relative to the repository store path of cached diffs
                     used for safe display for users, who shouldn't know the absolute store
                     path
                     """
                     return os.path.join(
                         os.path.dirname(self.repo_name),
                         self.cached_diffs_dir.split(os.path.sep)[-1])
                 @property
                 def cached_diffs_dir(self):
                     path = self.repo_full_path
                     return os.path.join(
                         os.path.dirname(path),
                         '.__shadow_diff_cache_repo_{}'.format(self.repo_id))
                 def cached_diffs(self):
                     diff_cache_dir = self.cached_diffs_dir
                     if os.path.isdir(diff_cache_dir):
                         return os.listdir(diff_cache_dir)
                     return []
                 def shadow_repos(self):
                     shadow_repos_pattern = '.__shadow_repo_{}'.format(self.repo_id)
                     return [
                         x for x in os.listdir(os.path.dirname(self.repo_full_path))
                         if x.startswith(shadow_repos_pattern)]
                 def get_new_name(self, repo_name):
                     """
                     returns new full repository name based on assigned group and new new
                     :param group_name:
                     """
                     path_prefix = self.group.full_path_splitted if self.group else []
                     return self.NAME_SEP.join(path_prefix + [repo_name])
                 @property
                 def _config(self):
                     """
                     Returns db based config object.
                     """
                     from rhodecode.lib.utils import make_db_config
                     return make_db_config(clear_session=False, repo=self)
                 def permissions(self, with_admins=True, with_owner=True,
                                 expand_from_user_groups=False):
                     """
                     Permissions for repositories
                     """
                     _admin_perm = 'repository.admin'
                     owner_row = []
                     if with_owner:
                         usr = AttributeDict(self.user.get_dict())
                         usr.owner_row = True
                         usr.permission = _admin_perm
                         usr.permission_id = None
                         owner_row.append(usr)
                     super_admin_ids = []
                     super_admin_rows = []
                     if with_admins:
                         for usr in User.get_all_super_admins():
                             super_admin_ids.append(usr.user_id)
                             # if this admin is also owner, don't double the record
                             if usr.user_id == owner_row[0].user_id:
                                 owner_row[0].admin_row = True
                             else:
                                 usr = AttributeDict(usr.get_dict())
                                 usr.admin_row = True
                                 usr.permission = _admin_perm
                                 usr.permission_id = None
                                 super_admin_rows.append(usr)
                     q = UserRepoToPerm.query().filter(UserRepoToPerm.repository == self)
                     q = q.options(joinedload(UserRepoToPerm.repository),
                                   joinedload(UserRepoToPerm.user),
                                   joinedload(UserRepoToPerm.permission),)
                     # get owners and admins and permissions. We do a trick of re-writing
                     # objects from sqlalchemy to named-tuples due to sqlalchemy session
                     # has a global reference and changing one object propagates to all
                     # others. This means if admin is also an owner admin_row that change
                     # would propagate to both objects
                     perm_rows = []
                     for _usr in q.all():
                         usr = AttributeDict(_usr.user.get_dict())
                         # if this user is also owner/admin, mark as duplicate record
                         if usr.user_id == owner_row[0].user_id or usr.user_id in super_admin_ids:
                             usr.duplicate_perm = True
                         # also check if this permission is maybe used by branch_permissions
                         if _usr.branch_perm_entry:
                             usr.branch_rules = [x.branch_rule_id for x in _usr.branch_perm_entry]
                         usr.permission = _usr.permission.permission_name
                         usr.permission_id = _usr.repo_to_perm_id
                         perm_rows.append(usr)
                     # filter the perm rows by 'default' first and then sort them by
                     # admin,write,read,none permissions sorted again alphabetically in
                     # each group
                     perm_rows = sorted(perm_rows, key=display_user_sort)
                     user_groups_rows = []
                     if expand_from_user_groups:
                         for ug in self.permission_user_groups(with_members=True):
                             for user_data in ug.members:
                                 user_groups_rows.append(user_data)
                     return super_admin_rows + owner_row + perm_rows + user_groups_rows
                 def permission_user_groups(self, with_members=True):
                     q = UserGroupRepoToPerm.query()\
                         .filter(UserGroupRepoToPerm.repository == self)
                     q = q.options(joinedload(UserGroupRepoToPerm.repository),
                                   joinedload(UserGroupRepoToPerm.users_group),
                                   joinedload(UserGroupRepoToPerm.permission),)
                     perm_rows = []
                     for _user_group in q.all():
                         entry = AttributeDict(_user_group.users_group.get_dict())
                         entry.permission = _user_group.permission.permission_name
                         if with_members:
                             entry.members = [x.user.get_dict()
                                              for x in _user_group.users_group.members]
                         perm_rows.append(entry)
                     perm_rows = sorted(perm_rows, key=display_user_group_sort)
                     return perm_rows
                 def get_api_data(self, include_secrets=False):
                     """
                     Common function for generating repo api data
                     :param include_secrets: See :meth:`User.get_api_data`.
                     """
                     # TODO: mikhail: Here there is an anti-pattern, we probably need to
                     # move this methods on models level.
                     from rhodecode.model.settings import SettingsModel
                     from rhodecode.model.repo import RepoModel
                     repo = self
                     _user_id, _time, _reason = self.locked
                     data = {
                         'repo_id': repo.repo_id,
                         'repo_name': repo.repo_name,
                         'repo_type': repo.repo_type,
                         'clone_uri': repo.clone_uri or '',
                         'push_uri': repo.push_uri or '',
                         'url': RepoModel().get_url(self),
                         'private': repo.private,
                         'created_on': repo.created_on,
                         'description': repo.description_safe,
                         'landing_rev': repo.landing_rev,
                         'owner': repo.user.username,
                         'fork_of': repo.fork.repo_name if repo.fork else None,
                         'fork_of_id': repo.fork.repo_id if repo.fork else None,
                         'enable_statistics': repo.enable_statistics,
                         'enable_locking': repo.enable_locking,
                         'enable_downloads': repo.enable_downloads,
                         'last_changeset': repo.changeset_cache,
                         'locked_by': User.get(_user_id).get_api_data(
                             include_secrets=include_secrets) if _user_id else None,
                         'locked_date': time_to_datetime(_time) if _time else None,
                         'lock_reason': _reason if _reason else None,
                     }
                     # TODO: mikhail: should be per-repo settings here
                     rc_config = SettingsModel().get_all_settings()
                     repository_fields = str2bool(
                         rc_config.get('rhodecode_repository_fields'))
                     if repository_fields:
                         for f in self.extra_fields:
                             data[f.field_key_prefixed] = f.field_value
                     return data
                 @classmethod
                 def lock(cls, repo, user_id, lock_time=None, lock_reason=None):
                     if not lock_time:
                         lock_time = time.time()
                     if not lock_reason:
                         lock_reason = cls.LOCK_AUTOMATIC
                     repo.locked = [user_id, lock_time, lock_reason]
                     Session().add(repo)
                     Session().commit()
                 @classmethod
                 def unlock(cls, repo):
                     repo.locked = None
                     Session().add(repo)
                     Session().commit()
                 @classmethod
                 def getlock(cls, repo):
                     return repo.locked
                 def is_user_lock(self, user_id):
                     if self.lock[0]:
                         lock_user_id = safe_int(self.lock[0])
                         user_id = safe_int(user_id)
                         # both are ints, and they are equal
                         return all([lock_user_id, user_id]) and lock_user_id == user_id
                     return False
                 def get_locking_state(self, action, user_id, only_when_enabled=True):
                     """
                     Checks locking on this repository, if locking is enabled and lock is
                     present returns a tuple of make_lock, locked, locked_by.
                     make_lock can have 3 states None (do nothing) True, make lock
                     False release lock, This value is later propagated to hooks, which
                     do the locking. Think about this as signals passed to hooks what to do.
                     """
                     # TODO: johbo: This is part of the business logic and should be moved
                     # into the RepositoryModel.
                     if action not in ('push', 'pull'):
                         raise ValueError("Invalid action value: %s" % repr(action))
                     # defines if locked error should be thrown to user
                     currently_locked = False
                     # defines if new lock should be made, tri-state
                     make_lock = None
                     repo = self
                     user = User.get(user_id)
                     lock_info = repo.locked
                     if repo and (repo.enable_locking or not only_when_enabled):
                         if action == 'push':
                             # check if it's already locked !, if it is compare users
                             locked_by_user_id = lock_info[0]
                             if user.user_id == locked_by_user_id:
                                 log.debug(
                                     'Got `push` action from user %s, now unlocking', user)
                                 # unlock if we have push from user who locked
                                 make_lock = False
                             else:
                                 # we're not the same user who locked, ban with
                                 # code defined in settings (default is 423 HTTP Locked) !
                                 log.debug('Repo %s is currently locked by %s', repo, user)
                                 currently_locked = True
                         elif action == 'pull':
                             # [0] user [1] date
                             if lock_info[0] and lock_info[1]:
                                 log.debug('Repo %s is currently locked by %s', repo, user)
                                 currently_locked = True
                             else:
                                 log.debug('Setting lock on repo %s by %s', repo, user)
                                 make_lock = True
                     else:
                         log.debug('Repository %s do not have locking enabled', repo)
                     log.debug('FINAL locking values make_lock:%s,locked:%s,locked_by:%s',
                               make_lock, currently_locked, lock_info)
                     from rhodecode.lib.auth import HasRepoPermissionAny
                     perm_check = HasRepoPermissionAny('repository.write', 'repository.admin')
                     if make_lock and not perm_check(repo_name=repo.repo_name, user=user):
                         # if we don't have at least write permission we cannot make a lock
                         log.debug('lock state reset back to FALSE due to lack '
                                   'of at least read permission')
                         make_lock = False
                     return make_lock, currently_locked, lock_info
                 @property
                 def last_db_change(self):
                     return self.updated_on
                 @property
                 def clone_uri_hidden(self):
                     clone_uri = self.clone_uri
                     if clone_uri:
                         import urlobject
                         url_obj = urlobject.URLObject(cleaned_uri(clone_uri))
                         if url_obj.password:
                             clone_uri = url_obj.with_password('*****')
                     return clone_uri
                 @property
                 def push_uri_hidden(self):
                     push_uri = self.push_uri
                     if push_uri:
                         import urlobject
                         url_obj = urlobject.URLObject(cleaned_uri(push_uri))
                         if url_obj.password:
                             push_uri = url_obj.with_password('*****')
                     return push_uri
                 def clone_url(self, **override):
                     from rhodecode.model.settings import SettingsModel
                     uri_tmpl = None
                     if 'with_id' in override:
                         uri_tmpl = self.DEFAULT_CLONE_URI_ID
                         del override['with_id']
                     if 'uri_tmpl' in override:
                         uri_tmpl = override['uri_tmpl']
                         del override['uri_tmpl']
                     ssh = False
                     if 'ssh' in override:
                         ssh = True
                         del override['ssh']
                     # we didn't override our tmpl from **overrides
                     if not uri_tmpl:
                         rc_config = SettingsModel().get_all_settings(cache=True)
                         if ssh:
                             uri_tmpl = rc_config.get(
                                 'rhodecode_clone_uri_ssh_tmpl') or self.DEFAULT_CLONE_URI_SSH
                         else:
                             uri_tmpl = rc_config.get(
                                 'rhodecode_clone_uri_tmpl') or self.DEFAULT_CLONE_URI
                     request = get_current_request()
                     return get_clone_url(request=request,
                                          uri_tmpl=uri_tmpl,
                                          repo_name=self.repo_name,
                                          repo_id=self.repo_id, **override)
                 def set_state(self, state):
                     self.repo_state = state
                     Session().add(self)
                 #==========================================================================
                 # SCM PROPERTIES
                 #==========================================================================
                 def get_commit(self, commit_id=None, commit_idx=None, pre_load=None):
                     return get_commit_safe(
                         self.scm_instance(), commit_id, commit_idx, pre_load=pre_load)
                 def get_changeset(self, rev=None, pre_load=None):
                     warnings.warn("Use get_commit", DeprecationWarning)
                     commit_id = None
                     commit_idx = None
                     if isinstance(rev, compat.string_types):
                         commit_id = rev
                     else:
                         commit_idx = rev
                     return self.get_commit(commit_id=commit_id, commit_idx=commit_idx,
                                            pre_load=pre_load)
                 def get_landing_commit(self):
                     """
                     Returns landing commit, or if that doesn't exist returns the tip
                     """
                     _rev_type, _rev = self.landing_rev
                     commit = self.get_commit(_rev)
                     if isinstance(commit, EmptyCommit):
                         return self.get_commit()
                     return commit
                 def update_commit_cache(self, cs_cache=None, config=None):
                     """
                     Update cache of last changeset for repository, keys should be::
                         short_id
                         raw_id
                         revision
                         parents
                         message
                         date
                         author
                     :param cs_cache:
                     """
                     from rhodecode.lib.vcs.backends.base import BaseChangeset
                     if cs_cache is None:
                         # use no-cache version here
                         scm_repo = self.scm_instance(cache=False, config=config)
                         empty = not scm_repo or scm_repo.is_empty()
                         if not empty:
                             cs_cache = scm_repo.get_commit(
                                 pre_load=["author", "date", "message", "parents"])
                         else:
                             cs_cache = EmptyCommit()
                     if isinstance(cs_cache, BaseChangeset):
                         cs_cache = cs_cache.__json__()
                     def is_outdated(new_cs_cache):
                         if (new_cs_cache['raw_id'] != self.changeset_cache['raw_id'] or
                             new_cs_cache['revision'] != self.changeset_cache['revision']):
                             return True
                         return False
                     # check if we have maybe already latest cached revision
                     if is_outdated(cs_cache) or not self.changeset_cache:
                         _default = datetime.datetime.utcnow()
                         last_change = cs_cache.get('date') or _default
                         if self.updated_on and self.updated_on > last_change:
                             # we check if last update is newer than the new value
                             # if yes, we use the current timestamp instead. Imagine you get
                             # old commit pushed 1y ago, we'd set last update 1y to ago.
                             last_change = _default
                         log.debug('updated repo %s with new commit cache %s',
                                   self.repo_name, cs_cache)
                         self.updated_on = last_change
                         self.changeset_cache = cs_cache
                         Session().add(self)
                         Session().commit()
                     else:
                         log.debug('Skipping update_commit_cache for repo:`%s` '
                                   'commit already with latest changes', self.repo_name)
                 @property
                 def tip(self):
                     return self.get_commit('tip')
                 @property
                 def author(self):
                     return self.tip.author
                 @property
                 def last_change(self):
                     return self.scm_instance().last_change
                 def get_comments(self, revisions=None):
                     """
                     Returns comments for this repository grouped by revisions
                     :param revisions: filter query by revisions only
                     """
                     cmts = ChangesetComment.query()\
                         .filter(ChangesetComment.repo == self)
                     if revisions:
                         cmts = cmts.filter(ChangesetComment.revision.in_(revisions))
                     grouped = collections.defaultdict(list)
                     for cmt in cmts.all():
                         grouped[cmt.revision].append(cmt)
                     return grouped
                 def statuses(self, revisions=None):
                     """
                     Returns statuses for this repository
                     :param revisions: list of revisions to get statuses for
                     """
                     statuses = ChangesetStatus.query()\
                         .filter(ChangesetStatus.repo == self)\
                         .filter(ChangesetStatus.version == 0)
                     if revisions:
                         # Try doing the filtering in chunks to avoid hitting limits
                         size = 500
                         status_results = []
                         for chunk in xrange(0, len(revisions), size):
                             status_results += statuses.filter(
                                 ChangesetStatus.revision.in_(
                                     revisions[chunk: chunk+size])
                             ).all()
                     else:
                         status_results = statuses.all()
                     grouped = {}
                     # maybe we have open new pullrequest without a status?
                     stat = ChangesetStatus.STATUS_UNDER_REVIEW
                     status_lbl = ChangesetStatus.get_status_lbl(stat)
                     for pr in PullRequest.query().filter(PullRequest.source_repo == self).all():
                         for rev in pr.revisions:
                             pr_id = pr.pull_request_id
                             pr_repo = pr.target_repo.repo_name
                             grouped[rev] = [stat, status_lbl, pr_id, pr_repo]
                     for stat in status_results:
                         pr_id = pr_repo = None
                         if stat.pull_request:
                             pr_id = stat.pull_request.pull_request_id
                             pr_repo = stat.pull_request.target_repo.repo_name
                         grouped[stat.revision] = [str(stat.status), stat.status_lbl,
                                                   pr_id, pr_repo]
                     return grouped
                 # ==========================================================================
                 # SCM CACHE INSTANCE
                 # ==========================================================================
                 def scm_instance(self, **kwargs):
                     import rhodecode
                     # Passing a config will not hit the cache currently only used
                     # for repo2dbmapper
                     config = kwargs.pop('config', None)
                     cache = kwargs.pop('cache', None)
                     full_cache = str2bool(rhodecode.CONFIG.get('vcs_full_cache'))
                     # if cache is NOT defined use default global, else we have a full
                     # control over cache behaviour
                     if cache is None and full_cache and not config:
                         return self._get_instance_cached()
                     return self._get_instance(cache=bool(cache), config=config)
                 def _get_instance_cached(self):
                     from rhodecode.lib import rc_cache
                     cache_namespace_uid = 'cache_repo_instance.{}'.format(self.repo_id)
                     invalidation_namespace = CacheKey.REPO_INVALIDATION_NAMESPACE.format(
                         repo_id=self.repo_id)
                     region = rc_cache.get_or_create_region('cache_repo_longterm', cache_namespace_uid)
                     @region.conditional_cache_on_arguments(namespace=cache_namespace_uid)
                     def get_instance_cached(repo_id, context_id):
                         return self._get_instance()
                     # we must use thread scoped cache here,
                     # because each thread of gevent needs it's own not shared connection and cache
                     # we also alter `args` so the cache key is individual for every green thread.
                     inv_context_manager = rc_cache.InvalidationContext(
                         uid=cache_namespace_uid, invalidation_namespace=invalidation_namespace,
                         thread_scoped=True)
                     with inv_context_manager as invalidation_context:
                         args = (self.repo_id, inv_context_manager.cache_key)
                         # re-compute and store cache if we get invalidate signal
                         if invalidation_context.should_invalidate():
                             instance = get_instance_cached.refresh(*args)
                         else:
                             instance = get_instance_cached(*args)
                         log.debug(
-                            'Repo instance fetched in %.3fs', inv_context_manager.compute_time)
+                            'Repo instance fetched in %.4fs', inv_context_manager.compute_time)
                         return instance
                 def _get_instance(self, cache=True, config=None):
                     config = config or self._config
                     custom_wire = {
                         'cache': cache  # controls the vcs.remote cache
                     }
                     repo = get_vcs_instance(
                         repo_path=safe_str(self.repo_full_path),
                         config=config,
                         with_wire=custom_wire,
                         create=False,
                         _vcs_alias=self.repo_type)
                     return repo
                 def __json__(self):
                     return {'landing_rev': self.landing_rev}
                 def get_dict(self):
                     # Since we transformed `repo_name` to a hybrid property, we need to
                     # keep compatibility with the code which uses `repo_name` field.
                     result = super(Repository, self).get_dict()
                     result['repo_name'] = result.pop('_repo_name', None)
                     return result
             class RepoGroup(Base, BaseModel):
                 __tablename__ = 'groups'
                 __table_args__ = (
                     UniqueConstraint('group_name', 'group_parent_id'),
                     base_table_args,
                 )
                 __mapper_args__ = {'order_by': 'group_name'}
                 CHOICES_SEPARATOR = '/'  # used to generate select2 choices for nested groups
                 group_id = Column("group_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 group_name = Column("group_name", String(255), nullable=False, unique=True, default=None)
                 group_parent_id = Column("group_parent_id", Integer(), ForeignKey('groups.group_id'), nullable=True, unique=None, default=None)
                 group_description = Column("group_description", String(10000), nullable=True, unique=None, default=None)
                 enable_locking = Column("enable_locking", Boolean(), nullable=False, unique=None, default=False)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=False, default=None)
                 created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 updated_on = Column('updated_on', DateTime(timezone=False), nullable=True, unique=None, default=datetime.datetime.now)
                 personal = Column('personal', Boolean(), nullable=True, unique=None, default=None)
                 repo_group_to_perm = relationship('UserRepoGroupToPerm', cascade='all', order_by='UserRepoGroupToPerm.group_to_perm_id')
                 users_group_to_perm = relationship('UserGroupRepoGroupToPerm', cascade='all')
                 parent_group = relationship('RepoGroup', remote_side=group_id)
                 user = relationship('User')
                 integrations = relationship('Integration',
                                             cascade="all, delete, delete-orphan")
                 def __init__(self, group_name='', parent_group=None):
                     self.group_name = group_name
                     self.parent_group = parent_group
                 def __unicode__(self):
                     return u"<%s('id:%s:%s')>" % (
                         self.__class__.__name__, self.group_id, self.group_name)
                 @hybrid_property
                 def description_safe(self):
                     from rhodecode.lib import helpers as h
                     return h.escape(self.group_description)
                 @classmethod
                 def _generate_choice(cls, repo_group):
                     from webhelpers.html import literal as _literal
                     _name = lambda k: _literal(cls.CHOICES_SEPARATOR.join(k))
                     return repo_group.group_id, _name(repo_group.full_path_splitted)
                 @classmethod
                 def groups_choices(cls, groups=None, show_empty_group=True):
                     if not groups:
                         groups = cls.query().all()
                     repo_groups = []
                     if show_empty_group:
                         repo_groups = [(-1, u'-- %s --' % _('No parent'))]
                     repo_groups.extend([cls._generate_choice(x) for x in groups])
                     repo_groups = sorted(
                         repo_groups, key=lambda t: t[1].split(cls.CHOICES_SEPARATOR)[0])
                     return repo_groups
                 @classmethod
                 def url_sep(cls):
                     return URL_SEP
                 @classmethod
                 def get_by_group_name(cls, group_name, cache=False, case_insensitive=False):
                     if case_insensitive:
                         gr = cls.query().filter(func.lower(cls.group_name)
                                                 == func.lower(group_name))
                     else:
                         gr = cls.query().filter(cls.group_name == group_name)
                     if cache:
                         name_key = _hash_key(group_name)
                         gr = gr.options(
                             FromCache("sql_cache_short", "get_group_%s" % name_key))
                     return gr.scalar()
                 @classmethod
                 def get_user_personal_repo_group(cls, user_id):
                     user = User.get(user_id)
                     if user.username == User.DEFAULT_USER:
                         return None
                     return cls.query()\
                         .filter(cls.personal == true()) \
                         .filter(cls.user == user) \
                         .order_by(cls.group_id.asc()) \
                         .first()
                 @classmethod
                 def get_all_repo_groups(cls, user_id=Optional(None), group_id=Optional(None),
                                         case_insensitive=True):
                     q = RepoGroup.query()
                     if not isinstance(user_id, Optional):
                         q = q.filter(RepoGroup.user_id == user_id)
                     if not isinstance(group_id, Optional):
                         q = q.filter(RepoGroup.group_parent_id == group_id)
                     if case_insensitive:
                         q = q.order_by(func.lower(RepoGroup.group_name))
                     else:
                         q = q.order_by(RepoGroup.group_name)
                     return q.all()
                 @property
                 def parents(self):
                     parents_recursion_limit = 10
                     groups = []
                     if self.parent_group is None:
                         return groups
                     cur_gr = self.parent_group
                     groups.insert(0, cur_gr)
                     cnt = 0
                     while 1:
                         cnt += 1
                         gr = getattr(cur_gr, 'parent_group', None)
                         cur_gr = cur_gr.parent_group
                         if gr is None:
                             break
                         if cnt == parents_recursion_limit:
                             # this will prevent accidental infinit loops
                             log.error('more than %s parents found for group %s, stopping '
                                       'recursive parent fetching', parents_recursion_limit, self)
                             break
                         groups.insert(0, gr)
                     return groups
                 @property
                 def last_db_change(self):
                     return self.updated_on
                 @property
                 def children(self):
                     return RepoGroup.query().filter(RepoGroup.parent_group == self)
                 @property
                 def name(self):
                     return self.group_name.split(RepoGroup.url_sep())[-1]
                 @property
                 def full_path(self):
                     return self.group_name
                 @property
                 def full_path_splitted(self):
                     return self.group_name.split(RepoGroup.url_sep())
                 @property
                 def repositories(self):
                     return Repository.query()\
                             .filter(Repository.group == self)\
                             .order_by(Repository.repo_name)
                 @property
                 def repositories_recursive_count(self):
                     cnt = self.repositories.count()
                     def children_count(group):
                         cnt = 0
                         for child in group.children:
                             cnt += child.repositories.count()
                             cnt += children_count(child)
                         return cnt
                     return cnt + children_count(self)
                 def _recursive_objects(self, include_repos=True):
                     all_ = []
                     def _get_members(root_gr):
                         if include_repos:
                             for r in root_gr.repositories:
                                 all_.append(r)
                         childs = root_gr.children.all()
                         if childs:
                             for gr in childs:
                                 all_.append(gr)
                                 _get_members(gr)
                     _get_members(self)
                     return [self] + all_
                 def recursive_groups_and_repos(self):
                     """
                     Recursive return all groups, with repositories in those groups
                     """
                     return self._recursive_objects()
                 def recursive_groups(self):
                     """
                     Returns all children groups for this group including children of children
                     """
                     return self._recursive_objects(include_repos=False)
                 def get_new_name(self, group_name):
                     """
                     returns new full group name based on parent and new name
                     :param group_name:
                     """
                     path_prefix = (self.parent_group.full_path_splitted if
                                    self.parent_group else [])
                     return RepoGroup.url_sep().join(path_prefix + [group_name])
                 def permissions(self, with_admins=True, with_owner=True,
                                 expand_from_user_groups=False):
                     """
                     Permissions for repository groups
                     """
                     _admin_perm = 'group.admin'
                     owner_row = []
                     if with_owner:
                         usr = AttributeDict(self.user.get_dict())
                         usr.owner_row = True
                         usr.permission = _admin_perm
                         owner_row.append(usr)
                     super_admin_ids = []
                     super_admin_rows = []
                     if with_admins:
                         for usr in User.get_all_super_admins():
                             super_admin_ids.append(usr.user_id)
                             # if this admin is also owner, don't double the record
                             if usr.user_id == owner_row[0].user_id:
                                 owner_row[0].admin_row = True
                             else:
                                 usr = AttributeDict(usr.get_dict())
                                 usr.admin_row = True
                                 usr.permission = _admin_perm
                                 super_admin_rows.append(usr)
                     q = UserRepoGroupToPerm.query().filter(UserRepoGroupToPerm.group == self)
                     q = q.options(joinedload(UserRepoGroupToPerm.group),
                                   joinedload(UserRepoGroupToPerm.user),
                                   joinedload(UserRepoGroupToPerm.permission),)
                     # get owners and admins and permissions. We do a trick of re-writing
                     # objects from sqlalchemy to named-tuples due to sqlalchemy session
                     # has a global reference and changing one object propagates to all
                     # others. This means if admin is also an owner admin_row that change
                     # would propagate to both objects
                     perm_rows = []
                     for _usr in q.all():
                         usr = AttributeDict(_usr.user.get_dict())
                         # if this user is also owner/admin, mark as duplicate record
                         if usr.user_id == owner_row[0].user_id or usr.user_id in super_admin_ids:
                             usr.duplicate_perm = True
                         usr.permission = _usr.permission.permission_name
                         perm_rows.append(usr)
                     # filter the perm rows by 'default' first and then sort them by
                     # admin,write,read,none permissions sorted again alphabetically in
                     # each group
                     perm_rows = sorted(perm_rows, key=display_user_sort)
                     user_groups_rows = []
                     if expand_from_user_groups:
                         for ug in self.permission_user_groups(with_members=True):
                             for user_data in ug.members:
                                 user_groups_rows.append(user_data)
                     return super_admin_rows + owner_row + perm_rows + user_groups_rows
                 def permission_user_groups(self, with_members=False):
                     q = UserGroupRepoGroupToPerm.query()\
                         .filter(UserGroupRepoGroupToPerm.group == self)
                     q = q.options(joinedload(UserGroupRepoGroupToPerm.group),
                                   joinedload(UserGroupRepoGroupToPerm.users_group),
                                   joinedload(UserGroupRepoGroupToPerm.permission),)
                     perm_rows = []
                     for _user_group in q.all():
                         entry = AttributeDict(_user_group.users_group.get_dict())
                         entry.permission = _user_group.permission.permission_name
                         if with_members:
                             entry.members = [x.user.get_dict()
                                              for x in _user_group.users_group.members]
                         perm_rows.append(entry)
                     perm_rows = sorted(perm_rows, key=display_user_group_sort)
                     return perm_rows
                 def get_api_data(self):
                     """
                     Common function for generating api data
                     """
                     group = self
                     data = {
                         'group_id': group.group_id,
                         'group_name': group.group_name,
                         'group_description': group.description_safe,
                         'parent_group': group.parent_group.group_name if group.parent_group else None,
                         'repositories': [x.repo_name for x in group.repositories],
                         'owner': group.user.username,
                     }
                     return data
             class Permission(Base, BaseModel):
                 __tablename__ = 'permissions'
                 __table_args__ = (
                     Index('p_perm_name_idx', 'permission_name'),
                     base_table_args,
                 )
                 PERMS = [
                     ('hg.admin', _('RhodeCode Super Administrator')),
                     ('repository.none', _('Repository no access')),
                     ('repository.read', _('Repository read access')),
                     ('repository.write', _('Repository write access')),
                     ('repository.admin', _('Repository admin access')),
                     ('group.none', _('Repository group no access')),
                     ('group.read', _('Repository group read access')),
                     ('group.write', _('Repository group write access')),
                     ('group.admin', _('Repository group admin access')),
                     ('usergroup.none', _('User group no access')),
                     ('usergroup.read', _('User group read access')),
                     ('usergroup.write', _('User group write access')),
                     ('usergroup.admin', _('User group admin access')),
                     ('branch.none', _('Branch no permissions')),
                     ('branch.merge', _('Branch access by web merge')),
                     ('branch.push', _('Branch access by push')),
                     ('branch.push_force', _('Branch access by push with force')),
                     ('hg.repogroup.create.false', _('Repository Group creation disabled')),
                     ('hg.repogroup.create.true', _('Repository Group creation enabled')),
                     ('hg.usergroup.create.false', _('User Group creation disabled')),
                     ('hg.usergroup.create.true', _('User Group creation enabled')),
                     ('hg.create.none', _('Repository creation disabled')),
                     ('hg.create.repository', _('Repository creation enabled')),
                     ('hg.create.write_on_repogroup.true', _('Repository creation enabled with write permission to a repository group')),
                     ('hg.create.write_on_repogroup.false', _('Repository creation disabled with write permission to a repository group')),
                     ('hg.fork.none', _('Repository forking disabled')),
                     ('hg.fork.repository', _('Repository forking enabled')),
                     ('hg.register.none', _('Registration disabled')),
                     ('hg.register.manual_activate', _('User Registration with manual account activation')),
                     ('hg.register.auto_activate', _('User Registration with automatic account activation')),
                     ('hg.password_reset.enabled', _('Password reset enabled')),
                     ('hg.password_reset.hidden', _('Password reset hidden')),
                     ('hg.password_reset.disabled', _('Password reset disabled')),
                     ('hg.extern_activate.manual', _('Manual activation of external account')),
                     ('hg.extern_activate.auto', _('Automatic activation of external account')),
                     ('hg.inherit_default_perms.false', _('Inherit object permissions from default user disabled')),
                     ('hg.inherit_default_perms.true', _('Inherit object permissions from default user enabled')),
                 ]
                 # definition of system default permissions for DEFAULT user, created on
                 # system setup
                 DEFAULT_USER_PERMISSIONS = [
                     # object perms
                     'repository.read',
                     'group.read',
                     'usergroup.read',
                     # branch, for backward compat we need same value as before so forced pushed
                     'branch.push_force',
                     # global
                     'hg.create.repository',
                     'hg.repogroup.create.false',
                     'hg.usergroup.create.false',
                     'hg.create.write_on_repogroup.true',
                     'hg.fork.repository',
                     'hg.register.manual_activate',
                     'hg.password_reset.enabled',
                     'hg.extern_activate.auto',
                     'hg.inherit_default_perms.true',
                 ]
                 # defines which permissions are more important higher the more important
                 # Weight defines which permissions are more important.
                 # The higher number the more important.
                 PERM_WEIGHTS = {
                     'repository.none': 0,
                     'repository.read': 1,
                     'repository.write': 3,
                     'repository.admin': 4,
                     'group.none': 0,
                     'group.read': 1,
                     'group.write': 3,
                     'group.admin': 4,
                     'usergroup.none': 0,
                     'usergroup.read': 1,
                     'usergroup.write': 3,
                     'usergroup.admin': 4,
                     'branch.none': 0,
                     'branch.merge': 1,
                     'branch.push': 3,
                     'branch.push_force': 4,
                     'hg.repogroup.create.false': 0,
                     'hg.repogroup.create.true': 1,
                     'hg.usergroup.create.false': 0,
                     'hg.usergroup.create.true': 1,
                     'hg.fork.none': 0,
                     'hg.fork.repository': 1,
                     'hg.create.none': 0,
                     'hg.create.repository': 1
                 }
                 permission_id = Column("permission_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 permission_name = Column("permission_name", String(255), nullable=True, unique=None, default=None)
                 permission_longname = Column("permission_longname", String(255), nullable=True, unique=None, default=None)
                 def __unicode__(self):
                     return u"<%s('%s:%s')>" % (
                         self.__class__.__name__, self.permission_id, self.permission_name
                     )
                 @classmethod
                 def get_by_key(cls, key):
                     return cls.query().filter(cls.permission_name == key).scalar()
                 @classmethod
                 def get_default_repo_perms(cls, user_id, repo_id=None):
                     q = Session().query(UserRepoToPerm, Repository, Permission)\
                         .join((Permission, UserRepoToPerm.permission_id == Permission.permission_id))\
                         .join((Repository, UserRepoToPerm.repository_id == Repository.repo_id))\
                         .filter(UserRepoToPerm.user_id == user_id)
                     if repo_id:
                         q = q.filter(UserRepoToPerm.repository_id == repo_id)
                     return q.all()
                 @classmethod
                 def get_default_repo_branch_perms(cls, user_id, repo_id=None):
                     q = Session().query(UserToRepoBranchPermission, UserRepoToPerm, Permission) \
                         .join(
                             Permission,
                             UserToRepoBranchPermission.permission_id == Permission.permission_id) \
                         .join(
                             UserRepoToPerm,
                             UserToRepoBranchPermission.rule_to_perm_id == UserRepoToPerm.repo_to_perm_id) \
                         .filter(UserRepoToPerm.user_id == user_id)
                     if repo_id:
                         q = q.filter(UserToRepoBranchPermission.repository_id == repo_id)
                     return q.order_by(UserToRepoBranchPermission.rule_order).all()
                 @classmethod
                 def get_default_repo_perms_from_user_group(cls, user_id, repo_id=None):
                     q = Session().query(UserGroupRepoToPerm, Repository, Permission)\
                         .join(
                             Permission,
                             UserGroupRepoToPerm.permission_id == Permission.permission_id)\
                         .join(
                             Repository,
                             UserGroupRepoToPerm.repository_id == Repository.repo_id)\
                         .join(
                             UserGroup,
                             UserGroupRepoToPerm.users_group_id ==
                             UserGroup.users_group_id)\
                         .join(
                             UserGroupMember,
                             UserGroupRepoToPerm.users_group_id ==
                             UserGroupMember.users_group_id)\
                         .filter(
                             UserGroupMember.user_id == user_id,
                             UserGroup.users_group_active == true())
                     if repo_id:
                         q = q.filter(UserGroupRepoToPerm.repository_id == repo_id)
                     return q.all()
                 @classmethod
                 def get_default_repo_branch_perms_from_user_group(cls, user_id, repo_id=None):
                     q = Session().query(UserGroupToRepoBranchPermission, UserGroupRepoToPerm, Permission) \
                         .join(
                             Permission,
                             UserGroupToRepoBranchPermission.permission_id == Permission.permission_id) \
                         .join(
                             UserGroupRepoToPerm,
                             UserGroupToRepoBranchPermission.rule_to_perm_id == UserGroupRepoToPerm.users_group_to_perm_id) \
                         .join(
                             UserGroup,
                             UserGroupRepoToPerm.users_group_id == UserGroup.users_group_id) \
                         .join(
                             UserGroupMember,
                             UserGroupRepoToPerm.users_group_id == UserGroupMember.users_group_id) \
                         .filter(
                             UserGroupMember.user_id == user_id,
                             UserGroup.users_group_active == true())
                     if repo_id:
                         q = q.filter(UserGroupToRepoBranchPermission.repository_id == repo_id)
                     return q.order_by(UserGroupToRepoBranchPermission.rule_order).all()
                 @classmethod
                 def get_default_group_perms(cls, user_id, repo_group_id=None):
                     q = Session().query(UserRepoGroupToPerm, RepoGroup, Permission)\
                         .join(
                             Permission,
                             UserRepoGroupToPerm.permission_id == Permission.permission_id)\
                         .join(
                             RepoGroup,
                             UserRepoGroupToPerm.group_id == RepoGroup.group_id)\
                         .filter(UserRepoGroupToPerm.user_id == user_id)
                     if repo_group_id:
                         q = q.filter(UserRepoGroupToPerm.group_id == repo_group_id)
                     return q.all()
                 @classmethod
                 def get_default_group_perms_from_user_group(
                         cls, user_id, repo_group_id=None):
                     q = Session().query(UserGroupRepoGroupToPerm, RepoGroup, Permission)\
                         .join(
                             Permission,
                             UserGroupRepoGroupToPerm.permission_id ==
                             Permission.permission_id)\
                         .join(
                             RepoGroup,
                             UserGroupRepoGroupToPerm.group_id == RepoGroup.group_id)\
                         .join(
                             UserGroup,
                             UserGroupRepoGroupToPerm.users_group_id ==
                             UserGroup.users_group_id)\
                         .join(
                             UserGroupMember,
                             UserGroupRepoGroupToPerm.users_group_id ==
                             UserGroupMember.users_group_id)\
                         .filter(
                             UserGroupMember.user_id == user_id,
                             UserGroup.users_group_active == true())
                     if repo_group_id:
                         q = q.filter(UserGroupRepoGroupToPerm.group_id == repo_group_id)
                     return q.all()
                 @classmethod
                 def get_default_user_group_perms(cls, user_id, user_group_id=None):
                     q = Session().query(UserUserGroupToPerm, UserGroup, Permission)\
                         .join((Permission, UserUserGroupToPerm.permission_id == Permission.permission_id))\
                         .join((UserGroup, UserUserGroupToPerm.user_group_id == UserGroup.users_group_id))\
                         .filter(UserUserGroupToPerm.user_id == user_id)
                     if user_group_id:
                         q = q.filter(UserUserGroupToPerm.user_group_id == user_group_id)
                     return q.all()
                 @classmethod
                 def get_default_user_group_perms_from_user_group(
                         cls, user_id, user_group_id=None):
                     TargetUserGroup = aliased(UserGroup, name='target_user_group')
                     q = Session().query(UserGroupUserGroupToPerm, UserGroup, Permission)\
                         .join(
                             Permission,
                             UserGroupUserGroupToPerm.permission_id ==
                             Permission.permission_id)\
                         .join(
                             TargetUserGroup,
                             UserGroupUserGroupToPerm.target_user_group_id ==
                             TargetUserGroup.users_group_id)\
                         .join(
                             UserGroup,
                             UserGroupUserGroupToPerm.user_group_id ==
                             UserGroup.users_group_id)\
                         .join(
                             UserGroupMember,
                             UserGroupUserGroupToPerm.user_group_id ==
                             UserGroupMember.users_group_id)\
                         .filter(
                             UserGroupMember.user_id == user_id,
                             UserGroup.users_group_active == true())
                     if user_group_id:
                         q = q.filter(
                             UserGroupUserGroupToPerm.user_group_id == user_group_id)
                     return q.all()
             class UserRepoToPerm(Base, BaseModel):
                 __tablename__ = 'repo_to_perm'
                 __table_args__ = (
                     UniqueConstraint('user_id', 'repository_id', 'permission_id'),
                     base_table_args
                 )
                 repo_to_perm_id = Column("repo_to_perm_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=None, default=None)
                 permission_id = Column("permission_id", Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)
                 repository_id = Column("repository_id", Integer(), ForeignKey('repositories.repo_id'), nullable=False, unique=None, default=None)
                 user = relationship('User')
                 repository = relationship('Repository')
                 permission = relationship('Permission')
                 branch_perm_entry = relationship('UserToRepoBranchPermission', cascade="all, delete, delete-orphan", lazy='joined')
                 @classmethod
                 def create(cls, user, repository, permission):
                     n = cls()
                     n.user = user
                     n.repository = repository
                     n.permission = permission
                     Session().add(n)
                     return n
                 def __unicode__(self):
                     return u'<%s => %s >' % (self.user, self.repository)
             class UserUserGroupToPerm(Base, BaseModel):
                 __tablename__ = 'user_user_group_to_perm'
                 __table_args__ = (
                     UniqueConstraint('user_id', 'user_group_id', 'permission_id'),
                     base_table_args
                 )
                 user_user_group_to_perm_id = Column("user_user_group_to_perm_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=None, default=None)
                 permission_id = Column("permission_id", Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)
                 user_group_id = Column("user_group_id", Integer(), ForeignKey('users_groups.users_group_id'), nullable=False, unique=None, default=None)
                 user = relationship('User')
                 user_group = relationship('UserGroup')
                 permission = relationship('Permission')
                 @classmethod
                 def create(cls, user, user_group, permission):
                     n = cls()
                     n.user = user
                     n.user_group = user_group
                     n.permission = permission
                     Session().add(n)
                     return n
                 def __unicode__(self):
                     return u'<%s => %s >' % (self.user, self.user_group)
             class UserToPerm(Base, BaseModel):
                 __tablename__ = 'user_to_perm'
                 __table_args__ = (
                     UniqueConstraint('user_id', 'permission_id'),
                     base_table_args
                 )
                 user_to_perm_id = Column("user_to_perm_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=None, default=None)
                 permission_id = Column("permission_id", Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)
                 user = relationship('User')
                 permission = relationship('Permission', lazy='joined')
                 def __unicode__(self):
                     return u'<%s => %s >' % (self.user, self.permission)
             class UserGroupRepoToPerm(Base, BaseModel):
                 __tablename__ = 'users_group_repo_to_perm'
                 __table_args__ = (
                     UniqueConstraint('repository_id', 'users_group_id', 'permission_id'),
                     base_table_args
                 )
                 users_group_to_perm_id = Column("users_group_to_perm_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 users_group_id = Column("users_group_id", Integer(), ForeignKey('users_groups.users_group_id'), nullable=False, unique=None, default=None)
                 permission_id = Column("permission_id", Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)
                 repository_id = Column("repository_id", Integer(), ForeignKey('repositories.repo_id'), nullable=False, unique=None, default=None)
                 users_group = relationship('UserGroup')
                 permission = relationship('Permission')
                 repository = relationship('Repository')
                 user_group_branch_perms = relationship('UserGroupToRepoBranchPermission', cascade='all')
                 @classmethod
                 def create(cls, users_group, repository, permission):
                     n = cls()
                     n.users_group = users_group
                     n.repository = repository
                     n.permission = permission
                     Session().add(n)
                     return n
                 def __unicode__(self):
                     return u'<UserGroupRepoToPerm:%s => %s >' % (self.users_group, self.repository)
             class UserGroupUserGroupToPerm(Base, BaseModel):
                 __tablename__ = 'user_group_user_group_to_perm'
                 __table_args__ = (
                     UniqueConstraint('target_user_group_id', 'user_group_id', 'permission_id'),
                     CheckConstraint('target_user_group_id != user_group_id'),
                     base_table_args
                 )
                 user_group_user_group_to_perm_id = Column("user_group_user_group_to_perm_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 target_user_group_id = Column("target_user_group_id", Integer(), ForeignKey('users_groups.users_group_id'), nullable=False, unique=None, default=None)
                 permission_id = Column("permission_id", Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)
                 user_group_id = Column("user_group_id", Integer(), ForeignKey('users_groups.users_group_id'), nullable=False, unique=None, default=None)
                 target_user_group = relationship('UserGroup', primaryjoin='UserGroupUserGroupToPerm.target_user_group_id==UserGroup.users_group_id')
                 user_group = relationship('UserGroup', primaryjoin='UserGroupUserGroupToPerm.user_group_id==UserGroup.users_group_id')
                 permission = relationship('Permission')
                 @classmethod
                 def create(cls, target_user_group, user_group, permission):
                     n = cls()
                     n.target_user_group = target_user_group
                     n.user_group = user_group
                     n.permission = permission
                     Session().add(n)
                     return n
                 def __unicode__(self):
                     return u'<UserGroupUserGroup:%s => %s >' % (self.target_user_group, self.user_group)
             class UserGroupToPerm(Base, BaseModel):
                 __tablename__ = 'users_group_to_perm'
                 __table_args__ = (
                     UniqueConstraint('users_group_id', 'permission_id',),
                     base_table_args
                 )
                 users_group_to_perm_id = Column("users_group_to_perm_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 users_group_id = Column("users_group_id", Integer(), ForeignKey('users_groups.users_group_id'), nullable=False, unique=None, default=None)
                 permission_id = Column("permission_id", Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)
                 users_group = relationship('UserGroup')
                 permission = relationship('Permission')
             class UserRepoGroupToPerm(Base, BaseModel):
                 __tablename__ = 'user_repo_group_to_perm'
                 __table_args__ = (
                     UniqueConstraint('user_id', 'group_id', 'permission_id'),
                     base_table_args
                 )
                 group_to_perm_id = Column("group_to_perm_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=None, default=None)
                 group_id = Column("group_id", Integer(), ForeignKey('groups.group_id'), nullable=False, unique=None, default=None)
                 permission_id = Column("permission_id", Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)
                 user = relationship('User')
                 group = relationship('RepoGroup')
                 permission = relationship('Permission')
                 @classmethod
                 def create(cls, user, repository_group, permission):
                     n = cls()
                     n.user = user
                     n.group = repository_group
                     n.permission = permission
                     Session().add(n)
                     return n
             class UserGroupRepoGroupToPerm(Base, BaseModel):
                 __tablename__ = 'users_group_repo_group_to_perm'
                 __table_args__ = (
                     UniqueConstraint('users_group_id', 'group_id'),
                     base_table_args
                 )
                 users_group_repo_group_to_perm_id = Column("users_group_repo_group_to_perm_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 users_group_id = Column("users_group_id", Integer(), ForeignKey('users_groups.users_group_id'), nullable=False, unique=None, default=None)
                 group_id = Column("group_id", Integer(), ForeignKey('groups.group_id'), nullable=False, unique=None, default=None)
                 permission_id = Column("permission_id", Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)
                 users_group = relationship('UserGroup')
                 permission = relationship('Permission')
                 group = relationship('RepoGroup')
                 @classmethod
                 def create(cls, user_group, repository_group, permission):
                     n = cls()
                     n.users_group = user_group
                     n.group = repository_group
                     n.permission = permission
                     Session().add(n)
                     return n
                 def __unicode__(self):
                     return u'<UserGroupRepoGroupToPerm:%s => %s >' % (self.users_group, self.group)
             class Statistics(Base, BaseModel):
                 __tablename__ = 'statistics'
                 __table_args__ = (
                      base_table_args
                 )
                 stat_id = Column("stat_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 repository_id = Column("repository_id", Integer(), ForeignKey('repositories.repo_id'), nullable=False, unique=True, default=None)
                 stat_on_revision = Column("stat_on_revision", Integer(), nullable=False)
                 commit_activity = Column("commit_activity", LargeBinary(1000000), nullable=False)#JSON data
                 commit_activity_combined = Column("commit_activity_combined", LargeBinary(), nullable=False)#JSON data
                 languages = Column("languages", LargeBinary(1000000), nullable=False)#JSON data
                 repository = relationship('Repository', single_parent=True)
             class UserFollowing(Base, BaseModel):
                 __tablename__ = 'user_followings'
                 __table_args__ = (
                     UniqueConstraint('user_id', 'follows_repository_id'),
                     UniqueConstraint('user_id', 'follows_user_id'),
                     base_table_args
                 )
                 user_following_id = Column("user_following_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=None, default=None)
                 follows_repo_id = Column("follows_repository_id", Integer(), ForeignKey('repositories.repo_id'), nullable=True, unique=None, default=None)
                 follows_user_id = Column("follows_user_id", Integer(), ForeignKey('users.user_id'), nullable=True, unique=None, default=None)
                 follows_from = Column('follows_from', DateTime(timezone=False), nullable=True, unique=None, default=datetime.datetime.now)
                 user = relationship('User', primaryjoin='User.user_id==UserFollowing.user_id')
                 follows_user = relationship('User', primaryjoin='User.user_id==UserFollowing.follows_user_id')
                 follows_repository = relationship('Repository', order_by='Repository.repo_name')
                 @classmethod
                 def get_repo_followers(cls, repo_id):
                     return cls.query().filter(cls.follows_repo_id == repo_id)
             class CacheKey(Base, BaseModel):
                 __tablename__ = 'cache_invalidation'
                 __table_args__ = (
                     UniqueConstraint('cache_key'),
                     Index('key_idx', 'cache_key'),
                     base_table_args,
                 )
                 CACHE_TYPE_FEED = 'FEED'
                 CACHE_TYPE_README = 'README'
                 # namespaces used to register process/thread aware caches
                 REPO_INVALIDATION_NAMESPACE = 'repo_cache:{repo_id}'
                 SETTINGS_INVALIDATION_NAMESPACE = 'system_settings'
                 cache_id = Column("cache_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 cache_key = Column("cache_key", String(255), nullable=True, unique=None, default=None)
                 cache_args = Column("cache_args", String(255), nullable=True, unique=None, default=None)
                 cache_active = Column("cache_active", Boolean(), nullable=True, unique=None, default=False)
                 def __init__(self, cache_key, cache_args=''):
                     self.cache_key = cache_key
                     self.cache_args = cache_args
                     self.cache_active = False
                 def __unicode__(self):
                     return u"<%s('%s:%s[%s]')>" % (
                         self.__class__.__name__,
                         self.cache_id, self.cache_key, self.cache_active)
                 def _cache_key_partition(self):
                     prefix, repo_name, suffix = self.cache_key.partition(self.cache_args)
                     return prefix, repo_name, suffix
                 def get_prefix(self):
                     """
                     Try to extract prefix from existing cache key. The key could consist
                     of prefix, repo_name, suffix
                     """
                     # this returns prefix, repo_name, suffix
                     return self._cache_key_partition()[0]
                 def get_suffix(self):
                     """
                     get suffix that might have been used in _get_cache_key to
                     generate self.cache_key. Only used for informational purposes
                     in repo_edit.mako.
                     """
                     # prefix, repo_name, suffix
                     return self._cache_key_partition()[2]
                 @classmethod
                 def delete_all_cache(cls):
                     """
                     Delete all cache keys from database.
                     Should only be run when all instances are down and all entries
                     thus stale.
                     """
                     cls.query().delete()
                     Session().commit()
                 @classmethod
                 def set_invalidate(cls, cache_uid, delete=False):
                     """
                     Mark all caches of a repo as invalid in the database.
                     """
                     try:
                         qry = Session().query(cls).filter(cls.cache_args == cache_uid)
                         if delete:
                             qry.delete()
                             log.debug('cache objects deleted for cache args %s',
                                       safe_str(cache_uid))
                         else:
                             qry.update({"cache_active": False})
                             log.debug('cache objects marked as invalid for cache args %s',
                                       safe_str(cache_uid))
                         Session().commit()
                     except Exception:
                         log.exception(
                             'Cache key invalidation failed for cache args %s',
                             safe_str(cache_uid))
                         Session().rollback()
                 @classmethod
                 def get_active_cache(cls, cache_key):
                     inv_obj = cls.query().filter(cls.cache_key == cache_key).scalar()
                     if inv_obj:
                         return inv_obj
                     return None
             class ChangesetComment(Base, BaseModel):
                 __tablename__ = 'changeset_comments'
                 __table_args__ = (
                     Index('cc_revision_idx', 'revision'),
                     base_table_args,
                 )
                 COMMENT_OUTDATED = u'comment_outdated'
                 COMMENT_TYPE_NOTE = u'note'
                 COMMENT_TYPE_TODO = u'todo'
                 COMMENT_TYPES = [COMMENT_TYPE_NOTE, COMMENT_TYPE_TODO]
                 comment_id = Column('comment_id', Integer(), nullable=False, primary_key=True)
                 repo_id = Column('repo_id', Integer(), ForeignKey('repositories.repo_id'), nullable=False)
                 revision = Column('revision', String(40), nullable=True)
                 pull_request_id = Column("pull_request_id", Integer(), ForeignKey('pull_requests.pull_request_id'), nullable=True)
                 pull_request_version_id = Column("pull_request_version_id", Integer(), ForeignKey('pull_request_versions.pull_request_version_id'), nullable=True)
                 line_no = Column('line_no', Unicode(10), nullable=True)
                 hl_lines = Column('hl_lines', Unicode(512), nullable=True)
                 f_path = Column('f_path', Unicode(1000), nullable=True)
                 user_id = Column('user_id', Integer(), ForeignKey('users.user_id'), nullable=False)
                 text = Column('text', UnicodeText().with_variant(UnicodeText(25000), 'mysql'), nullable=False)
                 created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 modified_at = Column('modified_at', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 renderer = Column('renderer', Unicode(64), nullable=True)
                 display_state = Column('display_state',  Unicode(128), nullable=True)
                 comment_type = Column('comment_type',  Unicode(128), nullable=True, default=COMMENT_TYPE_NOTE)
                 resolved_comment_id = Column('resolved_comment_id', Integer(), ForeignKey('changeset_comments.comment_id'), nullable=True)
                 resolved_comment = relationship('ChangesetComment', remote_side=comment_id, back_populates='resolved_by')
                 resolved_by = relationship('ChangesetComment', back_populates='resolved_comment')
                 author = relationship('User', lazy='joined')
                 repo = relationship('Repository')
                 status_change = relationship('ChangesetStatus', cascade="all, delete, delete-orphan", lazy='joined')
                 pull_request = relationship('PullRequest', lazy='joined')
                 pull_request_version = relationship('PullRequestVersion')
                 @classmethod
                 def get_users(cls, revision=None, pull_request_id=None):
                     """
                     Returns user associated with this ChangesetComment. ie those
                     who actually commented
                     :param cls:
                     :param revision:
                     """
                     q = Session().query(User)\
                             .join(ChangesetComment.author)
                     if revision:
                         q = q.filter(cls.revision == revision)
                     elif pull_request_id:
                         q = q.filter(cls.pull_request_id == pull_request_id)
                     return q.all()
                 @classmethod
                 def get_index_from_version(cls, pr_version, versions):
                     num_versions = [x.pull_request_version_id for x in versions]
                     try:
                         return num_versions.index(pr_version) +1
                     except (IndexError, ValueError):
                         return
                 @property
                 def outdated(self):
                     return self.display_state == self.COMMENT_OUTDATED
                 def outdated_at_version(self, version):
                     """
                     Checks if comment is outdated for given pull request version
                     """
                     return self.outdated and self.pull_request_version_id != version
                 def older_than_version(self, version):
                     """
                     Checks if comment is made from previous version than given
                     """
                     if version is None:
                         return self.pull_request_version_id is not None
                     return self.pull_request_version_id < version
                 @property
                 def resolved(self):
                     return self.resolved_by[0] if self.resolved_by else None
                 @property
                 def is_todo(self):
                     return self.comment_type == self.COMMENT_TYPE_TODO
                 @property
                 def is_inline(self):
                     return self.line_no and self.f_path
                 def get_index_version(self, versions):
                     return self.get_index_from_version(
                         self.pull_request_version_id, versions)
                 def __repr__(self):
                     if self.comment_id:
                         return '<DB:Comment #%s>' % self.comment_id
                     else:
                         return '<DB:Comment at %#x>' % id(self)
                 def get_api_data(self):
                     comment = self
                     data = {
                         'comment_id': comment.comment_id,
                         'comment_type': comment.comment_type,
                         'comment_text': comment.text,
                         'comment_status': comment.status_change,
                         'comment_f_path': comment.f_path,
                         'comment_lineno': comment.line_no,
                         'comment_author': comment.author,
                         'comment_created_on': comment.created_on,
                         'comment_resolved_by': self.resolved
                     }
                     return data
                 def __json__(self):
                     data = dict()
                     data.update(self.get_api_data())
                     return data
             class ChangesetStatus(Base, BaseModel):
                 __tablename__ = 'changeset_statuses'
                 __table_args__ = (
                     Index('cs_revision_idx', 'revision'),
                     Index('cs_version_idx', 'version'),
                     UniqueConstraint('repo_id', 'revision', 'version'),
                     base_table_args
                 )
                 STATUS_NOT_REVIEWED = DEFAULT = 'not_reviewed'
                 STATUS_APPROVED = 'approved'
                 STATUS_REJECTED = 'rejected'
                 STATUS_UNDER_REVIEW = 'under_review'
                 STATUSES = [
                     (STATUS_NOT_REVIEWED, _("Not Reviewed")),  # (no icon) and default
                     (STATUS_APPROVED, _("Approved")),
                     (STATUS_REJECTED, _("Rejected")),
                     (STATUS_UNDER_REVIEW, _("Under Review")),
                 ]
                 changeset_status_id = Column('changeset_status_id', Integer(), nullable=False, primary_key=True)
                 repo_id = Column('repo_id', Integer(), ForeignKey('repositories.repo_id'), nullable=False)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=None)
                 revision = Column('revision', String(40), nullable=False)
                 status = Column('status', String(128), nullable=False, default=DEFAULT)
                 changeset_comment_id = Column('changeset_comment_id', Integer(), ForeignKey('changeset_comments.comment_id'))
                 modified_at = Column('modified_at', DateTime(), nullable=False, default=datetime.datetime.now)
                 version = Column('version', Integer(), nullable=False, default=0)
                 pull_request_id = Column("pull_request_id", Integer(), ForeignKey('pull_requests.pull_request_id'), nullable=True)
                 author = relationship('User', lazy='joined')
                 repo = relationship('Repository')
                 comment = relationship('ChangesetComment', lazy='joined')
                 pull_request = relationship('PullRequest', lazy='joined')
                 def __unicode__(self):
                     return u"<%s('%s[v%s]:%s')>" % (
                         self.__class__.__name__,
                         self.status, self.version, self.author
                     )
                 @classmethod
                 def get_status_lbl(cls, value):
                     return dict(cls.STATUSES).get(value)
                 @property
                 def status_lbl(self):
                     return ChangesetStatus.get_status_lbl(self.status)
                 def get_api_data(self):
                     status = self
                     data = {
                         'status_id': status.changeset_status_id,
                         'status': status.status,
                     }
                     return data
                 def __json__(self):
                     data = dict()
                     data.update(self.get_api_data())
                     return data
             class _SetState(object):
                 """
                 Context processor allowing changing state for sensitive operation such as
                 pull request update or merge
                 """
                 def __init__(self, pull_request, pr_state, back_state=None):
                     self._pr = pull_request
                     self._org_state = back_state or pull_request.pull_request_state
                     self._pr_state = pr_state
                 def __enter__(self):
                     log.debug('StateLock: entering set state context, setting state to: `%s`',
                               self._pr_state)
                     self._pr.pull_request_state = self._pr_state
                     Session().add(self._pr)
                     Session().commit()
                 def __exit__(self, exc_type, exc_val, exc_tb):
                     log.debug('StateLock: exiting set state context, setting state to: `%s`',
                               self._org_state)
                     self._pr.pull_request_state = self._org_state
                     Session().add(self._pr)
                     Session().commit()
             class _PullRequestBase(BaseModel):
                 """
                 Common attributes of pull request and version entries.
                 """
                 # .status values
                 STATUS_NEW = u'new'
                 STATUS_OPEN = u'open'
                 STATUS_CLOSED = u'closed'
                 # available states
                 STATE_CREATING = u'creating'
                 STATE_UPDATING = u'updating'
                 STATE_MERGING = u'merging'
                 STATE_CREATED = u'created'
                 title = Column('title', Unicode(255), nullable=True)
                 description = Column(
                     'description', UnicodeText().with_variant(UnicodeText(10240), 'mysql'),
                     nullable=True)
                 description_renderer = Column('description_renderer', Unicode(64), nullable=True)
                 # new/open/closed status of pull request (not approve/reject/etc)
                 status = Column('status', Unicode(255), nullable=False, default=STATUS_NEW)
                 created_on = Column(
                     'created_on', DateTime(timezone=False), nullable=False,
                     default=datetime.datetime.now)
                 updated_on = Column(
                     'updated_on', DateTime(timezone=False), nullable=False,
                     default=datetime.datetime.now)
                 pull_request_state = Column("pull_request_state", String(255), nullable=True)
                 @declared_attr
                 def user_id(cls):
                     return Column(
                         "user_id", Integer(), ForeignKey('users.user_id'), nullable=False,
                         unique=None)
                 # 500 revisions max
                 _revisions = Column(
                     'revisions', UnicodeText().with_variant(UnicodeText(20500), 'mysql'))
                 @declared_attr
                 def source_repo_id(cls):
                     # TODO: dan: rename column to source_repo_id
                     return Column(
                         'org_repo_id', Integer(), ForeignKey('repositories.repo_id'),
                         nullable=False)
                 _source_ref = Column('org_ref', Unicode(255), nullable=False)
                 @hybrid_property
                 def source_ref(self):
                     return self._source_ref
                 @source_ref.setter
                 def source_ref(self, val):
                     parts = (val or '').split(':')
                     if len(parts) != 3:
                         raise ValueError(
                             'Invalid reference format given: {}, expected X:Y:Z'.format(val))
                     self._source_ref = safe_unicode(val)
                 _target_ref = Column('other_ref', Unicode(255), nullable=False)
                 @hybrid_property
                 def target_ref(self):
                     return self._target_ref
                 @target_ref.setter
                 def target_ref(self, val):
                     parts = (val or '').split(':')
                     if len(parts) != 3:
                         raise ValueError(
                             'Invalid reference format given: {}, expected X:Y:Z'.format(val))
                     self._target_ref = safe_unicode(val)
                 @declared_attr
                 def target_repo_id(cls):
                     # TODO: dan: rename column to target_repo_id
                     return Column(
                         'other_repo_id', Integer(), ForeignKey('repositories.repo_id'),
                         nullable=False)
                 _shadow_merge_ref = Column('shadow_merge_ref', Unicode(255), nullable=True)
                 # TODO: dan: rename column to last_merge_source_rev
                 _last_merge_source_rev = Column(
                     'last_merge_org_rev', String(40), nullable=True)
                 # TODO: dan: rename column to last_merge_target_rev
                 _last_merge_target_rev = Column(
                     'last_merge_other_rev', String(40), nullable=True)
                 _last_merge_status = Column('merge_status', Integer(), nullable=True)
                 merge_rev = Column('merge_rev', String(40), nullable=True)
                 reviewer_data = Column(
                     'reviewer_data_json', MutationObj.as_mutable(
                         JsonType(dialect_map=dict(mysql=UnicodeText(16384)))))
                 @property
                 def reviewer_data_json(self):
                     return json.dumps(self.reviewer_data)
                 @hybrid_property
                 def description_safe(self):
                     from rhodecode.lib import helpers as h
                     return h.escape(self.description)
                 @hybrid_property
                 def revisions(self):
                     return self._revisions.split(':') if self._revisions else []
                 @revisions.setter
                 def revisions(self, val):
                     self._revisions = ':'.join(val)
                 @hybrid_property
                 def last_merge_status(self):
                     return safe_int(self._last_merge_status)
                 @last_merge_status.setter
                 def last_merge_status(self, val):
                     self._last_merge_status = val
                 @declared_attr
                 def author(cls):
                     return relationship('User', lazy='joined')
                 @declared_attr
                 def source_repo(cls):
                     return relationship(
                         'Repository',
                         primaryjoin='%s.source_repo_id==Repository.repo_id' % cls.__name__)
                 @property
                 def source_ref_parts(self):
                     return self.unicode_to_reference(self.source_ref)
                 @declared_attr
                 def target_repo(cls):
                     return relationship(
                         'Repository',
                         primaryjoin='%s.target_repo_id==Repository.repo_id' % cls.__name__)
                 @property
                 def target_ref_parts(self):
                     return self.unicode_to_reference(self.target_ref)
                 @property
                 def shadow_merge_ref(self):
                     return self.unicode_to_reference(self._shadow_merge_ref)
                 @shadow_merge_ref.setter
                 def shadow_merge_ref(self, ref):
                     self._shadow_merge_ref = self.reference_to_unicode(ref)
                 @staticmethod
                 def unicode_to_reference(raw):
                     """
                     Convert a unicode (or string) to a reference object.
                     If unicode evaluates to False it returns None.
                     """
                     if raw:
                         refs = raw.split(':')
                         return Reference(*refs)
                     else:
                         return None
                 @staticmethod
                 def reference_to_unicode(ref):
                     """
                     Convert a reference object to unicode.
                     If reference is None it returns None.
                     """
                     if ref:
                         return u':'.join(ref)
                     else:
                         return None
                 def get_api_data(self, with_merge_state=True):
                     from rhodecode.model.pull_request import PullRequestModel
                     pull_request = self
                     if with_merge_state:
                         merge_status = PullRequestModel().merge_status(pull_request)
                         merge_state = {
                             'status': merge_status[0],
                             'message': safe_unicode(merge_status[1]),
                         }
                     else:
                         merge_state = {'status': 'not_available',
                                        'message': 'not_available'}
                     merge_data = {
                         'clone_url': PullRequestModel().get_shadow_clone_url(pull_request),
                         'reference': (
                             pull_request.shadow_merge_ref._asdict()
                             if pull_request.shadow_merge_ref else None),
                     }
                     data = {
                         'pull_request_id': pull_request.pull_request_id,
                         'url': PullRequestModel().get_url(pull_request),
                         'title': pull_request.title,
                         'description': pull_request.description,
                         'status': pull_request.status,
                         'state': pull_request.pull_request_state,
                         'created_on': pull_request.created_on,
                         'updated_on': pull_request.updated_on,
                         'commit_ids': pull_request.revisions,
                         'review_status': pull_request.calculated_review_status(),
                         'mergeable': merge_state,
                         'source': {
                             'clone_url': pull_request.source_repo.clone_url(),
                             'repository': pull_request.source_repo.repo_name,
                             'reference': {
                                 'name': pull_request.source_ref_parts.name,
                                 'type': pull_request.source_ref_parts.type,
                                 'commit_id': pull_request.source_ref_parts.commit_id,
                             },
                         },
                         'target': {
                             'clone_url': pull_request.target_repo.clone_url(),
                             'repository': pull_request.target_repo.repo_name,
                             'reference': {
                                 'name': pull_request.target_ref_parts.name,
                                 'type': pull_request.target_ref_parts.type,
                                 'commit_id': pull_request.target_ref_parts.commit_id,
                             },
                         },
                         'merge': merge_data,
                         'author': pull_request.author.get_api_data(include_secrets=False,
                                                                    details='basic'),
                         'reviewers': [
                             {
                                 'user': reviewer.get_api_data(include_secrets=False,
                                                               details='basic'),
                                 'reasons': reasons,
                                 'review_status': st[0][1].status if st else 'not_reviewed',
                             }
                             for obj, reviewer, reasons, mandatory, st in
                             pull_request.reviewers_statuses()
                         ]
                     }
                     return data
                 def set_state(self, pull_request_state, final_state=None):
                     """
                     # goes from initial state to updating to initial state.
                     # initial state can be changed by specifying back_state=
                     with pull_request_obj.set_state(PullRequest.STATE_UPDATING):
                        pull_request.merge()
                     :param pull_request_state:
                     :param final_state:
                     """
                     return _SetState(self, pull_request_state, back_state=final_state)
             class PullRequest(Base, _PullRequestBase):
                 __tablename__ = 'pull_requests'
                 __table_args__ = (
                     base_table_args,
                 )
                 pull_request_id = Column(
                     'pull_request_id', Integer(), nullable=False, primary_key=True)
                 def __repr__(self):
                     if self.pull_request_id:
                         return '<DB:PullRequest #%s>' % self.pull_request_id
                     else:
                         return '<DB:PullRequest at %#x>' % id(self)
                 reviewers = relationship('PullRequestReviewers',
                                          cascade="all, delete, delete-orphan")
                 statuses = relationship('ChangesetStatus',
                                         cascade="all, delete, delete-orphan")
                 comments = relationship('ChangesetComment',
                                         cascade="all, delete, delete-orphan")
                 versions = relationship('PullRequestVersion',
                                         cascade="all, delete, delete-orphan",
                                         lazy='dynamic')
                 @classmethod
                 def get_pr_display_object(cls, pull_request_obj, org_pull_request_obj,
                                           internal_methods=None):
                     class PullRequestDisplay(object):
                         """
                         Special object wrapper for showing PullRequest data via Versions
                         It mimics PR object as close as possible. This is read only object
                         just for display
                         """
                         def __init__(self, attrs, internal=None):
                             self.attrs = attrs
                             # internal have priority over the given ones via attrs
                             self.internal = internal or ['versions']
                         def __getattr__(self, item):
                             if item in self.internal:
                                 return getattr(self, item)
                             try:
                                 return self.attrs[item]
                             except KeyError:
                                 raise AttributeError(
                                     '%s object has no attribute %s' % (self, item))
                         def __repr__(self):
                             return '<DB:PullRequestDisplay #%s>' % self.attrs.get('pull_request_id')
                         def versions(self):
                             return pull_request_obj.versions.order_by(
                                 PullRequestVersion.pull_request_version_id).all()
                         def is_closed(self):
                             return pull_request_obj.is_closed()
                         @property
                         def pull_request_version_id(self):
                             return getattr(pull_request_obj, 'pull_request_version_id', None)
                     attrs = StrictAttributeDict(pull_request_obj.get_api_data())
                     attrs.author = StrictAttributeDict(
                         pull_request_obj.author.get_api_data())
                     if pull_request_obj.target_repo:
                         attrs.target_repo = StrictAttributeDict(
                             pull_request_obj.target_repo.get_api_data())
                         attrs.target_repo.clone_url = pull_request_obj.target_repo.clone_url
                     if pull_request_obj.source_repo:
                         attrs.source_repo = StrictAttributeDict(
                             pull_request_obj.source_repo.get_api_data())
                         attrs.source_repo.clone_url = pull_request_obj.source_repo.clone_url
                     attrs.source_ref_parts = pull_request_obj.source_ref_parts
                     attrs.target_ref_parts = pull_request_obj.target_ref_parts
                     attrs.revisions = pull_request_obj.revisions
                     attrs.shadow_merge_ref = org_pull_request_obj.shadow_merge_ref
                     attrs.reviewer_data = org_pull_request_obj.reviewer_data
                     attrs.reviewer_data_json = org_pull_request_obj.reviewer_data_json
                     return PullRequestDisplay(attrs, internal=internal_methods)
                 def is_closed(self):
                     return self.status == self.STATUS_CLOSED
                 def __json__(self):
                     return {
                         'revisions': self.revisions,
                     }
                 def calculated_review_status(self):
                     from rhodecode.model.changeset_status import ChangesetStatusModel
                     return ChangesetStatusModel().calculated_review_status(self)
                 def reviewers_statuses(self):
                     from rhodecode.model.changeset_status import ChangesetStatusModel
                     return ChangesetStatusModel().reviewers_statuses(self)
                 @property
                 def workspace_id(self):
                     from rhodecode.model.pull_request import PullRequestModel
                     return PullRequestModel()._workspace_id(self)
                 def get_shadow_repo(self):
                     workspace_id = self.workspace_id
                     vcs_obj = self.target_repo.scm_instance()
                     shadow_repository_path = vcs_obj._get_shadow_repository_path(
                         self.target_repo.repo_id, workspace_id)
                     if os.path.isdir(shadow_repository_path):
                         return vcs_obj.get_shadow_instance(shadow_repository_path)
             class PullRequestVersion(Base, _PullRequestBase):
                 __tablename__ = 'pull_request_versions'
                 __table_args__ = (
                     base_table_args,
                 )
                 pull_request_version_id = Column(
                     'pull_request_version_id', Integer(), nullable=False, primary_key=True)
                 pull_request_id = Column(
                     'pull_request_id', Integer(),
                     ForeignKey('pull_requests.pull_request_id'), nullable=False)
                 pull_request = relationship('PullRequest')
                 def __repr__(self):
                     if self.pull_request_version_id:
                         return '<DB:PullRequestVersion #%s>' % self.pull_request_version_id
                     else:
                         return '<DB:PullRequestVersion at %#x>' % id(self)
                 @property
                 def reviewers(self):
                     return self.pull_request.reviewers
                 @property
                 def versions(self):
                     return self.pull_request.versions
                 def is_closed(self):
                     # calculate from original
                     return self.pull_request.status == self.STATUS_CLOSED
                 def calculated_review_status(self):
                     return self.pull_request.calculated_review_status()
                 def reviewers_statuses(self):
                     return self.pull_request.reviewers_statuses()
             class PullRequestReviewers(Base, BaseModel):
                 __tablename__ = 'pull_request_reviewers'
                 __table_args__ = (
                     base_table_args,
                 )
                 @hybrid_property
                 def reasons(self):
                     if not self._reasons:
                         return []
                     return self._reasons
                 @reasons.setter
                 def reasons(self, val):
                     val = val or []
                     if any(not isinstance(x, compat.string_types) for x in val):
                         raise Exception('invalid reasons type, must be list of strings')
                     self._reasons = val
                 pull_requests_reviewers_id = Column(
                     'pull_requests_reviewers_id', Integer(), nullable=False,
                     primary_key=True)
                 pull_request_id = Column(
                     "pull_request_id", Integer(),
                     ForeignKey('pull_requests.pull_request_id'), nullable=False)
                 user_id = Column(
                     "user_id", Integer(), ForeignKey('users.user_id'), nullable=True)
                 _reasons = Column(
                     'reason', MutationList.as_mutable(
                         JsonType('list', dialect_map=dict(mysql=UnicodeText(16384)))))
                 mandatory = Column("mandatory", Boolean(), nullable=False, default=False)
                 user = relationship('User')
                 pull_request = relationship('PullRequest')
                 rule_data = Column(
                     'rule_data_json',
                     JsonType(dialect_map=dict(mysql=UnicodeText(16384))))
                 def rule_user_group_data(self):
                     """
                     Returns the voting user group rule data for this reviewer
                     """
                     if self.rule_data and 'vote_rule' in self.rule_data:
                         user_group_data = {}
                         if 'rule_user_group_entry_id' in self.rule_data:
                             # means a group with voting rules !
                             user_group_data['id'] = self.rule_data['rule_user_group_entry_id']
                             user_group_data['name'] = self.rule_data['rule_name']
                             user_group_data['vote_rule'] = self.rule_data['vote_rule']
                         return user_group_data
                 def __unicode__(self):
                     return u"<%s('id:%s')>" % (self.__class__.__name__,
                                                self.pull_requests_reviewers_id)
             class Notification(Base, BaseModel):
                 __tablename__ = 'notifications'
                 __table_args__ = (
                     Index('notification_type_idx', 'type'),
                     base_table_args,
                 )
                 TYPE_CHANGESET_COMMENT = u'cs_comment'
                 TYPE_MESSAGE = u'message'
                 TYPE_MENTION = u'mention'
                 TYPE_REGISTRATION = u'registration'
                 TYPE_PULL_REQUEST = u'pull_request'
                 TYPE_PULL_REQUEST_COMMENT = u'pull_request_comment'
                 notification_id = Column('notification_id', Integer(), nullable=False, primary_key=True)
                 subject = Column('subject', Unicode(512), nullable=True)
                 body = Column('body', UnicodeText().with_variant(UnicodeText(50000), 'mysql'), nullable=True)
                 created_by = Column("created_by", Integer(), ForeignKey('users.user_id'), nullable=True)
                 created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 type_ = Column('type', Unicode(255))
                 created_by_user = relationship('User')
                 notifications_to_users = relationship('UserNotification', lazy='joined',
                                                       cascade="all, delete, delete-orphan")
                 @property
                 def recipients(self):
                     return [x.user for x in UserNotification.query()\
                             .filter(UserNotification.notification == self)\
                             .order_by(UserNotification.user_id.asc()).all()]
                 @classmethod
                 def create(cls, created_by, subject, body, recipients, type_=None):
                     if type_ is None:
                         type_ = Notification.TYPE_MESSAGE
                     notification = cls()
                     notification.created_by_user = created_by
                     notification.subject = subject
                     notification.body = body
                     notification.type_ = type_
                     notification.created_on = datetime.datetime.now()
                     # For each recipient link the created notification to his account
                     for u in recipients:
                         assoc = UserNotification()
                         assoc.user_id = u.user_id
                         assoc.notification = notification
                         # if created_by is inside recipients mark his notification
                         # as read
                         if u.user_id == created_by.user_id:
                             assoc.read = True
                         Session().add(assoc)
                     Session().add(notification)
                     return notification
             class UserNotification(Base, BaseModel):
                 __tablename__ = 'user_to_notification'
                 __table_args__ = (
                     UniqueConstraint('user_id', 'notification_id'),
                     base_table_args
                 )
                 user_id = Column('user_id', Integer(), ForeignKey('users.user_id'), primary_key=True)
                 notification_id = Column("notification_id", Integer(), ForeignKey('notifications.notification_id'), primary_key=True)
                 read = Column('read', Boolean, default=False)
                 sent_on = Column('sent_on', DateTime(timezone=False), nullable=True, unique=None)
                 user = relationship('User', lazy="joined")
                 notification = relationship('Notification', lazy="joined",
                                             order_by=lambda: Notification.created_on.desc(),)
                 def mark_as_read(self):
                     self.read = True
                     Session().add(self)
             class Gist(Base, BaseModel):
                 __tablename__ = 'gists'
                 __table_args__ = (
                     Index('g_gist_access_id_idx', 'gist_access_id'),
                     Index('g_created_on_idx', 'created_on'),
                     base_table_args
                 )
                 GIST_PUBLIC = u'public'
                 GIST_PRIVATE = u'private'
                 DEFAULT_FILENAME = u'gistfile1.txt'
                 ACL_LEVEL_PUBLIC = u'acl_public'
                 ACL_LEVEL_PRIVATE = u'acl_private'
                 gist_id = Column('gist_id', Integer(), primary_key=True)
                 gist_access_id = Column('gist_access_id', Unicode(250))
                 gist_description = Column('gist_description', UnicodeText().with_variant(UnicodeText(1024), 'mysql'))
                 gist_owner = Column('user_id', Integer(), ForeignKey('users.user_id'), nullable=True)
                 gist_expires = Column('gist_expires', Float(53), nullable=False)
                 gist_type = Column('gist_type', Unicode(128), nullable=False)
                 created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 modified_at = Column('modified_at', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 acl_level = Column('acl_level', Unicode(128), nullable=True)
                 owner = relationship('User')
                 def __repr__(self):
                     return '<Gist:[%s]%s>' % (self.gist_type, self.gist_access_id)
                 @hybrid_property
                 def description_safe(self):
                     from rhodecode.lib import helpers as h
                     return h.escape(self.gist_description)
                 @classmethod
                 def get_or_404(cls, id_):
                     from pyramid.httpexceptions import HTTPNotFound
                     res = cls.query().filter(cls.gist_access_id == id_).scalar()
                     if not res:
                         raise HTTPNotFound()
                     return res
                 @classmethod
                 def get_by_access_id(cls, gist_access_id):
                     return cls.query().filter(cls.gist_access_id == gist_access_id).scalar()
                 def gist_url(self):
                     from rhodecode.model.gist import GistModel
                     return GistModel().get_url(self)
                 @classmethod
                 def base_path(cls):
                     """
                     Returns base path when all gists are stored
                     :param cls:
                     """
                     from rhodecode.model.gist import GIST_STORE_LOC
                     q = Session().query(RhodeCodeUi)\
                         .filter(RhodeCodeUi.ui_key == URL_SEP)
                     q = q.options(FromCache("sql_cache_short", "repository_repo_path"))
                     return os.path.join(q.one().ui_value, GIST_STORE_LOC)
                 def get_api_data(self):
                     """
                     Common function for generating gist related data for API
                     """
                     gist = self
                     data = {
                         'gist_id': gist.gist_id,
                         'type': gist.gist_type,
                         'access_id': gist.gist_access_id,
                         'description': gist.gist_description,
                         'url': gist.gist_url(),
                         'expires': gist.gist_expires,
                         'created_on': gist.created_on,
                         'modified_at': gist.modified_at,
                         'content': None,
                         'acl_level': gist.acl_level,
                     }
                     return data
                 def __json__(self):
                     data = dict(
                     )
                     data.update(self.get_api_data())
                     return data
                 # SCM functions
                 def scm_instance(self, **kwargs):
                     full_repo_path = os.path.join(self.base_path(), self.gist_access_id)
                     return get_vcs_instance(
                         repo_path=safe_str(full_repo_path), create=False)
             class ExternalIdentity(Base, BaseModel):
                 __tablename__ = 'external_identities'
                 __table_args__ = (
                     Index('local_user_id_idx', 'local_user_id'),
                     Index('external_id_idx', 'external_id'),
                     base_table_args
                 )
                 external_id = Column('external_id', Unicode(255), default=u'', primary_key=True)
                 external_username = Column('external_username', Unicode(1024), default=u'')
                 local_user_id = Column('local_user_id', Integer(), ForeignKey('users.user_id'), primary_key=True)
                 provider_name = Column('provider_name', Unicode(255), default=u'', primary_key=True)
                 access_token = Column('access_token', String(1024), default=u'')
                 alt_token = Column('alt_token', String(1024), default=u'')
                 token_secret = Column('token_secret', String(1024), default=u'')
                 @classmethod
                 def by_external_id_and_provider(cls, external_id, provider_name, local_user_id=None):
                     """
                     Returns ExternalIdentity instance based on search params
                     :param external_id:
                     :param provider_name:
                     :return: ExternalIdentity
                     """
                     query = cls.query()
                     query = query.filter(cls.external_id == external_id)
                     query = query.filter(cls.provider_name == provider_name)
                     if local_user_id:
                         query = query.filter(cls.local_user_id == local_user_id)
                     return query.first()
                 @classmethod
                 def user_by_external_id_and_provider(cls, external_id, provider_name):
                     """
                     Returns User instance based on search params
                     :param external_id:
                     :param provider_name:
                     :return: User
                     """
                     query = User.query()
                     query = query.filter(cls.external_id == external_id)
                     query = query.filter(cls.provider_name == provider_name)
                     query = query.filter(User.user_id == cls.local_user_id)
                     return query.first()
                 @classmethod
                 def by_local_user_id(cls, local_user_id):
                     """
                     Returns all tokens for user
                     :param local_user_id:
                     :return: ExternalIdentity
                     """
                     query = cls.query()
                     query = query.filter(cls.local_user_id == local_user_id)
                     return query
                 @classmethod
                 def load_provider_plugin(cls, plugin_id):
                     from rhodecode.authentication.base import loadplugin
                     _plugin_id = 'egg:rhodecode-enterprise-ee#{}'.format(plugin_id)
                     auth_plugin = loadplugin(_plugin_id)
                     return auth_plugin
             class Integration(Base, BaseModel):
                 __tablename__ = 'integrations'
                 __table_args__ = (
                     base_table_args
                 )
                 integration_id = Column('integration_id', Integer(), primary_key=True)
                 integration_type = Column('integration_type', String(255))
                 enabled = Column('enabled', Boolean(), nullable=False)
                 name = Column('name', String(255), nullable=False)
                 child_repos_only = Column('child_repos_only', Boolean(), nullable=False,
                     default=False)
                 settings = Column(
                     'settings_json', MutationObj.as_mutable(
                         JsonType(dialect_map=dict(mysql=UnicodeText(16384)))))
                 repo_id = Column(
                     'repo_id', Integer(), ForeignKey('repositories.repo_id'),
                     nullable=True, unique=None, default=None)
                 repo = relationship('Repository', lazy='joined')
                 repo_group_id = Column(
                     'repo_group_id', Integer(), ForeignKey('groups.group_id'),
                     nullable=True, unique=None, default=None)
                 repo_group = relationship('RepoGroup', lazy='joined')
                 @property
                 def scope(self):
                     if self.repo:
                         return repr(self.repo)
                     if self.repo_group:
                         if self.child_repos_only:
                             return repr(self.repo_group) + ' (child repos only)'
                         else:
                             return repr(self.repo_group) + ' (recursive)'
                     if self.child_repos_only:
                         return 'root_repos'
                     return 'global'
                 def __repr__(self):
                     return '<Integration(%r, %r)>' % (self.integration_type, self.scope)
             class RepoReviewRuleUser(Base, BaseModel):
                 __tablename__ = 'repo_review_rules_users'
                 __table_args__ = (
                     base_table_args
                 )
                 repo_review_rule_user_id = Column('repo_review_rule_user_id', Integer(), primary_key=True)
                 repo_review_rule_id = Column("repo_review_rule_id", Integer(), ForeignKey('repo_review_rules.repo_review_rule_id'))
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False)
                 mandatory = Column("mandatory", Boolean(), nullable=False, default=False)
                 user = relationship('User')
                 def rule_data(self):
                     return {
                         'mandatory': self.mandatory
                     }
             class RepoReviewRuleUserGroup(Base, BaseModel):
                 __tablename__ = 'repo_review_rules_users_groups'
                 __table_args__ = (
                     base_table_args
                 )
                 VOTE_RULE_ALL = -1
                 repo_review_rule_users_group_id = Column('repo_review_rule_users_group_id', Integer(), primary_key=True)
                 repo_review_rule_id = Column("repo_review_rule_id", Integer(), ForeignKey('repo_review_rules.repo_review_rule_id'))
                 users_group_id = Column("users_group_id", Integer(),ForeignKey('users_groups.users_group_id'), nullable=False)
                 mandatory = Column("mandatory", Boolean(), nullable=False, default=False)
                 vote_rule = Column("vote_rule", Integer(), nullable=True, default=VOTE_RULE_ALL)
                 users_group = relationship('UserGroup')
                 def rule_data(self):
                     return {
                         'mandatory': self.mandatory,
                         'vote_rule': self.vote_rule
                     }
                 @property
                 def vote_rule_label(self):
                     if not self.vote_rule or self.vote_rule == self.VOTE_RULE_ALL:
                         return 'all must vote'
                     else:
                         return 'min. vote {}'.format(self.vote_rule)
             class RepoReviewRule(Base, BaseModel):
                 __tablename__ = 'repo_review_rules'
                 __table_args__ = (
                     base_table_args
                 )
                 repo_review_rule_id = Column(
                     'repo_review_rule_id', Integer(), primary_key=True)
                 repo_id = Column(
                     "repo_id", Integer(), ForeignKey('repositories.repo_id'))
                 repo = relationship('Repository', backref='review_rules')
                 review_rule_name = Column('review_rule_name', String(255))
                 _branch_pattern = Column("branch_pattern", UnicodeText().with_variant(UnicodeText(255), 'mysql'), default=u'*')  # glob
                 _target_branch_pattern = Column("target_branch_pattern", UnicodeText().with_variant(UnicodeText(255), 'mysql'), default=u'*')  # glob
                 _file_pattern = Column("file_pattern", UnicodeText().with_variant(UnicodeText(255), 'mysql'), default=u'*')  # glob
                 use_authors_for_review = Column("use_authors_for_review", Boolean(), nullable=False, default=False)
                 forbid_author_to_review = Column("forbid_author_to_review", Boolean(), nullable=False, default=False)
                 forbid_commit_author_to_review = Column("forbid_commit_author_to_review", Boolean(), nullable=False, default=False)
                 forbid_adding_reviewers = Column("forbid_adding_reviewers", Boolean(), nullable=False, default=False)
                 rule_users = relationship('RepoReviewRuleUser')
                 rule_user_groups = relationship('RepoReviewRuleUserGroup')
                 def _validate_pattern(self, value):
                     re.compile('^' + glob2re(value) + '$')
                 @hybrid_property
                 def source_branch_pattern(self):
                     return self._branch_pattern or '*'
                 @source_branch_pattern.setter
                 def source_branch_pattern(self, value):
                     self._validate_pattern(value)
                     self._branch_pattern = value or '*'
                 @hybrid_property
                 def target_branch_pattern(self):
                     return self._target_branch_pattern or '*'
                 @target_branch_pattern.setter
                 def target_branch_pattern(self, value):
                     self._validate_pattern(value)
                     self._target_branch_pattern = value or '*'
                 @hybrid_property
                 def file_pattern(self):
                     return self._file_pattern or '*'
                 @file_pattern.setter
                 def file_pattern(self, value):
                     self._validate_pattern(value)
                     self._file_pattern = value or '*'
                 def matches(self, source_branch, target_branch, files_changed):
                     """
                     Check if this review rule matches a branch/files in a pull request
                     :param source_branch: source branch name for the commit
                     :param target_branch: target branch name for the commit
                     :param files_changed: list of file paths changed in the pull request
                     """
                     source_branch = source_branch or ''
                     target_branch = target_branch or ''
                     files_changed = files_changed or []
                     branch_matches = True
                     if source_branch or target_branch:
                         if self.source_branch_pattern == '*':
                             source_branch_match = True
                         else:
                             if self.source_branch_pattern.startswith('re:'):
                                 source_pattern = self.source_branch_pattern[3:]
                             else:
                                 source_pattern = '^' + glob2re(self.source_branch_pattern) + '$'
                             source_branch_regex = re.compile(source_pattern)
                             source_branch_match = bool(source_branch_regex.search(source_branch))
                         if self.target_branch_pattern == '*':
                             target_branch_match = True
                         else:
                             if self.target_branch_pattern.startswith('re:'):
                                 target_pattern = self.target_branch_pattern[3:]
                             else:
                                 target_pattern = '^' + glob2re(self.target_branch_pattern) + '$'
                             target_branch_regex = re.compile(target_pattern)
                             target_branch_match = bool(target_branch_regex.search(target_branch))
                         branch_matches = source_branch_match and target_branch_match
                     files_matches = True
                     if self.file_pattern != '*':
                         files_matches = False
                         if self.file_pattern.startswith('re:'):
                             file_pattern = self.file_pattern[3:]
                         else:
                             file_pattern = glob2re(self.file_pattern)
                         file_regex = re.compile(file_pattern)
                         for filename in files_changed:
                             if file_regex.search(filename):
                                 files_matches = True
                                 break
                     return branch_matches and files_matches
                 @property
                 def review_users(self):
                     """ Returns the users which this rule applies to """
                     users = collections.OrderedDict()
                     for rule_user in self.rule_users:
                         if rule_user.user.active:
                             if rule_user.user not in users:
                                 users[rule_user.user.username] = {
                                     'user': rule_user.user,
                                     'source': 'user',
                                     'source_data': {},
                                     'data': rule_user.rule_data()
                                 }
                     for rule_user_group in self.rule_user_groups:
                         source_data = {
                             'user_group_id': rule_user_group.users_group.users_group_id,
                             'name': rule_user_group.users_group.users_group_name,
                             'members': len(rule_user_group.users_group.members)
                         }
                         for member in rule_user_group.users_group.members:
                             if member.user.active:
                                 key = member.user.username
                                 if key in users:
                                     # skip this member as we have him already
                                     # this prevents from override the "first" matched
                                     # users with duplicates in multiple groups
                                     continue
                                 users[key] = {
                                     'user': member.user,
                                     'source': 'user_group',
                                     'source_data': source_data,
                                     'data': rule_user_group.rule_data()
                                 }
                     return users
                 def user_group_vote_rule(self, user_id):
                     rules = []
                     if not self.rule_user_groups:
                         return rules
                     for user_group in self.rule_user_groups:
                         user_group_members = [x.user_id for x in user_group.users_group.members]
                         if user_id in user_group_members:
                             rules.append(user_group)
                     return rules
                 def __repr__(self):
                     return '<RepoReviewerRule(id=%r, repo=%r)>' % (
                         self.repo_review_rule_id, self.repo)
             class ScheduleEntry(Base, BaseModel):
                 __tablename__ = 'schedule_entries'
                 __table_args__ = (
                     UniqueConstraint('schedule_name', name='s_schedule_name_idx'),
                     UniqueConstraint('task_uid', name='s_task_uid_idx'),
                     base_table_args,
                 )
                 schedule_types = ['crontab', 'timedelta', 'integer']
                 schedule_entry_id = Column('schedule_entry_id', Integer(), primary_key=True)
                 schedule_name = Column("schedule_name", String(255), nullable=False, unique=None, default=None)
                 schedule_description = Column("schedule_description", String(10000), nullable=True, unique=None, default=None)
                 schedule_enabled = Column("schedule_enabled", Boolean(), nullable=False, unique=None, default=True)
                 _schedule_type = Column("schedule_type", String(255), nullable=False, unique=None, default=None)
                 schedule_definition = Column('schedule_definition_json', MutationObj.as_mutable(JsonType(default=lambda: "", dialect_map=dict(mysql=LONGTEXT()))))
                 schedule_last_run = Column('schedule_last_run', DateTime(timezone=False), nullable=True, unique=None, default=None)
                 schedule_total_run_count = Column('schedule_total_run_count', Integer(), nullable=True, unique=None, default=0)
                 # task
                 task_uid = Column("task_uid", String(255), nullable=False, unique=None, default=None)
                 task_dot_notation = Column("task_dot_notation", String(4096), nullable=False, unique=None, default=None)
                 task_args = Column('task_args_json', MutationObj.as_mutable(JsonType(default=list, dialect_map=dict(mysql=LONGTEXT()))))
                 task_kwargs = Column('task_kwargs_json', MutationObj.as_mutable(JsonType(default=dict, dialect_map=dict(mysql=LONGTEXT()))))
                 created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 updated_on = Column('updated_on', DateTime(timezone=False), nullable=True, unique=None, default=None)
                 @hybrid_property
                 def schedule_type(self):
                     return self._schedule_type
                 @schedule_type.setter
                 def schedule_type(self, val):
                     if val not in self.schedule_types:
                         raise ValueError('Value must be on of `{}` and got `{}`'.format(
                             val, self.schedule_type))
                     self._schedule_type = val
                 @classmethod
                 def get_uid(cls, obj):
                     args = obj.task_args
                     kwargs = obj.task_kwargs
                     if isinstance(args, JsonRaw):
                         try:
                             args = json.loads(args)
                         except ValueError:
                             args = tuple()
                     if isinstance(kwargs, JsonRaw):
                         try:
                             kwargs = json.loads(kwargs)
                         except ValueError:
                             kwargs = dict()
                     dot_notation = obj.task_dot_notation
                     val = '.'.join(map(safe_str, [
                         sorted(dot_notation), args, sorted(kwargs.items())]))
                     return hashlib.sha1(val).hexdigest()
                 @classmethod
                 def get_by_schedule_name(cls, schedule_name):
                     return cls.query().filter(cls.schedule_name == schedule_name).scalar()
                 @classmethod
                 def get_by_schedule_id(cls, schedule_id):
                     return cls.query().filter(cls.schedule_entry_id == schedule_id).scalar()
                 @property
                 def task(self):
                     return self.task_dot_notation
                 @property
                 def schedule(self):
                     from rhodecode.lib.celerylib.utils import raw_2_schedule
                     schedule = raw_2_schedule(self.schedule_definition, self.schedule_type)
                     return schedule
                 @property
                 def args(self):
                     try:
                         return list(self.task_args or [])
                     except ValueError:
                         return list()
                 @property
                 def kwargs(self):
                     try:
                         return dict(self.task_kwargs or {})
                     except ValueError:
                         return dict()
                 def _as_raw(self, val):
                     if hasattr(val, 'de_coerce'):
                         val = val.de_coerce()
                         if val:
                             val = json.dumps(val)
                     return val
                 @property
                 def schedule_definition_raw(self):
                     return self._as_raw(self.schedule_definition)
                 @property
                 def args_raw(self):
                     return self._as_raw(self.task_args)
                 @property
                 def kwargs_raw(self):
                     return self._as_raw(self.task_kwargs)
                 def __repr__(self):
                     return '<DB:ScheduleEntry({}:{})>'.format(
                         self.schedule_entry_id, self.schedule_name)
             @event.listens_for(ScheduleEntry, 'before_update')
             def update_task_uid(mapper, connection, target):
                 target.task_uid = ScheduleEntry.get_uid(target)
             @event.listens_for(ScheduleEntry, 'before_insert')
             def set_task_uid(mapper, connection, target):
                 target.task_uid = ScheduleEntry.get_uid(target)
             class _BaseBranchPerms(BaseModel):
                 @classmethod
                 def compute_hash(cls, value):
                     return sha1_safe(value)
                 @hybrid_property
                 def branch_pattern(self):
                     return self._branch_pattern or '*'
                 @hybrid_property
                 def branch_hash(self):
                     return self._branch_hash
                 def _validate_glob(self, value):
                     re.compile('^' + glob2re(value) + '$')
                 @branch_pattern.setter
                 def branch_pattern(self, value):
                     self._validate_glob(value)
                     self._branch_pattern = value or '*'
                     # set the Hash when setting the branch pattern
                     self._branch_hash = self.compute_hash(self._branch_pattern)
                 def matches(self, branch):
                     """
                     Check if this the branch matches entry
                     :param branch: branch name for the commit
                     """
                     branch = branch or ''
                     branch_matches = True
                     if branch:
                         branch_regex = re.compile('^' + glob2re(self.branch_pattern) + '$')
                         branch_matches = bool(branch_regex.search(branch))
                     return branch_matches
             class UserToRepoBranchPermission(Base, _BaseBranchPerms):
                 __tablename__ = 'user_to_repo_branch_permissions'
                 __table_args__ = (
                     {'extend_existing': True, 'mysql_engine': 'InnoDB',
                      'mysql_charset': 'utf8', 'sqlite_autoincrement': True,}
                 )
                 branch_rule_id = Column('branch_rule_id', Integer(), primary_key=True)
                 repository_id = Column('repository_id', Integer(), ForeignKey('repositories.repo_id'), nullable=False, unique=None, default=None)
                 repo = relationship('Repository', backref='user_branch_perms')
                 permission_id = Column('permission_id', Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)
                 permission = relationship('Permission')
                 rule_to_perm_id = Column('rule_to_perm_id', Integer(), ForeignKey('repo_to_perm.repo_to_perm_id'), nullable=False, unique=None, default=None)
                 user_repo_to_perm = relationship('UserRepoToPerm')
                 rule_order = Column('rule_order', Integer(), nullable=False)
                 _branch_pattern = Column('branch_pattern', UnicodeText().with_variant(UnicodeText(2048), 'mysql'), default=u'*')  # glob
                 _branch_hash = Column('branch_hash', UnicodeText().with_variant(UnicodeText(2048), 'mysql'))
                 def __unicode__(self):
                     return u'<UserBranchPermission(%s => %r)>' % (
                         self.user_repo_to_perm, self.branch_pattern)
             class UserGroupToRepoBranchPermission(Base, _BaseBranchPerms):
                 __tablename__ = 'user_group_to_repo_branch_permissions'
                 __table_args__ = (
                     {'extend_existing': True, 'mysql_engine': 'InnoDB',
                      'mysql_charset': 'utf8', 'sqlite_autoincrement': True,}
                 )
                 branch_rule_id = Column('branch_rule_id', Integer(), primary_key=True)
                 repository_id = Column('repository_id', Integer(), ForeignKey('repositories.repo_id'), nullable=False, unique=None, default=None)
                 repo = relationship('Repository', backref='user_group_branch_perms')
                 permission_id = Column('permission_id', Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)
                 permission = relationship('Permission')
                 rule_to_perm_id = Column('rule_to_perm_id', Integer(), ForeignKey('users_group_repo_to_perm.users_group_to_perm_id'), nullable=False, unique=None, default=None)
                 user_group_repo_to_perm = relationship('UserGroupRepoToPerm')
                 rule_order = Column('rule_order', Integer(), nullable=False)
                 _branch_pattern = Column('branch_pattern', UnicodeText().with_variant(UnicodeText(2048), 'mysql'), default=u'*')  # glob
                 _branch_hash = Column('branch_hash', UnicodeText().with_variant(UnicodeText(2048), 'mysql'))
                 def __unicode__(self):
                     return u'<UserBranchPermission(%s => %r)>' % (
                         self.user_group_repo_to_perm, self.branch_pattern)
             class UserBookmark(Base, BaseModel):
                 __tablename__ = 'user_bookmarks'
                 __table_args__ = (
                     UniqueConstraint('user_id', 'bookmark_repo_id'),
                     UniqueConstraint('user_id', 'bookmark_repo_group_id'),
                     UniqueConstraint('user_id', 'bookmark_position'),
                     base_table_args
                 )
                 user_bookmark_id = Column("user_bookmark_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=None, default=None)
                 position = Column("bookmark_position", Integer(), nullable=False)
                 title = Column("bookmark_title", String(255), nullable=True, unique=None, default=None)
                 redirect_url = Column("bookmark_redirect_url", String(10240), nullable=True, unique=None, default=None)
                 created_on = Column("created_on", DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 bookmark_repo_id = Column("bookmark_repo_id", Integer(), ForeignKey("repositories.repo_id"), nullable=True, unique=None, default=None)
                 bookmark_repo_group_id = Column("bookmark_repo_group_id", Integer(), ForeignKey("groups.group_id"), nullable=True, unique=None, default=None)
                 user = relationship("User")
                 repository = relationship("Repository")
                 repository_group = relationship("RepoGroup")
                 @classmethod
                 def get_by_position_for_user(cls, position, user_id):
                     return cls.query() \
                         .filter(UserBookmark.user_id == user_id) \
                         .filter(UserBookmark.position == position).scalar()
                 @classmethod
                 def get_bookmarks_for_user(cls, user_id):
                     return cls.query() \
                         .filter(UserBookmark.user_id == user_id) \
                         .options(joinedload(UserBookmark.repository)) \
                         .options(joinedload(UserBookmark.repository_group)) \
                         .order_by(UserBookmark.position.asc()) \
                         .all()
                 def __unicode__(self):
                     return u'<UserBookmark(%d @ %r)>' % (self.position, self.redirect_url)
             class FileStore(Base, BaseModel):
                 __tablename__ = 'file_store'
                 __table_args__ = (
                     base_table_args
                 )
                 file_store_id = Column('file_store_id', Integer(), primary_key=True)
                 file_uid = Column('file_uid', String(1024), nullable=False)
                 file_display_name = Column('file_display_name', UnicodeText().with_variant(UnicodeText(2048), 'mysql'), nullable=True)
                 file_description = Column('file_description', UnicodeText().with_variant(UnicodeText(10240), 'mysql'), nullable=True)
                 file_org_name = Column('file_org_name', UnicodeText().with_variant(UnicodeText(10240), 'mysql'), nullable=False)
                 # sha256 hash
                 file_hash = Column('file_hash', String(512), nullable=False)
                 file_size = Column('file_size', Integer(), nullable=False)
                 created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 accessed_on = Column('accessed_on', DateTime(timezone=False), nullable=True)
                 accessed_count = Column('accessed_count', Integer(), default=0)
                 enabled = Column('enabled', Boolean(), nullable=False, default=True)
                 # if repo/repo_group reference is set, check for permissions
                 check_acl = Column('check_acl', Boolean(), nullable=False, default=True)
                 user_id = Column('user_id', Integer(), ForeignKey('users.user_id'), nullable=False)
                 upload_user = relationship('User', lazy='joined', primaryjoin='User.user_id==FileStore.user_id')
                 # scope limited to user, which requester have access to
                 scope_user_id = Column(
                     'scope_user_id', Integer(), ForeignKey('users.user_id'),
                     nullable=True, unique=None, default=None)
                 user = relationship('User', lazy='joined', primaryjoin='User.user_id==FileStore.scope_user_id')
                 # scope limited to user group, which requester have access to
                 scope_user_group_id = Column(
                     'scope_user_group_id', Integer(), ForeignKey('users_groups.users_group_id'),
                     nullable=True, unique=None, default=None)
                 user_group = relationship('UserGroup', lazy='joined')
                 # scope limited to repo, which requester have access to
                 scope_repo_id = Column(
                     'scope_repo_id', Integer(), ForeignKey('repositories.repo_id'),
                     nullable=True, unique=None, default=None)
                 repo = relationship('Repository', lazy='joined')
                 # scope limited to repo group, which requester have access to
                 scope_repo_group_id = Column(
                     'scope_repo_group_id', Integer(), ForeignKey('groups.group_id'),
                     nullable=True, unique=None, default=None)
                 repo_group = relationship('RepoGroup', lazy='joined')
                 def __repr__(self):
                     return '<FileStore({})>'.format(self.file_store_id)
             class DbMigrateVersion(Base, BaseModel):
                 __tablename__ = 'db_migrate_version'
                 __table_args__ = (
                     base_table_args,
                 )
                 repository_id = Column('repository_id', String(250), primary_key=True)
                 repository_path = Column('repository_path', Text)
                 version = Column('version', Integer)
                 @classmethod
                 def set_version(cls, version):
                     """
                     Helper for forcing a different version, usually for debugging purposes via ishell.
                     """
                     ver = DbMigrateVersion.query().first()
                     ver.version = version
                     Session().commit()
             class DbSession(Base, BaseModel):
                 __tablename__ = 'db_session'
                 __table_args__ = (
                     base_table_args,
                 )
                 def __repr__(self):
                     return '<DB:DbSession({})>'.format(self.id)
                 id = Column('id', Integer())
                 namespace = Column('namespace', String(255), primary_key=True)
                 accessed = Column('accessed', DateTime, nullable=False)
                 created = Column('created', DateTime, nullable=False)
                 data = Column('data', PickleType, nullable=False)

rhodecode/lib/diffs.py

0 +2 -2

             # -*- coding: utf-8 -*-
             # Copyright (C) 2011-2019 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             """
             Set of diffing helpers, previously part of vcs
             """
             import os
             import re
             import bz2
             import time
             import collections
             import difflib
             import logging
             import cPickle as pickle
             from itertools import tee, imap
             from rhodecode.lib.vcs.exceptions import VCSError
             from rhodecode.lib.vcs.nodes import FileNode, SubModuleNode
             from rhodecode.lib.utils2 import safe_unicode, safe_str
             log = logging.getLogger(__name__)
             # define max context, a file with more than this numbers of lines is unusable
             # in browser anyway
             MAX_CONTEXT = 20 * 1024
             DEFAULT_CONTEXT = 3
             def get_diff_context(request):
                 return MAX_CONTEXT if request.GET.get('fullcontext', '') == '1' else DEFAULT_CONTEXT
             def get_diff_whitespace_flag(request):
                 return request.GET.get('ignorews', '') == '1'
             class OPS(object):
                 ADD = 'A'
                 MOD = 'M'
                 DEL = 'D'
             def get_gitdiff(filenode_old, filenode_new, ignore_whitespace=True, context=3):
                 """
                 Returns git style diff between given ``filenode_old`` and ``filenode_new``.
                 :param ignore_whitespace: ignore whitespaces in diff
                 """
                 # make sure we pass in default context
                 context = context or 3
                 # protect against IntOverflow when passing HUGE context
                 if context > MAX_CONTEXT:
                     context = MAX_CONTEXT
                 submodules = filter(lambda o: isinstance(o, SubModuleNode),
                                     [filenode_new, filenode_old])
                 if submodules:
                     return ''
                 for filenode in (filenode_old, filenode_new):
                     if not isinstance(filenode, FileNode):
                         raise VCSError(
                             "Given object should be FileNode object, not %s"
                             % filenode.__class__)
                 repo = filenode_new.commit.repository
                 old_commit = filenode_old.commit or repo.EMPTY_COMMIT
                 new_commit = filenode_new.commit
                 vcs_gitdiff = repo.get_diff(
                     old_commit, new_commit, filenode_new.path,
                     ignore_whitespace, context, path1=filenode_old.path)
                 return vcs_gitdiff
             NEW_FILENODE = 1
             DEL_FILENODE = 2
             MOD_FILENODE = 3
             RENAMED_FILENODE = 4
             COPIED_FILENODE = 5
             CHMOD_FILENODE = 6
             BIN_FILENODE = 7
             class LimitedDiffContainer(object):
                 def __init__(self, diff_limit, cur_diff_size, diff):
                     self.diff = diff
                     self.diff_limit = diff_limit
                     self.cur_diff_size = cur_diff_size
                 def __getitem__(self, key):
                     return self.diff.__getitem__(key)
                 def __iter__(self):
                     for l in self.diff:
                         yield l
             class Action(object):
                 """
                 Contains constants for the action value of the lines in a parsed diff.
                 """
                 ADD = 'add'
                 DELETE = 'del'
                 UNMODIFIED = 'unmod'
                 CONTEXT = 'context'
                 OLD_NO_NL = 'old-no-nl'
                 NEW_NO_NL = 'new-no-nl'
             class DiffProcessor(object):
                 """
                 Give it a unified or git diff and it returns a list of the files that were
                 mentioned in the diff together with a dict of meta information that
                 can be used to render it in a HTML template.
                 .. note:: Unicode handling
                    The original diffs are a byte sequence and can contain filenames
                    in mixed encodings. This class generally returns `unicode` objects
                    since the result is intended for presentation to the user.
                 """
                 _chunk_re = re.compile(r'^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@(.*)')
                 _newline_marker = re.compile(r'^\\ No newline at end of file')
                 # used for inline highlighter word split
                 _token_re = re.compile(r'()(&gt;|&lt;|&amp;|\W+?)')
                 # collapse ranges of commits over given number
                 _collapse_commits_over = 5
                 def __init__(self, diff, format='gitdiff', diff_limit=None,
                              file_limit=None, show_full_diff=True):
                     """
                     :param diff: A `Diff` object representing a diff from a vcs backend
                     :param format: format of diff passed, `udiff` or `gitdiff`
                     :param diff_limit: define the size of diff that is considered "big"
                         based on that parameter cut off will be triggered, set to None
                         to show full diff
                     """
                     self._diff = diff
                     self._format = format
                     self.adds = 0
                     self.removes = 0
                     # calculate diff size
                     self.diff_limit = diff_limit
                     self.file_limit = file_limit
                     self.show_full_diff = show_full_diff
                     self.cur_diff_size = 0
                     self.parsed = False
                     self.parsed_diff = []
                     log.debug('Initialized DiffProcessor with %s mode', format)
                     if format == 'gitdiff':
                         self.differ = self._highlight_line_difflib
                         self._parser = self._parse_gitdiff
                     else:
                         self.differ = self._highlight_line_udiff
                         self._parser = self._new_parse_gitdiff
                 def _copy_iterator(self):
                     """
                     make a fresh copy of generator, we should not iterate thru
                     an original as it's needed for repeating operations on
                     this instance of DiffProcessor
                     """
                     self.__udiff, iterator_copy = tee(self.__udiff)
                     return iterator_copy
                 def _escaper(self, string):
                     """
                     Escaper for diff escapes special chars and checks the diff limit
                     :param string:
                     """
                     self.cur_diff_size += len(string)
                     if not self.show_full_diff and (self.cur_diff_size > self.diff_limit):
                         raise DiffLimitExceeded('Diff Limit Exceeded')
                     return string \
                         .replace('&', '&amp;')\
                         .replace('<', '&lt;')\
                         .replace('>', '&gt;')
                 def _line_counter(self, l):
                     """
                     Checks each line and bumps total adds/removes for this diff
                     :param l:
                     """
                     if l.startswith('+') and not l.startswith('+++'):
                         self.adds += 1
                     elif l.startswith('-') and not l.startswith('---'):
                         self.removes += 1
                     return safe_unicode(l)
                 def _highlight_line_difflib(self, line, next_):
                     """
                     Highlight inline changes in both lines.
                     """
                     if line['action'] == Action.DELETE:
                         old, new = line, next_
                     else:
                         old, new = next_, line
                     oldwords = self._token_re.split(old['line'])
                     newwords = self._token_re.split(new['line'])
                     sequence = difflib.SequenceMatcher(None, oldwords, newwords)
                     oldfragments, newfragments = [], []
                     for tag, i1, i2, j1, j2 in sequence.get_opcodes():
                         oldfrag = ''.join(oldwords[i1:i2])
                         newfrag = ''.join(newwords[j1:j2])
                         if tag != 'equal':
                             if oldfrag:
                                 oldfrag = '<del>%s</del>' % oldfrag
                             if newfrag:
                                 newfrag = '<ins>%s</ins>' % newfrag
                         oldfragments.append(oldfrag)
                         newfragments.append(newfrag)
                     old['line'] = "".join(oldfragments)
                     new['line'] = "".join(newfragments)
                 def _highlight_line_udiff(self, line, next_):
                     """
                     Highlight inline changes in both lines.
                     """
                     start = 0
                     limit = min(len(line['line']), len(next_['line']))
                     while start < limit and line['line'][start] == next_['line'][start]:
                         start += 1
                     end = -1
                     limit -= start
                     while -end <= limit and line['line'][end] == next_['line'][end]:
                         end -= 1
                     end += 1
                     if start or end:
                         def do(l):
                             last = end + len(l['line'])
                             if l['action'] == Action.ADD:
                                 tag = 'ins'
                             else:
                                 tag = 'del'
                             l['line'] = '%s<%s>%s</%s>%s' % (
                                 l['line'][:start],
                                 tag,
                                 l['line'][start:last],
                                 tag,
                                 l['line'][last:]
                             )
                         do(line)
                         do(next_)
                 def _clean_line(self, line, command):
                     if command in ['+', '-', ' ']:
                         # only modify the line if it's actually a diff thing
                         line = line[1:]
                     return line
                 def _parse_gitdiff(self, inline_diff=True):
                     _files = []
                     diff_container = lambda arg: arg
                     for chunk in self._diff.chunks():
                         head = chunk.header
                         diff = imap(self._escaper, self.diff_splitter(chunk.diff))
                         raw_diff = chunk.raw
                         limited_diff = False
                         exceeds_limit = False
                         op = None
                         stats = {
                             'added': 0,
                             'deleted': 0,
                             'binary': False,
                             'ops': {},
                         }
                         if head['deleted_file_mode']:
                             op = OPS.DEL
                             stats['binary'] = True
                             stats['ops'][DEL_FILENODE] = 'deleted file'
                         elif head['new_file_mode']:
                             op = OPS.ADD
                             stats['binary'] = True
                             stats['ops'][NEW_FILENODE] = 'new file %s' % head['new_file_mode']
                         else:  # modify operation, can be copy, rename or chmod
                             # CHMOD
                             if head['new_mode'] and head['old_mode']:
                                 op = OPS.MOD
                                 stats['binary'] = True
                                 stats['ops'][CHMOD_FILENODE] = (
                                     'modified file chmod %s => %s' % (
                                         head['old_mode'], head['new_mode']))
                             # RENAME
                             if head['rename_from'] != head['rename_to']:
                                 op = OPS.MOD
                                 stats['binary'] = True
                                 stats['ops'][RENAMED_FILENODE] = (
                                     'file renamed from %s to %s' % (
                                         head['rename_from'], head['rename_to']))
                             # COPY
                             if head.get('copy_from') and head.get('copy_to'):
                                 op = OPS.MOD
                                 stats['binary'] = True
                                 stats['ops'][COPIED_FILENODE] = (
                                     'file copied from %s to %s' % (
                                         head['copy_from'], head['copy_to']))
                             # If our new parsed headers didn't match anything fallback to
                             # old style detection
                             if op is None:
                                 if not head['a_file'] and head['b_file']:
                                     op = OPS.ADD
                                     stats['binary'] = True
                                     stats['ops'][NEW_FILENODE] = 'new file'
                                 elif head['a_file'] and not head['b_file']:
                                     op = OPS.DEL
                                     stats['binary'] = True
                                     stats['ops'][DEL_FILENODE] = 'deleted file'
                             # it's not ADD not DELETE
                             if op is None:
                                 op = OPS.MOD
                                 stats['binary'] = True
                                 stats['ops'][MOD_FILENODE] = 'modified file'
                         # a real non-binary diff
                         if head['a_file'] or head['b_file']:
                             try:
                                 raw_diff, chunks, _stats = self._parse_lines(diff)
                                 stats['binary'] = False
                                 stats['added'] = _stats[0]
                                 stats['deleted'] = _stats[1]
                                 # explicit mark that it's a modified file
                                 if op == OPS.MOD:
                                     stats['ops'][MOD_FILENODE] = 'modified file'
                                 exceeds_limit = len(raw_diff) > self.file_limit
                                 # changed from _escaper function so we validate size of
                                 # each file instead of the whole diff
                                 # diff will hide big files but still show small ones
                                 # from my tests, big files are fairly safe to be parsed
                                 # but the browser is the bottleneck
                                 if not self.show_full_diff and exceeds_limit:
                                     raise DiffLimitExceeded('File Limit Exceeded')
                             except DiffLimitExceeded:
                                 diff_container = lambda _diff: \
                                     LimitedDiffContainer(
                                         self.diff_limit, self.cur_diff_size, _diff)
                                 exceeds_limit = len(raw_diff) > self.file_limit
                                 limited_diff = True
                                 chunks = []
                         else:  # GIT format binary patch, or possibly empty diff
                             if head['bin_patch']:
                                 # we have operation already extracted, but we mark simply
                                 # it's a diff we wont show for binary files
                                 stats['ops'][BIN_FILENODE] = 'binary diff hidden'
                             chunks = []
                         if chunks and not self.show_full_diff and op == OPS.DEL:
                             # if not full diff mode show deleted file contents
                             # TODO: anderson: if the view is not too big, there is no way
                             # to see the content of the file
                             chunks = []
                         chunks.insert(0, [{
                                               'old_lineno': '',
                                               'new_lineno': '',
                                               'action': Action.CONTEXT,
                                               'line': msg,
                                           } for _op, msg in stats['ops'].iteritems()
                                           if _op not in [MOD_FILENODE]])
                         _files.append({
                             'filename': safe_unicode(head['b_path']),
                             'old_revision': head['a_blob_id'],
                             'new_revision': head['b_blob_id'],
                             'chunks': chunks,
                             'raw_diff': safe_unicode(raw_diff),
                             'operation': op,
                             'stats': stats,
                             'exceeds_limit': exceeds_limit,
                             'is_limited_diff': limited_diff,
                         })
                     sorter = lambda info: {OPS.ADD: 0, OPS.MOD: 1,
                                            OPS.DEL: 2}.get(info['operation'])
                     if not inline_diff:
                         return diff_container(sorted(_files, key=sorter))
                     # highlight inline changes
                     for diff_data in _files:
                         for chunk in diff_data['chunks']:
                             lineiter = iter(chunk)
                             try:
                                 while 1:
                                     line = lineiter.next()
                                     if line['action'] not in (
                                             Action.UNMODIFIED, Action.CONTEXT):
                                         nextline = lineiter.next()
                                         if nextline['action'] in ['unmod', 'context'] or \
                                            nextline['action'] == line['action']:
                                             continue
                                         self.differ(line, nextline)
                             except StopIteration:
                                 pass
                     return diff_container(sorted(_files, key=sorter))
                 def _check_large_diff(self):
                     log.debug('Diff exceeds current diff_limit of %s', self.diff_limit)
                     if not self.show_full_diff and (self.cur_diff_size > self.diff_limit):
                         raise DiffLimitExceeded('Diff Limit `%s` Exceeded', self.diff_limit)
                 # FIXME: NEWDIFFS: dan: this replaces _parse_gitdiff
                 def _new_parse_gitdiff(self, inline_diff=True):
                     _files = []
                     # this can be overriden later to a LimitedDiffContainer type
                     diff_container = lambda arg: arg
                     for chunk in self._diff.chunks():
                         head = chunk.header
                         log.debug('parsing diff %r', head)
                         raw_diff = chunk.raw
                         limited_diff = False
                         exceeds_limit = False
                         op = None
                         stats = {
                             'added': 0,
                             'deleted': 0,
                             'binary': False,
                             'old_mode': None,
                             'new_mode': None,
                             'ops': {},
                         }
                         if head['old_mode']:
                             stats['old_mode'] = head['old_mode']
                         if head['new_mode']:
                             stats['new_mode'] = head['new_mode']
                         if head['b_mode']:
                             stats['new_mode'] = head['b_mode']
                         # delete file
                         if head['deleted_file_mode']:
                             op = OPS.DEL
                             stats['binary'] = True
                             stats['ops'][DEL_FILENODE] = 'deleted file'
                         # new file
                         elif head['new_file_mode']:
                             op = OPS.ADD
                             stats['binary'] = True
                             stats['old_mode'] = None
                             stats['new_mode'] = head['new_file_mode']
                             stats['ops'][NEW_FILENODE] = 'new file %s' % head['new_file_mode']
                         # modify operation, can be copy, rename or chmod
                         else:
                             # CHMOD
                             if head['new_mode'] and head['old_mode']:
                                 op = OPS.MOD
                                 stats['binary'] = True
                                 stats['ops'][CHMOD_FILENODE] = (
                                     'modified file chmod %s => %s' % (
                                         head['old_mode'], head['new_mode']))
                             # RENAME
                             if head['rename_from'] != head['rename_to']:
                                 op = OPS.MOD
                                 stats['binary'] = True
                                 stats['renamed'] = (head['rename_from'], head['rename_to'])
                                 stats['ops'][RENAMED_FILENODE] = (
                                     'file renamed from %s to %s' % (
                                         head['rename_from'], head['rename_to']))
                             # COPY
                             if head.get('copy_from') and head.get('copy_to'):
                                 op = OPS.MOD
                                 stats['binary'] = True
                                 stats['copied'] = (head['copy_from'], head['copy_to'])
                                 stats['ops'][COPIED_FILENODE] = (
                                     'file copied from %s to %s' % (
                                         head['copy_from'], head['copy_to']))
                             # If our new parsed headers didn't match anything fallback to
                             # old style detection
                             if op is None:
                                 if not head['a_file'] and head['b_file']:
                                     op = OPS.ADD
                                     stats['binary'] = True
                                     stats['new_file'] = True
                                     stats['ops'][NEW_FILENODE] = 'new file'
                                 elif head['a_file'] and not head['b_file']:
                                     op = OPS.DEL
                                     stats['binary'] = True
                                     stats['ops'][DEL_FILENODE] = 'deleted file'
                             # it's not ADD not DELETE
                             if op is None:
                                 op = OPS.MOD
                                 stats['binary'] = True
                                 stats['ops'][MOD_FILENODE] = 'modified file'
                         # a real non-binary diff
                         if head['a_file'] or head['b_file']:
                             # simulate splitlines, so we keep the line end part
                             diff = self.diff_splitter(chunk.diff)
                             # append each file to the diff size
                             raw_chunk_size = len(raw_diff)
                             exceeds_limit = raw_chunk_size > self.file_limit
                             self.cur_diff_size += raw_chunk_size
                             try:
                                 # Check each file instead of the whole diff.
                                 # Diff will hide big files but still show small ones.
                                 # From the tests big files are fairly safe to be parsed
                                 # but the browser is the bottleneck.
                                 if not self.show_full_diff and exceeds_limit:
                                     log.debug('File `%s` exceeds current file_limit of %s',
                                               safe_unicode(head['b_path']), self.file_limit)
                                     raise DiffLimitExceeded(
                                         'File Limit %s Exceeded', self.file_limit)
                                 self._check_large_diff()
                                 raw_diff, chunks, _stats = self._new_parse_lines(diff)
                                 stats['binary'] = False
                                 stats['added'] = _stats[0]
                                 stats['deleted'] = _stats[1]
                                 # explicit mark that it's a modified file
                                 if op == OPS.MOD:
                                     stats['ops'][MOD_FILENODE] = 'modified file'
                             except DiffLimitExceeded:
                                 diff_container = lambda _diff: \
                                     LimitedDiffContainer(
                                         self.diff_limit, self.cur_diff_size, _diff)
                                 limited_diff = True
                                 chunks = []
                         else:  # GIT format binary patch, or possibly empty diff
                             if head['bin_patch']:
                                 # we have operation already extracted, but we mark simply
                                 # it's a diff we wont show for binary files
                                 stats['ops'][BIN_FILENODE] = 'binary diff hidden'
                             chunks = []
                         # Hide content of deleted node by setting empty chunks
                         if chunks and not self.show_full_diff and op == OPS.DEL:
                             # if not full diff mode show deleted file contents
                             # TODO: anderson: if the view is not too big, there is no way
                             # to see the content of the file
                             chunks = []
                         chunks.insert(
 , [{'old_lineno': '',
                                  'new_lineno': '',
                                  'action': Action.CONTEXT,
                                  'line': msg,
                                  } for _op, msg in stats['ops'].iteritems()
                                 if _op not in [MOD_FILENODE]])
                         original_filename = safe_unicode(head['a_path'])
                         _files.append({
                             'original_filename': original_filename,
                             'filename': safe_unicode(head['b_path']),
                             'old_revision': head['a_blob_id'],
                             'new_revision': head['b_blob_id'],
                             'chunks': chunks,
                             'raw_diff': safe_unicode(raw_diff),
                             'operation': op,
                             'stats': stats,
                             'exceeds_limit': exceeds_limit,
                             'is_limited_diff': limited_diff,
                         })
                     sorter = lambda info: {OPS.ADD: 0, OPS.MOD: 1,
                                            OPS.DEL: 2}.get(info['operation'])
                     return diff_container(sorted(_files, key=sorter))
                 # FIXME: NEWDIFFS: dan: this gets replaced by _new_parse_lines
                 def _parse_lines(self, diff_iter):
                     """
                     Parse the diff an return data for the template.
                     """
                     stats = [0, 0]
                     chunks = []
                     raw_diff = []
                     try:
                         line = diff_iter.next()
                         while line:
                             raw_diff.append(line)
                             lines = []
                             chunks.append(lines)
                             match = self._chunk_re.match(line)
                             if not match:
                                 break
                             gr = match.groups()
                             (old_line, old_end,
                              new_line, new_end) = [int(x or 1) for x in gr[:-1]]
                             old_line -= 1
                             new_line -= 1
                             context = len(gr) == 5
                             old_end += old_line
                             new_end += new_line
                             if context:
                                 # skip context only if it's first line
                                 if int(gr[0]) > 1:
                                     lines.append({
                                         'old_lineno': '...',
                                         'new_lineno': '...',
                                         'action':     Action.CONTEXT,
                                         'line':       line,
                                     })
                             line = diff_iter.next()
                             while old_line < old_end or new_line < new_end:
                                 command = ' '
                                 if line:
                                     command = line[0]
                                 affects_old = affects_new = False
                                 # ignore those if we don't expect them
                                 if command in '#@':
                                     continue
                                 elif command == '+':
                                     affects_new = True
                                     action = Action.ADD
                                     stats[0] += 1
                                 elif command == '-':
                                     affects_old = True
                                     action = Action.DELETE
                                     stats[1] += 1
                                 else:
                                     affects_old = affects_new = True
                                     action = Action.UNMODIFIED
                                 if not self._newline_marker.match(line):
                                     old_line += affects_old
                                     new_line += affects_new
                                     lines.append({
                                         'old_lineno':   affects_old and old_line or '',
                                         'new_lineno':   affects_new and new_line or '',
                                         'action':       action,
                                         'line':         self._clean_line(line, command)
                                     })
                                     raw_diff.append(line)
                                 line = diff_iter.next()
                                 if self._newline_marker.match(line):
                                     # we need to append to lines, since this is not
                                     # counted in the line specs of diff
                                     lines.append({
                                         'old_lineno':   '...',
                                         'new_lineno':   '...',
                                         'action':       Action.CONTEXT,
                                         'line':         self._clean_line(line, command)
                                     })
                     except StopIteration:
                         pass
                     return ''.join(raw_diff), chunks, stats
                 # FIXME: NEWDIFFS: dan: this replaces _parse_lines
                 def _new_parse_lines(self, diff_iter):
                     """
                     Parse the diff an return data for the template.
                     """
                     stats = [0, 0]
                     chunks = []
                     raw_diff = []
                     try:
                         line = diff_iter.next()
                         while line:
                             raw_diff.append(line)
                             # match header e.g @@ -0,0 +1 @@\n'
                             match = self._chunk_re.match(line)
                             if not match:
                                 break
                             gr = match.groups()
                             (old_line, old_end,
                              new_line, new_end) = [int(x or 1) for x in gr[:-1]]
                             lines = []
                             hunk = {
                                 'section_header': gr[-1],
                                 'source_start': old_line,
                                 'source_length': old_end,
                                 'target_start': new_line,
                                 'target_length': new_end,
                                 'lines': lines,
                             }
                             chunks.append(hunk)
                             old_line -= 1
                             new_line -= 1
                             context = len(gr) == 5
                             old_end += old_line
                             new_end += new_line
                             line = diff_iter.next()
                             while old_line < old_end or new_line < new_end:
                                 command = ' '
                                 if line:
                                     command = line[0]
                                 affects_old = affects_new = False
                                 # ignore those if we don't expect them
                                 if command in '#@':
                                     continue
                                 elif command == '+':
                                     affects_new = True
                                     action = Action.ADD
                                     stats[0] += 1
                                 elif command == '-':
                                     affects_old = True
                                     action = Action.DELETE
                                     stats[1] += 1
                                 else:
                                     affects_old = affects_new = True
                                     action = Action.UNMODIFIED
                                 if not self._newline_marker.match(line):
                                     old_line += affects_old
                                     new_line += affects_new
                                     lines.append({
                                         'old_lineno':   affects_old and old_line or '',
                                         'new_lineno':   affects_new and new_line or '',
                                         'action':       action,
                                         'line':         self._clean_line(line, command)
                                     })
                                 raw_diff.append(line)
                                 line = diff_iter.next()
                                 if self._newline_marker.match(line):
                                     # we need to append to lines, since this is not
                                     # counted in the line specs of diff
                                     if affects_old:
                                         action = Action.OLD_NO_NL
                                     elif affects_new:
                                         action = Action.NEW_NO_NL
                                     else:
                                         raise Exception('invalid context for no newline')
                                     lines.append({
                                         'old_lineno':   None,
                                         'new_lineno':   None,
                                         'action':       action,
                                         'line':         self._clean_line(line, command)
                                     })
                     except StopIteration:
                         pass
                     return ''.join(raw_diff), chunks, stats
                 def _safe_id(self, idstring):
                     """Make a string safe for including in an id attribute.
                     The HTML spec says that id attributes 'must begin with
                     a letter ([A-Za-z]) and may be followed by any number
                     of letters, digits ([0-9]), hyphens ("-"), underscores
                     ("_"), colons (":"), and periods (".")'. These regexps
                     are slightly over-zealous, in that they remove colons
                     and periods unnecessarily.
                     Whitespace is transformed into underscores, and then
                     anything which is not a hyphen or a character that
                     matches \w (alphanumerics and underscore) is removed.
                     """
                     # Transform all whitespace to underscore
                     idstring = re.sub(r'\s', "_", '%s' % idstring)
                     # Remove everything that is not a hyphen or a member of \w
                     idstring = re.sub(r'(?!-)\W', "", idstring).lower()
                     return idstring
                 @classmethod
                 def diff_splitter(cls, string):
                     """
                     Diff split that emulates .splitlines() but works only on \n
                     """
                     if not string:
                         return
                     elif string == '\n':
                         yield u'\n'
                     else:
                         has_newline = string.endswith('\n')
                         elements = string.split('\n')
                         if has_newline:
                             # skip last element as it's empty string from newlines
                             elements = elements[:-1]
                         len_elements = len(elements)
                         for cnt, line in enumerate(elements, start=1):
                             last_line = cnt == len_elements
                             if last_line and not has_newline:
                                 yield safe_unicode(line)
                             else:
                                 yield safe_unicode(line) + '\n'
                 def prepare(self, inline_diff=True):
                     """
                     Prepare the passed udiff for HTML rendering.
                     :return: A list of dicts with diff information.
                     """
                     parsed = self._parser(inline_diff=inline_diff)
                     self.parsed = True
                     self.parsed_diff = parsed
                     return parsed
                 def as_raw(self, diff_lines=None):
                     """
                     Returns raw diff as a byte string
                     """
                     return self._diff.raw
                 def as_html(self, table_class='code-difftable', line_class='line',
                             old_lineno_class='lineno old', new_lineno_class='lineno new',
                             code_class='code', enable_comments=False, parsed_lines=None):
                     """
                     Return given diff as html table with customized css classes
                     """
                     # TODO(marcink): not sure how to pass in translator
                     # here in an efficient way, leave the _ for proper gettext extraction
                     _ = lambda s: s
                     def _link_to_if(condition, label, url):
                         """
                         Generates a link if condition is meet or just the label if not.
                         """
                         if condition:
                             return '''<a href="%(url)s" class="tooltip"
                             title="%(title)s">%(label)s</a>''' % {
                                 'title': _('Click to select line'),
                                 'url': url,
                                 'label': label
                             }
                         else:
                             return label
                     if not self.parsed:
                         self.prepare()
                     diff_lines = self.parsed_diff
                     if parsed_lines:
                         diff_lines = parsed_lines
                     _html_empty = True
                     _html = []
                     _html.append('''<table class="%(table_class)s">\n''' % {
                         'table_class': table_class
                     })
                     for diff in diff_lines:
                         for line in diff['chunks']:
                             _html_empty = False
                             for change in line:
                                 _html.append('''<tr class="%(lc)s %(action)s">\n''' % {
                                     'lc': line_class,
                                     'action': change['action']
                                 })
                                 anchor_old_id = ''
                                 anchor_new_id = ''
                                 anchor_old = "%(filename)s_o%(oldline_no)s" % {
                                     'filename': self._safe_id(diff['filename']),
                                     'oldline_no': change['old_lineno']
                                 }
                                 anchor_new = "%(filename)s_n%(oldline_no)s" % {
                                     'filename': self._safe_id(diff['filename']),
                                     'oldline_no': change['new_lineno']
                                 }
                                 cond_old = (change['old_lineno'] != '...' and
                                             change['old_lineno'])
                                 cond_new = (change['new_lineno'] != '...' and
                                             change['new_lineno'])
                                 if cond_old:
                                     anchor_old_id = 'id="%s"' % anchor_old
                                 if cond_new:
                                     anchor_new_id = 'id="%s"' % anchor_new
                                 if change['action'] != Action.CONTEXT:
                                     anchor_link = True
                                 else:
                                     anchor_link = False
                                 ###########################################################
                                 # COMMENT ICONS
                                 ###########################################################
                                 _html.append('''\t<td class="add-comment-line"><span class="add-comment-content">''')
                                 if enable_comments and change['action'] != Action.CONTEXT:
                                     _html.append('''<a href="#"><span class="icon-comment-add"></span></a>''')
                                 _html.append('''</span></td><td class="comment-toggle tooltip" title="Toggle Comment Thread"><i class="icon-comment"></i></td>\n''')
                                 ###########################################################
                                 # OLD LINE NUMBER
                                 ###########################################################
                                 _html.append('''\t<td %(a_id)s class="%(olc)s">''' % {
                                     'a_id': anchor_old_id,
                                     'olc': old_lineno_class
                                 })
                                 _html.append('''%(link)s''' % {
                                     'link': _link_to_if(anchor_link, change['old_lineno'],
                                                         '#%s' % anchor_old)
                                 })
                                 _html.append('''</td>\n''')
                                 ###########################################################
                                 # NEW LINE NUMBER
                                 ###########################################################
                                 _html.append('''\t<td %(a_id)s class="%(nlc)s">''' % {
                                     'a_id': anchor_new_id,
                                     'nlc': new_lineno_class
                                 })
                                 _html.append('''%(link)s''' % {
                                     'link': _link_to_if(anchor_link, change['new_lineno'],
                                                         '#%s' % anchor_new)
                                 })
                                 _html.append('''</td>\n''')
                                 ###########################################################
                                 # CODE
                                 ###########################################################
                                 code_classes = [code_class]
                                 if (not enable_comments or
                                         change['action'] == Action.CONTEXT):
                                     code_classes.append('no-comment')
                                 _html.append('\t<td class="%s">' % ' '.join(code_classes))
                                 _html.append('''\n\t\t<pre>%(code)s</pre>\n''' % {
                                     'code': change['line']
                                 })
                                 _html.append('''\t</td>''')
                                 _html.append('''\n</tr>\n''')
                     _html.append('''</table>''')
                     if _html_empty:
                         return None
                     return ''.join(_html)
                 def stat(self):
                     """
                     Returns tuple of added, and removed lines for this instance
                     """
                     return self.adds, self.removes
                 def get_context_of_line(
                         self, path, diff_line=None, context_before=3, context_after=3):
                     """
                     Returns the context lines for the specified diff line.
                     :type diff_line: :class:`DiffLineNumber`
                     """
                     assert self.parsed, "DiffProcessor is not initialized."
                     if None not in diff_line:
                         raise ValueError(
                             "Cannot specify both line numbers: {}".format(diff_line))
                     file_diff = self._get_file_diff(path)
                     chunk, idx = self._find_chunk_line_index(file_diff, diff_line)
                     first_line_to_include = max(idx - context_before, 0)
                     first_line_after_context = idx + context_after + 1
                     context_lines = chunk[first_line_to_include:first_line_after_context]
                     line_contents = [
                         _context_line(line) for line in context_lines
                         if _is_diff_content(line)]
                     # TODO: johbo: Interim fixup, the diff chunks drop the final newline.
                     # Once they are fixed, we can drop this line here.
                     if line_contents:
                         line_contents[-1] = (
                             line_contents[-1][0], line_contents[-1][1].rstrip('\n') + '\n')
                     return line_contents
                 def find_context(self, path, context, offset=0):
                     """
                     Finds the given `context` inside of the diff.
                     Use the parameter `offset` to specify which offset the target line has
                     inside of the given `context`. This way the correct diff line will be
                     returned.
                     :param offset: Shall be used to specify the offset of the main line
                         within the given `context`.
                     """
                     if offset < 0 or offset >= len(context):
                         raise ValueError(
                             "Only positive values up to the length of the context "
                             "minus one are allowed.")
                     matches = []
                     file_diff = self._get_file_diff(path)
                     for chunk in file_diff['chunks']:
                         context_iter = iter(context)
                         for line_idx, line in enumerate(chunk):
                             try:
                                 if _context_line(line) == context_iter.next():
                                     continue
                             except StopIteration:
                                 matches.append((line_idx, chunk))
                             context_iter = iter(context)
                     # Increment position and triger StopIteration
                     # if we had a match at the end
                     line_idx += 1
                     try:
                         context_iter.next()
                     except StopIteration:
                         matches.append((line_idx, chunk))
                     effective_offset = len(context) - offset
                     found_at_diff_lines = [
                         _line_to_diff_line_number(chunk[idx - effective_offset])
                         for idx, chunk in matches]
                     return found_at_diff_lines
                 def _get_file_diff(self, path):
                     for file_diff in self.parsed_diff:
                         if file_diff['filename'] == path:
                             break
                     else:
                         raise FileNotInDiffException("File {} not in diff".format(path))
                     return file_diff
                 def _find_chunk_line_index(self, file_diff, diff_line):
                     for chunk in file_diff['chunks']:
                         for idx, line in enumerate(chunk):
                             if line['old_lineno'] == diff_line.old:
                                 return chunk, idx
                             if line['new_lineno'] == diff_line.new:
                                 return chunk, idx
                     raise LineNotInDiffException(
                         "The line {} is not part of the diff.".format(diff_line))
             def _is_diff_content(line):
                 return line['action'] in (
                     Action.UNMODIFIED, Action.ADD, Action.DELETE)
             def _context_line(line):
                 return (line['action'], line['line'])
             DiffLineNumber = collections.namedtuple('DiffLineNumber', ['old', 'new'])
             def _line_to_diff_line_number(line):
                 new_line_no = line['new_lineno'] or None
                 old_line_no = line['old_lineno'] or None
                 return DiffLineNumber(old=old_line_no, new=new_line_no)
             class FileNotInDiffException(Exception):
                 """
                 Raised when the context for a missing file is requested.
                 If you request the context for a line in a file which is not part of the
                 given diff, then this exception is raised.
                 """
             class LineNotInDiffException(Exception):
                 """
                 Raised when the context for a missing line is requested.
                 If you request the context for a line in a file and this line is not
                 part of the given diff, then this exception is raised.
                 """
             class DiffLimitExceeded(Exception):
                 pass
             # NOTE(marcink): if diffs.mako change, probably this
             # needs a bump to next version
             CURRENT_DIFF_VERSION = 'v4'
             def _cleanup_cache_file(cached_diff_file):
                 # cleanup file to not store it "damaged"
                 try:
                     os.remove(cached_diff_file)
                 except Exception:
                     log.exception('Failed to cleanup path %s', cached_diff_file)
             def cache_diff(cached_diff_file, diff, commits):
                 mode = 'plain' if 'mode:plain' in cached_diff_file else ''
                 struct = {
                     'version': CURRENT_DIFF_VERSION,
                     'diff': diff,
                     'commits': commits
                 }
                 start = time.time()
                 try:
                     if mode == 'plain':
                         with open(cached_diff_file, 'wb') as f:
                             pickle.dump(struct, f)
                     else:
                         with bz2.BZ2File(cached_diff_file, 'wb') as f:
                             pickle.dump(struct, f)
                 except Exception:
                     log.warn('Failed to save cache', exc_info=True)
                     _cleanup_cache_file(cached_diff_file)
-                log.debug('Saved diff cache under %s in %.3fs', cached_diff_file, time.time() - start)
+                log.debug('Saved diff cache under %s in %.4fs', cached_diff_file, time.time() - start)
             def load_cached_diff(cached_diff_file):
                 mode = 'plain' if 'mode:plain' in cached_diff_file else ''
                 default_struct = {
                     'version': CURRENT_DIFF_VERSION,
                     'diff': None,
                     'commits': None
                 }
                 has_cache = os.path.isfile(cached_diff_file)
                 if not has_cache:
                     log.debug('Reading diff cache file failed %s', cached_diff_file)
                     return default_struct
                 data = None
                 start = time.time()
                 try:
                     if mode == 'plain':
                         with open(cached_diff_file, 'rb') as f:
                             data = pickle.load(f)
                     else:
                         with bz2.BZ2File(cached_diff_file, 'rb') as f:
                             data = pickle.load(f)
                 except Exception:
                     log.warn('Failed to read diff cache file', exc_info=True)
                 if not data:
                     data = default_struct
                 if not isinstance(data, dict):
                     # old version of data ?
                     data = default_struct
                 # check version
                 if data.get('version') != CURRENT_DIFF_VERSION:
                     # purge cache
                     _cleanup_cache_file(cached_diff_file)
                     return default_struct
-                log.debug('Loaded diff cache from %s in %.3fs', cached_diff_file, time.time() - start)
+                log.debug('Loaded diff cache from %s in %.4fs', cached_diff_file, time.time() - start)
                 return data
             def generate_diff_cache_key(*args):
                 """
                 Helper to generate a cache key using arguments
                 """
                 def arg_mapper(input_param):
                     input_param = safe_str(input_param)
                     # we cannot allow '/' in arguments since it would allow
                     # subdirectory usage
                     input_param.replace('/', '_')
                     return input_param or None  # prevent empty string arguments
                 return '_'.join([
                     '{}' for i in range(len(args))]).format(*map(arg_mapper, args))
             def diff_cache_exist(cache_storage, *args):
                 """
                 Based on all generated arguments check and return a cache path
                 """
                 cache_key = generate_diff_cache_key(*args)
                 cache_file_path = os.path.join(cache_storage, cache_key)
                 # prevent path traversal attacks using some param that have e.g '../../'
                 if not os.path.abspath(cache_file_path).startswith(cache_storage):
                     raise ValueError('Final path must be within {}'.format(cache_storage))
                 return cache_file_path

rhodecode/lib/middleware/request_wrapper.py

0 +1 -1

             # -*- coding: utf-8 -*-
             # Copyright (C) 2016-2019 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import time
             import logging
             from rhodecode.lib.base import get_ip_addr, get_access_path, get_user_agent
             from rhodecode.lib.utils2 import safe_str
             log = logging.getLogger(__name__)
             class RequestWrapperTween(object):
                 def __init__(self, handler, registry):
                     self.handler = handler
                     self.registry = registry
                     # one-time configuration code goes here
                 def __call__(self, request):
                     start = time.time()
                     try:
                         response = self.handler(request)
                     finally:
                         end = time.time()
                         total = end - start
                         log.info(
-                            'IP: %s %s Request to %s time: %.3fs [%s]',
+                            'IP: %s %s Request to %s time: %.4fs [%s]',
                             get_ip_addr(request.environ), request.environ.get('REQUEST_METHOD'),
                             safe_str(get_access_path(request.environ)), total,
                             get_user_agent(request. environ)
                         )
                     return response
             def includeme(config):
                 config.add_tween(
                     'rhodecode.lib.middleware.request_wrapper.RequestWrapperTween',
                 )

rhodecode/lib/middleware/simplevcs.py

0 +1 -1

             # -*- coding: utf-8 -*-
             # Copyright (C) 2014-2019 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             """
             SimpleVCS middleware for handling protocol request (push/clone etc.)
             It's implemented with basic auth function
             """
             import os
             import re
             import logging
             import importlib
             from functools import wraps
             from StringIO import StringIO
             from lxml import etree
             import time
             from paste.httpheaders import REMOTE_USER, AUTH_TYPE
             from pyramid.httpexceptions import (
                 HTTPNotFound, HTTPForbidden, HTTPNotAcceptable, HTTPInternalServerError)
             from zope.cachedescriptors.property import Lazy as LazyProperty
             import rhodecode
             from rhodecode.authentication.base import authenticate, VCS_TYPE, loadplugin
             from rhodecode.lib import rc_cache
             from rhodecode.lib.auth import AuthUser, HasPermissionAnyMiddleware
             from rhodecode.lib.base import (
                 BasicAuth, get_ip_addr, get_user_agent, vcs_operation_context)
             from rhodecode.lib.exceptions import (UserCreationError, NotAllowedToCreateUserError)
             from rhodecode.lib.hooks_daemon import prepare_callback_daemon
             from rhodecode.lib.middleware import appenlight
             from rhodecode.lib.middleware.utils import scm_app_http
             from rhodecode.lib.utils import is_valid_repo, SLUG_RE
             from rhodecode.lib.utils2 import safe_str, fix_PATH, str2bool, safe_unicode
             from rhodecode.lib.vcs.conf import settings as vcs_settings
             from rhodecode.lib.vcs.backends import base
             from rhodecode.model import meta
             from rhodecode.model.db import User, Repository, PullRequest
             from rhodecode.model.scm import ScmModel
             from rhodecode.model.pull_request import PullRequestModel
             from rhodecode.model.settings import SettingsModel, VcsSettingsModel
             log = logging.getLogger(__name__)
             def extract_svn_txn_id(acl_repo_name, data):
                 """
                 Helper method for extraction of svn txn_id from submitted XML data during
                 POST operations
                 """
                 try:
                     root = etree.fromstring(data)
                     pat = re.compile(r'/txn/(?P<txn_id>.*)')
                     for el in root:
                         if el.tag == '{DAV:}source':
                             for sub_el in el:
                                 if sub_el.tag == '{DAV:}href':
                                     match = pat.search(sub_el.text)
                                     if match:
                                         svn_tx_id = match.groupdict()['txn_id']
                                         txn_id = rc_cache.utils.compute_key_from_params(
                                             acl_repo_name, svn_tx_id)
                                         return txn_id
                 except Exception:
                     log.exception('Failed to extract txn_id')
             def initialize_generator(factory):
                 """
                 Initializes the returned generator by draining its first element.
                 This can be used to give a generator an initializer, which is the code
                 up to the first yield statement. This decorator enforces that the first
                 produced element has the value ``"__init__"`` to make its special
                 purpose very explicit in the using code.
                 """
                 @wraps(factory)
                 def wrapper(*args, **kwargs):
                     gen = factory(*args, **kwargs)
                     try:
                         init = gen.next()
                     except StopIteration:
                         raise ValueError('Generator must yield at least one element.')
                     if init != "__init__":
                         raise ValueError('First yielded element must be "__init__".')
                     return gen
                 return wrapper
             class SimpleVCS(object):
                 """Common functionality for SCM HTTP handlers."""
                 SCM = 'unknown'
                 acl_repo_name = None
                 url_repo_name = None
                 vcs_repo_name = None
                 rc_extras = {}
                 # We have to handle requests to shadow repositories different than requests
                 # to normal repositories. Therefore we have to distinguish them. To do this
                 # we use this regex which will match only on URLs pointing to shadow
                 # repositories.
                 shadow_repo_re = re.compile(
                     '(?P<groups>(?:{slug_pat}/)*)'  # repo groups
                     '(?P<target>{slug_pat})/'       # target repo
                     'pull-request/(?P<pr_id>\d+)/'  # pull request
                     'repository$'                   # shadow repo
                     .format(slug_pat=SLUG_RE.pattern))
                 def __init__(self, config, registry):
                     self.registry = registry
                     self.config = config
                     # re-populated by specialized middleware
                     self.repo_vcs_config = base.Config()
                     self.rhodecode_settings = SettingsModel().get_all_settings(cache=True)
                     registry.rhodecode_settings = self.rhodecode_settings
                     # authenticate this VCS request using authfunc
                     auth_ret_code_detection = \
                         str2bool(self.config.get('auth_ret_code_detection', False))
                     self.authenticate = BasicAuth(
                         '', authenticate, registry, config.get('auth_ret_code'),
                         auth_ret_code_detection)
                     self.ip_addr = '0.0.0.0'
                 @LazyProperty
                 def global_vcs_config(self):
                     try:
                         return VcsSettingsModel().get_ui_settings_as_config_obj()
                     except Exception:
                         return base.Config()
                 @property
                 def base_path(self):
                     settings_path = self.repo_vcs_config.get(*VcsSettingsModel.PATH_SETTING)
                     if not settings_path:
                         settings_path = self.global_vcs_config.get(*VcsSettingsModel.PATH_SETTING)
                     if not settings_path:
                         # try, maybe we passed in explicitly as config option
                         settings_path = self.config.get('base_path')
                     if not settings_path:
                         raise ValueError('FATAL: base_path is empty')
                     return settings_path
                 def set_repo_names(self, environ):
                     """
                     This will populate the attributes acl_repo_name, url_repo_name,
                     vcs_repo_name and is_shadow_repo. In case of requests to normal (non
                     shadow) repositories all names are equal. In case of requests to a
                     shadow repository the acl-name points to the target repo of the pull
                     request and the vcs-name points to the shadow repo file system path.
                     The url-name is always the URL used by the vcs client program.
                     Example in case of a shadow repo:
                         acl_repo_name = RepoGroup/MyRepo
                         url_repo_name = RepoGroup/MyRepo/pull-request/3/repository
                         vcs_repo_name = /repo/base/path/RepoGroup/.__shadow_MyRepo_pr-3'
                     """
                     # First we set the repo name from URL for all attributes. This is the
                     # default if handling normal (non shadow) repo requests.
                     self.url_repo_name = self._get_repository_name(environ)
                     self.acl_repo_name = self.vcs_repo_name = self.url_repo_name
                     self.is_shadow_repo = False
                     # Check if this is a request to a shadow repository.
                     match = self.shadow_repo_re.match(self.url_repo_name)
                     if match:
                         match_dict = match.groupdict()
                         # Build acl repo name from regex match.
                         acl_repo_name = safe_unicode('{groups}{target}'.format(
                             groups=match_dict['groups'] or '',
                             target=match_dict['target']))
                         # Retrieve pull request instance by ID from regex match.
                         pull_request = PullRequest.get(match_dict['pr_id'])
                         # Only proceed if we got a pull request and if acl repo name from
                         # URL equals the target repo name of the pull request.
                         if pull_request and \
                                 (acl_repo_name == pull_request.target_repo.repo_name):
                             repo_id = pull_request.target_repo.repo_id
                             # Get file system path to shadow repository.
                             workspace_id = PullRequestModel()._workspace_id(pull_request)
                             target_vcs = pull_request.target_repo.scm_instance()
                             vcs_repo_name = target_vcs._get_shadow_repository_path(
                                 repo_id, workspace_id)
                             # Store names for later usage.
                             self.vcs_repo_name = vcs_repo_name
                             self.acl_repo_name = acl_repo_name
                             self.is_shadow_repo = True
                     log.debug('Setting all VCS repository names: %s', {
                         'acl_repo_name': self.acl_repo_name,
                         'url_repo_name': self.url_repo_name,
                         'vcs_repo_name': self.vcs_repo_name,
                     })
                 @property
                 def scm_app(self):
                     custom_implementation = self.config['vcs.scm_app_implementation']
                     if custom_implementation == 'http':
                         log.info('Using HTTP implementation of scm app.')
                         scm_app_impl = scm_app_http
                     else:
                         log.info('Using custom implementation of scm_app: "{}"'.format(
                             custom_implementation))
                         scm_app_impl = importlib.import_module(custom_implementation)
                     return scm_app_impl
                 def _get_by_id(self, repo_name):
                     """
                     Gets a special pattern _<ID> from clone url and tries to replace it
                     with a repository_name for support of _<ID> non changeable urls
                     """
                     data = repo_name.split('/')
                     if len(data) >= 2:
                         from rhodecode.model.repo import RepoModel
                         by_id_match = RepoModel().get_repo_by_id(repo_name)
                         if by_id_match:
                             data[1] = by_id_match.repo_name
                     return safe_str('/'.join(data))
                 def _invalidate_cache(self, repo_name):
                     """
                     Set's cache for this repository for invalidation on next access
                     :param repo_name: full repo name, also a cache key
                     """
                     ScmModel().mark_for_invalidation(repo_name)
                 def is_valid_and_existing_repo(self, repo_name, base_path, scm_type):
                     db_repo = Repository.get_by_repo_name(repo_name)
                     if not db_repo:
                         log.debug('Repository `%s` not found inside the database.',
                                   repo_name)
                         return False
                     if db_repo.repo_type != scm_type:
                         log.warning(
                             'Repository `%s` have incorrect scm_type, expected %s got %s',
                             repo_name, db_repo.repo_type, scm_type)
                         return False
                     config = db_repo._config
                     config.set('extensions', 'largefiles', '')
                     return is_valid_repo(
                         repo_name, base_path,
                         explicit_scm=scm_type, expect_scm=scm_type, config=config)
                 def valid_and_active_user(self, user):
                     """
                     Checks if that user is not empty, and if it's actually object it checks
                     if he's active.
                     :param user: user object or None
                     :return: boolean
                     """
                     if user is None:
                         return False
                     elif user.active:
                         return True
                     return False
                 @property
                 def is_shadow_repo_dir(self):
                     return os.path.isdir(self.vcs_repo_name)
                 def _check_permission(self, action, user, auth_user, repo_name, ip_addr=None,
                                       plugin_id='', plugin_cache_active=False, cache_ttl=0):
                     """
                     Checks permissions using action (push/pull) user and repository
                     name. If plugin_cache and ttl is set it will use the plugin which
                     authenticated the user to store the cached permissions result for N
                     amount of seconds as in cache_ttl
                     :param action: push or pull action
                     :param user: user instance
                     :param repo_name: repository name
                     """
                     log.debug('AUTH_CACHE_TTL for permissions `%s` active: %s (TTL: %s)',
                               plugin_id, plugin_cache_active, cache_ttl)
                     user_id = user.user_id
                     cache_namespace_uid = 'cache_user_auth.{}'.format(user_id)
                     region = rc_cache.get_or_create_region('cache_perms', cache_namespace_uid)
                     @region.conditional_cache_on_arguments(namespace=cache_namespace_uid,
                                                            expiration_time=cache_ttl,
                                                            condition=plugin_cache_active)
                     def compute_perm_vcs(
                             cache_name, plugin_id, action, user_id, repo_name, ip_addr):
                         log.debug('auth: calculating permission access now...')
                         # check IP
                         inherit = user.inherit_default_permissions
                         ip_allowed = AuthUser.check_ip_allowed(
                             user_id, ip_addr, inherit_from_default=inherit)
                         if ip_allowed:
                             log.info('Access for IP:%s allowed', ip_addr)
                         else:
                             return False
                         if action == 'push':
                             perms = ('repository.write', 'repository.admin')
                             if not HasPermissionAnyMiddleware(*perms)(auth_user, repo_name):
                                 return False
                         else:
                             # any other action need at least read permission
                             perms = (
                                 'repository.read', 'repository.write', 'repository.admin')
                             if not HasPermissionAnyMiddleware(*perms)(auth_user, repo_name):
                                 return False
                         return True
                     start = time.time()
                     log.debug('Running plugin `%s` permissions check', plugin_id)
                     # for environ based auth, password can be empty, but then the validation is
                     # on the server that fills in the env data needed for authentication
                     perm_result = compute_perm_vcs(
                         'vcs_permissions', plugin_id, action, user.user_id, repo_name, ip_addr)
                     auth_time = time.time() - start
-                    log.debug('Permissions for plugin `%s` completed in %.3fs, '
+                    log.debug('Permissions for plugin `%s` completed in %.4fs, '
                               'expiration time of fetched cache %.1fs.',
                               plugin_id, auth_time, cache_ttl)
                     return perm_result
                 def _get_http_scheme(self, environ):
                     try:
                         return environ['wsgi.url_scheme']
                     except Exception:
                         log.exception('Failed to read http scheme')
                         return 'http'
                 def _check_ssl(self, environ, start_response):
                     """
                     Checks the SSL check flag and returns False if SSL is not present
                     and required True otherwise
                     """
                     org_proto = environ['wsgi._org_proto']
                     # check if we have SSL required  ! if not it's a bad request !
                     require_ssl = str2bool(self.repo_vcs_config.get('web', 'push_ssl'))
                     if require_ssl and org_proto == 'http':
                         log.debug(
                             'Bad request: detected protocol is `%s` and '
                             'SSL/HTTPS is required.', org_proto)
                         return False
                     return True
                 def _get_default_cache_ttl(self):
                     # take AUTH_CACHE_TTL from the `rhodecode` auth plugin
                     plugin = loadplugin('egg:rhodecode-enterprise-ce#rhodecode')
                     plugin_settings = plugin.get_settings()
                     plugin_cache_active, cache_ttl = plugin.get_ttl_cache(
                         plugin_settings) or (False, 0)
                     return plugin_cache_active, cache_ttl
                 def __call__(self, environ, start_response):
                     try:
                         return self._handle_request(environ, start_response)
                     except Exception:
                         log.exception("Exception while handling request")
                         appenlight.track_exception(environ)
                         return HTTPInternalServerError()(environ, start_response)
                     finally:
                         meta.Session.remove()
                 def _handle_request(self, environ, start_response):
                     if not self._check_ssl(environ, start_response):
                         reason = ('SSL required, while RhodeCode was unable '
                                   'to detect this as SSL request')
                         log.debug('User not allowed to proceed, %s', reason)
                         return HTTPNotAcceptable(reason)(environ, start_response)
                     if not self.url_repo_name:
                         log.warning('Repository name is empty: %s', self.url_repo_name)
                         # failed to get repo name, we fail now
                         return HTTPNotFound()(environ, start_response)
                     log.debug('Extracted repo name is %s', self.url_repo_name)
                     ip_addr = get_ip_addr(environ)
                     user_agent = get_user_agent(environ)
                     username = None
                     # skip passing error to error controller
                     environ['pylons.status_code_redirect'] = True
                     # ======================================================================
                     # GET ACTION PULL or PUSH
                     # ======================================================================
                     action = self._get_action(environ)
                     # ======================================================================
                     # Check if this is a request to a shadow repository of a pull request.
                     # In this case only pull action is allowed.
                     # ======================================================================
                     if self.is_shadow_repo and action != 'pull':
                         reason = 'Only pull action is allowed for shadow repositories.'
                         log.debug('User not allowed to proceed, %s', reason)
                         return HTTPNotAcceptable(reason)(environ, start_response)
                     # Check if the shadow repo actually exists, in case someone refers
                     # to it, and it has been deleted because of successful merge.
                     if self.is_shadow_repo and not self.is_shadow_repo_dir:
                         log.debug(
                             'Shadow repo detected, and shadow repo dir `%s` is missing',
                             self.is_shadow_repo_dir)
                         return HTTPNotFound()(environ, start_response)
                     # ======================================================================
                     # CHECK ANONYMOUS PERMISSION
                     # ======================================================================
                     detect_force_push = False
                     check_branch_perms = False
                     if action in ['pull', 'push']:
                         user_obj = anonymous_user = User.get_default_user()
                         auth_user = user_obj.AuthUser()
                         username = anonymous_user.username
                         if anonymous_user.active:
                             plugin_cache_active, cache_ttl = self._get_default_cache_ttl()
                             # ONLY check permissions if the user is activated
                             anonymous_perm = self._check_permission(
                                 action, anonymous_user, auth_user, self.acl_repo_name, ip_addr,
                                 plugin_id='anonymous_access',
                                 plugin_cache_active=plugin_cache_active,
                                 cache_ttl=cache_ttl,
                             )
                         else:
                             anonymous_perm = False
                         if not anonymous_user.active or not anonymous_perm:
                             if not anonymous_user.active:
                                 log.debug('Anonymous access is disabled, running '
                                           'authentication')
                             if not anonymous_perm:
                                 log.debug('Not enough credentials to access this '
                                           'repository as anonymous user')
                             username = None
                             # ==============================================================
                             # DEFAULT PERM FAILED OR ANONYMOUS ACCESS IS DISABLED SO WE
                             # NEED TO AUTHENTICATE AND ASK FOR AUTH USER PERMISSIONS
                             # ==============================================================
                             # try to auth based on environ, container auth methods
                             log.debug('Running PRE-AUTH for container based authentication')
                             pre_auth = authenticate(
                                 '', '', environ, VCS_TYPE, registry=self.registry,
                                 acl_repo_name=self.acl_repo_name)
                             if pre_auth and pre_auth.get('username'):
                                 username = pre_auth['username']
                             log.debug('PRE-AUTH got %s as username', username)
                             if pre_auth:
                                 log.debug('PRE-AUTH successful from %s',
                                           pre_auth.get('auth_data', {}).get('_plugin'))
                             # If not authenticated by the container, running basic auth
                             # before inject the calling repo_name for special scope checks
                             self.authenticate.acl_repo_name = self.acl_repo_name
                             plugin_cache_active, cache_ttl = False, 0
                             plugin = None
                             if not username:
                                 self.authenticate.realm = self.authenticate.get_rc_realm()
                                 try:
                                     auth_result = self.authenticate(environ)
                                 except (UserCreationError, NotAllowedToCreateUserError) as e:
                                     log.error(e)
                                     reason = safe_str(e)
                                     return HTTPNotAcceptable(reason)(environ, start_response)
                                 if isinstance(auth_result, dict):
                                     AUTH_TYPE.update(environ, 'basic')
                                     REMOTE_USER.update(environ, auth_result['username'])
                                     username = auth_result['username']
                                     plugin = auth_result.get('auth_data', {}).get('_plugin')
                                     log.info(
                                         'MAIN-AUTH successful for user `%s` from %s plugin',
                                         username, plugin)
                                     plugin_cache_active, cache_ttl = auth_result.get(
                                         'auth_data', {}).get('_ttl_cache') or (False, 0)
                                 else:
                                     return auth_result.wsgi_application(environ, start_response)
                             # ==============================================================
                             # CHECK PERMISSIONS FOR THIS REQUEST USING GIVEN USERNAME
                             # ==============================================================
                             user = User.get_by_username(username)
                             if not self.valid_and_active_user(user):
                                 return HTTPForbidden()(environ, start_response)
                             username = user.username
                             user_id = user.user_id
                             # check user attributes for password change flag
                             user_obj = user
                             auth_user = user_obj.AuthUser()
                             if user_obj and user_obj.username != User.DEFAULT_USER and \
                                     user_obj.user_data.get('force_password_change'):
                                 reason = 'password change required'
                                 log.debug('User not allowed to authenticate, %s', reason)
                                 return HTTPNotAcceptable(reason)(environ, start_response)
                             # check permissions for this repository
                             perm = self._check_permission(
                                 action, user, auth_user, self.acl_repo_name, ip_addr,
                                 plugin, plugin_cache_active, cache_ttl)
                             if not perm:
                                 return HTTPForbidden()(environ, start_response)
                             environ['rc_auth_user_id'] = user_id
                         if action == 'push':
                             perms = auth_user.get_branch_permissions(self.acl_repo_name)
                             if perms:
                                 check_branch_perms = True
                                 detect_force_push = True
                     # extras are injected into UI object and later available
                     # in hooks executed by RhodeCode
                     check_locking = _should_check_locking(environ.get('QUERY_STRING'))
                     extras = vcs_operation_context(
                         environ, repo_name=self.acl_repo_name, username=username,
                         action=action, scm=self.SCM, check_locking=check_locking,
                         is_shadow_repo=self.is_shadow_repo, check_branch_perms=check_branch_perms,
                         detect_force_push=detect_force_push
                     )
                     # ======================================================================
                     # REQUEST HANDLING
                     # ======================================================================
                     repo_path = os.path.join(
                         safe_str(self.base_path), safe_str(self.vcs_repo_name))
                     log.debug('Repository path is %s', repo_path)
                     fix_PATH()
                     log.info(
                         '%s action on %s repo "%s" by "%s" from %s %s',
                         action, self.SCM, safe_str(self.url_repo_name),
                         safe_str(username), ip_addr, user_agent)
                     return self._generate_vcs_response(
                         environ, start_response, repo_path, extras, action)
                 @initialize_generator
                 def _generate_vcs_response(
                         self, environ, start_response, repo_path, extras, action):
                     """
                     Returns a generator for the response content.
                     This method is implemented as a generator, so that it can trigger
                     the cache validation after all content sent back to the client. It
                     also handles the locking exceptions which will be triggered when
                     the first chunk is produced by the underlying WSGI application.
                     """
                     txn_id = ''
                     if 'CONTENT_LENGTH' in environ and environ['REQUEST_METHOD'] == 'MERGE':
                         # case for SVN, we want to re-use the callback daemon port
                         # so we use the txn_id, for this we peek the body, and still save
                         # it as wsgi.input
                         data = environ['wsgi.input'].read()
                         environ['wsgi.input'] = StringIO(data)
                         txn_id = extract_svn_txn_id(self.acl_repo_name, data)
                     callback_daemon, extras = self._prepare_callback_daemon(
                         extras, environ, action, txn_id=txn_id)
                     log.debug('HOOKS extras is %s', extras)
                     http_scheme = self._get_http_scheme(environ)
                     config = self._create_config(extras, self.acl_repo_name, scheme=http_scheme)
                     app = self._create_wsgi_app(repo_path, self.url_repo_name, config)
                     with callback_daemon:
                         app.rc_extras = extras
                         try:
                             response = app(environ, start_response)
                         finally:
                             # This statement works together with the decorator
                             # "initialize_generator" above. The decorator ensures that
                             # we hit the first yield statement before the generator is
                             # returned back to the WSGI server. This is needed to
                             # ensure that the call to "app" above triggers the
                             # needed callback to "start_response" before the
                             # generator is actually used.
                             yield "__init__"
                         # iter content
                         for chunk in response:
                             yield chunk
                         try:
                             # invalidate cache on push
                             if action == 'push':
                                 self._invalidate_cache(self.url_repo_name)
                         finally:
                             meta.Session.remove()
                 def _get_repository_name(self, environ):
                     """Get repository name out of the environmnent
                     :param environ: WSGI environment
                     """
                     raise NotImplementedError()
                 def _get_action(self, environ):
                     """Map request commands into a pull or push command.
                     :param environ: WSGI environment
                     """
                     raise NotImplementedError()
                 def _create_wsgi_app(self, repo_path, repo_name, config):
                     """Return the WSGI app that will finally handle the request."""
                     raise NotImplementedError()
                 def _create_config(self, extras, repo_name, scheme='http'):
                     """Create a safe config representation."""
                     raise NotImplementedError()
                 def _should_use_callback_daemon(self, extras, environ, action):
                     return True
                 def _prepare_callback_daemon(self, extras, environ, action, txn_id=None):
                     direct_calls = vcs_settings.HOOKS_DIRECT_CALLS
                     if not self._should_use_callback_daemon(extras, environ, action):
                         # disable callback daemon for actions that don't require it
                         direct_calls = True
                     return prepare_callback_daemon(
                         extras, protocol=vcs_settings.HOOKS_PROTOCOL,
                         host=vcs_settings.HOOKS_HOST, use_direct_calls=direct_calls, txn_id=txn_id)
             def _should_check_locking(query_string):
                 # this is kind of hacky, but due to how mercurial handles client-server
                 # server see all operation on commit; bookmarks, phases and
                 # obsolescence marker in different transaction, we don't want to check
                 # locking on those
                 return query_string not in ['cmd=listkeys']

rhodecode/lib/rc_cache/utils.py

0 +3 -2

             # -*- coding: utf-8 -*-
             # Copyright (C) 2015-2019 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import os
             import time
             import logging
             import functools
             import threading
             from dogpile.cache import CacheRegion
             from dogpile.cache.util import compat
             import rhodecode
             from rhodecode.lib.utils import safe_str, sha1
             from rhodecode.lib.utils2 import safe_unicode, str2bool
             from rhodecode.model.db import Session, CacheKey, IntegrityError
             from . import region_meta
             log = logging.getLogger(__name__)
             class RhodeCodeCacheRegion(CacheRegion):
                 def conditional_cache_on_arguments(
                         self, namespace=None,
                         expiration_time=None,
                         should_cache_fn=None,
                         to_str=compat.string_type,
                         function_key_generator=None,
                         condition=True):
                     """
                     Custom conditional decorator, that will not touch any dogpile internals if
                     condition isn't meet. This works a bit different than should_cache_fn
                     And it's faster in cases we don't ever want to compute cached values
                     """
                     expiration_time_is_callable = compat.callable(expiration_time)
                     if function_key_generator is None:
                         function_key_generator = self.function_key_generator
                     def decorator(fn):
                         if to_str is compat.string_type:
                             # backwards compatible
                             key_generator = function_key_generator(namespace, fn)
                         else:
                             key_generator = function_key_generator(namespace, fn, to_str=to_str)
                         @functools.wraps(fn)
                         def decorate(*arg, **kw):
                             key = key_generator(*arg, **kw)
                             @functools.wraps(fn)
                             def creator():
                                 return fn(*arg, **kw)
                             if not condition:
                                 return creator()
                             timeout = expiration_time() if expiration_time_is_callable \
                                 else expiration_time
                             return self.get_or_create(key, creator, timeout, should_cache_fn)
                         def invalidate(*arg, **kw):
                             key = key_generator(*arg, **kw)
                             self.delete(key)
                         def set_(value, *arg, **kw):
                             key = key_generator(*arg, **kw)
                             self.set(key, value)
                         def get(*arg, **kw):
                             key = key_generator(*arg, **kw)
                             return self.get(key)
                         def refresh(*arg, **kw):
                             key = key_generator(*arg, **kw)
                             value = fn(*arg, **kw)
                             self.set(key, value)
                             return value
                         decorate.set = set_
                         decorate.invalidate = invalidate
                         decorate.refresh = refresh
                         decorate.get = get
                         decorate.original = fn
                         decorate.key_generator = key_generator
                         decorate.__wrapped__ = fn
                         return decorate
                     return decorator
             def make_region(*arg, **kw):
                 return RhodeCodeCacheRegion(*arg, **kw)
             def get_default_cache_settings(settings, prefixes=None):
                 prefixes = prefixes or []
                 cache_settings = {}
                 for key in settings.keys():
                     for prefix in prefixes:
                         if key.startswith(prefix):
                             name = key.split(prefix)[1].strip()
                             val = settings[key]
                             if isinstance(val, compat.string_types):
                                 val = val.strip()
                             cache_settings[name] = val
                 return cache_settings
             def compute_key_from_params(*args):
                 """
                 Helper to compute key from given params to be used in cache manager
                 """
                 return sha1("_".join(map(safe_str, args)))
             def backend_key_generator(backend):
                 """
                 Special wrapper that also sends over the backend to the key generator
                 """
                 def wrapper(namespace, fn):
                     return key_generator(backend, namespace, fn)
                 return wrapper
             def key_generator(backend, namespace, fn):
                 fname = fn.__name__
                 def generate_key(*args):
                     backend_prefix = getattr(backend, 'key_prefix', None) or 'backend_prefix'
                     namespace_pref = namespace or 'default_namespace'
                     arg_key = compute_key_from_params(*args)
                     final_key = "{}:{}:{}_{}".format(backend_prefix, namespace_pref, fname, arg_key)
                     return final_key
                 return generate_key
             def get_or_create_region(region_name, region_namespace=None):
                 from rhodecode.lib.rc_cache.backends import FileNamespaceBackend
                 region_obj = region_meta.dogpile_cache_regions.get(region_name)
                 if not region_obj:
                     raise EnvironmentError(
                         'Region `{}` not in configured: {}.'.format(
                             region_name, region_meta.dogpile_cache_regions.keys()))
                 region_uid_name = '{}:{}'.format(region_name, region_namespace)
                 if isinstance(region_obj.actual_backend, FileNamespaceBackend):
                     region_exist = region_meta.dogpile_cache_regions.get(region_namespace)
                     if region_exist:
                         log.debug('Using already configured region: %s', region_namespace)
                         return region_exist
                     cache_dir = region_meta.dogpile_config_defaults['cache_dir']
                     expiration_time = region_obj.expiration_time
                     if not os.path.isdir(cache_dir):
                         os.makedirs(cache_dir)
                     new_region = make_region(
                         name=region_uid_name,
                         function_key_generator=backend_key_generator(region_obj.actual_backend)
                     )
                     namespace_filename = os.path.join(
                         cache_dir, "{}.cache.dbm".format(region_namespace))
                     # special type that allows 1db per namespace
                     new_region.configure(
                         backend='dogpile.cache.rc.file_namespace',
                         expiration_time=expiration_time,
                         arguments={"filename": namespace_filename}
                     )
                     # create and save in region caches
                     log.debug('configuring new region: %s', region_uid_name)
                     region_obj = region_meta.dogpile_cache_regions[region_namespace] = new_region
                 return region_obj
             def clear_cache_namespace(cache_region, cache_namespace_uid):
                 region = get_or_create_region(cache_region, cache_namespace_uid)
                 cache_keys = region.backend.list_keys(prefix=cache_namespace_uid)
                 num_delete_keys = len(cache_keys)
                 if num_delete_keys:
                     region.delete_multi(cache_keys)
                 return num_delete_keys
             class ActiveRegionCache(object):
                 def __init__(self, context, cache_data):
                     self.context = context
                     self.cache_data = cache_data
                 def should_invalidate(self):
                     return False
             class FreshRegionCache(object):
                 def __init__(self, context, cache_data):
                     self.context = context
                     self.cache_data = cache_data
                 def should_invalidate(self):
                     return True
             class InvalidationContext(object):
                 """
                 usage::
                     from rhodecode.lib import rc_cache
                     cache_namespace_uid = CacheKey.SOME_NAMESPACE.format(1)
                     region = rc_cache.get_or_create_region('cache_perms', cache_namespace_uid)
                     @region.conditional_cache_on_arguments(namespace=cache_namespace_uid, condition=True)
                     def heavy_compute(cache_name, param1, param2):
                         print('COMPUTE {}, {}, {}'.format(cache_name, param1, param2))
                     # invalidation namespace is shared namespace key for all process caches
                     # we use it to send a global signal
                     invalidation_namespace = 'repo_cache:1'
                     inv_context_manager = rc_cache.InvalidationContext(
                         uid=cache_namespace_uid, invalidation_namespace=invalidation_namespace)
                     with inv_context_manager as invalidation_context:
                         args = ('one', 'two')
                         # re-compute and store cache if we get invalidate signal
                         if invalidation_context.should_invalidate():
                             result = heavy_compute.refresh(*args)
                         else:
                             result = heavy_compute(*args)
                         compute_time = inv_context_manager.compute_time
-                        log.debug('result computed in %.3fs', compute_time)
+                        log.debug('result computed in %.4fs', compute_time)
                     # To send global invalidation signal, simply run
                     CacheKey.set_invalidate(invalidation_namespace)
                 """
                 def __repr__(self):
                     return '<InvalidationContext:{}[{}]>'.format(
                         safe_str(self.cache_key), safe_str(self.uid))
                 def __init__(self, uid, invalidation_namespace='',
                              raise_exception=False, thread_scoped=None):
                     self.uid = uid
                     self.invalidation_namespace = invalidation_namespace
                     self.raise_exception = raise_exception
                     self.proc_id = safe_unicode(rhodecode.CONFIG.get('instance_id') or 'DEFAULT')
                     self.thread_id = 'global'
                     if thread_scoped is None:
                         # if we set "default" we can override this via .ini settings
                         thread_scoped = str2bool(rhodecode.CONFIG.get('cache_thread_scoped'))
                     # Append the thread id to the cache key if this invalidation context
                     # should be scoped to the current thread.
                     if thread_scoped is True:
                         self.thread_id = threading.current_thread().ident
                     self.cache_key = compute_key_from_params(uid)
                     self.cache_key = 'proc:{}|thread:{}|params:{}'.format(
                         self.proc_id, self.thread_id, self.cache_key)
                     self.compute_time = 0
                 def get_or_create_cache_obj(self, uid, invalidation_namespace=''):
                     cache_obj = CacheKey.get_active_cache(self.cache_key)
                     log.debug('Fetched cache obj %s using %s cache key.', cache_obj, self.cache_key)
                     invalidation_namespace = invalidation_namespace or self.invalidation_namespace
                     if not cache_obj:
-                        cache_obj = CacheKey(self.cache_key, cache_args=invalidation_namespace)
+                        new_cache_args = invalidation_namespace
+                        cache_obj = CacheKey(self.cache_key, cache_args=new_cache_args)
                     return cache_obj
                 def __enter__(self):
                     """
                     Test if current object is valid, and return CacheRegion function
                     that does invalidation and calculation
                     """
                     log.debug('Entering cache invalidation check context: %s', self.invalidation_namespace)
                     # register or get a new key based on uid
                     self.cache_obj = self.get_or_create_cache_obj(uid=self.uid)
                     cache_data = self.cache_obj.get_dict()
                     self._start_time = time.time()
                     if self.cache_obj.cache_active:
                         # means our cache obj is existing and marked as it's
                         # cache is not outdated, we return ActiveRegionCache
                         self.skip_cache_active_change = True
                         return ActiveRegionCache(context=self, cache_data=cache_data)
                     # the key is either not existing or set to False, we return
                     # the real invalidator which re-computes value. We additionally set
                     # the flag to actually update the Database objects
                     self.skip_cache_active_change = False
                     return FreshRegionCache(context=self, cache_data=cache_data)
                 def __exit__(self, exc_type, exc_val, exc_tb):
                     # save compute time
                     self.compute_time = time.time() - self._start_time
                     if self.skip_cache_active_change:
                         return
                     try:
                         self.cache_obj.cache_active = True
                         Session().add(self.cache_obj)
                         Session().commit()
                     except IntegrityError:
                         # if we catch integrity error, it means we inserted this object
                         # assumption is that's really an edge race-condition case and
                         # it's safe is to skip it
                         Session().rollback()
                     except Exception:
                         log.exception('Failed to commit on cache key update')
                         Session().rollback()
                         if self.raise_exception:
                             raise

rhodecode/lib/vcs/backends/git/commit.py

0 +2 -1

             # -*- coding: utf-8 -*-
             # Copyright (C) 2014-2019 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             """
             GIT commit module
             """
             import re
             import stat
             from itertools import chain
             from StringIO import StringIO
             from zope.cachedescriptors.property import Lazy as LazyProperty
             from rhodecode.lib.datelib import utcdate_fromtimestamp
             from rhodecode.lib.utils import safe_unicode, safe_str
             from rhodecode.lib.utils2 import safe_int
             from rhodecode.lib.vcs.conf import settings
             from rhodecode.lib.vcs.backends import base
             from rhodecode.lib.vcs.exceptions import CommitError, NodeDoesNotExistError
             from rhodecode.lib.vcs.nodes import (
                 FileNode, DirNode, NodeKind, RootNode, SubModuleNode,
                 ChangedFileNodesGenerator, AddedFileNodesGenerator,
                 RemovedFileNodesGenerator, LargeFileNode)
             from rhodecode.lib.vcs.compat import configparser
             class GitCommit(base.BaseCommit):
                 """
                 Represents state of the repository at single commit id.
                 """
                 _filter_pre_load = [
                     # done through a more complex tree walk on parents
                     "affected_files",
                     # done through subprocess not remote call
                     "children",
                     # done through a more complex tree walk on parents
                     "status",
                     # mercurial specific property not supported here
                     "_file_paths",
                     # mercurial specific property not supported here
                     'obsolete',
                     # mercurial specific property not supported here
                     'phase',
                     # mercurial specific property not supported here
                     'hidden'
                 ]
                 def __init__(self, repository, raw_id, idx, pre_load=None):
                     self.repository = repository
                     self._remote = repository._remote
                     # TODO: johbo: Tweak of raw_id should not be necessary
                     self.raw_id = safe_str(raw_id)
                     self.idx = idx
                     self._set_bulk_properties(pre_load)
                     # caches
                     self._stat_modes = {}  # stat info for paths
                     self._paths = {}  # path processed with parse_tree
                     self.nodes = {}
                     self._submodules = None
                 def _set_bulk_properties(self, pre_load):
                     if not pre_load:
                         return
                     pre_load = [entry for entry in pre_load
                                 if entry not in self._filter_pre_load]
                     if not pre_load:
                         return
                     result = self._remote.bulk_request(self.raw_id, pre_load)
                     for attr, value in result.items():
                         if attr in ["author", "message"]:
                             if value:
                                 value = safe_unicode(value)
                         elif attr == "date":
                             value = utcdate_fromtimestamp(*value)
                         elif attr == "parents":
                             value = self._make_commits(value)
                         elif attr == "branch":
                             value = value[0] if value else None
                         self.__dict__[attr] = value
                 @LazyProperty
                 def _commit(self):
                     return self._remote[self.raw_id]
                 @LazyProperty
                 def _tree_id(self):
                     return self._remote[self._commit['tree']]['id']
                 @LazyProperty
                 def id(self):
                     return self.raw_id
                 @LazyProperty
                 def short_id(self):
                     return self.raw_id[:12]
                 @LazyProperty
                 def message(self):
                     return safe_unicode(self._remote.message(self.id))
                 @LazyProperty
                 def committer(self):
                     return safe_unicode(self._remote.author(self.id))
                 @LazyProperty
                 def author(self):
                     return safe_unicode(self._remote.author(self.id))
                 @LazyProperty
                 def date(self):
                     unix_ts, tz = self._remote.date(self.raw_id)
                     return utcdate_fromtimestamp(unix_ts, tz)
                 @LazyProperty
                 def status(self):
                     """
                     Returns modified, added, removed, deleted files for current commit
                     """
                     return self.changed, self.added, self.removed
                 @LazyProperty
                 def tags(self):
                     tags = [safe_unicode(name) for name,
                             commit_id in self.repository.tags.iteritems()
                             if commit_id == self.raw_id]
                     return tags
                 @LazyProperty
                 def commit_branches(self):
                     branches = []
                     for name, commit_id in self.repository.branches.iteritems():
                         if commit_id == self.raw_id:
                             branches.append(name)
                     return branches
                 @LazyProperty
                 def branch(self):
-                    branches = safe_unicode(self._remote.branch(self.raw_id))
+                    branches = self._remote.branch(self.raw_id)
                     if branches:
                         # actually commit can have multiple branches in git
                         return safe_unicode(branches[0])
                 def _get_tree_id_for_path(self, path):
                     path = safe_str(path)
                     if path in self._paths:
                         return self._paths[path]
                     tree_id = self._tree_id
                     path = path.strip('/')
                     if path == '':
                         data = [tree_id, "tree"]
                         self._paths[''] = data
                         return data
                     tree_id, tree_type, tree_mode = \
                         self._remote.tree_and_type_for_path(self.raw_id, path)
                     if tree_id is None:
                         raise self.no_node_at_path(path)
                     self._paths[path] = [tree_id, tree_type]
                     self._stat_modes[path] = tree_mode
                     if path not in self._paths:
                         raise self.no_node_at_path(path)
                     return self._paths[path]
                 def _get_kind(self, path):
                     tree_id, type_ = self._get_tree_id_for_path(path)
                     if type_ == 'blob':
                         return NodeKind.FILE
                     elif type_ == 'tree':
                         return NodeKind.DIR
                     elif type_ == 'link':
                         return NodeKind.SUBMODULE
                     return None
                 def _get_filectx(self, path):
                     path = self._fix_path(path)
                     if self._get_kind(path) != NodeKind.FILE:
                         raise CommitError(
                             "File does not exist for commit %s at  '%s'" % (self.raw_id, path))
                     return path
                 def _get_file_nodes(self):
                     return chain(*(t[2] for t in self.walk()))
                 @LazyProperty
                 def parents(self):
                     """
                     Returns list of parent commits.
                     """
                     parent_ids = self._remote.parents(self.id)
                     return self._make_commits(parent_ids)
                 @LazyProperty
                 def children(self):
                     """
                     Returns list of child commits.
                     """
                     rev_filter = settings.GIT_REV_FILTER
                     output, __ = self.repository.run_git_command(
                         ['rev-list', '--children'] + rev_filter)
                     child_ids = []
                     pat = re.compile(r'^%s' % self.raw_id)
                     for l in output.splitlines():
                         if pat.match(l):
                             found_ids = l.split(' ')[1:]
                             child_ids.extend(found_ids)
                     return self._make_commits(child_ids)
                 def _make_commits(self, commit_ids):
                     def commit_maker(_commit_id):
                         return self.repository.get_commit(commit_id=commit_id)
                     return [commit_maker(commit_id) for commit_id in commit_ids]
                 def get_file_mode(self, path):
                     """
                     Returns stat mode of the file at the given `path`.
                     """
                     path = safe_str(path)
                     # ensure path is traversed
                     self._get_tree_id_for_path(path)
                     return self._stat_modes[path]
                 def is_link(self, path):
                     return stat.S_ISLNK(self.get_file_mode(path))
                 def get_file_content(self, path):
                     """
                     Returns content of the file at given `path`.
                     """
                     tree_id, _ = self._get_tree_id_for_path(path)
                     return self._remote.blob_as_pretty_string(tree_id)
                 def get_file_size(self, path):
                     """
                     Returns size of the file at given `path`.
                     """
                     tree_id, _ = self._get_tree_id_for_path(path)
                     return self._remote.blob_raw_length(tree_id)
                 def get_path_history(self, path, limit=None, pre_load=None):
                     """
                     Returns history of file as reversed list of `GitCommit` objects for
                     which file at given `path` has been modified.
                     TODO: This function now uses an underlying 'git' command which works
                     quickly but ideally we should replace with an algorithm.
                     """
                     self._get_filectx(path)
                     f_path = safe_str(path)
                     # optimize for n==1, rev-list is much faster for that use-case
                     if limit == 1:
                         cmd = ['rev-list', '-1', self.raw_id, '--', f_path]
                     else:
                         cmd = ['log']
                         if limit:
                             cmd.extend(['-n', str(safe_int(limit, 0))])
                         cmd.extend(['--pretty=format: %H', '-s', self.raw_id, '--', f_path])
                     output, __ = self.repository.run_git_command(cmd)
                     commit_ids = re.findall(r'[0-9a-fA-F]{40}', output)
                     return [
                         self.repository.get_commit(commit_id=commit_id, pre_load=pre_load)
                         for commit_id in commit_ids]
                 def get_file_annotate(self, path, pre_load=None):
                     """
                     Returns a generator of four element tuples with
                         lineno, commit_id, commit lazy loader and line
                     TODO: This function now uses os underlying 'git' command which is
                     generally not good. Should be replaced with algorithm iterating
                     commits.
                     """
                     cmd = ['blame', '-l', '--root', '-r', self.raw_id, '--', path]
                     # -l     ==> outputs long shas (and we need all 40 characters)
                     # --root ==> doesn't put '^' character for bounderies
                     # -r commit_id ==> blames for the given commit
                     output, __ = self.repository.run_git_command(cmd)
                     for i, blame_line in enumerate(output.split('\n')[:-1]):
                         line_no = i + 1
                         commit_id, line = re.split(r' ', blame_line, 1)
                         yield (
                             line_no, commit_id,
                             lambda: self.repository.get_commit(commit_id=commit_id,
                                                                pre_load=pre_load),
                             line)
                 def get_nodes(self, path):
                     if self._get_kind(path) != NodeKind.DIR:
                         raise CommitError(
                             "Directory does not exist for commit %s at '%s'" % (self.raw_id, path))
                     path = self._fix_path(path)
                     tree_id, _ = self._get_tree_id_for_path(path)
                     dirnodes = []
                     filenodes = []
                     # extracted tree ID gives us our files...
                     for name, stat_, id_, type_ in self._remote.tree_items(tree_id):
                         if type_ == 'link':
                             url = self._get_submodule_url('/'.join((path, name)))
                             dirnodes.append(SubModuleNode(
                                 name, url=url, commit=id_, alias=self.repository.alias))
                             continue
                         if path != '':
                             obj_path = '/'.join((path, name))
                         else:
                             obj_path = name
                         if obj_path not in self._stat_modes:
                             self._stat_modes[obj_path] = stat_
                         if type_ == 'tree':
                             dirnodes.append(DirNode(obj_path, commit=self))
                         elif type_ == 'blob':
                             filenodes.append(FileNode(obj_path, commit=self, mode=stat_))
                         else:
                             raise CommitError(
                                 "Requested object should be Tree or Blob, is %s", type_)
                     nodes = dirnodes + filenodes
                     for node in nodes:
                         if node.path not in self.nodes:
                             self.nodes[node.path] = node
                     nodes.sort()
                     return nodes
                 def get_node(self, path, pre_load=None):
                     if isinstance(path, unicode):
                         path = path.encode('utf-8')
                     path = self._fix_path(path)
                     if path not in self.nodes:
                         try:
                             tree_id, type_ = self._get_tree_id_for_path(path)
                         except CommitError:
                             raise NodeDoesNotExistError(
                                 "Cannot find one of parents' directories for a given "
                                 "path: %s" % path)
                         if type_ == 'link':
                             url = self._get_submodule_url(path)
                             node = SubModuleNode(path, url=url, commit=tree_id,
                                                  alias=self.repository.alias)
                         elif type_ == 'tree':
                             if path == '':
                                 node = RootNode(commit=self)
                             else:
                                 node = DirNode(path, commit=self)
                         elif type_ == 'blob':
                             node = FileNode(path, commit=self, pre_load=pre_load)
                             self._stat_modes[path] = node.mode
                         else:
                             raise self.no_node_at_path(path)
                         # cache node
                         self.nodes[path] = node
                     return self.nodes[path]
                 def get_largefile_node(self, path):
                     tree_id, _ = self._get_tree_id_for_path(path)
                     pointer_spec = self._remote.is_large_file(tree_id)
                     if pointer_spec:
                         # content of that file regular FileNode is the hash of largefile
                         file_id = pointer_spec.get('oid_hash')
                         if self._remote.in_largefiles_store(file_id):
                             lf_path = self._remote.store_path(file_id)
                             return LargeFileNode(lf_path, commit=self, org_path=path)
                 @LazyProperty
                 def affected_files(self):
                     """
                     Gets a fast accessible file changes for given commit
                     """
                     added, modified, deleted = self._changes_cache
                     return list(added.union(modified).union(deleted))
                 @LazyProperty
                 def _changes_cache(self):
                     added = set()
                     modified = set()
                     deleted = set()
                     _r = self._remote
                     parents = self.parents
                     if not self.parents:
                         parents = [base.EmptyCommit()]
                     for parent in parents:
                         if isinstance(parent, base.EmptyCommit):
                             oid = None
                         else:
                             oid = parent.raw_id
                         changes = _r.tree_changes(oid, self.raw_id)
                         for (oldpath, newpath), (_, _), (_, _) in changes:
                             if newpath and oldpath:
                                 modified.add(newpath)
                             elif newpath and not oldpath:
                                 added.add(newpath)
                             elif not newpath and oldpath:
                                 deleted.add(oldpath)
                     return added, modified, deleted
                 def _get_paths_for_status(self, status):
                     """
                     Returns sorted list of paths for given ``status``.
                     :param status: one of: *added*, *modified* or *deleted*
                     """
                     added, modified, deleted = self._changes_cache
                     return sorted({
                         'added': list(added),
                         'modified': list(modified),
                         'deleted': list(deleted)}[status]
                     )
                 @LazyProperty
                 def added(self):
                     """
                     Returns list of added ``FileNode`` objects.
                     """
                     if not self.parents:
                         return list(self._get_file_nodes())
                     return AddedFileNodesGenerator(
                         [n for n in self._get_paths_for_status('added')], self)
                 @LazyProperty
                 def changed(self):
                     """
                     Returns list of modified ``FileNode`` objects.
                     """
                     if not self.parents:
                         return []
                     return ChangedFileNodesGenerator(
                         [n for n in self._get_paths_for_status('modified')], self)
                 @LazyProperty
                 def removed(self):
                     """
                     Returns list of removed ``FileNode`` objects.
                     """
                     if not self.parents:
                         return []
                     return RemovedFileNodesGenerator(
                         [n for n in self._get_paths_for_status('deleted')], self)
                 def _get_submodule_url(self, submodule_path):
                     git_modules_path = '.gitmodules'
                     if self._submodules is None:
                         self._submodules = {}
                         try:
                             submodules_node = self.get_node(git_modules_path)
                         except NodeDoesNotExistError:
                             return None
                         content = submodules_node.content
                         # ConfigParser fails if there are whitespaces
                         content = '\n'.join(l.strip() for l in content.split('\n'))
                         parser = configparser.ConfigParser()
                         parser.readfp(StringIO(content))
                         for section in parser.sections():
                             path = parser.get(section, 'path')
                             url = parser.get(section, 'url')
                             if path and url:
                                 self._submodules[path.strip('/')] = url
                     return self._submodules.get(submodule_path.strip('/'))

rhodecode/lib/vcs/client_http.py

0 +1 -1

             # -*- coding: utf-8 -*-
             # Copyright (C) 2016-2019 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             """
             Client for the VCSServer implemented based on HTTP.
             """
             import copy
             import logging
             import threading
             import time
             import urllib2
             import urlparse
             import uuid
             import traceback
             import pycurl
             import msgpack
             import requests
             from requests.packages.urllib3.util.retry import Retry
             import rhodecode
             from rhodecode.lib.system_info import get_cert_path
             from rhodecode.lib.vcs import exceptions, CurlSession
             log = logging.getLogger(__name__)
             # TODO: mikhail: Keep it in sync with vcsserver's
             # HTTPApplication.ALLOWED_EXCEPTIONS
             EXCEPTIONS_MAP = {
                 'KeyError': KeyError,
                 'URLError': urllib2.URLError,
             }
             class RepoMaker(object):
                 def __init__(self, server_and_port, backend_endpoint, backend_type, session_factory):
                     self.url = urlparse.urljoin('http://%s' % server_and_port, backend_endpoint)
                     self._session_factory = session_factory
                     self.backend_type = backend_type
                 def __call__(self, path, repo_id, config, with_wire=None):
                     log.debug('%s RepoMaker call on %s', self.backend_type.upper(), path)
                     return RemoteRepo(path, repo_id, config, self.url, self._session_factory(),
                                       with_wire=with_wire)
                 def __getattr__(self, name):
                     def f(*args, **kwargs):
                         return self._call(name, *args, **kwargs)
                     return f
                 @exceptions.map_vcs_exceptions
                 def _call(self, name, *args, **kwargs):
                     payload = {
                         'id': str(uuid.uuid4()),
                         'method': name,
                         'backend': self.backend_type,
                         'params': {'args': args, 'kwargs': kwargs}
                     }
                     return _remote_call(
                         self.url, payload, EXCEPTIONS_MAP, self._session_factory())
             class ServiceConnection(object):
                 def __init__(self, server_and_port, backend_endpoint, session_factory):
                     self.url = urlparse.urljoin('http://%s' % server_and_port, backend_endpoint)
                     self._session_factory = session_factory
                 def __getattr__(self, name):
                     def f(*args, **kwargs):
                         return self._call(name, *args, **kwargs)
                     return f
                 @exceptions.map_vcs_exceptions
                 def _call(self, name, *args, **kwargs):
                     payload = {
                         'id': str(uuid.uuid4()),
                         'method': name,
                         'params': {'args': args, 'kwargs': kwargs}
                     }
                     return _remote_call(
                         self.url, payload, EXCEPTIONS_MAP, self._session_factory())
             class RemoteRepo(object):
                 def __init__(self, path, repo_id, config, url, session, with_wire=None):
                     self.url = url
                     self._session = session
                     with_wire = with_wire or {}
                     repo_state_uid = with_wire.get('repo_state_uid') or 'state'
                     self._wire = {
                         "path": path,  # repo path
                         "repo_id": repo_id,
                         "config": config,
                         "repo_state_uid": repo_state_uid,
                         "context": self._create_vcs_cache_context(path, repo_state_uid)
                     }
                     if with_wire:
                         self._wire.update(with_wire)
                     # NOTE(johbo): Trading complexity for performance. Avoiding the call to
                     # log.debug brings a few percent gain even if is is not active.
                     if log.isEnabledFor(logging.DEBUG):
                         self._call_with_logging = True
                     self.cert_dir = get_cert_path(rhodecode.CONFIG.get('__file__'))
                 def __getattr__(self, name):
                     def f(*args, **kwargs):
                         return self._call(name, *args, **kwargs)
                     return f
                 @exceptions.map_vcs_exceptions
                 def _call(self, name, *args, **kwargs):
                     # TODO: oliver: This is currently necessary pre-call since the
                     # config object is being changed for hooking scenarios
                     wire = copy.deepcopy(self._wire)
                     wire["config"] = wire["config"].serialize()
                     wire["config"].append(('vcs', 'ssl_dir', self.cert_dir))
                     payload = {
                         'id': str(uuid.uuid4()),
                         'method': name,
                         'params': {'wire': wire, 'args': args, 'kwargs': kwargs}
                     }
                     if self._call_with_logging:
                         start = time.time()
                         context_uid = wire.get('context')
                         log.debug('Calling %s@%s with args:%.10240r. wire_context: %s',
                                   self.url, name, args, context_uid)
                     result = _remote_call(self.url, payload, EXCEPTIONS_MAP, self._session)
                     if self._call_with_logging:
-                        log.debug('Call %s@%s took: %.3fs. wire_context: %s',
+                        log.debug('Call %s@%s took: %.4fs. wire_context: %s',
                                   self.url, name, time.time()-start, context_uid)
                     return result
                 def __getitem__(self, key):
                     return self.revision(key)
                 def _create_vcs_cache_context(self, *args):
                     """
                     Creates a unique string which is passed to the VCSServer on every
                     remote call. It is used as cache key in the VCSServer.
                     """
                     hash_key = '-'.join(map(str, args))
                     return str(uuid.uuid5(uuid.NAMESPACE_URL, hash_key))
                 def invalidate_vcs_cache(self):
                     """
                     This invalidates the context which is sent to the VCSServer on every
                     call to a remote method. It forces the VCSServer to create a fresh
                     repository instance on the next call to a remote method.
                     """
                     self._wire['context'] = str(uuid.uuid4())
             class RemoteObject(object):
                 def __init__(self, url, session):
                     self._url = url
                     self._session = session
                     # johbo: Trading complexity for performance. Avoiding the call to
                     # log.debug brings a few percent gain even if is is not active.
                     if log.isEnabledFor(logging.DEBUG):
                         self._call = self._call_with_logging
                 def __getattr__(self, name):
                     def f(*args, **kwargs):
                         return self._call(name, *args, **kwargs)
                     return f
                 @exceptions.map_vcs_exceptions
                 def _call(self, name, *args, **kwargs):
                     payload = {
                         'id': str(uuid.uuid4()),
                         'method': name,
                         'params': {'args': args, 'kwargs': kwargs}
                     }
                     return _remote_call(self._url, payload, EXCEPTIONS_MAP, self._session)
                 def _call_with_logging(self, name, *args, **kwargs):
                     log.debug('Calling %s@%s', self._url, name)
                     return RemoteObject._call(self, name, *args, **kwargs)
             def _remote_call(url, payload, exceptions_map, session):
                 try:
                     response = session.post(url, data=msgpack.packb(payload))
                 except pycurl.error as e:
                     msg = '{}. \npycurl traceback: {}'.format(e, traceback.format_exc())
                     raise exceptions.HttpVCSCommunicationError(msg)
                 except Exception as e:
                     message = getattr(e, 'message', '')
                     if 'Failed to connect' in message:
                         # gevent doesn't return proper pycurl errors
                         raise exceptions.HttpVCSCommunicationError(e)
                     else:
                         raise
                 if response.status_code >= 400:
                     log.error('Call to %s returned non 200 HTTP code: %s',
                               url, response.status_code)
                     raise exceptions.HttpVCSCommunicationError(repr(response.content))
                 try:
                     response = msgpack.unpackb(response.content)
                 except Exception:
                     log.exception('Failed to decode response %r', response.content)
                     raise
                 error = response.get('error')
                 if error:
                     type_ = error.get('type', 'Exception')
                     exc = exceptions_map.get(type_, Exception)
                     exc = exc(error.get('message'))
                     try:
                         exc._vcs_kind = error['_vcs_kind']
                     except KeyError:
                         pass
                     try:
                         exc._vcs_server_traceback = error['traceback']
                         exc._vcs_server_org_exc_name = error['org_exc']
                         exc._vcs_server_org_exc_tb = error['org_exc_tb']
                     except KeyError:
                         pass
                     raise exc
                 return response.get('result')
             class VcsHttpProxy(object):
                 CHUNK_SIZE = 16384
                 def __init__(self, server_and_port, backend_endpoint):
                     retries = Retry(total=5, connect=None, read=None, redirect=None)
                     adapter = requests.adapters.HTTPAdapter(max_retries=retries)
                     self.base_url = urlparse.urljoin('http://%s' % server_and_port, backend_endpoint)
                     self.session = requests.Session()
                     self.session.mount('http://', adapter)
                 def handle(self, environment, input_data, *args, **kwargs):
                     data = {
                         'environment': environment,
                         'input_data': input_data,
                         'args': args,
                         'kwargs': kwargs
                     }
                     result = self.session.post(
                         self.base_url, msgpack.packb(data), stream=True)
                     return self._get_result(result)
                 def _deserialize_and_raise(self, error):
                     exception = Exception(error['message'])
                     try:
                         exception._vcs_kind = error['_vcs_kind']
                     except KeyError:
                         pass
                     raise exception
                 def _iterate(self, result):
                     unpacker = msgpack.Unpacker()
                     for line in result.iter_content(chunk_size=self.CHUNK_SIZE):
                         unpacker.feed(line)
                         for chunk in unpacker:
                             yield chunk
                 def _get_result(self, result):
                     iterator = self._iterate(result)
                     error = iterator.next()
                     if error:
                         self._deserialize_and_raise(error)
                     status = iterator.next()
                     headers = iterator.next()
                     return iterator, status, headers
             class ThreadlocalSessionFactory(object):
                 """
                 Creates one CurlSession per thread on demand.
                 """
                 def __init__(self):
                     self._thread_local = threading.local()
                 def __call__(self):
                     if not hasattr(self._thread_local, 'curl_session'):
                         self._thread_local.curl_session = CurlSession()
                     return self._thread_local.curl_session

rhodecode/model/db.py

0 +1 -1

             # -*- coding: utf-8 -*-
             # Copyright (C) 2010-2019 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             """
             Database Models for RhodeCode Enterprise
             """
             import re
             import os
             import time
             import string
             import hashlib
             import logging
             import datetime
             import uuid
             import warnings
             import ipaddress
             import functools
             import traceback
             import collections
             from sqlalchemy import (
                 or_, and_, not_, func, TypeDecorator, event,
                 Index, Sequence, UniqueConstraint, ForeignKey, CheckConstraint, Column,
                 Boolean, String, Unicode, UnicodeText, DateTime, Integer, LargeBinary,
                 Text, Float, PickleType)
             from sqlalchemy.sql.expression import true, false, case
             from sqlalchemy.sql.functions import coalesce, count  # pragma: no cover
             from sqlalchemy.orm import (
                 relationship, joinedload, class_mapper, validates, aliased)
             from sqlalchemy.ext.declarative import declared_attr
             from sqlalchemy.ext.hybrid import hybrid_property
             from sqlalchemy.exc import IntegrityError  # pragma: no cover
             from sqlalchemy.dialects.mysql import LONGTEXT
             from zope.cachedescriptors.property import Lazy as LazyProperty
             from pyramid import compat
             from pyramid.threadlocal import get_current_request
             from webhelpers.text import collapse, remove_formatting
             from rhodecode.translation import _
             from rhodecode.lib.vcs import get_vcs_instance
             from rhodecode.lib.vcs.backends.base import EmptyCommit, Reference
             from rhodecode.lib.utils2 import (
                 str2bool, safe_str, get_commit_safe, safe_unicode, sha1_safe,
                 time_to_datetime, aslist, Optional, safe_int, get_clone_url, AttributeDict,
                 glob2re, StrictAttributeDict, cleaned_uri, datetime_to_time, OrderedDefaultDict)
             from rhodecode.lib.jsonalchemy import MutationObj, MutationList, JsonType, \
                 JsonRaw
             from rhodecode.lib.ext_json import json
             from rhodecode.lib.caching_query import FromCache
             from rhodecode.lib.encrypt import AESCipher, validate_and_get_enc_data
             from rhodecode.lib.encrypt2 import Encryptor
             from rhodecode.model.meta import Base, Session
             URL_SEP = '/'
             log = logging.getLogger(__name__)
             # =============================================================================
             # BASE CLASSES
             # =============================================================================
             # this is propagated from .ini file rhodecode.encrypted_values.secret or
             # beaker.session.secret if first is not set.
             # and initialized at environment.py
             ENCRYPTION_KEY = None
             # used to sort permissions by types, '#' used here is not allowed to be in
             # usernames, and it's very early in sorted string.printable table.
             PERMISSION_TYPE_SORT = {
                 'admin': '####',
                 'write': '###',
                 'read':  '##',
                 'none':  '#',
             }
             def display_user_sort(obj):
                 """
                 Sort function used to sort permissions in .permissions() function of
                 Repository, RepoGroup, UserGroup. Also it put the default user in front
                 of all other resources
                 """
                 if obj.username == User.DEFAULT_USER:
                     return '#####'
                 prefix = PERMISSION_TYPE_SORT.get(obj.permission.split('.')[-1], '')
                 return prefix + obj.username
             def display_user_group_sort(obj):
                 """
                 Sort function used to sort permissions in .permissions() function of
                 Repository, RepoGroup, UserGroup. Also it put the default user in front
                 of all other resources
                 """
                 prefix = PERMISSION_TYPE_SORT.get(obj.permission.split('.')[-1], '')
                 return prefix + obj.users_group_name
             def _hash_key(k):
                 return sha1_safe(k)
             def in_filter_generator(qry, items, limit=500):
                 """
                 Splits IN() into multiple with OR
                 e.g.::
                 cnt = Repository.query().filter(
                     or_(
                         *in_filter_generator(Repository.repo_id, range(100000))
                     )).count()
                 """
                 if not items:
                     # empty list will cause empty query which might cause security issues
                     # this can lead to hidden unpleasant results
                     items = [-1]
                 parts = []
                 for chunk in xrange(0, len(items), limit):
                     parts.append(
                         qry.in_(items[chunk: chunk + limit])
                     )
                 return parts
             base_table_args = {
                 'extend_existing': True,
                 'mysql_engine': 'InnoDB',
                 'mysql_charset': 'utf8',
                 'sqlite_autoincrement': True
             }
             class EncryptedTextValue(TypeDecorator):
                 """
                 Special column for encrypted long text data, use like::
                     value = Column("encrypted_value", EncryptedValue(), nullable=False)
                 This column is intelligent so if value is in unencrypted form it return
                 unencrypted form, but on save it always encrypts
                 """
                 impl = Text
                 def process_bind_param(self, value, dialect):
                     """
                     Setter for storing value
                     """
                     import rhodecode
                     if not value:
                         return value
                     # protect against double encrypting if values is already encrypted
                     if value.startswith('enc$aes$') \
                             or value.startswith('enc$aes_hmac$') \
                             or value.startswith('enc2$'):
                         raise ValueError('value needs to be in unencrypted format, '
                                          'ie. not starting with enc$ or enc2$')
                     algo = rhodecode.CONFIG.get('rhodecode.encrypted_values.algorithm') or 'aes'
                     if algo == 'aes':
                         return 'enc$aes_hmac$%s' % AESCipher(ENCRYPTION_KEY, hmac=True).encrypt(value)
                     elif algo == 'fernet':
                         return Encryptor(ENCRYPTION_KEY).encrypt(value)
                     else:
                         ValueError('Bad encryption algorithm, should be fernet or aes, got: {}'.format(algo))
                 def process_result_value(self, value, dialect):
                     """
                     Getter for retrieving value
                     """
                     import rhodecode
                     if not value:
                         return value
                     algo = rhodecode.CONFIG.get('rhodecode.encrypted_values.algorithm') or 'aes'
                     enc_strict_mode = str2bool(rhodecode.CONFIG.get('rhodecode.encrypted_values.strict') or True)
                     if algo == 'aes':
                         decrypted_data = validate_and_get_enc_data(value, ENCRYPTION_KEY, enc_strict_mode)
                     elif algo == 'fernet':
                         return Encryptor(ENCRYPTION_KEY).decrypt(value)
                     else:
                         ValueError('Bad encryption algorithm, should be fernet or aes, got: {}'.format(algo))
                     return decrypted_data
             class BaseModel(object):
                 """
                 Base Model for all classes
                 """
                 @classmethod
                 def _get_keys(cls):
                     """return column names for this model """
                     return class_mapper(cls).c.keys()
                 def get_dict(self):
                     """
                     return dict with keys and values corresponding
                     to this model data """
                     d = {}
                     for k in self._get_keys():
                         d[k] = getattr(self, k)
                     # also use __json__() if present to get additional fields
                     _json_attr = getattr(self, '__json__', None)
                     if _json_attr:
                         # update with attributes from __json__
                         if callable(_json_attr):
                             _json_attr = _json_attr()
                         for k, val in _json_attr.iteritems():
                             d[k] = val
                     return d
                 def get_appstruct(self):
                     """return list with keys and values tuples corresponding
                     to this model data """
                     lst = []
                     for k in self._get_keys():
                         lst.append((k, getattr(self, k),))
                     return lst
                 def populate_obj(self, populate_dict):
                     """populate model with data from given populate_dict"""
                     for k in self._get_keys():
                         if k in populate_dict:
                             setattr(self, k, populate_dict[k])
                 @classmethod
                 def query(cls):
                     return Session().query(cls)
                 @classmethod
                 def get(cls, id_):
                     if id_:
                         return cls.query().get(id_)
                 @classmethod
                 def get_or_404(cls, id_):
                     from pyramid.httpexceptions import HTTPNotFound
                     try:
                         id_ = int(id_)
                     except (TypeError, ValueError):
                         raise HTTPNotFound()
                     res = cls.query().get(id_)
                     if not res:
                         raise HTTPNotFound()
                     return res
                 @classmethod
                 def getAll(cls):
                     # deprecated and left for backward compatibility
                     return cls.get_all()
                 @classmethod
                 def get_all(cls):
                     return cls.query().all()
                 @classmethod
                 def delete(cls, id_):
                     obj = cls.query().get(id_)
                     Session().delete(obj)
                 @classmethod
                 def identity_cache(cls, session, attr_name, value):
                     exist_in_session = []
                     for (item_cls, pkey), instance in session.identity_map.items():
                         if cls == item_cls and getattr(instance, attr_name) == value:
                             exist_in_session.append(instance)
                     if exist_in_session:
                         if len(exist_in_session) == 1:
                             return exist_in_session[0]
                         log.exception(
                             'multiple objects with attr %s and '
                             'value %s found with same name: %r',
                             attr_name, value, exist_in_session)
                 def __repr__(self):
                     if hasattr(self, '__unicode__'):
                         # python repr needs to return str
                         try:
                             return safe_str(self.__unicode__())
                         except UnicodeDecodeError:
                             pass
                     return '<DB:%s>' % (self.__class__.__name__)
             class RhodeCodeSetting(Base, BaseModel):
                 __tablename__ = 'rhodecode_settings'
                 __table_args__ = (
                     UniqueConstraint('app_settings_name'),
                     base_table_args
                 )
                 SETTINGS_TYPES = {
                     'str': safe_str,
                     'int': safe_int,
                     'unicode': safe_unicode,
                     'bool': str2bool,
                     'list': functools.partial(aslist, sep=',')
                 }
                 DEFAULT_UPDATE_URL = 'https://rhodecode.com/api/v1/info/versions'
                 GLOBAL_CONF_KEY = 'app_settings'
                 app_settings_id = Column("app_settings_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 app_settings_name = Column("app_settings_name", String(255), nullable=True, unique=None, default=None)
                 _app_settings_value = Column("app_settings_value", String(4096), nullable=True, unique=None, default=None)
                 _app_settings_type = Column("app_settings_type", String(255), nullable=True, unique=None, default=None)
                 def __init__(self, key='', val='', type='unicode'):
                     self.app_settings_name = key
                     self.app_settings_type = type
                     self.app_settings_value = val
                 @validates('_app_settings_value')
                 def validate_settings_value(self, key, val):
                     assert type(val) == unicode
                     return val
                 @hybrid_property
                 def app_settings_value(self):
                     v = self._app_settings_value
                     _type = self.app_settings_type
                     if _type:
                         _type = self.app_settings_type.split('.')[0]
                         # decode the encrypted value
                         if 'encrypted' in self.app_settings_type:
                             cipher = EncryptedTextValue()
                             v = safe_unicode(cipher.process_result_value(v, None))
                     converter = self.SETTINGS_TYPES.get(_type) or \
                         self.SETTINGS_TYPES['unicode']
                     return converter(v)
                 @app_settings_value.setter
                 def app_settings_value(self, val):
                     """
                     Setter that will always make sure we use unicode in app_settings_value
                     :param val:
                     """
                     val = safe_unicode(val)
                     # encode the encrypted value
                     if 'encrypted' in self.app_settings_type:
                         cipher = EncryptedTextValue()
                         val = safe_unicode(cipher.process_bind_param(val, None))
                     self._app_settings_value = val
                 @hybrid_property
                 def app_settings_type(self):
                     return self._app_settings_type
                 @app_settings_type.setter
                 def app_settings_type(self, val):
                     if val.split('.')[0] not in self.SETTINGS_TYPES:
                         raise Exception('type must be one of %s got %s'
                                         % (self.SETTINGS_TYPES.keys(), val))
                     self._app_settings_type = val
                 @classmethod
                 def get_by_prefix(cls, prefix):
                     return RhodeCodeSetting.query()\
                         .filter(RhodeCodeSetting.app_settings_name.startswith(prefix))\
                         .all()
                 def __unicode__(self):
                     return u"<%s('%s:%s[%s]')>" % (
                         self.__class__.__name__,
                         self.app_settings_name, self.app_settings_value,
                         self.app_settings_type
                     )
             class RhodeCodeUi(Base, BaseModel):
                 __tablename__ = 'rhodecode_ui'
                 __table_args__ = (
                     UniqueConstraint('ui_key'),
                     base_table_args
                 )
                 HOOK_REPO_SIZE = 'changegroup.repo_size'
                 # HG
                 HOOK_PRE_PULL = 'preoutgoing.pre_pull'
                 HOOK_PULL = 'outgoing.pull_logger'
                 HOOK_PRE_PUSH = 'prechangegroup.pre_push'
                 HOOK_PRETX_PUSH = 'pretxnchangegroup.pre_push'
                 HOOK_PUSH = 'changegroup.push_logger'
                 HOOK_PUSH_KEY = 'pushkey.key_push'
                 HOOKS_BUILTIN = [
                     HOOK_PRE_PULL,
                     HOOK_PULL,
                     HOOK_PRE_PUSH,
                     HOOK_PRETX_PUSH,
                     HOOK_PUSH,
                     HOOK_PUSH_KEY,
                 ]
                 # TODO: johbo: Unify way how hooks are configured for git and hg,
                 # git part is currently hardcoded.
                 # SVN PATTERNS
                 SVN_BRANCH_ID = 'vcs_svn_branch'
                 SVN_TAG_ID = 'vcs_svn_tag'
                 ui_id = Column(
                     "ui_id", Integer(), nullable=False, unique=True, default=None,
                     primary_key=True)
                 ui_section = Column(
                     "ui_section", String(255), nullable=True, unique=None, default=None)
                 ui_key = Column(
                     "ui_key", String(255), nullable=True, unique=None, default=None)
                 ui_value = Column(
                     "ui_value", String(255), nullable=True, unique=None, default=None)
                 ui_active = Column(
                     "ui_active", Boolean(), nullable=True, unique=None, default=True)
                 def __repr__(self):
                     return '<%s[%s]%s=>%s]>' % (self.__class__.__name__, self.ui_section,
                                                 self.ui_key, self.ui_value)
             class RepoRhodeCodeSetting(Base, BaseModel):
                 __tablename__ = 'repo_rhodecode_settings'
                 __table_args__ = (
                     UniqueConstraint(
                         'app_settings_name', 'repository_id',
                         name='uq_repo_rhodecode_setting_name_repo_id'),
                     base_table_args
                 )
                 repository_id = Column(
                     "repository_id", Integer(), ForeignKey('repositories.repo_id'),
                     nullable=False)
                 app_settings_id = Column(
                     "app_settings_id", Integer(), nullable=False, unique=True,
                     default=None, primary_key=True)
                 app_settings_name = Column(
                     "app_settings_name", String(255), nullable=True, unique=None,
                     default=None)
                 _app_settings_value = Column(
                     "app_settings_value", String(4096), nullable=True, unique=None,
                     default=None)
                 _app_settings_type = Column(
                     "app_settings_type", String(255), nullable=True, unique=None,
                     default=None)
                 repository = relationship('Repository')
                 def __init__(self, repository_id, key='', val='', type='unicode'):
                     self.repository_id = repository_id
                     self.app_settings_name = key
                     self.app_settings_type = type
                     self.app_settings_value = val
                 @validates('_app_settings_value')
                 def validate_settings_value(self, key, val):
                     assert type(val) == unicode
                     return val
                 @hybrid_property
                 def app_settings_value(self):
                     v = self._app_settings_value
                     type_ = self.app_settings_type
                     SETTINGS_TYPES = RhodeCodeSetting.SETTINGS_TYPES
                     converter = SETTINGS_TYPES.get(type_) or SETTINGS_TYPES['unicode']
                     return converter(v)
                 @app_settings_value.setter
                 def app_settings_value(self, val):
                     """
                     Setter that will always make sure we use unicode in app_settings_value
                     :param val:
                     """
                     self._app_settings_value = safe_unicode(val)
                 @hybrid_property
                 def app_settings_type(self):
                     return self._app_settings_type
                 @app_settings_type.setter
                 def app_settings_type(self, val):
                     SETTINGS_TYPES = RhodeCodeSetting.SETTINGS_TYPES
                     if val not in SETTINGS_TYPES:
                         raise Exception('type must be one of %s got %s'
                                         % (SETTINGS_TYPES.keys(), val))
                     self._app_settings_type = val
                 def __unicode__(self):
                     return u"<%s('%s:%s:%s[%s]')>" % (
                         self.__class__.__name__, self.repository.repo_name,
                         self.app_settings_name, self.app_settings_value,
                         self.app_settings_type
                     )
             class RepoRhodeCodeUi(Base, BaseModel):
                 __tablename__ = 'repo_rhodecode_ui'
                 __table_args__ = (
                     UniqueConstraint(
                         'repository_id', 'ui_section', 'ui_key',
                         name='uq_repo_rhodecode_ui_repository_id_section_key'),
                     base_table_args
                 )
                 repository_id = Column(
                     "repository_id", Integer(), ForeignKey('repositories.repo_id'),
                     nullable=False)
                 ui_id = Column(
                     "ui_id", Integer(), nullable=False, unique=True, default=None,
                     primary_key=True)
                 ui_section = Column(
                     "ui_section", String(255), nullable=True, unique=None, default=None)
                 ui_key = Column(
                     "ui_key", String(255), nullable=True, unique=None, default=None)
                 ui_value = Column(
                     "ui_value", String(255), nullable=True, unique=None, default=None)
                 ui_active = Column(
                     "ui_active", Boolean(), nullable=True, unique=None, default=True)
                 repository = relationship('Repository')
                 def __repr__(self):
                     return '<%s[%s:%s]%s=>%s]>' % (
                         self.__class__.__name__, self.repository.repo_name,
                         self.ui_section, self.ui_key, self.ui_value)
             class User(Base, BaseModel):
                 __tablename__ = 'users'
                 __table_args__ = (
                     UniqueConstraint('username'), UniqueConstraint('email'),
                     Index('u_username_idx', 'username'),
                     Index('u_email_idx', 'email'),
                     base_table_args
                 )
                 DEFAULT_USER = 'default'
                 DEFAULT_USER_EMAIL = 'anonymous@rhodecode.org'
                 DEFAULT_GRAVATAR_URL = 'https://secure.gravatar.com/avatar/{md5email}?d=identicon&s={size}'
                 user_id = Column("user_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 username = Column("username", String(255), nullable=True, unique=None, default=None)
                 password = Column("password", String(255), nullable=True, unique=None, default=None)
                 active = Column("active", Boolean(), nullable=True, unique=None, default=True)
                 admin = Column("admin", Boolean(), nullable=True, unique=None, default=False)
                 name = Column("firstname", String(255), nullable=True, unique=None, default=None)
                 lastname = Column("lastname", String(255), nullable=True, unique=None, default=None)
                 _email = Column("email", String(255), nullable=True, unique=None, default=None)
                 last_login = Column("last_login", DateTime(timezone=False), nullable=True, unique=None, default=None)
                 last_activity = Column('last_activity', DateTime(timezone=False), nullable=True, unique=None, default=None)
                 extern_type = Column("extern_type", String(255), nullable=True, unique=None, default=None)
                 extern_name = Column("extern_name", String(255), nullable=True, unique=None, default=None)
                 _api_key = Column("api_key", String(255), nullable=True, unique=None, default=None)
                 inherit_default_permissions = Column("inherit_default_permissions", Boolean(), nullable=False, unique=None, default=True)
                 created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 _user_data = Column("user_data", LargeBinary(), nullable=True)  # JSON data
                 user_log = relationship('UserLog')
                 user_perms = relationship('UserToPerm', primaryjoin="User.user_id==UserToPerm.user_id", cascade='all')
                 repositories = relationship('Repository')
                 repository_groups = relationship('RepoGroup')
                 user_groups = relationship('UserGroup')
                 user_followers = relationship('UserFollowing', primaryjoin='UserFollowing.follows_user_id==User.user_id', cascade='all')
                 followings = relationship('UserFollowing', primaryjoin='UserFollowing.user_id==User.user_id', cascade='all')
                 repo_to_perm = relationship('UserRepoToPerm', primaryjoin='UserRepoToPerm.user_id==User.user_id', cascade='all')
                 repo_group_to_perm = relationship('UserRepoGroupToPerm', primaryjoin='UserRepoGroupToPerm.user_id==User.user_id', cascade='all')
                 user_group_to_perm = relationship('UserUserGroupToPerm', primaryjoin='UserUserGroupToPerm.user_id==User.user_id', cascade='all')
                 group_member = relationship('UserGroupMember', cascade='all')
                 notifications = relationship('UserNotification', cascade='all')
                 # notifications assigned to this user
                 user_created_notifications = relationship('Notification', cascade='all')
                 # comments created by this user
                 user_comments = relationship('ChangesetComment', cascade='all')
                 # user profile extra info
                 user_emails = relationship('UserEmailMap', cascade='all')
                 user_ip_map = relationship('UserIpMap', cascade='all')
                 user_auth_tokens = relationship('UserApiKeys', cascade='all')
                 user_ssh_keys = relationship('UserSshKeys', cascade='all')
                 # gists
                 user_gists = relationship('Gist', cascade='all')
                 # user pull requests
                 user_pull_requests = relationship('PullRequest', cascade='all')
                 # external identities
                 extenal_identities = relationship(
                     'ExternalIdentity',
                     primaryjoin="User.user_id==ExternalIdentity.local_user_id",
                     cascade='all')
                 # review rules
                 user_review_rules = relationship('RepoReviewRuleUser', cascade='all')
                 def __unicode__(self):
                     return u"<%s('id:%s:%s')>" % (self.__class__.__name__,
                                                   self.user_id, self.username)
                 @hybrid_property
                 def email(self):
                     return self._email
                 @email.setter
                 def email(self, val):
                     self._email = val.lower() if val else None
                 @hybrid_property
                 def first_name(self):
                     from rhodecode.lib import helpers as h
                     if self.name:
                         return h.escape(self.name)
                     return self.name
                 @hybrid_property
                 def last_name(self):
                     from rhodecode.lib import helpers as h
                     if self.lastname:
                         return h.escape(self.lastname)
                     return self.lastname
                 @hybrid_property
                 def api_key(self):
                     """
                     Fetch if exist an auth-token with role ALL connected to this user
                     """
                     user_auth_token = UserApiKeys.query()\
                         .filter(UserApiKeys.user_id == self.user_id)\
                         .filter(or_(UserApiKeys.expires == -1,
                                         UserApiKeys.expires >= time.time()))\
                         .filter(UserApiKeys.role == UserApiKeys.ROLE_ALL).first()
                     if user_auth_token:
                         user_auth_token = user_auth_token.api_key
                     return user_auth_token
                 @api_key.setter
                 def api_key(self, val):
                     # don't allow to set API key this is deprecated for now
                     self._api_key = None
                 @property
                 def reviewer_pull_requests(self):
                     return PullRequestReviewers.query() \
                         .options(joinedload(PullRequestReviewers.pull_request)) \
                         .filter(PullRequestReviewers.user_id == self.user_id) \
                         .all()
                 @property
                 def firstname(self):
                     # alias for future
                     return self.name
                 @property
                 def emails(self):
                     other = UserEmailMap.query()\
                         .filter(UserEmailMap.user == self) \
                         .order_by(UserEmailMap.email_id.asc()) \
                         .all()
                     return [self.email] + [x.email for x in other]
                 @property
                 def auth_tokens(self):
                     auth_tokens = self.get_auth_tokens()
                     return [x.api_key for x in auth_tokens]
                 def get_auth_tokens(self):
                     return UserApiKeys.query()\
                         .filter(UserApiKeys.user == self)\
                         .order_by(UserApiKeys.user_api_key_id.asc())\
                         .all()
                 @LazyProperty
                 def feed_token(self):
                     return self.get_feed_token()
                 def get_feed_token(self, cache=True):
                     feed_tokens = UserApiKeys.query()\
                         .filter(UserApiKeys.user == self)\
                         .filter(UserApiKeys.role == UserApiKeys.ROLE_FEED)
                     if cache:
                         feed_tokens = feed_tokens.options(
                             FromCache("sql_cache_short", "get_user_feed_token_%s" % self.user_id))
                     feed_tokens = feed_tokens.all()
                     if feed_tokens:
                         return feed_tokens[0].api_key
                     return 'NO_FEED_TOKEN_AVAILABLE'
                 @classmethod
                 def get(cls, user_id, cache=False):
                     if not user_id:
                         return
                     user = cls.query()
                     if cache:
                         user = user.options(
                             FromCache("sql_cache_short", "get_users_%s" % user_id))
                     return user.get(user_id)
                 @classmethod
                 def extra_valid_auth_tokens(cls, user, role=None):
                     tokens = UserApiKeys.query().filter(UserApiKeys.user == user)\
                             .filter(or_(UserApiKeys.expires == -1,
                                         UserApiKeys.expires >= time.time()))
                     if role:
                         tokens = tokens.filter(or_(UserApiKeys.role == role,
                                                    UserApiKeys.role == UserApiKeys.ROLE_ALL))
                     return tokens.all()
                 def authenticate_by_token(self, auth_token, roles=None, scope_repo_id=None):
                     from rhodecode.lib import auth
                     log.debug('Trying to authenticate user: %s via auth-token, '
                               'and roles: %s', self, roles)
                     if not auth_token:
                         return False
                     roles = (roles or []) + [UserApiKeys.ROLE_ALL]
                     tokens_q = UserApiKeys.query()\
                         .filter(UserApiKeys.user_id == self.user_id)\
                         .filter(or_(UserApiKeys.expires == -1,
                                     UserApiKeys.expires >= time.time()))
                     tokens_q = tokens_q.filter(UserApiKeys.role.in_(roles))
                     crypto_backend = auth.crypto_backend()
                     enc_token_map = {}
                     plain_token_map = {}
                     for token in tokens_q:
                         if token.api_key.startswith(crypto_backend.ENC_PREF):
                             enc_token_map[token.api_key] = token
                         else:
                             plain_token_map[token.api_key] = token
                     log.debug(
                         'Found %s plain and %s encrypted user tokens to check for authentication',
                         len(plain_token_map), len(enc_token_map))
                     # plain token match comes first
                     match = plain_token_map.get(auth_token)
                     # check encrypted tokens now
                     if not match:
                         for token_hash, token in enc_token_map.items():
                             # NOTE(marcink): this is expensive to calculate, but most secure
                             if crypto_backend.hash_check(auth_token, token_hash):
                                 match = token
                                 break
                     if match:
                         log.debug('Found matching token %s', match)
                         if match.repo_id:
                             log.debug('Found scope, checking for scope match of token %s', match)
                             if match.repo_id == scope_repo_id:
                                 return True
                             else:
                                 log.debug(
                                     'AUTH_TOKEN: scope mismatch, token has a set repo scope: %s, '
                                     'and calling scope is:%s, skipping further checks',
                                      match.repo, scope_repo_id)
                                 return False
                         else:
                             return True
                     return False
                 @property
                 def ip_addresses(self):
                     ret = UserIpMap.query().filter(UserIpMap.user == self).all()
                     return [x.ip_addr for x in ret]
                 @property
                 def username_and_name(self):
                     return '%s (%s %s)' % (self.username, self.first_name, self.last_name)
                 @property
                 def username_or_name_or_email(self):
                     full_name = self.full_name if self.full_name is not ' ' else None
                     return self.username or full_name or self.email
                 @property
                 def full_name(self):
                     return '%s %s' % (self.first_name, self.last_name)
                 @property
                 def full_name_or_username(self):
                     return ('%s %s' % (self.first_name, self.last_name)
                             if (self.first_name and self.last_name) else self.username)
                 @property
                 def full_contact(self):
                     return '%s %s <%s>' % (self.first_name, self.last_name, self.email)
                 @property
                 def short_contact(self):
                     return '%s %s' % (self.first_name, self.last_name)
                 @property
                 def is_admin(self):
                     return self.admin
                 def AuthUser(self, **kwargs):
                     """
                     Returns instance of AuthUser for this user
                     """
                     from rhodecode.lib.auth import AuthUser
                     return AuthUser(user_id=self.user_id, username=self.username, **kwargs)
                 @hybrid_property
                 def user_data(self):
                     if not self._user_data:
                         return {}
                     try:
                         return json.loads(self._user_data)
                     except TypeError:
                         return {}
                 @user_data.setter
                 def user_data(self, val):
                     if not isinstance(val, dict):
                         raise Exception('user_data must be dict, got %s' % type(val))
                     try:
                         self._user_data = json.dumps(val)
                     except Exception:
                         log.error(traceback.format_exc())
                 @classmethod
                 def get_by_username(cls, username, case_insensitive=False,
                                     cache=False, identity_cache=False):
                     session = Session()
                     if case_insensitive:
                         q = cls.query().filter(
                             func.lower(cls.username) == func.lower(username))
                     else:
                         q = cls.query().filter(cls.username == username)
                     if cache:
                         if identity_cache:
                             val = cls.identity_cache(session, 'username', username)
                             if val:
                                 return val
                         else:
                             cache_key = "get_user_by_name_%s" % _hash_key(username)
                             q = q.options(
                                 FromCache("sql_cache_short", cache_key))
                     return q.scalar()
                 @classmethod
                 def get_by_auth_token(cls, auth_token, cache=False):
                     q = UserApiKeys.query()\
                         .filter(UserApiKeys.api_key == auth_token)\
                         .filter(or_(UserApiKeys.expires == -1,
                                     UserApiKeys.expires >= time.time()))
                     if cache:
                         q = q.options(
                             FromCache("sql_cache_short", "get_auth_token_%s" % auth_token))
                     match = q.first()
                     if match:
                         return match.user
                 @classmethod
                 def get_by_email(cls, email, case_insensitive=False, cache=False):
                     if case_insensitive:
                         q = cls.query().filter(func.lower(cls.email) == func.lower(email))
                     else:
                         q = cls.query().filter(cls.email == email)
                     email_key = _hash_key(email)
                     if cache:
                         q = q.options(
                             FromCache("sql_cache_short", "get_email_key_%s" % email_key))
                     ret = q.scalar()
                     if ret is None:
                         q = UserEmailMap.query()
                         # try fetching in alternate email map
                         if case_insensitive:
                             q = q.filter(func.lower(UserEmailMap.email) == func.lower(email))
                         else:
                             q = q.filter(UserEmailMap.email == email)
                         q = q.options(joinedload(UserEmailMap.user))
                         if cache:
                             q = q.options(
                                 FromCache("sql_cache_short", "get_email_map_key_%s" % email_key))
                         ret = getattr(q.scalar(), 'user', None)
                     return ret
                 @classmethod
                 def get_from_cs_author(cls, author):
                     """
                     Tries to get User objects out of commit author string
                     :param author:
                     """
                     from rhodecode.lib.helpers import email, author_name
                     # Valid email in the attribute passed, see if they're in the system
                     _email = email(author)
                     if _email:
                         user = cls.get_by_email(_email, case_insensitive=True)
                         if user:
                             return user
                     # Maybe we can match by username?
                     _author = author_name(author)
                     user = cls.get_by_username(_author, case_insensitive=True)
                     if user:
                         return user
                 def update_userdata(self, **kwargs):
                     usr = self
                     old = usr.user_data
                     old.update(**kwargs)
                     usr.user_data = old
                     Session().add(usr)
                     log.debug('updated userdata with ', kwargs)
                 def update_lastlogin(self):
                     """Update user lastlogin"""
                     self.last_login = datetime.datetime.now()
                     Session().add(self)
                     log.debug('updated user %s lastlogin', self.username)
                 def update_password(self, new_password):
                     from rhodecode.lib.auth import get_crypt_password
                     self.password = get_crypt_password(new_password)
                     Session().add(self)
                 @classmethod
                 def get_first_super_admin(cls):
                     user = User.query()\
                         .filter(User.admin == true()) \
                         .order_by(User.user_id.asc()) \
                         .first()
                     if user is None:
                         raise Exception('FATAL: Missing administrative account!')
                     return user
                 @classmethod
                 def get_all_super_admins(cls, only_active=False):
                     """
                     Returns all admin accounts sorted by username
                     """
                     qry = User.query().filter(User.admin == true()).order_by(User.username.asc())
                     if only_active:
                         qry = qry.filter(User.active == true())
                     return qry.all()
                 @classmethod
                 def get_default_user(cls, cache=False, refresh=False):
                     user = User.get_by_username(User.DEFAULT_USER, cache=cache)
                     if user is None:
                         raise Exception('FATAL: Missing default account!')
                     if refresh:
                         # The default user might be based on outdated state which
                         # has been loaded from the cache.
                         # A call to refresh() ensures that the
                         # latest state from the database is used.
                         Session().refresh(user)
                     return user
                 def _get_default_perms(self, user, suffix=''):
                     from rhodecode.model.permission import PermissionModel
                     return PermissionModel().get_default_perms(user.user_perms, suffix)
                 def get_default_perms(self, suffix=''):
                     return self._get_default_perms(self, suffix)
                 def get_api_data(self, include_secrets=False, details='full'):
                     """
                     Common function for generating user related data for API
                     :param include_secrets: By default secrets in the API data will be replaced
                        by a placeholder value to prevent exposing this data by accident. In case
                        this data shall be exposed, set this flag to ``True``.
                     :param details: details can be 'basic|full' basic gives only a subset of
                        the available user information that includes user_id, name and emails.
                     """
                     user = self
                     user_data = self.user_data
                     data = {
                         'user_id': user.user_id,
                         'username': user.username,
                         'firstname': user.name,
                         'lastname': user.lastname,
                         'email': user.email,
                         'emails': user.emails,
                     }
                     if details == 'basic':
                         return data
                     auth_token_length = 40
                     auth_token_replacement = '*' * auth_token_length
                     extras = {
                         'auth_tokens': [auth_token_replacement],
                         'active': user.active,
                         'admin': user.admin,
                         'extern_type': user.extern_type,
                         'extern_name': user.extern_name,
                         'last_login': user.last_login,
                         'last_activity': user.last_activity,
                         'ip_addresses': user.ip_addresses,
                         'language': user_data.get('language')
                     }
                     data.update(extras)
                     if include_secrets:
                         data['auth_tokens'] = user.auth_tokens
                     return data
                 def __json__(self):
                     data = {
                         'full_name': self.full_name,
                         'full_name_or_username': self.full_name_or_username,
                         'short_contact': self.short_contact,
                         'full_contact': self.full_contact,
                     }
                     data.update(self.get_api_data())
                     return data
             class UserApiKeys(Base, BaseModel):
                 __tablename__ = 'user_api_keys'
                 __table_args__ = (
                     Index('uak_api_key_idx', 'api_key', unique=True),
                     Index('uak_api_key_expires_idx', 'api_key', 'expires'),
                     base_table_args
                 )
                 __mapper_args__ = {}
                 # ApiKey role
                 ROLE_ALL = 'token_role_all'
                 ROLE_HTTP = 'token_role_http'
                 ROLE_VCS = 'token_role_vcs'
                 ROLE_API = 'token_role_api'
                 ROLE_FEED = 'token_role_feed'
                 ROLE_PASSWORD_RESET = 'token_password_reset'
                 ROLES = [ROLE_ALL, ROLE_HTTP, ROLE_VCS, ROLE_API, ROLE_FEED]
                 user_api_key_id = Column("user_api_key_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=True, unique=None, default=None)
                 api_key = Column("api_key", String(255), nullable=False, unique=True)
                 description = Column('description', UnicodeText().with_variant(UnicodeText(1024), 'mysql'))
                 expires = Column('expires', Float(53), nullable=False)
                 role = Column('role', String(255), nullable=True)
                 created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 # scope columns
                 repo_id = Column(
                     'repo_id', Integer(), ForeignKey('repositories.repo_id'),
                     nullable=True, unique=None, default=None)
                 repo = relationship('Repository', lazy='joined')
                 repo_group_id = Column(
                     'repo_group_id', Integer(), ForeignKey('groups.group_id'),
                     nullable=True, unique=None, default=None)
                 repo_group = relationship('RepoGroup', lazy='joined')
                 user = relationship('User', lazy='joined')
                 def __unicode__(self):
                     return u"<%s('%s')>" % (self.__class__.__name__, self.role)
                 def __json__(self):
                     data = {
                         'auth_token': self.api_key,
                         'role': self.role,
                         'scope': self.scope_humanized,
                         'expired': self.expired
                     }
                     return data
                 def get_api_data(self, include_secrets=False):
                     data = self.__json__()
                     if include_secrets:
                         return data
                     else:
                         data['auth_token'] = self.token_obfuscated
                         return data
                 @hybrid_property
                 def description_safe(self):
                     from rhodecode.lib import helpers as h
                     return h.escape(self.description)
                 @property
                 def expired(self):
                     if self.expires == -1:
                         return False
                     return time.time() > self.expires
                 @classmethod
                 def _get_role_name(cls, role):
                     return {
                         cls.ROLE_ALL: _('all'),
                         cls.ROLE_HTTP: _('http/web interface'),
                         cls.ROLE_VCS: _('vcs (git/hg/svn protocol)'),
                         cls.ROLE_API: _('api calls'),
                         cls.ROLE_FEED: _('feed access'),
                     }.get(role, role)
                 @property
                 def role_humanized(self):
                     return self._get_role_name(self.role)
                 def _get_scope(self):
                     if self.repo:
                         return 'Repository: {}'.format(self.repo.repo_name)
                     if self.repo_group:
                         return 'RepositoryGroup: {} (recursive)'.format(self.repo_group.group_name)
                     return 'Global'
                 @property
                 def scope_humanized(self):
                     return self._get_scope()
                 @property
                 def token_obfuscated(self):
                     if self.api_key:
                         return self.api_key[:4] + "****"
             class UserEmailMap(Base, BaseModel):
                 __tablename__ = 'user_email_map'
                 __table_args__ = (
                     Index('uem_email_idx', 'email'),
                     UniqueConstraint('email'),
                     base_table_args
                 )
                 __mapper_args__ = {}
                 email_id = Column("email_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=True, unique=None, default=None)
                 _email = Column("email", String(255), nullable=True, unique=False, default=None)
                 user = relationship('User', lazy='joined')
                 @validates('_email')
                 def validate_email(self, key, email):
                     # check if this email is not main one
                     main_email = Session().query(User).filter(User.email == email).scalar()
                     if main_email is not None:
                         raise AttributeError('email %s is present is user table' % email)
                     return email
                 @hybrid_property
                 def email(self):
                     return self._email
                 @email.setter
                 def email(self, val):
                     self._email = val.lower() if val else None
             class UserIpMap(Base, BaseModel):
                 __tablename__ = 'user_ip_map'
                 __table_args__ = (
                     UniqueConstraint('user_id', 'ip_addr'),
                     base_table_args
                 )
                 __mapper_args__ = {}
                 ip_id = Column("ip_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=True, unique=None, default=None)
                 ip_addr = Column("ip_addr", String(255), nullable=True, unique=False, default=None)
                 active = Column("active", Boolean(), nullable=True, unique=None, default=True)
                 description = Column("description", String(10000), nullable=True, unique=None, default=None)
                 user = relationship('User', lazy='joined')
                 @hybrid_property
                 def description_safe(self):
                     from rhodecode.lib import helpers as h
                     return h.escape(self.description)
                 @classmethod
                 def _get_ip_range(cls, ip_addr):
                     net = ipaddress.ip_network(safe_unicode(ip_addr), strict=False)
                     return [str(net.network_address), str(net.broadcast_address)]
                 def __json__(self):
                     return {
                       'ip_addr': self.ip_addr,
                       'ip_range': self._get_ip_range(self.ip_addr),
                     }
                 def __unicode__(self):
                     return u"<%s('user_id:%s=>%s')>" % (self.__class__.__name__,
                                                         self.user_id, self.ip_addr)
             class UserSshKeys(Base, BaseModel):
                 __tablename__ = 'user_ssh_keys'
                 __table_args__ = (
                     Index('usk_ssh_key_fingerprint_idx', 'ssh_key_fingerprint'),
                     UniqueConstraint('ssh_key_fingerprint'),
                     base_table_args
                 )
                 __mapper_args__ = {}
                 ssh_key_id = Column('ssh_key_id', Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 ssh_key_data = Column('ssh_key_data', String(10240), nullable=False, unique=None, default=None)
                 ssh_key_fingerprint = Column('ssh_key_fingerprint', String(255), nullable=False, unique=None, default=None)
                 description = Column('description', UnicodeText().with_variant(UnicodeText(1024), 'mysql'))
                 created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 accessed_on = Column('accessed_on', DateTime(timezone=False), nullable=True, default=None)
                 user_id = Column('user_id', Integer(), ForeignKey('users.user_id'), nullable=True, unique=None, default=None)
                 user = relationship('User', lazy='joined')
                 def __json__(self):
                     data = {
                         'ssh_fingerprint': self.ssh_key_fingerprint,
                         'description': self.description,
                         'created_on': self.created_on
                     }
                     return data
                 def get_api_data(self):
                     data = self.__json__()
                     return data
             class UserLog(Base, BaseModel):
                 __tablename__ = 'user_logs'
                 __table_args__ = (
                     base_table_args,
                 )
                 VERSION_1 = 'v1'
                 VERSION_2 = 'v2'
                 VERSIONS = [VERSION_1, VERSION_2]
                 user_log_id = Column("user_log_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id',ondelete='SET NULL'), nullable=True, unique=None, default=None)
                 username = Column("username", String(255), nullable=True, unique=None, default=None)
                 repository_id = Column("repository_id", Integer(), ForeignKey('repositories.repo_id', ondelete='SET NULL'), nullable=True, unique=None, default=None)
                 repository_name = Column("repository_name", String(255), nullable=True, unique=None, default=None)
                 user_ip = Column("user_ip", String(255), nullable=True, unique=None, default=None)
                 action = Column("action", Text().with_variant(Text(1200000), 'mysql'), nullable=True, unique=None, default=None)
                 action_date = Column("action_date", DateTime(timezone=False), nullable=True, unique=None, default=None)
                 version = Column("version", String(255), nullable=True, default=VERSION_1)
                 user_data = Column('user_data_json', MutationObj.as_mutable(JsonType(dialect_map=dict(mysql=LONGTEXT()))))
                 action_data = Column('action_data_json', MutationObj.as_mutable(JsonType(dialect_map=dict(mysql=LONGTEXT()))))
                 def __unicode__(self):
                     return u"<%s('id:%s:%s')>" % (
                         self.__class__.__name__, self.repository_name, self.action)
                 def __json__(self):
                     return {
                         'user_id': self.user_id,
                         'username': self.username,
                         'repository_id': self.repository_id,
                         'repository_name': self.repository_name,
                         'user_ip': self.user_ip,
                         'action_date': self.action_date,
                         'action': self.action,
                     }
                 @hybrid_property
                 def entry_id(self):
                     return self.user_log_id
                 @property
                 def action_as_day(self):
                     return datetime.date(*self.action_date.timetuple()[:3])
                 user = relationship('User')
                 repository = relationship('Repository', cascade='')
             class UserGroup(Base, BaseModel):
                 __tablename__ = 'users_groups'
                 __table_args__ = (
                     base_table_args,
                 )
                 users_group_id = Column("users_group_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 users_group_name = Column("users_group_name", String(255), nullable=False, unique=True, default=None)
                 user_group_description = Column("user_group_description", String(10000), nullable=True, unique=None, default=None)
                 users_group_active = Column("users_group_active", Boolean(), nullable=True, unique=None, default=None)
                 inherit_default_permissions = Column("users_group_inherit_default_permissions", Boolean(), nullable=False, unique=None, default=True)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=False, default=None)
                 created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 _group_data = Column("group_data", LargeBinary(), nullable=True)  # JSON data
                 members = relationship('UserGroupMember', cascade="all, delete, delete-orphan", lazy="joined")
                 users_group_to_perm = relationship('UserGroupToPerm', cascade='all')
                 users_group_repo_to_perm = relationship('UserGroupRepoToPerm', cascade='all')
                 users_group_repo_group_to_perm = relationship('UserGroupRepoGroupToPerm', cascade='all')
                 user_user_group_to_perm = relationship('UserUserGroupToPerm', cascade='all')
                 user_group_user_group_to_perm = relationship('UserGroupUserGroupToPerm ', primaryjoin="UserGroupUserGroupToPerm.target_user_group_id==UserGroup.users_group_id", cascade='all')
                 user_group_review_rules = relationship('RepoReviewRuleUserGroup', cascade='all')
                 user = relationship('User', primaryjoin="User.user_id==UserGroup.user_id")
                 @classmethod
                 def _load_group_data(cls, column):
                     if not column:
                         return {}
                     try:
                         return json.loads(column) or {}
                     except TypeError:
                         return {}
                 @hybrid_property
                 def description_safe(self):
                     from rhodecode.lib import helpers as h
                     return h.escape(self.user_group_description)
                 @hybrid_property
                 def group_data(self):
                     return self._load_group_data(self._group_data)
                 @group_data.expression
                 def group_data(self, **kwargs):
                     return self._group_data
                 @group_data.setter
                 def group_data(self, val):
                     try:
                         self._group_data = json.dumps(val)
                     except Exception:
                         log.error(traceback.format_exc())
                 @classmethod
                 def _load_sync(cls, group_data):
                     if group_data:
                         return group_data.get('extern_type')
                 @property
                 def sync(self):
                     return self._load_sync(self.group_data)
                 def __unicode__(self):
                     return u"<%s('id:%s:%s')>" % (self.__class__.__name__,
                                                   self.users_group_id,
                                                   self.users_group_name)
                 @classmethod
                 def get_by_group_name(cls, group_name, cache=False,
                                       case_insensitive=False):
                     if case_insensitive:
                         q = cls.query().filter(func.lower(cls.users_group_name) ==
                                                func.lower(group_name))
                     else:
                         q = cls.query().filter(cls.users_group_name == group_name)
                     if cache:
                         q = q.options(
                             FromCache("sql_cache_short", "get_group_%s" % _hash_key(group_name)))
                     return q.scalar()
                 @classmethod
                 def get(cls, user_group_id, cache=False):
                     if not user_group_id:
                         return
                     user_group = cls.query()
                     if cache:
                         user_group = user_group.options(
                             FromCache("sql_cache_short", "get_users_group_%s" % user_group_id))
                     return user_group.get(user_group_id)
                 def permissions(self, with_admins=True, with_owner=True,
                                 expand_from_user_groups=False):
                     """
                     Permissions for user groups
                     """
                     _admin_perm = 'usergroup.admin'
                     owner_row = []
                     if with_owner:
                         usr = AttributeDict(self.user.get_dict())
                         usr.owner_row = True
                         usr.permission = _admin_perm
                         owner_row.append(usr)
                     super_admin_ids = []
                     super_admin_rows = []
                     if with_admins:
                         for usr in User.get_all_super_admins():
                             super_admin_ids.append(usr.user_id)
                             # if this admin is also owner, don't double the record
                             if usr.user_id == owner_row[0].user_id:
                                 owner_row[0].admin_row = True
                             else:
                                 usr = AttributeDict(usr.get_dict())
                                 usr.admin_row = True
                                 usr.permission = _admin_perm
                                 super_admin_rows.append(usr)
                     q = UserUserGroupToPerm.query().filter(UserUserGroupToPerm.user_group == self)
                     q = q.options(joinedload(UserUserGroupToPerm.user_group),
                                   joinedload(UserUserGroupToPerm.user),
                                   joinedload(UserUserGroupToPerm.permission),)
                     # get owners and admins and permissions. We do a trick of re-writing
                     # objects from sqlalchemy to named-tuples due to sqlalchemy session
                     # has a global reference and changing one object propagates to all
                     # others. This means if admin is also an owner admin_row that change
                     # would propagate to both objects
                     perm_rows = []
                     for _usr in q.all():
                         usr = AttributeDict(_usr.user.get_dict())
                         # if this user is also owner/admin, mark as duplicate record
                         if usr.user_id == owner_row[0].user_id or usr.user_id in super_admin_ids:
                             usr.duplicate_perm = True
                         usr.permission = _usr.permission.permission_name
                         perm_rows.append(usr)
                     # filter the perm rows by 'default' first and then sort them by
                     # admin,write,read,none permissions sorted again alphabetically in
                     # each group
                     perm_rows = sorted(perm_rows, key=display_user_sort)
                     user_groups_rows = []
                     if expand_from_user_groups:
                         for ug in self.permission_user_groups(with_members=True):
                             for user_data in ug.members:
                                 user_groups_rows.append(user_data)
                     return super_admin_rows + owner_row + perm_rows + user_groups_rows
                 def permission_user_groups(self, with_members=False):
                     q = UserGroupUserGroupToPerm.query()\
                         .filter(UserGroupUserGroupToPerm.target_user_group == self)
                     q = q.options(joinedload(UserGroupUserGroupToPerm.user_group),
                                   joinedload(UserGroupUserGroupToPerm.target_user_group),
                                   joinedload(UserGroupUserGroupToPerm.permission),)
                     perm_rows = []
                     for _user_group in q.all():
                         entry = AttributeDict(_user_group.user_group.get_dict())
                         entry.permission = _user_group.permission.permission_name
                         if with_members:
                             entry.members = [x.user.get_dict()
                                              for x in _user_group.user_group.members]
                         perm_rows.append(entry)
                     perm_rows = sorted(perm_rows, key=display_user_group_sort)
                     return perm_rows
                 def _get_default_perms(self, user_group, suffix=''):
                     from rhodecode.model.permission import PermissionModel
                     return PermissionModel().get_default_perms(user_group.users_group_to_perm, suffix)
                 def get_default_perms(self, suffix=''):
                     return self._get_default_perms(self, suffix)
                 def get_api_data(self, with_group_members=True, include_secrets=False):
                     """
                     :param include_secrets: See :meth:`User.get_api_data`, this parameter is
                        basically forwarded.
                     """
                     user_group = self
                     data = {
                         'users_group_id': user_group.users_group_id,
                         'group_name': user_group.users_group_name,
                         'group_description': user_group.user_group_description,
                         'active': user_group.users_group_active,
                         'owner': user_group.user.username,
                         'sync': user_group.sync,
                         'owner_email': user_group.user.email,
                     }
                     if with_group_members:
                         users = []
                         for user in user_group.members:
                             user = user.user
                             users.append(user.get_api_data(include_secrets=include_secrets))
                         data['users'] = users
                     return data
             class UserGroupMember(Base, BaseModel):
                 __tablename__ = 'users_groups_members'
                 __table_args__ = (
                     base_table_args,
                 )
                 users_group_member_id = Column("users_group_member_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 users_group_id = Column("users_group_id", Integer(), ForeignKey('users_groups.users_group_id'), nullable=False, unique=None, default=None)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=None, default=None)
                 user = relationship('User', lazy='joined')
                 users_group = relationship('UserGroup')
                 def __init__(self, gr_id='', u_id=''):
                     self.users_group_id = gr_id
                     self.user_id = u_id
             class RepositoryField(Base, BaseModel):
                 __tablename__ = 'repositories_fields'
                 __table_args__ = (
                     UniqueConstraint('repository_id', 'field_key'),  # no-multi field
                     base_table_args,
                 )
                 PREFIX = 'ex_'  # prefix used in form to not conflict with already existing fields
                 repo_field_id = Column("repo_field_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 repository_id = Column("repository_id", Integer(), ForeignKey('repositories.repo_id'), nullable=False, unique=None, default=None)
                 field_key = Column("field_key", String(250))
                 field_label = Column("field_label", String(1024), nullable=False)
                 field_value = Column("field_value", String(10000), nullable=False)
                 field_desc = Column("field_desc", String(1024), nullable=False)
                 field_type = Column("field_type", String(255), nullable=False, unique=None)
                 created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 repository = relationship('Repository')
                 @property
                 def field_key_prefixed(self):
                     return 'ex_%s' % self.field_key
                 @classmethod
                 def un_prefix_key(cls, key):
                     if key.startswith(cls.PREFIX):
                         return key[len(cls.PREFIX):]
                     return key
                 @classmethod
                 def get_by_key_name(cls, key, repo):
                     row = cls.query()\
                             .filter(cls.repository == repo)\
                             .filter(cls.field_key == key).scalar()
                     return row
             class Repository(Base, BaseModel):
                 __tablename__ = 'repositories'
                 __table_args__ = (
                     Index('r_repo_name_idx', 'repo_name', mysql_length=255),
                     base_table_args,
                 )
                 DEFAULT_CLONE_URI = '{scheme}://{user}@{netloc}/{repo}'
                 DEFAULT_CLONE_URI_ID = '{scheme}://{user}@{netloc}/_{repoid}'
                 DEFAULT_CLONE_URI_SSH = 'ssh://{sys_user}@{hostname}/{repo}'
                 STATE_CREATED = 'repo_state_created'
                 STATE_PENDING = 'repo_state_pending'
                 STATE_ERROR = 'repo_state_error'
                 LOCK_AUTOMATIC = 'lock_auto'
                 LOCK_API = 'lock_api'
                 LOCK_WEB = 'lock_web'
                 LOCK_PULL = 'lock_pull'
                 NAME_SEP = URL_SEP
                 repo_id = Column(
                     "repo_id", Integer(), nullable=False, unique=True, default=None,
                     primary_key=True)
                 _repo_name = Column(
                     "repo_name", Text(), nullable=False, default=None)
                 _repo_name_hash = Column(
                     "repo_name_hash", String(255), nullable=False, unique=True)
                 repo_state = Column("repo_state", String(255), nullable=True)
                 clone_uri = Column(
                     "clone_uri", EncryptedTextValue(), nullable=True, unique=False,
                     default=None)
                 push_uri = Column(
                     "push_uri", EncryptedTextValue(), nullable=True, unique=False,
                     default=None)
                 repo_type = Column(
                     "repo_type", String(255), nullable=False, unique=False, default=None)
                 user_id = Column(
                     "user_id", Integer(), ForeignKey('users.user_id'), nullable=False,
                     unique=False, default=None)
                 private = Column(
                     "private", Boolean(), nullable=True, unique=None, default=None)
                 archived = Column(
                     "archived", Boolean(), nullable=True, unique=None, default=None)
                 enable_statistics = Column(
                     "statistics", Boolean(), nullable=True, unique=None, default=True)
                 enable_downloads = Column(
                     "downloads", Boolean(), nullable=True, unique=None, default=True)
                 description = Column(
                     "description", String(10000), nullable=True, unique=None, default=None)
                 created_on = Column(
                     'created_on', DateTime(timezone=False), nullable=True, unique=None,
                     default=datetime.datetime.now)
                 updated_on = Column(
                     'updated_on', DateTime(timezone=False), nullable=True, unique=None,
                     default=datetime.datetime.now)
                 _landing_revision = Column(
                     "landing_revision", String(255), nullable=False, unique=False,
                     default=None)
                 enable_locking = Column(
                     "enable_locking", Boolean(), nullable=False, unique=None,
                     default=False)
                 _locked = Column(
                     "locked", String(255), nullable=True, unique=False, default=None)
                 _changeset_cache = Column(
                     "changeset_cache", LargeBinary(), nullable=True)  # JSON data
                 fork_id = Column(
                     "fork_id", Integer(), ForeignKey('repositories.repo_id'),
                     nullable=True, unique=False, default=None)
                 group_id = Column(
                     "group_id", Integer(), ForeignKey('groups.group_id'), nullable=True,
                     unique=False, default=None)
                 user = relationship('User', lazy='joined')
                 fork = relationship('Repository', remote_side=repo_id, lazy='joined')
                 group = relationship('RepoGroup', lazy='joined')
                 repo_to_perm = relationship(
                     'UserRepoToPerm', cascade='all',
                     order_by='UserRepoToPerm.repo_to_perm_id')
                 users_group_to_perm = relationship('UserGroupRepoToPerm', cascade='all')
                 stats = relationship('Statistics', cascade='all', uselist=False)
                 followers = relationship(
                     'UserFollowing',
                     primaryjoin='UserFollowing.follows_repo_id==Repository.repo_id',
                     cascade='all')
                 extra_fields = relationship(
                     'RepositoryField', cascade="all, delete, delete-orphan")
                 logs = relationship('UserLog')
                 comments = relationship(
                     'ChangesetComment', cascade="all, delete, delete-orphan")
                 pull_requests_source = relationship(
                     'PullRequest',
                     primaryjoin='PullRequest.source_repo_id==Repository.repo_id',
                     cascade="all, delete, delete-orphan")
                 pull_requests_target = relationship(
                     'PullRequest',
                     primaryjoin='PullRequest.target_repo_id==Repository.repo_id',
                     cascade="all, delete, delete-orphan")
                 ui = relationship('RepoRhodeCodeUi', cascade="all")
                 settings = relationship('RepoRhodeCodeSetting', cascade="all")
                 integrations = relationship('Integration', cascade="all, delete, delete-orphan")
                 scoped_tokens = relationship('UserApiKeys', cascade="all")
                 artifacts = relationship('FileStore', cascade="all")
                 def __unicode__(self):
                     return u"<%s('%s:%s')>" % (self.__class__.__name__, self.repo_id,
                                                safe_unicode(self.repo_name))
                 @hybrid_property
                 def description_safe(self):
                     from rhodecode.lib import helpers as h
                     return h.escape(self.description)
                 @hybrid_property
                 def landing_rev(self):
                     # always should return [rev_type, rev]
                     if self._landing_revision:
                         _rev_info = self._landing_revision.split(':')
                         if len(_rev_info) < 2:
                             _rev_info.insert(0, 'rev')
                         return [_rev_info[0], _rev_info[1]]
                     return [None, None]
                 @landing_rev.setter
                 def landing_rev(self, val):
                     if ':' not in val:
                         raise ValueError('value must be delimited with `:` and consist '
                                          'of <rev_type>:<rev>, got %s instead' % val)
                     self._landing_revision = val
                 @hybrid_property
                 def locked(self):
                     if self._locked:
                         user_id, timelocked, reason = self._locked.split(':')
                         lock_values = int(user_id), timelocked, reason
                     else:
                         lock_values = [None, None, None]
                     return lock_values
                 @locked.setter
                 def locked(self, val):
                     if val and isinstance(val, (list, tuple)):
                         self._locked = ':'.join(map(str, val))
                     else:
                         self._locked = None
                 @hybrid_property
                 def changeset_cache(self):
                     from rhodecode.lib.vcs.backends.base import EmptyCommit
                     dummy = EmptyCommit().__json__()
                     if not self._changeset_cache:
                         dummy['source_repo_id'] = self.repo_id
                         return json.loads(json.dumps(dummy))
                     try:
                         return json.loads(self._changeset_cache)
                     except TypeError:
                         return dummy
                     except Exception:
                         log.error(traceback.format_exc())
                         return dummy
                 @changeset_cache.setter
                 def changeset_cache(self, val):
                     try:
                         self._changeset_cache = json.dumps(val)
                     except Exception:
                         log.error(traceback.format_exc())
                 @hybrid_property
                 def repo_name(self):
                     return self._repo_name
                 @repo_name.setter
                 def repo_name(self, value):
                     self._repo_name = value
                     self._repo_name_hash = hashlib.sha1(safe_str(value)).hexdigest()
                 @classmethod
                 def normalize_repo_name(cls, repo_name):
                     """
                     Normalizes os specific repo_name to the format internally stored inside
                     database using URL_SEP
                     :param cls:
                     :param repo_name:
                     """
                     return cls.NAME_SEP.join(repo_name.split(os.sep))
                 @classmethod
                 def get_by_repo_name(cls, repo_name, cache=False, identity_cache=False):
                     session = Session()
                     q = session.query(cls).filter(cls.repo_name == repo_name)
                     if cache:
                         if identity_cache:
                             val = cls.identity_cache(session, 'repo_name', repo_name)
                             if val:
                                 return val
                         else:
                             cache_key = "get_repo_by_name_%s" % _hash_key(repo_name)
                             q = q.options(
                                 FromCache("sql_cache_short", cache_key))
                     return q.scalar()
                 @classmethod
                 def get_by_id_or_repo_name(cls, repoid):
                     if isinstance(repoid, (int, long)):
                         try:
                             repo = cls.get(repoid)
                         except ValueError:
                             repo = None
                     else:
                         repo = cls.get_by_repo_name(repoid)
                     return repo
                 @classmethod
                 def get_by_full_path(cls, repo_full_path):
                     repo_name = repo_full_path.split(cls.base_path(), 1)[-1]
                     repo_name = cls.normalize_repo_name(repo_name)
                     return cls.get_by_repo_name(repo_name.strip(URL_SEP))
                 @classmethod
                 def get_repo_forks(cls, repo_id):
                     return cls.query().filter(Repository.fork_id == repo_id)
                 @classmethod
                 def base_path(cls):
                     """
                     Returns base path when all repos are stored
                     :param cls:
                     """
                     q = Session().query(RhodeCodeUi)\
                         .filter(RhodeCodeUi.ui_key == cls.NAME_SEP)
                     q = q.options(FromCache("sql_cache_short", "repository_repo_path"))
                     return q.one().ui_value
                 @classmethod
                 def get_all_repos(cls, user_id=Optional(None), group_id=Optional(None),
                                   case_insensitive=True, archived=False):
                     q = Repository.query()
                     if not archived:
                         q = q.filter(Repository.archived.isnot(true()))
                     if not isinstance(user_id, Optional):
                         q = q.filter(Repository.user_id == user_id)
                     if not isinstance(group_id, Optional):
                         q = q.filter(Repository.group_id == group_id)
                     if case_insensitive:
                         q = q.order_by(func.lower(Repository.repo_name))
                     else:
                         q = q.order_by(Repository.repo_name)
                     return q.all()
                 @property
                 def repo_uid(self):
                     return '_{}'.format(self.repo_id)
                 @property
                 def forks(self):
                     """
                     Return forks of this repo
                     """
                     return Repository.get_repo_forks(self.repo_id)
                 @property
                 def parent(self):
                     """
                     Returns fork parent
                     """
                     return self.fork
                 @property
                 def just_name(self):
                     return self.repo_name.split(self.NAME_SEP)[-1]
                 @property
                 def groups_with_parents(self):
                     groups = []
                     if self.group is None:
                         return groups
                     cur_gr = self.group
                     groups.insert(0, cur_gr)
                     while 1:
                         gr = getattr(cur_gr, 'parent_group', None)
                         cur_gr = cur_gr.parent_group
                         if gr is None:
                             break
                         groups.insert(0, gr)
                     return groups
                 @property
                 def groups_and_repo(self):
                     return self.groups_with_parents, self
                 @LazyProperty
                 def repo_path(self):
                     """
                     Returns base full path for that repository means where it actually
                     exists on a filesystem
                     """
                     q = Session().query(RhodeCodeUi).filter(
                         RhodeCodeUi.ui_key == self.NAME_SEP)
                     q = q.options(FromCache("sql_cache_short", "repository_repo_path"))
                     return q.one().ui_value
                 @property
                 def repo_full_path(self):
                     p = [self.repo_path]
                     # we need to split the name by / since this is how we store the
                     # names in the database, but that eventually needs to be converted
                     # into a valid system path
                     p += self.repo_name.split(self.NAME_SEP)
                     return os.path.join(*map(safe_unicode, p))
                 @property
                 def cache_keys(self):
                     """
                     Returns associated cache keys for that repo
                     """
                     invalidation_namespace = CacheKey.REPO_INVALIDATION_NAMESPACE.format(
                         repo_id=self.repo_id)
                     return CacheKey.query()\
                         .filter(CacheKey.cache_args == invalidation_namespace)\
                         .order_by(CacheKey.cache_key)\
                         .all()
                 @property
                 def cached_diffs_relative_dir(self):
                     """
                     Return a relative to the repository store path of cached diffs
                     used for safe display for users, who shouldn't know the absolute store
                     path
                     """
                     return os.path.join(
                         os.path.dirname(self.repo_name),
                         self.cached_diffs_dir.split(os.path.sep)[-1])
                 @property
                 def cached_diffs_dir(self):
                     path = self.repo_full_path
                     return os.path.join(
                         os.path.dirname(path),
                         '.__shadow_diff_cache_repo_{}'.format(self.repo_id))
                 def cached_diffs(self):
                     diff_cache_dir = self.cached_diffs_dir
                     if os.path.isdir(diff_cache_dir):
                         return os.listdir(diff_cache_dir)
                     return []
                 def shadow_repos(self):
                     shadow_repos_pattern = '.__shadow_repo_{}'.format(self.repo_id)
                     return [
                         x for x in os.listdir(os.path.dirname(self.repo_full_path))
                         if x.startswith(shadow_repos_pattern)]
                 def get_new_name(self, repo_name):
                     """
                     returns new full repository name based on assigned group and new new
                     :param group_name:
                     """
                     path_prefix = self.group.full_path_splitted if self.group else []
                     return self.NAME_SEP.join(path_prefix + [repo_name])
                 @property
                 def _config(self):
                     """
                     Returns db based config object.
                     """
                     from rhodecode.lib.utils import make_db_config
                     return make_db_config(clear_session=False, repo=self)
                 def permissions(self, with_admins=True, with_owner=True,
                                 expand_from_user_groups=False):
                     """
                     Permissions for repositories
                     """
                     _admin_perm = 'repository.admin'
                     owner_row = []
                     if with_owner:
                         usr = AttributeDict(self.user.get_dict())
                         usr.owner_row = True
                         usr.permission = _admin_perm
                         usr.permission_id = None
                         owner_row.append(usr)
                     super_admin_ids = []
                     super_admin_rows = []
                     if with_admins:
                         for usr in User.get_all_super_admins():
                             super_admin_ids.append(usr.user_id)
                             # if this admin is also owner, don't double the record
                             if usr.user_id == owner_row[0].user_id:
                                 owner_row[0].admin_row = True
                             else:
                                 usr = AttributeDict(usr.get_dict())
                                 usr.admin_row = True
                                 usr.permission = _admin_perm
                                 usr.permission_id = None
                                 super_admin_rows.append(usr)
                     q = UserRepoToPerm.query().filter(UserRepoToPerm.repository == self)
                     q = q.options(joinedload(UserRepoToPerm.repository),
                                   joinedload(UserRepoToPerm.user),
                                   joinedload(UserRepoToPerm.permission),)
                     # get owners and admins and permissions. We do a trick of re-writing
                     # objects from sqlalchemy to named-tuples due to sqlalchemy session
                     # has a global reference and changing one object propagates to all
                     # others. This means if admin is also an owner admin_row that change
                     # would propagate to both objects
                     perm_rows = []
                     for _usr in q.all():
                         usr = AttributeDict(_usr.user.get_dict())
                         # if this user is also owner/admin, mark as duplicate record
                         if usr.user_id == owner_row[0].user_id or usr.user_id in super_admin_ids:
                             usr.duplicate_perm = True
                         # also check if this permission is maybe used by branch_permissions
                         if _usr.branch_perm_entry:
                             usr.branch_rules = [x.branch_rule_id for x in _usr.branch_perm_entry]
                         usr.permission = _usr.permission.permission_name
                         usr.permission_id = _usr.repo_to_perm_id
                         perm_rows.append(usr)
                     # filter the perm rows by 'default' first and then sort them by
                     # admin,write,read,none permissions sorted again alphabetically in
                     # each group
                     perm_rows = sorted(perm_rows, key=display_user_sort)
                     user_groups_rows = []
                     if expand_from_user_groups:
                         for ug in self.permission_user_groups(with_members=True):
                             for user_data in ug.members:
                                 user_groups_rows.append(user_data)
                     return super_admin_rows + owner_row + perm_rows + user_groups_rows
                 def permission_user_groups(self, with_members=True):
                     q = UserGroupRepoToPerm.query()\
                         .filter(UserGroupRepoToPerm.repository == self)
                     q = q.options(joinedload(UserGroupRepoToPerm.repository),
                                   joinedload(UserGroupRepoToPerm.users_group),
                                   joinedload(UserGroupRepoToPerm.permission),)
                     perm_rows = []
                     for _user_group in q.all():
                         entry = AttributeDict(_user_group.users_group.get_dict())
                         entry.permission = _user_group.permission.permission_name
                         if with_members:
                             entry.members = [x.user.get_dict()
                                              for x in _user_group.users_group.members]
                         perm_rows.append(entry)
                     perm_rows = sorted(perm_rows, key=display_user_group_sort)
                     return perm_rows
                 def get_api_data(self, include_secrets=False):
                     """
                     Common function for generating repo api data
                     :param include_secrets: See :meth:`User.get_api_data`.
                     """
                     # TODO: mikhail: Here there is an anti-pattern, we probably need to
                     # move this methods on models level.
                     from rhodecode.model.settings import SettingsModel
                     from rhodecode.model.repo import RepoModel
                     repo = self
                     _user_id, _time, _reason = self.locked
                     data = {
                         'repo_id': repo.repo_id,
                         'repo_name': repo.repo_name,
                         'repo_type': repo.repo_type,
                         'clone_uri': repo.clone_uri or '',
                         'push_uri': repo.push_uri or '',
                         'url': RepoModel().get_url(self),
                         'private': repo.private,
                         'created_on': repo.created_on,
                         'description': repo.description_safe,
                         'landing_rev': repo.landing_rev,
                         'owner': repo.user.username,
                         'fork_of': repo.fork.repo_name if repo.fork else None,
                         'fork_of_id': repo.fork.repo_id if repo.fork else None,
                         'enable_statistics': repo.enable_statistics,
                         'enable_locking': repo.enable_locking,
                         'enable_downloads': repo.enable_downloads,
                         'last_changeset': repo.changeset_cache,
                         'locked_by': User.get(_user_id).get_api_data(
                             include_secrets=include_secrets) if _user_id else None,
                         'locked_date': time_to_datetime(_time) if _time else None,
                         'lock_reason': _reason if _reason else None,
                     }
                     # TODO: mikhail: should be per-repo settings here
                     rc_config = SettingsModel().get_all_settings()
                     repository_fields = str2bool(
                         rc_config.get('rhodecode_repository_fields'))
                     if repository_fields:
                         for f in self.extra_fields:
                             data[f.field_key_prefixed] = f.field_value
                     return data
                 @classmethod
                 def lock(cls, repo, user_id, lock_time=None, lock_reason=None):
                     if not lock_time:
                         lock_time = time.time()
                     if not lock_reason:
                         lock_reason = cls.LOCK_AUTOMATIC
                     repo.locked = [user_id, lock_time, lock_reason]
                     Session().add(repo)
                     Session().commit()
                 @classmethod
                 def unlock(cls, repo):
                     repo.locked = None
                     Session().add(repo)
                     Session().commit()
                 @classmethod
                 def getlock(cls, repo):
                     return repo.locked
                 def is_user_lock(self, user_id):
                     if self.lock[0]:
                         lock_user_id = safe_int(self.lock[0])
                         user_id = safe_int(user_id)
                         # both are ints, and they are equal
                         return all([lock_user_id, user_id]) and lock_user_id == user_id
                     return False
                 def get_locking_state(self, action, user_id, only_when_enabled=True):
                     """
                     Checks locking on this repository, if locking is enabled and lock is
                     present returns a tuple of make_lock, locked, locked_by.
                     make_lock can have 3 states None (do nothing) True, make lock
                     False release lock, This value is later propagated to hooks, which
                     do the locking. Think about this as signals passed to hooks what to do.
                     """
                     # TODO: johbo: This is part of the business logic and should be moved
                     # into the RepositoryModel.
                     if action not in ('push', 'pull'):
                         raise ValueError("Invalid action value: %s" % repr(action))
                     # defines if locked error should be thrown to user
                     currently_locked = False
                     # defines if new lock should be made, tri-state
                     make_lock = None
                     repo = self
                     user = User.get(user_id)
                     lock_info = repo.locked
                     if repo and (repo.enable_locking or not only_when_enabled):
                         if action == 'push':
                             # check if it's already locked !, if it is compare users
                             locked_by_user_id = lock_info[0]
                             if user.user_id == locked_by_user_id:
                                 log.debug(
                                     'Got `push` action from user %s, now unlocking', user)
                                 # unlock if we have push from user who locked
                                 make_lock = False
                             else:
                                 # we're not the same user who locked, ban with
                                 # code defined in settings (default is 423 HTTP Locked) !
                                 log.debug('Repo %s is currently locked by %s', repo, user)
                                 currently_locked = True
                         elif action == 'pull':
                             # [0] user [1] date
                             if lock_info[0] and lock_info[1]:
                                 log.debug('Repo %s is currently locked by %s', repo, user)
                                 currently_locked = True
                             else:
                                 log.debug('Setting lock on repo %s by %s', repo, user)
                                 make_lock = True
                     else:
                         log.debug('Repository %s do not have locking enabled', repo)
                     log.debug('FINAL locking values make_lock:%s,locked:%s,locked_by:%s',
                               make_lock, currently_locked, lock_info)
                     from rhodecode.lib.auth import HasRepoPermissionAny
                     perm_check = HasRepoPermissionAny('repository.write', 'repository.admin')
                     if make_lock and not perm_check(repo_name=repo.repo_name, user=user):
                         # if we don't have at least write permission we cannot make a lock
                         log.debug('lock state reset back to FALSE due to lack '
                                   'of at least read permission')
                         make_lock = False
                     return make_lock, currently_locked, lock_info
                 @property
                 def last_commit_cache_update_diff(self):
                     return time.time() - (safe_int(self.changeset_cache.get('updated_on')) or 0)
                 @property
                 def last_commit_change(self):
                     from rhodecode.lib.vcs.utils.helpers import parse_datetime
                     empty_date = datetime.datetime.fromtimestamp(0)
                     date_latest = self.changeset_cache.get('date', empty_date)
                     try:
                         return parse_datetime(date_latest)
                     except Exception:
                         return empty_date
                 @property
                 def last_db_change(self):
                     return self.updated_on
                 @property
                 def clone_uri_hidden(self):
                     clone_uri = self.clone_uri
                     if clone_uri:
                         import urlobject
                         url_obj = urlobject.URLObject(cleaned_uri(clone_uri))
                         if url_obj.password:
                             clone_uri = url_obj.with_password('*****')
                     return clone_uri
                 @property
                 def push_uri_hidden(self):
                     push_uri = self.push_uri
                     if push_uri:
                         import urlobject
                         url_obj = urlobject.URLObject(cleaned_uri(push_uri))
                         if url_obj.password:
                             push_uri = url_obj.with_password('*****')
                     return push_uri
                 def clone_url(self, **override):
                     from rhodecode.model.settings import SettingsModel
                     uri_tmpl = None
                     if 'with_id' in override:
                         uri_tmpl = self.DEFAULT_CLONE_URI_ID
                         del override['with_id']
                     if 'uri_tmpl' in override:
                         uri_tmpl = override['uri_tmpl']
                         del override['uri_tmpl']
                     ssh = False
                     if 'ssh' in override:
                         ssh = True
                         del override['ssh']
                     # we didn't override our tmpl from **overrides
                     if not uri_tmpl:
                         rc_config = SettingsModel().get_all_settings(cache=True)
                         if ssh:
                             uri_tmpl = rc_config.get(
                                 'rhodecode_clone_uri_ssh_tmpl') or self.DEFAULT_CLONE_URI_SSH
                         else:
                             uri_tmpl = rc_config.get(
                                 'rhodecode_clone_uri_tmpl') or self.DEFAULT_CLONE_URI
                     request = get_current_request()
                     return get_clone_url(request=request,
                                          uri_tmpl=uri_tmpl,
                                          repo_name=self.repo_name,
                                          repo_id=self.repo_id, **override)
                 def set_state(self, state):
                     self.repo_state = state
                     Session().add(self)
                 #==========================================================================
                 # SCM PROPERTIES
                 #==========================================================================
                 def get_commit(self, commit_id=None, commit_idx=None, pre_load=None):
                     return get_commit_safe(
                         self.scm_instance(), commit_id, commit_idx, pre_load=pre_load)
                 def get_changeset(self, rev=None, pre_load=None):
                     warnings.warn("Use get_commit", DeprecationWarning)
                     commit_id = None
                     commit_idx = None
                     if isinstance(rev, compat.string_types):
                         commit_id = rev
                     else:
                         commit_idx = rev
                     return self.get_commit(commit_id=commit_id, commit_idx=commit_idx,
                                            pre_load=pre_load)
                 def get_landing_commit(self):
                     """
                     Returns landing commit, or if that doesn't exist returns the tip
                     """
                     _rev_type, _rev = self.landing_rev
                     commit = self.get_commit(_rev)
                     if isinstance(commit, EmptyCommit):
                         return self.get_commit()
                     return commit
                 def update_commit_cache(self, cs_cache=None, config=None):
                     """
                     Update cache of last changeset for repository, keys should be::
                         source_repo_id
                         short_id
                         raw_id
                         revision
                         parents
                         message
                         date
                         author
                         updated_on
                     """
                     from rhodecode.lib.vcs.backends.base import BaseChangeset
                     if cs_cache is None:
                         # use no-cache version here
                         scm_repo = self.scm_instance(cache=False, config=config)
                         empty = scm_repo is None or scm_repo.is_empty()
                         if not empty:
                             cs_cache = scm_repo.get_commit(
                                 pre_load=["author", "date", "message", "parents"])
                         else:
                             cs_cache = EmptyCommit()
                     if isinstance(cs_cache, BaseChangeset):
                         cs_cache = cs_cache.__json__()
                     def is_outdated(new_cs_cache):
                         if (new_cs_cache['raw_id'] != self.changeset_cache['raw_id'] or
                             new_cs_cache['revision'] != self.changeset_cache['revision']):
                             return True
                         return False
                     # check if we have maybe already latest cached revision
                     if is_outdated(cs_cache) or not self.changeset_cache:
                         _default = datetime.datetime.utcnow()
                         last_change = cs_cache.get('date') or _default
                         # we check if last update is newer than the new value
                         # if yes, we use the current timestamp instead. Imagine you get
                         # old commit pushed 1y ago, we'd set last update 1y to ago.
                         last_change_timestamp = datetime_to_time(last_change)
                         current_timestamp = datetime_to_time(last_change)
                         if last_change_timestamp > current_timestamp:
                             cs_cache['date'] = _default
                         cs_cache['updated_on'] = time.time()
                         self.changeset_cache = cs_cache
                         Session().add(self)
                         Session().commit()
                         log.debug('updated repo %s with new commit cache %s',
                                   self.repo_name, cs_cache)
                     else:
                         cs_cache = self.changeset_cache
                         cs_cache['updated_on'] = time.time()
                         self.changeset_cache = cs_cache
                         Session().add(self)
                         Session().commit()
                         log.debug('Skipping update_commit_cache for repo:`%s` '
                                   'commit already with latest changes', self.repo_name)
                 @property
                 def tip(self):
                     return self.get_commit('tip')
                 @property
                 def author(self):
                     return self.tip.author
                 @property
                 def last_change(self):
                     return self.scm_instance().last_change
                 def get_comments(self, revisions=None):
                     """
                     Returns comments for this repository grouped by revisions
                     :param revisions: filter query by revisions only
                     """
                     cmts = ChangesetComment.query()\
                         .filter(ChangesetComment.repo == self)
                     if revisions:
                         cmts = cmts.filter(ChangesetComment.revision.in_(revisions))
                     grouped = collections.defaultdict(list)
                     for cmt in cmts.all():
                         grouped[cmt.revision].append(cmt)
                     return grouped
                 def statuses(self, revisions=None):
                     """
                     Returns statuses for this repository
                     :param revisions: list of revisions to get statuses for
                     """
                     statuses = ChangesetStatus.query()\
                         .filter(ChangesetStatus.repo == self)\
                         .filter(ChangesetStatus.version == 0)
                     if revisions:
                         # Try doing the filtering in chunks to avoid hitting limits
                         size = 500
                         status_results = []
                         for chunk in xrange(0, len(revisions), size):
                             status_results += statuses.filter(
                                 ChangesetStatus.revision.in_(
                                     revisions[chunk: chunk+size])
                             ).all()
                     else:
                         status_results = statuses.all()
                     grouped = {}
                     # maybe we have open new pullrequest without a status?
                     stat = ChangesetStatus.STATUS_UNDER_REVIEW
                     status_lbl = ChangesetStatus.get_status_lbl(stat)
                     for pr in PullRequest.query().filter(PullRequest.source_repo == self).all():
                         for rev in pr.revisions:
                             pr_id = pr.pull_request_id
                             pr_repo = pr.target_repo.repo_name
                             grouped[rev] = [stat, status_lbl, pr_id, pr_repo]
                     for stat in status_results:
                         pr_id = pr_repo = None
                         if stat.pull_request:
                             pr_id = stat.pull_request.pull_request_id
                             pr_repo = stat.pull_request.target_repo.repo_name
                         grouped[stat.revision] = [str(stat.status), stat.status_lbl,
                                                   pr_id, pr_repo]
                     return grouped
                 # ==========================================================================
                 # SCM CACHE INSTANCE
                 # ==========================================================================
                 def scm_instance(self, **kwargs):
                     import rhodecode
                     # Passing a config will not hit the cache currently only used
                     # for repo2dbmapper
                     config = kwargs.pop('config', None)
                     cache = kwargs.pop('cache', None)
                     vcs_full_cache = kwargs.pop('vcs_full_cache', None)
                     if vcs_full_cache is not None:
                         # allows override global config
                         full_cache = vcs_full_cache
                     else:
                         full_cache = str2bool(rhodecode.CONFIG.get('vcs_full_cache'))
                     # if cache is NOT defined use default global, else we have a full
                     # control over cache behaviour
                     if cache is None and full_cache and not config:
                         log.debug('Initializing pure cached instance for %s', self.repo_path)
                         return self._get_instance_cached()
                     # cache here is sent to the "vcs server"
                     return self._get_instance(cache=bool(cache), config=config)
                 def _get_instance_cached(self):
                     from rhodecode.lib import rc_cache
                     cache_namespace_uid = 'cache_repo_instance.{}'.format(self.repo_id)
                     invalidation_namespace = CacheKey.REPO_INVALIDATION_NAMESPACE.format(
                         repo_id=self.repo_id)
                     region = rc_cache.get_or_create_region('cache_repo_longterm', cache_namespace_uid)
                     @region.conditional_cache_on_arguments(namespace=cache_namespace_uid)
                     def get_instance_cached(repo_id, context_id, _cache_state_uid):
                         return self._get_instance(repo_state_uid=_cache_state_uid)
                     # we must use thread scoped cache here,
                     # because each thread of gevent needs it's own not shared connection and cache
                     # we also alter `args` so the cache key is individual for every green thread.
                     inv_context_manager = rc_cache.InvalidationContext(
                         uid=cache_namespace_uid, invalidation_namespace=invalidation_namespace,
                         thread_scoped=True)
                     with inv_context_manager as invalidation_context:
                         cache_state_uid = invalidation_context.cache_data['cache_state_uid']
                         args = (self.repo_id, inv_context_manager.cache_key, cache_state_uid)
                         # re-compute and store cache if we get invalidate signal
                         if invalidation_context.should_invalidate():
                             instance = get_instance_cached.refresh(*args)
                         else:
                             instance = get_instance_cached(*args)
-                        log.debug('Repo instance fetched in %.3fs', inv_context_manager.compute_time)
+                        log.debug('Repo instance fetched in %.4fs', inv_context_manager.compute_time)
                         return instance
                 def _get_instance(self, cache=True, config=None, repo_state_uid=None):
                     log.debug('Initializing %s instance `%s` with cache flag set to: %s',
                               self.repo_type, self.repo_path, cache)
                     config = config or self._config
                     custom_wire = {
                         'cache': cache,  # controls the vcs.remote cache
                         'repo_state_uid': repo_state_uid
                     }
                     repo = get_vcs_instance(
                         repo_path=safe_str(self.repo_full_path),
                         config=config,
                         with_wire=custom_wire,
                         create=False,
                         _vcs_alias=self.repo_type)
                     if repo is not None:
                         repo.count()  # cache rebuild
                     return repo
                 def __json__(self):
                     return {'landing_rev': self.landing_rev}
                 def get_dict(self):
                     # Since we transformed `repo_name` to a hybrid property, we need to
                     # keep compatibility with the code which uses `repo_name` field.
                     result = super(Repository, self).get_dict()
                     result['repo_name'] = result.pop('_repo_name', None)
                     return result
             class RepoGroup(Base, BaseModel):
                 __tablename__ = 'groups'
                 __table_args__ = (
                     UniqueConstraint('group_name', 'group_parent_id'),
                     base_table_args,
                 )
                 __mapper_args__ = {'order_by': 'group_name'}
                 CHOICES_SEPARATOR = '/'  # used to generate select2 choices for nested groups
                 group_id = Column("group_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 _group_name = Column("group_name", String(255), nullable=False, unique=True, default=None)
                 group_name_hash = Column("repo_group_name_hash", String(1024), nullable=False, unique=False)
                 group_parent_id = Column("group_parent_id", Integer(), ForeignKey('groups.group_id'), nullable=True, unique=None, default=None)
                 group_description = Column("group_description", String(10000), nullable=True, unique=None, default=None)
                 enable_locking = Column("enable_locking", Boolean(), nullable=False, unique=None, default=False)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=False, default=None)
                 created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 updated_on = Column('updated_on', DateTime(timezone=False), nullable=True, unique=None, default=datetime.datetime.now)
                 personal = Column('personal', Boolean(), nullable=True, unique=None, default=None)
                 _changeset_cache = Column(
                     "changeset_cache", LargeBinary(), nullable=True)  # JSON data
                 repo_group_to_perm = relationship('UserRepoGroupToPerm', cascade='all', order_by='UserRepoGroupToPerm.group_to_perm_id')
                 users_group_to_perm = relationship('UserGroupRepoGroupToPerm', cascade='all')
                 parent_group = relationship('RepoGroup', remote_side=group_id)
                 user = relationship('User')
                 integrations = relationship('Integration', cascade="all, delete, delete-orphan")
                 def __init__(self, group_name='', parent_group=None):
                     self.group_name = group_name
                     self.parent_group = parent_group
                 def __unicode__(self):
                     return u"<%s('id:%s:%s')>" % (
                         self.__class__.__name__, self.group_id, self.group_name)
                 @hybrid_property
                 def group_name(self):
                     return self._group_name
                 @group_name.setter
                 def group_name(self, value):
                     self._group_name = value
                     self.group_name_hash = self.hash_repo_group_name(value)
                 @hybrid_property
                 def changeset_cache(self):
                     from rhodecode.lib.vcs.backends.base import EmptyCommit
                     dummy = EmptyCommit().__json__()
                     if not self._changeset_cache:
                         dummy['source_repo_id'] = ''
                         return json.loads(json.dumps(dummy))
                     try:
                         return json.loads(self._changeset_cache)
                     except TypeError:
                         return dummy
                     except Exception:
                         log.error(traceback.format_exc())
                         return dummy
                 @changeset_cache.setter
                 def changeset_cache(self, val):
                     try:
                         self._changeset_cache = json.dumps(val)
                     except Exception:
                         log.error(traceback.format_exc())
                 @validates('group_parent_id')
                 def validate_group_parent_id(self, key, val):
                     """
                     Check cycle references for a parent group to self
                     """
                     if self.group_id and val:
                         assert val != self.group_id
                     return val
                 @hybrid_property
                 def description_safe(self):
                     from rhodecode.lib import helpers as h
                     return h.escape(self.group_description)
                 @classmethod
                 def hash_repo_group_name(cls, repo_group_name):
                     val = remove_formatting(repo_group_name)
                     val = safe_str(val).lower()
                     chars = []
                     for c in val:
                         if c not in string.ascii_letters:
                             c = str(ord(c))
                         chars.append(c)
                     return ''.join(chars)
                 @classmethod
                 def _generate_choice(cls, repo_group):
                     from webhelpers.html import literal as _literal
                     _name = lambda k: _literal(cls.CHOICES_SEPARATOR.join(k))
                     return repo_group.group_id, _name(repo_group.full_path_splitted)
                 @classmethod
                 def groups_choices(cls, groups=None, show_empty_group=True):
                     if not groups:
                         groups = cls.query().all()
                     repo_groups = []
                     if show_empty_group:
                         repo_groups = [(-1, u'-- %s --' % _('No parent'))]
                     repo_groups.extend([cls._generate_choice(x) for x in groups])
                     repo_groups = sorted(
                         repo_groups, key=lambda t: t[1].split(cls.CHOICES_SEPARATOR)[0])
                     return repo_groups
                 @classmethod
                 def url_sep(cls):
                     return URL_SEP
                 @classmethod
                 def get_by_group_name(cls, group_name, cache=False, case_insensitive=False):
                     if case_insensitive:
                         gr = cls.query().filter(func.lower(cls.group_name)
                                                 == func.lower(group_name))
                     else:
                         gr = cls.query().filter(cls.group_name == group_name)
                     if cache:
                         name_key = _hash_key(group_name)
                         gr = gr.options(
                             FromCache("sql_cache_short", "get_group_%s" % name_key))
                     return gr.scalar()
                 @classmethod
                 def get_user_personal_repo_group(cls, user_id):
                     user = User.get(user_id)
                     if user.username == User.DEFAULT_USER:
                         return None
                     return cls.query()\
                         .filter(cls.personal == true()) \
                         .filter(cls.user == user) \
                         .order_by(cls.group_id.asc()) \
                         .first()
                 @classmethod
                 def get_all_repo_groups(cls, user_id=Optional(None), group_id=Optional(None),
                                         case_insensitive=True):
                     q = RepoGroup.query()
                     if not isinstance(user_id, Optional):
                         q = q.filter(RepoGroup.user_id == user_id)
                     if not isinstance(group_id, Optional):
                         q = q.filter(RepoGroup.group_parent_id == group_id)
                     if case_insensitive:
                         q = q.order_by(func.lower(RepoGroup.group_name))
                     else:
                         q = q.order_by(RepoGroup.group_name)
                     return q.all()
                 @property
                 def parents(self, parents_recursion_limit = 10):
                     groups = []
                     if self.parent_group is None:
                         return groups
                     cur_gr = self.parent_group
                     groups.insert(0, cur_gr)
                     cnt = 0
                     while 1:
                         cnt += 1
                         gr = getattr(cur_gr, 'parent_group', None)
                         cur_gr = cur_gr.parent_group
                         if gr is None:
                             break
                         if cnt == parents_recursion_limit:
                             # this will prevent accidental infinit loops
                             log.error('more than %s parents found for group %s, stopping '
                                       'recursive parent fetching', parents_recursion_limit, self)
                             break
                         groups.insert(0, gr)
                     return groups
                 @property
                 def last_commit_cache_update_diff(self):
                     return time.time() - (safe_int(self.changeset_cache.get('updated_on')) or 0)
                 @property
                 def last_commit_change(self):
                     from rhodecode.lib.vcs.utils.helpers import parse_datetime
                     empty_date = datetime.datetime.fromtimestamp(0)
                     date_latest = self.changeset_cache.get('date', empty_date)
                     try:
                         return parse_datetime(date_latest)
                     except Exception:
                         return empty_date
                 @property
                 def last_db_change(self):
                     return self.updated_on
                 @property
                 def children(self):
                     return RepoGroup.query().filter(RepoGroup.parent_group == self)
                 @property
                 def name(self):
                     return self.group_name.split(RepoGroup.url_sep())[-1]
                 @property
                 def full_path(self):
                     return self.group_name
                 @property
                 def full_path_splitted(self):
                     return self.group_name.split(RepoGroup.url_sep())
                 @property
                 def repositories(self):
                     return Repository.query()\
                             .filter(Repository.group == self)\
                             .order_by(Repository.repo_name)
                 @property
                 def repositories_recursive_count(self):
                     cnt = self.repositories.count()
                     def children_count(group):
                         cnt = 0
                         for child in group.children:
                             cnt += child.repositories.count()
                             cnt += children_count(child)
                         return cnt
                     return cnt + children_count(self)
                 def _recursive_objects(self, include_repos=True, include_groups=True):
                     all_ = []
                     def _get_members(root_gr):
                         if include_repos:
                             for r in root_gr.repositories:
                                 all_.append(r)
                         childs = root_gr.children.all()
                         if childs:
                             for gr in childs:
                                 if include_groups:
                                     all_.append(gr)
                                 _get_members(gr)
                     root_group = []
                     if include_groups:
                         root_group = [self]
                     _get_members(self)
                     return root_group + all_
                 def recursive_groups_and_repos(self):
                     """
                     Recursive return all groups, with repositories in those groups
                     """
                     return self._recursive_objects()
                 def recursive_groups(self):
                     """
                     Returns all children groups for this group including children of children
                     """
                     return self._recursive_objects(include_repos=False)
                 def recursive_repos(self):
                     """
                     Returns all children repositories for this group
                     """
                     return self._recursive_objects(include_groups=False)
                 def get_new_name(self, group_name):
                     """
                     returns new full group name based on parent and new name
                     :param group_name:
                     """
                     path_prefix = (self.parent_group.full_path_splitted if
                                    self.parent_group else [])
                     return RepoGroup.url_sep().join(path_prefix + [group_name])
                 def update_commit_cache(self, config=None):
                     """
                     Update cache of last changeset for newest repository inside this group, keys should be::
                         source_repo_id
                         short_id
                         raw_id
                         revision
                         parents
                         message
                         date
                         author
                     """
                     from rhodecode.lib.vcs.utils.helpers import parse_datetime
                     def repo_groups_and_repos():
                         all_entries = OrderedDefaultDict(list)
                         def _get_members(root_gr, pos=0):
                             for repo in root_gr.repositories:
                                 all_entries[root_gr].append(repo)
                             # fill in all parent positions
                             for parent_group in root_gr.parents:
                                 all_entries[parent_group].extend(all_entries[root_gr])
                             children_groups = root_gr.children.all()
                             if children_groups:
                                 for cnt, gr in enumerate(children_groups, 1):
                                     _get_members(gr, pos=pos+cnt)
                         _get_members(root_gr=self)
                         return all_entries
                     empty_date = datetime.datetime.fromtimestamp(0)
                     for repo_group, repos in repo_groups_and_repos().items():
                         latest_repo_cs_cache = {}
                         for repo in repos:
                             repo_cs_cache = repo.changeset_cache
                             date_latest = latest_repo_cs_cache.get('date', empty_date)
                             date_current = repo_cs_cache.get('date', empty_date)
                             current_timestamp = datetime_to_time(parse_datetime(date_latest))
                             if current_timestamp < datetime_to_time(parse_datetime(date_current)):
                                 latest_repo_cs_cache = repo_cs_cache
                                 latest_repo_cs_cache['source_repo_id'] = repo.repo_id
                         latest_repo_cs_cache['updated_on'] = time.time()
                         repo_group.changeset_cache = latest_repo_cs_cache
                         Session().add(repo_group)
                         Session().commit()
                         log.debug('updated repo group %s with new commit cache %s',
                                   repo_group.group_name, latest_repo_cs_cache)
                 def permissions(self, with_admins=True, with_owner=True,
                                 expand_from_user_groups=False):
                     """
                     Permissions for repository groups
                     """
                     _admin_perm = 'group.admin'
                     owner_row = []
                     if with_owner:
                         usr = AttributeDict(self.user.get_dict())
                         usr.owner_row = True
                         usr.permission = _admin_perm
                         owner_row.append(usr)
                     super_admin_ids = []
                     super_admin_rows = []
                     if with_admins:
                         for usr in User.get_all_super_admins():
                             super_admin_ids.append(usr.user_id)
                             # if this admin is also owner, don't double the record
                             if usr.user_id == owner_row[0].user_id:
                                 owner_row[0].admin_row = True
                             else:
                                 usr = AttributeDict(usr.get_dict())
                                 usr.admin_row = True
                                 usr.permission = _admin_perm
                                 super_admin_rows.append(usr)
                     q = UserRepoGroupToPerm.query().filter(UserRepoGroupToPerm.group == self)
                     q = q.options(joinedload(UserRepoGroupToPerm.group),
                                   joinedload(UserRepoGroupToPerm.user),
                                   joinedload(UserRepoGroupToPerm.permission),)
                     # get owners and admins and permissions. We do a trick of re-writing
                     # objects from sqlalchemy to named-tuples due to sqlalchemy session
                     # has a global reference and changing one object propagates to all
                     # others. This means if admin is also an owner admin_row that change
                     # would propagate to both objects
                     perm_rows = []
                     for _usr in q.all():
                         usr = AttributeDict(_usr.user.get_dict())
                         # if this user is also owner/admin, mark as duplicate record
                         if usr.user_id == owner_row[0].user_id or usr.user_id in super_admin_ids:
                             usr.duplicate_perm = True
                         usr.permission = _usr.permission.permission_name
                         perm_rows.append(usr)
                     # filter the perm rows by 'default' first and then sort them by
                     # admin,write,read,none permissions sorted again alphabetically in
                     # each group
                     perm_rows = sorted(perm_rows, key=display_user_sort)
                     user_groups_rows = []
                     if expand_from_user_groups:
                         for ug in self.permission_user_groups(with_members=True):
                             for user_data in ug.members:
                                 user_groups_rows.append(user_data)
                     return super_admin_rows + owner_row + perm_rows + user_groups_rows
                 def permission_user_groups(self, with_members=False):
                     q = UserGroupRepoGroupToPerm.query()\
                         .filter(UserGroupRepoGroupToPerm.group == self)
                     q = q.options(joinedload(UserGroupRepoGroupToPerm.group),
                                   joinedload(UserGroupRepoGroupToPerm.users_group),
                                   joinedload(UserGroupRepoGroupToPerm.permission),)
                     perm_rows = []
                     for _user_group in q.all():
                         entry = AttributeDict(_user_group.users_group.get_dict())
                         entry.permission = _user_group.permission.permission_name
                         if with_members:
                             entry.members = [x.user.get_dict()
                                              for x in _user_group.users_group.members]
                         perm_rows.append(entry)
                     perm_rows = sorted(perm_rows, key=display_user_group_sort)
                     return perm_rows
                 def get_api_data(self):
                     """
                     Common function for generating api data
                     """
                     group = self
                     data = {
                         'group_id': group.group_id,
                         'group_name': group.group_name,
                         'group_description': group.description_safe,
                         'parent_group': group.parent_group.group_name if group.parent_group else None,
                         'repositories': [x.repo_name for x in group.repositories],
                         'owner': group.user.username,
                     }
                     return data
                 def get_dict(self):
                     # Since we transformed `group_name` to a hybrid property, we need to
                     # keep compatibility with the code which uses `group_name` field.
                     result = super(RepoGroup, self).get_dict()
                     result['group_name'] = result.pop('_group_name', None)
                     return result
             class Permission(Base, BaseModel):
                 __tablename__ = 'permissions'
                 __table_args__ = (
                     Index('p_perm_name_idx', 'permission_name'),
                     base_table_args,
                 )
                 PERMS = [
                     ('hg.admin', _('RhodeCode Super Administrator')),
                     ('repository.none', _('Repository no access')),
                     ('repository.read', _('Repository read access')),
                     ('repository.write', _('Repository write access')),
                     ('repository.admin', _('Repository admin access')),
                     ('group.none', _('Repository group no access')),
                     ('group.read', _('Repository group read access')),
                     ('group.write', _('Repository group write access')),
                     ('group.admin', _('Repository group admin access')),
                     ('usergroup.none', _('User group no access')),
                     ('usergroup.read', _('User group read access')),
                     ('usergroup.write', _('User group write access')),
                     ('usergroup.admin', _('User group admin access')),
                     ('branch.none', _('Branch no permissions')),
                     ('branch.merge', _('Branch access by web merge')),
                     ('branch.push', _('Branch access by push')),
                     ('branch.push_force', _('Branch access by push with force')),
                     ('hg.repogroup.create.false', _('Repository Group creation disabled')),
                     ('hg.repogroup.create.true', _('Repository Group creation enabled')),
                     ('hg.usergroup.create.false', _('User Group creation disabled')),
                     ('hg.usergroup.create.true', _('User Group creation enabled')),
                     ('hg.create.none', _('Repository creation disabled')),
                     ('hg.create.repository', _('Repository creation enabled')),
                     ('hg.create.write_on_repogroup.true', _('Repository creation enabled with write permission to a repository group')),
                     ('hg.create.write_on_repogroup.false', _('Repository creation disabled with write permission to a repository group')),
                     ('hg.fork.none', _('Repository forking disabled')),
                     ('hg.fork.repository', _('Repository forking enabled')),
                     ('hg.register.none', _('Registration disabled')),
                     ('hg.register.manual_activate', _('User Registration with manual account activation')),
                     ('hg.register.auto_activate', _('User Registration with automatic account activation')),
                     ('hg.password_reset.enabled', _('Password reset enabled')),
                     ('hg.password_reset.hidden', _('Password reset hidden')),
                     ('hg.password_reset.disabled', _('Password reset disabled')),
                     ('hg.extern_activate.manual', _('Manual activation of external account')),
                     ('hg.extern_activate.auto', _('Automatic activation of external account')),
                     ('hg.inherit_default_perms.false', _('Inherit object permissions from default user disabled')),
                     ('hg.inherit_default_perms.true', _('Inherit object permissions from default user enabled')),
                 ]
                 # definition of system default permissions for DEFAULT user, created on
                 # system setup
                 DEFAULT_USER_PERMISSIONS = [
                     # object perms
                     'repository.read',
                     'group.read',
                     'usergroup.read',
                     # branch, for backward compat we need same value as before so forced pushed
                     'branch.push_force',
                     # global
                     'hg.create.repository',
                     'hg.repogroup.create.false',
                     'hg.usergroup.create.false',
                     'hg.create.write_on_repogroup.true',
                     'hg.fork.repository',
                     'hg.register.manual_activate',
                     'hg.password_reset.enabled',
                     'hg.extern_activate.auto',
                     'hg.inherit_default_perms.true',
                 ]
                 # defines which permissions are more important higher the more important
                 # Weight defines which permissions are more important.
                 # The higher number the more important.
                 PERM_WEIGHTS = {
                     'repository.none': 0,
                     'repository.read': 1,
                     'repository.write': 3,
                     'repository.admin': 4,
                     'group.none': 0,
                     'group.read': 1,
                     'group.write': 3,
                     'group.admin': 4,
                     'usergroup.none': 0,
                     'usergroup.read': 1,
                     'usergroup.write': 3,
                     'usergroup.admin': 4,
                     'branch.none': 0,
                     'branch.merge': 1,
                     'branch.push': 3,
                     'branch.push_force': 4,
                     'hg.repogroup.create.false': 0,
                     'hg.repogroup.create.true': 1,
                     'hg.usergroup.create.false': 0,
                     'hg.usergroup.create.true': 1,
                     'hg.fork.none': 0,
                     'hg.fork.repository': 1,
                     'hg.create.none': 0,
                     'hg.create.repository': 1
                 }
                 permission_id = Column("permission_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 permission_name = Column("permission_name", String(255), nullable=True, unique=None, default=None)
                 permission_longname = Column("permission_longname", String(255), nullable=True, unique=None, default=None)
                 def __unicode__(self):
                     return u"<%s('%s:%s')>" % (
                         self.__class__.__name__, self.permission_id, self.permission_name
                     )
                 @classmethod
                 def get_by_key(cls, key):
                     return cls.query().filter(cls.permission_name == key).scalar()
                 @classmethod
                 def get_default_repo_perms(cls, user_id, repo_id=None):
                     q = Session().query(UserRepoToPerm, Repository, Permission)\
                         .join((Permission, UserRepoToPerm.permission_id == Permission.permission_id))\
                         .join((Repository, UserRepoToPerm.repository_id == Repository.repo_id))\
                         .filter(UserRepoToPerm.user_id == user_id)
                     if repo_id:
                         q = q.filter(UserRepoToPerm.repository_id == repo_id)
                     return q.all()
                 @classmethod
                 def get_default_repo_branch_perms(cls, user_id, repo_id=None):
                     q = Session().query(UserToRepoBranchPermission, UserRepoToPerm, Permission) \
                         .join(
                             Permission,
                             UserToRepoBranchPermission.permission_id == Permission.permission_id) \
                         .join(
                             UserRepoToPerm,
                             UserToRepoBranchPermission.rule_to_perm_id == UserRepoToPerm.repo_to_perm_id) \
                         .filter(UserRepoToPerm.user_id == user_id)
                     if repo_id:
                         q = q.filter(UserToRepoBranchPermission.repository_id == repo_id)
                     return q.order_by(UserToRepoBranchPermission.rule_order).all()
                 @classmethod
                 def get_default_repo_perms_from_user_group(cls, user_id, repo_id=None):
                     q = Session().query(UserGroupRepoToPerm, Repository, Permission)\
                         .join(
                             Permission,
                             UserGroupRepoToPerm.permission_id == Permission.permission_id)\
                         .join(
                             Repository,
                             UserGroupRepoToPerm.repository_id == Repository.repo_id)\
                         .join(
                             UserGroup,
                             UserGroupRepoToPerm.users_group_id ==
                             UserGroup.users_group_id)\
                         .join(
                             UserGroupMember,
                             UserGroupRepoToPerm.users_group_id ==
                             UserGroupMember.users_group_id)\
                         .filter(
                             UserGroupMember.user_id == user_id,
                             UserGroup.users_group_active == true())
                     if repo_id:
                         q = q.filter(UserGroupRepoToPerm.repository_id == repo_id)
                     return q.all()
                 @classmethod
                 def get_default_repo_branch_perms_from_user_group(cls, user_id, repo_id=None):
                     q = Session().query(UserGroupToRepoBranchPermission, UserGroupRepoToPerm, Permission) \
                         .join(
                             Permission,
                             UserGroupToRepoBranchPermission.permission_id == Permission.permission_id) \
                         .join(
                             UserGroupRepoToPerm,
                             UserGroupToRepoBranchPermission.rule_to_perm_id == UserGroupRepoToPerm.users_group_to_perm_id) \
                         .join(
                             UserGroup,
                             UserGroupRepoToPerm.users_group_id == UserGroup.users_group_id) \
                         .join(
                             UserGroupMember,
                             UserGroupRepoToPerm.users_group_id == UserGroupMember.users_group_id) \
                         .filter(
                             UserGroupMember.user_id == user_id,
                             UserGroup.users_group_active == true())
                     if repo_id:
                         q = q.filter(UserGroupToRepoBranchPermission.repository_id == repo_id)
                     return q.order_by(UserGroupToRepoBranchPermission.rule_order).all()
                 @classmethod
                 def get_default_group_perms(cls, user_id, repo_group_id=None):
                     q = Session().query(UserRepoGroupToPerm, RepoGroup, Permission)\
                         .join(
                             Permission,
                             UserRepoGroupToPerm.permission_id == Permission.permission_id)\
                         .join(
                             RepoGroup,
                             UserRepoGroupToPerm.group_id == RepoGroup.group_id)\
                         .filter(UserRepoGroupToPerm.user_id == user_id)
                     if repo_group_id:
                         q = q.filter(UserRepoGroupToPerm.group_id == repo_group_id)
                     return q.all()
                 @classmethod
                 def get_default_group_perms_from_user_group(
                         cls, user_id, repo_group_id=None):
                     q = Session().query(UserGroupRepoGroupToPerm, RepoGroup, Permission)\
                         .join(
                             Permission,
                             UserGroupRepoGroupToPerm.permission_id ==
                             Permission.permission_id)\
                         .join(
                             RepoGroup,
                             UserGroupRepoGroupToPerm.group_id == RepoGroup.group_id)\
                         .join(
                             UserGroup,
                             UserGroupRepoGroupToPerm.users_group_id ==
                             UserGroup.users_group_id)\
                         .join(
                             UserGroupMember,
                             UserGroupRepoGroupToPerm.users_group_id ==
                             UserGroupMember.users_group_id)\
                         .filter(
                             UserGroupMember.user_id == user_id,
                             UserGroup.users_group_active == true())
                     if repo_group_id:
                         q = q.filter(UserGroupRepoGroupToPerm.group_id == repo_group_id)
                     return q.all()
                 @classmethod
                 def get_default_user_group_perms(cls, user_id, user_group_id=None):
                     q = Session().query(UserUserGroupToPerm, UserGroup, Permission)\
                         .join((Permission, UserUserGroupToPerm.permission_id == Permission.permission_id))\
                         .join((UserGroup, UserUserGroupToPerm.user_group_id == UserGroup.users_group_id))\
                         .filter(UserUserGroupToPerm.user_id == user_id)
                     if user_group_id:
                         q = q.filter(UserUserGroupToPerm.user_group_id == user_group_id)
                     return q.all()
                 @classmethod
                 def get_default_user_group_perms_from_user_group(
                         cls, user_id, user_group_id=None):
                     TargetUserGroup = aliased(UserGroup, name='target_user_group')
                     q = Session().query(UserGroupUserGroupToPerm, UserGroup, Permission)\
                         .join(
                             Permission,
                             UserGroupUserGroupToPerm.permission_id ==
                             Permission.permission_id)\
                         .join(
                             TargetUserGroup,
                             UserGroupUserGroupToPerm.target_user_group_id ==
                             TargetUserGroup.users_group_id)\
                         .join(
                             UserGroup,
                             UserGroupUserGroupToPerm.user_group_id ==
                             UserGroup.users_group_id)\
                         .join(
                             UserGroupMember,
                             UserGroupUserGroupToPerm.user_group_id ==
                             UserGroupMember.users_group_id)\
                         .filter(
                             UserGroupMember.user_id == user_id,
                             UserGroup.users_group_active == true())
                     if user_group_id:
                         q = q.filter(
                             UserGroupUserGroupToPerm.user_group_id == user_group_id)
                     return q.all()
             class UserRepoToPerm(Base, BaseModel):
                 __tablename__ = 'repo_to_perm'
                 __table_args__ = (
                     UniqueConstraint('user_id', 'repository_id', 'permission_id'),
                     base_table_args
                 )
                 repo_to_perm_id = Column("repo_to_perm_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=None, default=None)
                 permission_id = Column("permission_id", Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)
                 repository_id = Column("repository_id", Integer(), ForeignKey('repositories.repo_id'), nullable=False, unique=None, default=None)
                 user = relationship('User')
                 repository = relationship('Repository')
                 permission = relationship('Permission')
                 branch_perm_entry = relationship('UserToRepoBranchPermission', cascade="all, delete, delete-orphan", lazy='joined')
                 @classmethod
                 def create(cls, user, repository, permission):
                     n = cls()
                     n.user = user
                     n.repository = repository
                     n.permission = permission
                     Session().add(n)
                     return n
                 def __unicode__(self):
                     return u'<%s => %s >' % (self.user, self.repository)
             class UserUserGroupToPerm(Base, BaseModel):
                 __tablename__ = 'user_user_group_to_perm'
                 __table_args__ = (
                     UniqueConstraint('user_id', 'user_group_id', 'permission_id'),
                     base_table_args
                 )
                 user_user_group_to_perm_id = Column("user_user_group_to_perm_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=None, default=None)
                 permission_id = Column("permission_id", Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)
                 user_group_id = Column("user_group_id", Integer(), ForeignKey('users_groups.users_group_id'), nullable=False, unique=None, default=None)
                 user = relationship('User')
                 user_group = relationship('UserGroup')
                 permission = relationship('Permission')
                 @classmethod
                 def create(cls, user, user_group, permission):
                     n = cls()
                     n.user = user
                     n.user_group = user_group
                     n.permission = permission
                     Session().add(n)
                     return n
                 def __unicode__(self):
                     return u'<%s => %s >' % (self.user, self.user_group)
             class UserToPerm(Base, BaseModel):
                 __tablename__ = 'user_to_perm'
                 __table_args__ = (
                     UniqueConstraint('user_id', 'permission_id'),
                     base_table_args
                 )
                 user_to_perm_id = Column("user_to_perm_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=None, default=None)
                 permission_id = Column("permission_id", Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)
                 user = relationship('User')
                 permission = relationship('Permission', lazy='joined')
                 def __unicode__(self):
                     return u'<%s => %s >' % (self.user, self.permission)
             class UserGroupRepoToPerm(Base, BaseModel):
                 __tablename__ = 'users_group_repo_to_perm'
                 __table_args__ = (
                     UniqueConstraint('repository_id', 'users_group_id', 'permission_id'),
                     base_table_args
                 )
                 users_group_to_perm_id = Column("users_group_to_perm_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 users_group_id = Column("users_group_id", Integer(), ForeignKey('users_groups.users_group_id'), nullable=False, unique=None, default=None)
                 permission_id = Column("permission_id", Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)
                 repository_id = Column("repository_id", Integer(), ForeignKey('repositories.repo_id'), nullable=False, unique=None, default=None)
                 users_group = relationship('UserGroup')
                 permission = relationship('Permission')
                 repository = relationship('Repository')
                 user_group_branch_perms = relationship('UserGroupToRepoBranchPermission', cascade='all')
                 @classmethod
                 def create(cls, users_group, repository, permission):
                     n = cls()
                     n.users_group = users_group
                     n.repository = repository
                     n.permission = permission
                     Session().add(n)
                     return n
                 def __unicode__(self):
                     return u'<UserGroupRepoToPerm:%s => %s >' % (self.users_group, self.repository)
             class UserGroupUserGroupToPerm(Base, BaseModel):
                 __tablename__ = 'user_group_user_group_to_perm'
                 __table_args__ = (
                     UniqueConstraint('target_user_group_id', 'user_group_id', 'permission_id'),
                     CheckConstraint('target_user_group_id != user_group_id'),
                     base_table_args
                 )
                 user_group_user_group_to_perm_id = Column("user_group_user_group_to_perm_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 target_user_group_id = Column("target_user_group_id", Integer(), ForeignKey('users_groups.users_group_id'), nullable=False, unique=None, default=None)
                 permission_id = Column("permission_id", Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)
                 user_group_id = Column("user_group_id", Integer(), ForeignKey('users_groups.users_group_id'), nullable=False, unique=None, default=None)
                 target_user_group = relationship('UserGroup', primaryjoin='UserGroupUserGroupToPerm.target_user_group_id==UserGroup.users_group_id')
                 user_group = relationship('UserGroup', primaryjoin='UserGroupUserGroupToPerm.user_group_id==UserGroup.users_group_id')
                 permission = relationship('Permission')
                 @classmethod
                 def create(cls, target_user_group, user_group, permission):
                     n = cls()
                     n.target_user_group = target_user_group
                     n.user_group = user_group
                     n.permission = permission
                     Session().add(n)
                     return n
                 def __unicode__(self):
                     return u'<UserGroupUserGroup:%s => %s >' % (self.target_user_group, self.user_group)
             class UserGroupToPerm(Base, BaseModel):
                 __tablename__ = 'users_group_to_perm'
                 __table_args__ = (
                     UniqueConstraint('users_group_id', 'permission_id',),
                     base_table_args
                 )
                 users_group_to_perm_id = Column("users_group_to_perm_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 users_group_id = Column("users_group_id", Integer(), ForeignKey('users_groups.users_group_id'), nullable=False, unique=None, default=None)
                 permission_id = Column("permission_id", Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)
                 users_group = relationship('UserGroup')
                 permission = relationship('Permission')
             class UserRepoGroupToPerm(Base, BaseModel):
                 __tablename__ = 'user_repo_group_to_perm'
                 __table_args__ = (
                     UniqueConstraint('user_id', 'group_id', 'permission_id'),
                     base_table_args
                 )
                 group_to_perm_id = Column("group_to_perm_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=None, default=None)
                 group_id = Column("group_id", Integer(), ForeignKey('groups.group_id'), nullable=False, unique=None, default=None)
                 permission_id = Column("permission_id", Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)
                 user = relationship('User')
                 group = relationship('RepoGroup')
                 permission = relationship('Permission')
                 @classmethod
                 def create(cls, user, repository_group, permission):
                     n = cls()
                     n.user = user
                     n.group = repository_group
                     n.permission = permission
                     Session().add(n)
                     return n
             class UserGroupRepoGroupToPerm(Base, BaseModel):
                 __tablename__ = 'users_group_repo_group_to_perm'
                 __table_args__ = (
                     UniqueConstraint('users_group_id', 'group_id'),
                     base_table_args
                 )
                 users_group_repo_group_to_perm_id = Column("users_group_repo_group_to_perm_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 users_group_id = Column("users_group_id", Integer(), ForeignKey('users_groups.users_group_id'), nullable=False, unique=None, default=None)
                 group_id = Column("group_id", Integer(), ForeignKey('groups.group_id'), nullable=False, unique=None, default=None)
                 permission_id = Column("permission_id", Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)
                 users_group = relationship('UserGroup')
                 permission = relationship('Permission')
                 group = relationship('RepoGroup')
                 @classmethod
                 def create(cls, user_group, repository_group, permission):
                     n = cls()
                     n.users_group = user_group
                     n.group = repository_group
                     n.permission = permission
                     Session().add(n)
                     return n
                 def __unicode__(self):
                     return u'<UserGroupRepoGroupToPerm:%s => %s >' % (self.users_group, self.group)
             class Statistics(Base, BaseModel):
                 __tablename__ = 'statistics'
                 __table_args__ = (
                      base_table_args
                 )
                 stat_id = Column("stat_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 repository_id = Column("repository_id", Integer(), ForeignKey('repositories.repo_id'), nullable=False, unique=True, default=None)
                 stat_on_revision = Column("stat_on_revision", Integer(), nullable=False)
                 commit_activity = Column("commit_activity", LargeBinary(1000000), nullable=False)#JSON data
                 commit_activity_combined = Column("commit_activity_combined", LargeBinary(), nullable=False)#JSON data
                 languages = Column("languages", LargeBinary(1000000), nullable=False)#JSON data
                 repository = relationship('Repository', single_parent=True)
             class UserFollowing(Base, BaseModel):
                 __tablename__ = 'user_followings'
                 __table_args__ = (
                     UniqueConstraint('user_id', 'follows_repository_id'),
                     UniqueConstraint('user_id', 'follows_user_id'),
                     base_table_args
                 )
                 user_following_id = Column("user_following_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=None, default=None)
                 follows_repo_id = Column("follows_repository_id", Integer(), ForeignKey('repositories.repo_id'), nullable=True, unique=None, default=None)
                 follows_user_id = Column("follows_user_id", Integer(), ForeignKey('users.user_id'), nullable=True, unique=None, default=None)
                 follows_from = Column('follows_from', DateTime(timezone=False), nullable=True, unique=None, default=datetime.datetime.now)
                 user = relationship('User', primaryjoin='User.user_id==UserFollowing.user_id')
                 follows_user = relationship('User', primaryjoin='User.user_id==UserFollowing.follows_user_id')
                 follows_repository = relationship('Repository', order_by='Repository.repo_name')
                 @classmethod
                 def get_repo_followers(cls, repo_id):
                     return cls.query().filter(cls.follows_repo_id == repo_id)
             class CacheKey(Base, BaseModel):
                 __tablename__ = 'cache_invalidation'
                 __table_args__ = (
                     UniqueConstraint('cache_key'),
                     Index('key_idx', 'cache_key'),
                     base_table_args,
                 )
                 CACHE_TYPE_FEED = 'FEED'
                 CACHE_TYPE_README = 'README'
                 # namespaces used to register process/thread aware caches
                 REPO_INVALIDATION_NAMESPACE = 'repo_cache:{repo_id}'
                 SETTINGS_INVALIDATION_NAMESPACE = 'system_settings'
                 cache_id = Column("cache_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 cache_key = Column("cache_key", String(255), nullable=True, unique=None, default=None)
                 cache_args = Column("cache_args", String(255), nullable=True, unique=None, default=None)
                 cache_state_uid = Column("cache_state_uid", String(255), nullable=True, unique=None, default=None)
                 cache_active = Column("cache_active", Boolean(), nullable=True, unique=None, default=False)
                 def __init__(self, cache_key, cache_args='', cache_state_uid=None):
                     self.cache_key = cache_key
                     self.cache_args = cache_args
                     self.cache_active = False
                     # first key should be same for all entries, since all workers should share it
                     self.cache_state_uid = cache_state_uid or self.generate_new_state_uid(based_on=cache_args)
                 def __unicode__(self):
                     return u"<%s('%s:%s[%s]')>" % (
                         self.__class__.__name__,
                         self.cache_id, self.cache_key, self.cache_active)
                 def _cache_key_partition(self):
                     prefix, repo_name, suffix = self.cache_key.partition(self.cache_args)
                     return prefix, repo_name, suffix
                 def get_prefix(self):
                     """
                     Try to extract prefix from existing cache key. The key could consist
                     of prefix, repo_name, suffix
                     """
                     # this returns prefix, repo_name, suffix
                     return self._cache_key_partition()[0]
                 def get_suffix(self):
                     """
                     get suffix that might have been used in _get_cache_key to
                     generate self.cache_key. Only used for informational purposes
                     in repo_edit.mako.
                     """
                     # prefix, repo_name, suffix
                     return self._cache_key_partition()[2]
                 @classmethod
                 def generate_new_state_uid(cls, based_on=None):
                     if based_on:
                         return str(uuid.uuid5(uuid.NAMESPACE_URL, safe_str(based_on)))
                     else:
                         return str(uuid.uuid4())
                 @classmethod
                 def delete_all_cache(cls):
                     """
                     Delete all cache keys from database.
                     Should only be run when all instances are down and all entries
                     thus stale.
                     """
                     cls.query().delete()
                     Session().commit()
                 @classmethod
                 def set_invalidate(cls, cache_uid, delete=False):
                     """
                     Mark all caches of a repo as invalid in the database.
                     """
                     try:
                         qry = Session().query(cls).filter(cls.cache_args == cache_uid)
                         if delete:
                             qry.delete()
                             log.debug('cache objects deleted for cache args %s',
                                       safe_str(cache_uid))
                         else:
                             qry.update({"cache_active": False,
                                         "cache_state_uid": cls.generate_new_state_uid()})
                             log.debug('cache objects marked as invalid for cache args %s',
                                       safe_str(cache_uid))
                         Session().commit()
                     except Exception:
                         log.exception(
                             'Cache key invalidation failed for cache args %s',
                             safe_str(cache_uid))
                         Session().rollback()
                 @classmethod
                 def get_active_cache(cls, cache_key):
                     inv_obj = cls.query().filter(cls.cache_key == cache_key).scalar()
                     if inv_obj:
                         return inv_obj
                     return None
             class ChangesetComment(Base, BaseModel):
                 __tablename__ = 'changeset_comments'
                 __table_args__ = (
                     Index('cc_revision_idx', 'revision'),
                     base_table_args,
                 )
                 COMMENT_OUTDATED = u'comment_outdated'
                 COMMENT_TYPE_NOTE = u'note'
                 COMMENT_TYPE_TODO = u'todo'
                 COMMENT_TYPES = [COMMENT_TYPE_NOTE, COMMENT_TYPE_TODO]
                 comment_id = Column('comment_id', Integer(), nullable=False, primary_key=True)
                 repo_id = Column('repo_id', Integer(), ForeignKey('repositories.repo_id'), nullable=False)
                 revision = Column('revision', String(40), nullable=True)
                 pull_request_id = Column("pull_request_id", Integer(), ForeignKey('pull_requests.pull_request_id'), nullable=True)
                 pull_request_version_id = Column("pull_request_version_id", Integer(), ForeignKey('pull_request_versions.pull_request_version_id'), nullable=True)
                 line_no = Column('line_no', Unicode(10), nullable=True)
                 hl_lines = Column('hl_lines', Unicode(512), nullable=True)
                 f_path = Column('f_path', Unicode(1000), nullable=True)
                 user_id = Column('user_id', Integer(), ForeignKey('users.user_id'), nullable=False)
                 text = Column('text', UnicodeText().with_variant(UnicodeText(25000), 'mysql'), nullable=False)
                 created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 modified_at = Column('modified_at', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 renderer = Column('renderer', Unicode(64), nullable=True)
                 display_state = Column('display_state',  Unicode(128), nullable=True)
                 comment_type = Column('comment_type',  Unicode(128), nullable=True, default=COMMENT_TYPE_NOTE)
                 resolved_comment_id = Column('resolved_comment_id', Integer(), ForeignKey('changeset_comments.comment_id'), nullable=True)
                 resolved_comment = relationship('ChangesetComment', remote_side=comment_id, back_populates='resolved_by')
                 resolved_by = relationship('ChangesetComment', back_populates='resolved_comment')
                 author = relationship('User', lazy='joined')
                 repo = relationship('Repository')
                 status_change = relationship('ChangesetStatus', cascade="all, delete, delete-orphan", lazy='joined')
                 pull_request = relationship('PullRequest', lazy='joined')
                 pull_request_version = relationship('PullRequestVersion')
                 @classmethod
                 def get_users(cls, revision=None, pull_request_id=None):
                     """
                     Returns user associated with this ChangesetComment. ie those
                     who actually commented
                     :param cls:
                     :param revision:
                     """
                     q = Session().query(User)\
                             .join(ChangesetComment.author)
                     if revision:
                         q = q.filter(cls.revision == revision)
                     elif pull_request_id:
                         q = q.filter(cls.pull_request_id == pull_request_id)
                     return q.all()
                 @classmethod
                 def get_index_from_version(cls, pr_version, versions):
                     num_versions = [x.pull_request_version_id for x in versions]
                     try:
                         return num_versions.index(pr_version) +1
                     except (IndexError, ValueError):
                         return
                 @property
                 def outdated(self):
                     return self.display_state == self.COMMENT_OUTDATED
                 def outdated_at_version(self, version):
                     """
                     Checks if comment is outdated for given pull request version
                     """
                     return self.outdated and self.pull_request_version_id != version
                 def older_than_version(self, version):
                     """
                     Checks if comment is made from previous version than given
                     """
                     if version is None:
                         return self.pull_request_version_id is not None
                     return self.pull_request_version_id < version
                 @property
                 def resolved(self):
                     return self.resolved_by[0] if self.resolved_by else None
                 @property
                 def is_todo(self):
                     return self.comment_type == self.COMMENT_TYPE_TODO
                 @property
                 def is_inline(self):
                     return self.line_no and self.f_path
                 def get_index_version(self, versions):
                     return self.get_index_from_version(
                         self.pull_request_version_id, versions)
                 def __repr__(self):
                     if self.comment_id:
                         return '<DB:Comment #%s>' % self.comment_id
                     else:
                         return '<DB:Comment at %#x>' % id(self)
                 def get_api_data(self):
                     comment = self
                     data = {
                         'comment_id': comment.comment_id,
                         'comment_type': comment.comment_type,
                         'comment_text': comment.text,
                         'comment_status': comment.status_change,
                         'comment_f_path': comment.f_path,
                         'comment_lineno': comment.line_no,
                         'comment_author': comment.author,
                         'comment_created_on': comment.created_on,
                         'comment_resolved_by': self.resolved
                     }
                     return data
                 def __json__(self):
                     data = dict()
                     data.update(self.get_api_data())
                     return data
             class ChangesetStatus(Base, BaseModel):
                 __tablename__ = 'changeset_statuses'
                 __table_args__ = (
                     Index('cs_revision_idx', 'revision'),
                     Index('cs_version_idx', 'version'),
                     UniqueConstraint('repo_id', 'revision', 'version'),
                     base_table_args
                 )
                 STATUS_NOT_REVIEWED = DEFAULT = 'not_reviewed'
                 STATUS_APPROVED = 'approved'
                 STATUS_REJECTED = 'rejected'
                 STATUS_UNDER_REVIEW = 'under_review'
                 STATUSES = [
                     (STATUS_NOT_REVIEWED, _("Not Reviewed")),  # (no icon) and default
                     (STATUS_APPROVED, _("Approved")),
                     (STATUS_REJECTED, _("Rejected")),
                     (STATUS_UNDER_REVIEW, _("Under Review")),
                 ]
                 changeset_status_id = Column('changeset_status_id', Integer(), nullable=False, primary_key=True)
                 repo_id = Column('repo_id', Integer(), ForeignKey('repositories.repo_id'), nullable=False)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=None)
                 revision = Column('revision', String(40), nullable=False)
                 status = Column('status', String(128), nullable=False, default=DEFAULT)
                 changeset_comment_id = Column('changeset_comment_id', Integer(), ForeignKey('changeset_comments.comment_id'))
                 modified_at = Column('modified_at', DateTime(), nullable=False, default=datetime.datetime.now)
                 version = Column('version', Integer(), nullable=False, default=0)
                 pull_request_id = Column("pull_request_id", Integer(), ForeignKey('pull_requests.pull_request_id'), nullable=True)
                 author = relationship('User', lazy='joined')
                 repo = relationship('Repository')
                 comment = relationship('ChangesetComment', lazy='joined')
                 pull_request = relationship('PullRequest', lazy='joined')
                 def __unicode__(self):
                     return u"<%s('%s[v%s]:%s')>" % (
                         self.__class__.__name__,
                         self.status, self.version, self.author
                     )
                 @classmethod
                 def get_status_lbl(cls, value):
                     return dict(cls.STATUSES).get(value)
                 @property
                 def status_lbl(self):
                     return ChangesetStatus.get_status_lbl(self.status)
                 def get_api_data(self):
                     status = self
                     data = {
                         'status_id': status.changeset_status_id,
                         'status': status.status,
                     }
                     return data
                 def __json__(self):
                     data = dict()
                     data.update(self.get_api_data())
                     return data
             class _SetState(object):
                 """
                 Context processor allowing changing state for sensitive operation such as
                 pull request update or merge
                 """
                 def __init__(self, pull_request, pr_state, back_state=None):
                     self._pr = pull_request
                     self._org_state = back_state or pull_request.pull_request_state
                     self._pr_state = pr_state
                 def __enter__(self):
                     log.debug('StateLock: entering set state context, setting state to: `%s`',
                               self._pr_state)
                     self._pr.pull_request_state = self._pr_state
                     Session().add(self._pr)
                     Session().commit()
                 def __exit__(self, exc_type, exc_val, exc_tb):
                     log.debug('StateLock: exiting set state context, setting state to: `%s`',
                               self._org_state)
                     self._pr.pull_request_state = self._org_state
                     Session().add(self._pr)
                     Session().commit()
             class _PullRequestBase(BaseModel):
                 """
                 Common attributes of pull request and version entries.
                 """
                 # .status values
                 STATUS_NEW = u'new'
                 STATUS_OPEN = u'open'
                 STATUS_CLOSED = u'closed'
                 # available states
                 STATE_CREATING = u'creating'
                 STATE_UPDATING = u'updating'
                 STATE_MERGING = u'merging'
                 STATE_CREATED = u'created'
                 title = Column('title', Unicode(255), nullable=True)
                 description = Column(
                     'description', UnicodeText().with_variant(UnicodeText(10240), 'mysql'),
                     nullable=True)
                 description_renderer = Column('description_renderer', Unicode(64), nullable=True)
                 # new/open/closed status of pull request (not approve/reject/etc)
                 status = Column('status', Unicode(255), nullable=False, default=STATUS_NEW)
                 created_on = Column(
                     'created_on', DateTime(timezone=False), nullable=False,
                     default=datetime.datetime.now)
                 updated_on = Column(
                     'updated_on', DateTime(timezone=False), nullable=False,
                     default=datetime.datetime.now)
                 pull_request_state = Column("pull_request_state", String(255), nullable=True)
                 @declared_attr
                 def user_id(cls):
                     return Column(
                         "user_id", Integer(), ForeignKey('users.user_id'), nullable=False,
                         unique=None)
                 # 500 revisions max
                 _revisions = Column(
                     'revisions', UnicodeText().with_variant(UnicodeText(20500), 'mysql'))
                 @declared_attr
                 def source_repo_id(cls):
                     # TODO: dan: rename column to source_repo_id
                     return Column(
                         'org_repo_id', Integer(), ForeignKey('repositories.repo_id'),
                         nullable=False)
                 _source_ref = Column('org_ref', Unicode(255), nullable=False)
                 @hybrid_property
                 def source_ref(self):
                     return self._source_ref
                 @source_ref.setter
                 def source_ref(self, val):
                     parts = (val or '').split(':')
                     if len(parts) != 3:
                         raise ValueError(
                             'Invalid reference format given: {}, expected X:Y:Z'.format(val))
                     self._source_ref = safe_unicode(val)
                 _target_ref = Column('other_ref', Unicode(255), nullable=False)
                 @hybrid_property
                 def target_ref(self):
                     return self._target_ref
                 @target_ref.setter
                 def target_ref(self, val):
                     parts = (val or '').split(':')
                     if len(parts) != 3:
                         raise ValueError(
                             'Invalid reference format given: {}, expected X:Y:Z'.format(val))
                     self._target_ref = safe_unicode(val)
                 @declared_attr
                 def target_repo_id(cls):
                     # TODO: dan: rename column to target_repo_id
                     return Column(
                         'other_repo_id', Integer(), ForeignKey('repositories.repo_id'),
                         nullable=False)
                 _shadow_merge_ref = Column('shadow_merge_ref', Unicode(255), nullable=True)
                 # TODO: dan: rename column to last_merge_source_rev
                 _last_merge_source_rev = Column(
                     'last_merge_org_rev', String(40), nullable=True)
                 # TODO: dan: rename column to last_merge_target_rev
                 _last_merge_target_rev = Column(
                     'last_merge_other_rev', String(40), nullable=True)
                 _last_merge_status = Column('merge_status', Integer(), nullable=True)
                 merge_rev = Column('merge_rev', String(40), nullable=True)
                 reviewer_data = Column(
                     'reviewer_data_json', MutationObj.as_mutable(
                         JsonType(dialect_map=dict(mysql=UnicodeText(16384)))))
                 @property
                 def reviewer_data_json(self):
                     return json.dumps(self.reviewer_data)
                 @hybrid_property
                 def description_safe(self):
                     from rhodecode.lib import helpers as h
                     return h.escape(self.description)
                 @hybrid_property
                 def revisions(self):
                     return self._revisions.split(':') if self._revisions else []
                 @revisions.setter
                 def revisions(self, val):
                     self._revisions = ':'.join(val)
                 @hybrid_property
                 def last_merge_status(self):
                     return safe_int(self._last_merge_status)
                 @last_merge_status.setter
                 def last_merge_status(self, val):
                     self._last_merge_status = val
                 @declared_attr
                 def author(cls):
                     return relationship('User', lazy='joined')
                 @declared_attr
                 def source_repo(cls):
                     return relationship(
                         'Repository',
                         primaryjoin='%s.source_repo_id==Repository.repo_id' % cls.__name__)
                 @property
                 def source_ref_parts(self):
                     return self.unicode_to_reference(self.source_ref)
                 @declared_attr
                 def target_repo(cls):
                     return relationship(
                         'Repository',
                         primaryjoin='%s.target_repo_id==Repository.repo_id' % cls.__name__)
                 @property
                 def target_ref_parts(self):
                     return self.unicode_to_reference(self.target_ref)
                 @property
                 def shadow_merge_ref(self):
                     return self.unicode_to_reference(self._shadow_merge_ref)
                 @shadow_merge_ref.setter
                 def shadow_merge_ref(self, ref):
                     self._shadow_merge_ref = self.reference_to_unicode(ref)
                 @staticmethod
                 def unicode_to_reference(raw):
                     """
                     Convert a unicode (or string) to a reference object.
                     If unicode evaluates to False it returns None.
                     """
                     if raw:
                         refs = raw.split(':')
                         return Reference(*refs)
                     else:
                         return None
                 @staticmethod
                 def reference_to_unicode(ref):
                     """
                     Convert a reference object to unicode.
                     If reference is None it returns None.
                     """
                     if ref:
                         return u':'.join(ref)
                     else:
                         return None
                 def get_api_data(self, with_merge_state=True):
                     from rhodecode.model.pull_request import PullRequestModel
                     pull_request = self
                     if with_merge_state:
                         merge_status = PullRequestModel().merge_status(pull_request)
                         merge_state = {
                             'status': merge_status[0],
                             'message': safe_unicode(merge_status[1]),
                         }
                     else:
                         merge_state = {'status': 'not_available',
                                        'message': 'not_available'}
                     merge_data = {
                         'clone_url': PullRequestModel().get_shadow_clone_url(pull_request),
                         'reference': (
                             pull_request.shadow_merge_ref._asdict()
                             if pull_request.shadow_merge_ref else None),
                     }
                     data = {
                         'pull_request_id': pull_request.pull_request_id,
                         'url': PullRequestModel().get_url(pull_request),
                         'title': pull_request.title,
                         'description': pull_request.description,
                         'status': pull_request.status,
                         'state': pull_request.pull_request_state,
                         'created_on': pull_request.created_on,
                         'updated_on': pull_request.updated_on,
                         'commit_ids': pull_request.revisions,
                         'review_status': pull_request.calculated_review_status(),
                         'mergeable': merge_state,
                         'source': {
                             'clone_url': pull_request.source_repo.clone_url(),
                             'repository': pull_request.source_repo.repo_name,
                             'reference': {
                                 'name': pull_request.source_ref_parts.name,
                                 'type': pull_request.source_ref_parts.type,
                                 'commit_id': pull_request.source_ref_parts.commit_id,
                             },
                         },
                         'target': {
                             'clone_url': pull_request.target_repo.clone_url(),
                             'repository': pull_request.target_repo.repo_name,
                             'reference': {
                                 'name': pull_request.target_ref_parts.name,
                                 'type': pull_request.target_ref_parts.type,
                                 'commit_id': pull_request.target_ref_parts.commit_id,
                             },
                         },
                         'merge': merge_data,
                         'author': pull_request.author.get_api_data(include_secrets=False,
                                                                    details='basic'),
                         'reviewers': [
                             {
                                 'user': reviewer.get_api_data(include_secrets=False,
                                                               details='basic'),
                                 'reasons': reasons,
                                 'review_status': st[0][1].status if st else 'not_reviewed',
                             }
                             for obj, reviewer, reasons, mandatory, st in
                             pull_request.reviewers_statuses()
                         ]
                     }
                     return data
                 def set_state(self, pull_request_state, final_state=None):
                     """
                     # goes from initial state to updating to initial state.
                     # initial state can be changed by specifying back_state=
                     with pull_request_obj.set_state(PullRequest.STATE_UPDATING):
                        pull_request.merge()
                     :param pull_request_state:
                     :param final_state:
                     """
                     return _SetState(self, pull_request_state, back_state=final_state)
             class PullRequest(Base, _PullRequestBase):
                 __tablename__ = 'pull_requests'
                 __table_args__ = (
                     base_table_args,
                 )
                 pull_request_id = Column(
                     'pull_request_id', Integer(), nullable=False, primary_key=True)
                 def __repr__(self):
                     if self.pull_request_id:
                         return '<DB:PullRequest #%s>' % self.pull_request_id
                     else:
                         return '<DB:PullRequest at %#x>' % id(self)
                 reviewers = relationship('PullRequestReviewers',
                                          cascade="all, delete, delete-orphan")
                 statuses = relationship('ChangesetStatus',
                                         cascade="all, delete, delete-orphan")
                 comments = relationship('ChangesetComment',
                                         cascade="all, delete, delete-orphan")
                 versions = relationship('PullRequestVersion',
                                         cascade="all, delete, delete-orphan",
                                         lazy='dynamic')
                 @classmethod
                 def get_pr_display_object(cls, pull_request_obj, org_pull_request_obj,
                                           internal_methods=None):
                     class PullRequestDisplay(object):
                         """
                         Special object wrapper for showing PullRequest data via Versions
                         It mimics PR object as close as possible. This is read only object
                         just for display
                         """
                         def __init__(self, attrs, internal=None):
                             self.attrs = attrs
                             # internal have priority over the given ones via attrs
                             self.internal = internal or ['versions']
                         def __getattr__(self, item):
                             if item in self.internal:
                                 return getattr(self, item)
                             try:
                                 return self.attrs[item]
                             except KeyError:
                                 raise AttributeError(
                                     '%s object has no attribute %s' % (self, item))
                         def __repr__(self):
                             return '<DB:PullRequestDisplay #%s>' % self.attrs.get('pull_request_id')
                         def versions(self):
                             return pull_request_obj.versions.order_by(
                                 PullRequestVersion.pull_request_version_id).all()
                         def is_closed(self):
                             return pull_request_obj.is_closed()
                         @property
                         def pull_request_version_id(self):
                             return getattr(pull_request_obj, 'pull_request_version_id', None)
                     attrs = StrictAttributeDict(pull_request_obj.get_api_data(with_merge_state=False))
                     attrs.author = StrictAttributeDict(
                         pull_request_obj.author.get_api_data())
                     if pull_request_obj.target_repo:
                         attrs.target_repo = StrictAttributeDict(
                             pull_request_obj.target_repo.get_api_data())
                         attrs.target_repo.clone_url = pull_request_obj.target_repo.clone_url
                     if pull_request_obj.source_repo:
                         attrs.source_repo = StrictAttributeDict(
                             pull_request_obj.source_repo.get_api_data())
                         attrs.source_repo.clone_url = pull_request_obj.source_repo.clone_url
                     attrs.source_ref_parts = pull_request_obj.source_ref_parts
                     attrs.target_ref_parts = pull_request_obj.target_ref_parts
                     attrs.revisions = pull_request_obj.revisions
                     attrs.shadow_merge_ref = org_pull_request_obj.shadow_merge_ref
                     attrs.reviewer_data = org_pull_request_obj.reviewer_data
                     attrs.reviewer_data_json = org_pull_request_obj.reviewer_data_json
                     return PullRequestDisplay(attrs, internal=internal_methods)
                 def is_closed(self):
                     return self.status == self.STATUS_CLOSED
                 def __json__(self):
                     return {
                         'revisions': self.revisions,
                     }
                 def calculated_review_status(self):
                     from rhodecode.model.changeset_status import ChangesetStatusModel
                     return ChangesetStatusModel().calculated_review_status(self)
                 def reviewers_statuses(self):
                     from rhodecode.model.changeset_status import ChangesetStatusModel
                     return ChangesetStatusModel().reviewers_statuses(self)
                 @property
                 def workspace_id(self):
                     from rhodecode.model.pull_request import PullRequestModel
                     return PullRequestModel()._workspace_id(self)
                 def get_shadow_repo(self):
                     workspace_id = self.workspace_id
                     vcs_obj = self.target_repo.scm_instance()
                     shadow_repository_path = vcs_obj._get_shadow_repository_path(
                         self.target_repo.repo_id, workspace_id)
                     if os.path.isdir(shadow_repository_path):
                         return vcs_obj.get_shadow_instance(shadow_repository_path)
             class PullRequestVersion(Base, _PullRequestBase):
                 __tablename__ = 'pull_request_versions'
                 __table_args__ = (
                     base_table_args,
                 )
                 pull_request_version_id = Column(
                     'pull_request_version_id', Integer(), nullable=False, primary_key=True)
                 pull_request_id = Column(
                     'pull_request_id', Integer(),
                     ForeignKey('pull_requests.pull_request_id'), nullable=False)
                 pull_request = relationship('PullRequest')
                 def __repr__(self):
                     if self.pull_request_version_id:
                         return '<DB:PullRequestVersion #%s>' % self.pull_request_version_id
                     else:
                         return '<DB:PullRequestVersion at %#x>' % id(self)
                 @property
                 def reviewers(self):
                     return self.pull_request.reviewers
                 @property
                 def versions(self):
                     return self.pull_request.versions
                 def is_closed(self):
                     # calculate from original
                     return self.pull_request.status == self.STATUS_CLOSED
                 def calculated_review_status(self):
                     return self.pull_request.calculated_review_status()
                 def reviewers_statuses(self):
                     return self.pull_request.reviewers_statuses()
             class PullRequestReviewers(Base, BaseModel):
                 __tablename__ = 'pull_request_reviewers'
                 __table_args__ = (
                     base_table_args,
                 )
                 @hybrid_property
                 def reasons(self):
                     if not self._reasons:
                         return []
                     return self._reasons
                 @reasons.setter
                 def reasons(self, val):
                     val = val or []
                     if any(not isinstance(x, compat.string_types) for x in val):
                         raise Exception('invalid reasons type, must be list of strings')
                     self._reasons = val
                 pull_requests_reviewers_id = Column(
                     'pull_requests_reviewers_id', Integer(), nullable=False,
                     primary_key=True)
                 pull_request_id = Column(
                     "pull_request_id", Integer(),
                     ForeignKey('pull_requests.pull_request_id'), nullable=False)
                 user_id = Column(
                     "user_id", Integer(), ForeignKey('users.user_id'), nullable=True)
                 _reasons = Column(
                     'reason', MutationList.as_mutable(
                         JsonType('list', dialect_map=dict(mysql=UnicodeText(16384)))))
                 mandatory = Column("mandatory", Boolean(), nullable=False, default=False)
                 user = relationship('User')
                 pull_request = relationship('PullRequest')
                 rule_data = Column(
                     'rule_data_json',
                     JsonType(dialect_map=dict(mysql=UnicodeText(16384))))
                 def rule_user_group_data(self):
                     """
                     Returns the voting user group rule data for this reviewer
                     """
                     if self.rule_data and 'vote_rule' in self.rule_data:
                         user_group_data = {}
                         if 'rule_user_group_entry_id' in self.rule_data:
                             # means a group with voting rules !
                             user_group_data['id'] = self.rule_data['rule_user_group_entry_id']
                             user_group_data['name'] = self.rule_data['rule_name']
                             user_group_data['vote_rule'] = self.rule_data['vote_rule']
                         return user_group_data
                 def __unicode__(self):
                     return u"<%s('id:%s')>" % (self.__class__.__name__,
                                                self.pull_requests_reviewers_id)
             class Notification(Base, BaseModel):
                 __tablename__ = 'notifications'
                 __table_args__ = (
                     Index('notification_type_idx', 'type'),
                     base_table_args,
                 )
                 TYPE_CHANGESET_COMMENT = u'cs_comment'
                 TYPE_MESSAGE = u'message'
                 TYPE_MENTION = u'mention'
                 TYPE_REGISTRATION = u'registration'
                 TYPE_PULL_REQUEST = u'pull_request'
                 TYPE_PULL_REQUEST_COMMENT = u'pull_request_comment'
                 notification_id = Column('notification_id', Integer(), nullable=False, primary_key=True)
                 subject = Column('subject', Unicode(512), nullable=True)
                 body = Column('body', UnicodeText().with_variant(UnicodeText(50000), 'mysql'), nullable=True)
                 created_by = Column("created_by", Integer(), ForeignKey('users.user_id'), nullable=True)
                 created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 type_ = Column('type', Unicode(255))
                 created_by_user = relationship('User')
                 notifications_to_users = relationship('UserNotification', lazy='joined',
                                                       cascade="all, delete, delete-orphan")
                 @property
                 def recipients(self):
                     return [x.user for x in UserNotification.query()\
                             .filter(UserNotification.notification == self)\
                             .order_by(UserNotification.user_id.asc()).all()]
                 @classmethod
                 def create(cls, created_by, subject, body, recipients, type_=None):
                     if type_ is None:
                         type_ = Notification.TYPE_MESSAGE
                     notification = cls()
                     notification.created_by_user = created_by
                     notification.subject = subject
                     notification.body = body
                     notification.type_ = type_
                     notification.created_on = datetime.datetime.now()
                     # For each recipient link the created notification to his account
                     for u in recipients:
                         assoc = UserNotification()
                         assoc.user_id = u.user_id
                         assoc.notification = notification
                         # if created_by is inside recipients mark his notification
                         # as read
                         if u.user_id == created_by.user_id:
                             assoc.read = True
                         Session().add(assoc)
                     Session().add(notification)
                     return notification
             class UserNotification(Base, BaseModel):
                 __tablename__ = 'user_to_notification'
                 __table_args__ = (
                     UniqueConstraint('user_id', 'notification_id'),
                     base_table_args
                 )
                 user_id = Column('user_id', Integer(), ForeignKey('users.user_id'), primary_key=True)
                 notification_id = Column("notification_id", Integer(), ForeignKey('notifications.notification_id'), primary_key=True)
                 read = Column('read', Boolean, default=False)
                 sent_on = Column('sent_on', DateTime(timezone=False), nullable=True, unique=None)
                 user = relationship('User', lazy="joined")
                 notification = relationship('Notification', lazy="joined",
                                             order_by=lambda: Notification.created_on.desc(),)
                 def mark_as_read(self):
                     self.read = True
                     Session().add(self)
             class Gist(Base, BaseModel):
                 __tablename__ = 'gists'
                 __table_args__ = (
                     Index('g_gist_access_id_idx', 'gist_access_id'),
                     Index('g_created_on_idx', 'created_on'),
                     base_table_args
                 )
                 GIST_PUBLIC = u'public'
                 GIST_PRIVATE = u'private'
                 DEFAULT_FILENAME = u'gistfile1.txt'
                 ACL_LEVEL_PUBLIC = u'acl_public'
                 ACL_LEVEL_PRIVATE = u'acl_private'
                 gist_id = Column('gist_id', Integer(), primary_key=True)
                 gist_access_id = Column('gist_access_id', Unicode(250))
                 gist_description = Column('gist_description', UnicodeText().with_variant(UnicodeText(1024), 'mysql'))
                 gist_owner = Column('user_id', Integer(), ForeignKey('users.user_id'), nullable=True)
                 gist_expires = Column('gist_expires', Float(53), nullable=False)
                 gist_type = Column('gist_type', Unicode(128), nullable=False)
                 created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 modified_at = Column('modified_at', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 acl_level = Column('acl_level', Unicode(128), nullable=True)
                 owner = relationship('User')
                 def __repr__(self):
                     return '<Gist:[%s]%s>' % (self.gist_type, self.gist_access_id)
                 @hybrid_property
                 def description_safe(self):
                     from rhodecode.lib import helpers as h
                     return h.escape(self.gist_description)
                 @classmethod
                 def get_or_404(cls, id_):
                     from pyramid.httpexceptions import HTTPNotFound
                     res = cls.query().filter(cls.gist_access_id == id_).scalar()
                     if not res:
                         raise HTTPNotFound()
                     return res
                 @classmethod
                 def get_by_access_id(cls, gist_access_id):
                     return cls.query().filter(cls.gist_access_id == gist_access_id).scalar()
                 def gist_url(self):
                     from rhodecode.model.gist import GistModel
                     return GistModel().get_url(self)
                 @classmethod
                 def base_path(cls):
                     """
                     Returns base path when all gists are stored
                     :param cls:
                     """
                     from rhodecode.model.gist import GIST_STORE_LOC
                     q = Session().query(RhodeCodeUi)\
                         .filter(RhodeCodeUi.ui_key == URL_SEP)
                     q = q.options(FromCache("sql_cache_short", "repository_repo_path"))
                     return os.path.join(q.one().ui_value, GIST_STORE_LOC)
                 def get_api_data(self):
                     """
                     Common function for generating gist related data for API
                     """
                     gist = self
                     data = {
                         'gist_id': gist.gist_id,
                         'type': gist.gist_type,
                         'access_id': gist.gist_access_id,
                         'description': gist.gist_description,
                         'url': gist.gist_url(),
                         'expires': gist.gist_expires,
                         'created_on': gist.created_on,
                         'modified_at': gist.modified_at,
                         'content': None,
                         'acl_level': gist.acl_level,
                     }
                     return data
                 def __json__(self):
                     data = dict(
                     )
                     data.update(self.get_api_data())
                     return data
                 # SCM functions
                 def scm_instance(self, **kwargs):
                     """
                     Get an instance of VCS Repository
                     :param kwargs:
                     """
                     from rhodecode.model.gist import GistModel
                     full_repo_path = os.path.join(self.base_path(), self.gist_access_id)
                     return get_vcs_instance(
                         repo_path=safe_str(full_repo_path), create=False,
                         _vcs_alias=GistModel.vcs_backend)
             class ExternalIdentity(Base, BaseModel):
                 __tablename__ = 'external_identities'
                 __table_args__ = (
                     Index('local_user_id_idx', 'local_user_id'),
                     Index('external_id_idx', 'external_id'),
                     base_table_args
                 )
                 external_id = Column('external_id', Unicode(255), default=u'', primary_key=True)
                 external_username = Column('external_username', Unicode(1024), default=u'')
                 local_user_id = Column('local_user_id', Integer(), ForeignKey('users.user_id'), primary_key=True)
                 provider_name = Column('provider_name', Unicode(255), default=u'', primary_key=True)
                 access_token = Column('access_token', String(1024), default=u'')
                 alt_token = Column('alt_token', String(1024), default=u'')
                 token_secret = Column('token_secret', String(1024), default=u'')
                 @classmethod
                 def by_external_id_and_provider(cls, external_id, provider_name, local_user_id=None):
                     """
                     Returns ExternalIdentity instance based on search params
                     :param external_id:
                     :param provider_name:
                     :return: ExternalIdentity
                     """
                     query = cls.query()
                     query = query.filter(cls.external_id == external_id)
                     query = query.filter(cls.provider_name == provider_name)
                     if local_user_id:
                         query = query.filter(cls.local_user_id == local_user_id)
                     return query.first()
                 @classmethod
                 def user_by_external_id_and_provider(cls, external_id, provider_name):
                     """
                     Returns User instance based on search params
                     :param external_id:
                     :param provider_name:
                     :return: User
                     """
                     query = User.query()
                     query = query.filter(cls.external_id == external_id)
                     query = query.filter(cls.provider_name == provider_name)
                     query = query.filter(User.user_id == cls.local_user_id)
                     return query.first()
                 @classmethod
                 def by_local_user_id(cls, local_user_id):
                     """
                     Returns all tokens for user
                     :param local_user_id:
                     :return: ExternalIdentity
                     """
                     query = cls.query()
                     query = query.filter(cls.local_user_id == local_user_id)
                     return query
                 @classmethod
                 def load_provider_plugin(cls, plugin_id):
                     from rhodecode.authentication.base import loadplugin
                     _plugin_id = 'egg:rhodecode-enterprise-ee#{}'.format(plugin_id)
                     auth_plugin = loadplugin(_plugin_id)
                     return auth_plugin
             class Integration(Base, BaseModel):
                 __tablename__ = 'integrations'
                 __table_args__ = (
                     base_table_args
                 )
                 integration_id = Column('integration_id', Integer(), primary_key=True)
                 integration_type = Column('integration_type', String(255))
                 enabled = Column('enabled', Boolean(), nullable=False)
                 name = Column('name', String(255), nullable=False)
                 child_repos_only = Column('child_repos_only', Boolean(), nullable=False,
                     default=False)
                 settings = Column(
                     'settings_json', MutationObj.as_mutable(
                         JsonType(dialect_map=dict(mysql=UnicodeText(16384)))))
                 repo_id = Column(
                     'repo_id', Integer(), ForeignKey('repositories.repo_id'),
                     nullable=True, unique=None, default=None)
                 repo = relationship('Repository', lazy='joined')
                 repo_group_id = Column(
                     'repo_group_id', Integer(), ForeignKey('groups.group_id'),
                     nullable=True, unique=None, default=None)
                 repo_group = relationship('RepoGroup', lazy='joined')
                 @property
                 def scope(self):
                     if self.repo:
                         return repr(self.repo)
                     if self.repo_group:
                         if self.child_repos_only:
                             return repr(self.repo_group) + ' (child repos only)'
                         else:
                             return repr(self.repo_group) + ' (recursive)'
                     if self.child_repos_only:
                         return 'root_repos'
                     return 'global'
                 def __repr__(self):
                     return '<Integration(%r, %r)>' % (self.integration_type, self.scope)
             class RepoReviewRuleUser(Base, BaseModel):
                 __tablename__ = 'repo_review_rules_users'
                 __table_args__ = (
                     base_table_args
                 )
                 repo_review_rule_user_id = Column('repo_review_rule_user_id', Integer(), primary_key=True)
                 repo_review_rule_id = Column("repo_review_rule_id", Integer(), ForeignKey('repo_review_rules.repo_review_rule_id'))
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False)
                 mandatory = Column("mandatory", Boolean(), nullable=False, default=False)
                 user = relationship('User')
                 def rule_data(self):
                     return {
                         'mandatory': self.mandatory
                     }
             class RepoReviewRuleUserGroup(Base, BaseModel):
                 __tablename__ = 'repo_review_rules_users_groups'
                 __table_args__ = (
                     base_table_args
                 )
                 VOTE_RULE_ALL = -1
                 repo_review_rule_users_group_id = Column('repo_review_rule_users_group_id', Integer(), primary_key=True)
                 repo_review_rule_id = Column("repo_review_rule_id", Integer(), ForeignKey('repo_review_rules.repo_review_rule_id'))
                 users_group_id = Column("users_group_id", Integer(),ForeignKey('users_groups.users_group_id'), nullable=False)
                 mandatory = Column("mandatory", Boolean(), nullable=False, default=False)
                 vote_rule = Column("vote_rule", Integer(), nullable=True, default=VOTE_RULE_ALL)
                 users_group = relationship('UserGroup')
                 def rule_data(self):
                     return {
                         'mandatory': self.mandatory,
                         'vote_rule': self.vote_rule
                     }
                 @property
                 def vote_rule_label(self):
                     if not self.vote_rule or self.vote_rule == self.VOTE_RULE_ALL:
                         return 'all must vote'
                     else:
                         return 'min. vote {}'.format(self.vote_rule)
             class RepoReviewRule(Base, BaseModel):
                 __tablename__ = 'repo_review_rules'
                 __table_args__ = (
                     base_table_args
                 )
                 repo_review_rule_id = Column(
                     'repo_review_rule_id', Integer(), primary_key=True)
                 repo_id = Column(
                     "repo_id", Integer(), ForeignKey('repositories.repo_id'))
                 repo = relationship('Repository', backref='review_rules')
                 review_rule_name = Column('review_rule_name', String(255))
                 _branch_pattern = Column("branch_pattern", UnicodeText().with_variant(UnicodeText(255), 'mysql'), default=u'*')  # glob
                 _target_branch_pattern = Column("target_branch_pattern", UnicodeText().with_variant(UnicodeText(255), 'mysql'), default=u'*')  # glob
                 _file_pattern = Column("file_pattern", UnicodeText().with_variant(UnicodeText(255), 'mysql'), default=u'*')  # glob
                 use_authors_for_review = Column("use_authors_for_review", Boolean(), nullable=False, default=False)
                 forbid_author_to_review = Column("forbid_author_to_review", Boolean(), nullable=False, default=False)
                 forbid_commit_author_to_review = Column("forbid_commit_author_to_review", Boolean(), nullable=False, default=False)
                 forbid_adding_reviewers = Column("forbid_adding_reviewers", Boolean(), nullable=False, default=False)
                 rule_users = relationship('RepoReviewRuleUser')
                 rule_user_groups = relationship('RepoReviewRuleUserGroup')
                 def _validate_pattern(self, value):
                     re.compile('^' + glob2re(value) + '$')
                 @hybrid_property
                 def source_branch_pattern(self):
                     return self._branch_pattern or '*'
                 @source_branch_pattern.setter
                 def source_branch_pattern(self, value):
                     self._validate_pattern(value)
                     self._branch_pattern = value or '*'
                 @hybrid_property
                 def target_branch_pattern(self):
                     return self._target_branch_pattern or '*'
                 @target_branch_pattern.setter
                 def target_branch_pattern(self, value):
                     self._validate_pattern(value)
                     self._target_branch_pattern = value or '*'
                 @hybrid_property
                 def file_pattern(self):
                     return self._file_pattern or '*'
                 @file_pattern.setter
                 def file_pattern(self, value):
                     self._validate_pattern(value)
                     self._file_pattern = value or '*'
                 def matches(self, source_branch, target_branch, files_changed):
                     """
                     Check if this review rule matches a branch/files in a pull request
                     :param source_branch: source branch name for the commit
                     :param target_branch: target branch name for the commit
                     :param files_changed: list of file paths changed in the pull request
                     """
                     source_branch = source_branch or ''
                     target_branch = target_branch or ''
                     files_changed = files_changed or []
                     branch_matches = True
                     if source_branch or target_branch:
                         if self.source_branch_pattern == '*':
                             source_branch_match = True
                         else:
                             if self.source_branch_pattern.startswith('re:'):
                                 source_pattern = self.source_branch_pattern[3:]
                             else:
                                 source_pattern = '^' + glob2re(self.source_branch_pattern) + '$'
                             source_branch_regex = re.compile(source_pattern)
                             source_branch_match = bool(source_branch_regex.search(source_branch))
                         if self.target_branch_pattern == '*':
                             target_branch_match = True
                         else:
                             if self.target_branch_pattern.startswith('re:'):
                                 target_pattern = self.target_branch_pattern[3:]
                             else:
                                 target_pattern = '^' + glob2re(self.target_branch_pattern) + '$'
                             target_branch_regex = re.compile(target_pattern)
                             target_branch_match = bool(target_branch_regex.search(target_branch))
                         branch_matches = source_branch_match and target_branch_match
                     files_matches = True
                     if self.file_pattern != '*':
                         files_matches = False
                         if self.file_pattern.startswith('re:'):
                             file_pattern = self.file_pattern[3:]
                         else:
                             file_pattern = glob2re(self.file_pattern)
                         file_regex = re.compile(file_pattern)
                         for filename in files_changed:
                             if file_regex.search(filename):
                                 files_matches = True
                                 break
                     return branch_matches and files_matches
                 @property
                 def review_users(self):
                     """ Returns the users which this rule applies to """
                     users = collections.OrderedDict()
                     for rule_user in self.rule_users:
                         if rule_user.user.active:
                             if rule_user.user not in users:
                                 users[rule_user.user.username] = {
                                     'user': rule_user.user,
                                     'source': 'user',
                                     'source_data': {},
                                     'data': rule_user.rule_data()
                                 }
                     for rule_user_group in self.rule_user_groups:
                         source_data = {
                             'user_group_id': rule_user_group.users_group.users_group_id,
                             'name': rule_user_group.users_group.users_group_name,
                             'members': len(rule_user_group.users_group.members)
                         }
                         for member in rule_user_group.users_group.members:
                             if member.user.active:
                                 key = member.user.username
                                 if key in users:
                                     # skip this member as we have him already
                                     # this prevents from override the "first" matched
                                     # users with duplicates in multiple groups
                                     continue
                                 users[key] = {
                                     'user': member.user,
                                     'source': 'user_group',
                                     'source_data': source_data,
                                     'data': rule_user_group.rule_data()
                                 }
                     return users
                 def user_group_vote_rule(self, user_id):
                     rules = []
                     if not self.rule_user_groups:
                         return rules
                     for user_group in self.rule_user_groups:
                         user_group_members = [x.user_id for x in user_group.users_group.members]
                         if user_id in user_group_members:
                             rules.append(user_group)
                     return rules
                 def __repr__(self):
                     return '<RepoReviewerRule(id=%r, repo=%r)>' % (
                         self.repo_review_rule_id, self.repo)
             class ScheduleEntry(Base, BaseModel):
                 __tablename__ = 'schedule_entries'
                 __table_args__ = (
                     UniqueConstraint('schedule_name', name='s_schedule_name_idx'),
                     UniqueConstraint('task_uid', name='s_task_uid_idx'),
                     base_table_args,
                 )
                 schedule_types = ['crontab', 'timedelta', 'integer']
                 schedule_entry_id = Column('schedule_entry_id', Integer(), primary_key=True)
                 schedule_name = Column("schedule_name", String(255), nullable=False, unique=None, default=None)
                 schedule_description = Column("schedule_description", String(10000), nullable=True, unique=None, default=None)
                 schedule_enabled = Column("schedule_enabled", Boolean(), nullable=False, unique=None, default=True)
                 _schedule_type = Column("schedule_type", String(255), nullable=False, unique=None, default=None)
                 schedule_definition = Column('schedule_definition_json', MutationObj.as_mutable(JsonType(default=lambda: "", dialect_map=dict(mysql=LONGTEXT()))))
                 schedule_last_run = Column('schedule_last_run', DateTime(timezone=False), nullable=True, unique=None, default=None)
                 schedule_total_run_count = Column('schedule_total_run_count', Integer(), nullable=True, unique=None, default=0)
                 # task
                 task_uid = Column("task_uid", String(255), nullable=False, unique=None, default=None)
                 task_dot_notation = Column("task_dot_notation", String(4096), nullable=False, unique=None, default=None)
                 task_args = Column('task_args_json', MutationObj.as_mutable(JsonType(default=list, dialect_map=dict(mysql=LONGTEXT()))))
                 task_kwargs = Column('task_kwargs_json', MutationObj.as_mutable(JsonType(default=dict, dialect_map=dict(mysql=LONGTEXT()))))
                 created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 updated_on = Column('updated_on', DateTime(timezone=False), nullable=True, unique=None, default=None)
                 @hybrid_property
                 def schedule_type(self):
                     return self._schedule_type
                 @schedule_type.setter
                 def schedule_type(self, val):
                     if val not in self.schedule_types:
                         raise ValueError('Value must be on of `{}` and got `{}`'.format(
                             val, self.schedule_type))
                     self._schedule_type = val
                 @classmethod
                 def get_uid(cls, obj):
                     args = obj.task_args
                     kwargs = obj.task_kwargs
                     if isinstance(args, JsonRaw):
                         try:
                             args = json.loads(args)
                         except ValueError:
                             args = tuple()
                     if isinstance(kwargs, JsonRaw):
                         try:
                             kwargs = json.loads(kwargs)
                         except ValueError:
                             kwargs = dict()
                     dot_notation = obj.task_dot_notation
                     val = '.'.join(map(safe_str, [
                         sorted(dot_notation), args, sorted(kwargs.items())]))
                     return hashlib.sha1(val).hexdigest()
                 @classmethod
                 def get_by_schedule_name(cls, schedule_name):
                     return cls.query().filter(cls.schedule_name == schedule_name).scalar()
                 @classmethod
                 def get_by_schedule_id(cls, schedule_id):
                     return cls.query().filter(cls.schedule_entry_id == schedule_id).scalar()
                 @property
                 def task(self):
                     return self.task_dot_notation
                 @property
                 def schedule(self):
                     from rhodecode.lib.celerylib.utils import raw_2_schedule
                     schedule = raw_2_schedule(self.schedule_definition, self.schedule_type)
                     return schedule
                 @property
                 def args(self):
                     try:
                         return list(self.task_args or [])
                     except ValueError:
                         return list()
                 @property
                 def kwargs(self):
                     try:
                         return dict(self.task_kwargs or {})
                     except ValueError:
                         return dict()
                 def _as_raw(self, val):
                     if hasattr(val, 'de_coerce'):
                         val = val.de_coerce()
                         if val:
                             val = json.dumps(val)
                     return val
                 @property
                 def schedule_definition_raw(self):
                     return self._as_raw(self.schedule_definition)
                 @property
                 def args_raw(self):
                     return self._as_raw(self.task_args)
                 @property
                 def kwargs_raw(self):
                     return self._as_raw(self.task_kwargs)
                 def __repr__(self):
                     return '<DB:ScheduleEntry({}:{})>'.format(
                         self.schedule_entry_id, self.schedule_name)
             @event.listens_for(ScheduleEntry, 'before_update')
             def update_task_uid(mapper, connection, target):
                 target.task_uid = ScheduleEntry.get_uid(target)
             @event.listens_for(ScheduleEntry, 'before_insert')
             def set_task_uid(mapper, connection, target):
                 target.task_uid = ScheduleEntry.get_uid(target)
             class _BaseBranchPerms(BaseModel):
                 @classmethod
                 def compute_hash(cls, value):
                     return sha1_safe(value)
                 @hybrid_property
                 def branch_pattern(self):
                     return self._branch_pattern or '*'
                 @hybrid_property
                 def branch_hash(self):
                     return self._branch_hash
                 def _validate_glob(self, value):
                     re.compile('^' + glob2re(value) + '$')
                 @branch_pattern.setter
                 def branch_pattern(self, value):
                     self._validate_glob(value)
                     self._branch_pattern = value or '*'
                     # set the Hash when setting the branch pattern
                     self._branch_hash = self.compute_hash(self._branch_pattern)
                 def matches(self, branch):
                     """
                     Check if this the branch matches entry
                     :param branch: branch name for the commit
                     """
                     branch = branch or ''
                     branch_matches = True
                     if branch:
                         branch_regex = re.compile('^' + glob2re(self.branch_pattern) + '$')
                         branch_matches = bool(branch_regex.search(branch))
                     return branch_matches
             class UserToRepoBranchPermission(Base, _BaseBranchPerms):
                 __tablename__ = 'user_to_repo_branch_permissions'
                 __table_args__ = (
                     {'extend_existing': True, 'mysql_engine': 'InnoDB',
                      'mysql_charset': 'utf8', 'sqlite_autoincrement': True,}
                 )
                 branch_rule_id = Column('branch_rule_id', Integer(), primary_key=True)
                 repository_id = Column('repository_id', Integer(), ForeignKey('repositories.repo_id'), nullable=False, unique=None, default=None)
                 repo = relationship('Repository', backref='user_branch_perms')
                 permission_id = Column('permission_id', Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)
                 permission = relationship('Permission')
                 rule_to_perm_id = Column('rule_to_perm_id', Integer(), ForeignKey('repo_to_perm.repo_to_perm_id'), nullable=False, unique=None, default=None)
                 user_repo_to_perm = relationship('UserRepoToPerm')
                 rule_order = Column('rule_order', Integer(), nullable=False)
                 _branch_pattern = Column('branch_pattern', UnicodeText().with_variant(UnicodeText(2048), 'mysql'), default=u'*')  # glob
                 _branch_hash = Column('branch_hash', UnicodeText().with_variant(UnicodeText(2048), 'mysql'))
                 def __unicode__(self):
                     return u'<UserBranchPermission(%s => %r)>' % (
                         self.user_repo_to_perm, self.branch_pattern)
             class UserGroupToRepoBranchPermission(Base, _BaseBranchPerms):
                 __tablename__ = 'user_group_to_repo_branch_permissions'
                 __table_args__ = (
                     {'extend_existing': True, 'mysql_engine': 'InnoDB',
                      'mysql_charset': 'utf8', 'sqlite_autoincrement': True,}
                 )
                 branch_rule_id = Column('branch_rule_id', Integer(), primary_key=True)
                 repository_id = Column('repository_id', Integer(), ForeignKey('repositories.repo_id'), nullable=False, unique=None, default=None)
                 repo = relationship('Repository', backref='user_group_branch_perms')
                 permission_id = Column('permission_id', Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)
                 permission = relationship('Permission')
                 rule_to_perm_id = Column('rule_to_perm_id', Integer(), ForeignKey('users_group_repo_to_perm.users_group_to_perm_id'), nullable=False, unique=None, default=None)
                 user_group_repo_to_perm = relationship('UserGroupRepoToPerm')
                 rule_order = Column('rule_order', Integer(), nullable=False)
                 _branch_pattern = Column('branch_pattern', UnicodeText().with_variant(UnicodeText(2048), 'mysql'), default=u'*')  # glob
                 _branch_hash = Column('branch_hash', UnicodeText().with_variant(UnicodeText(2048), 'mysql'))
                 def __unicode__(self):
                     return u'<UserBranchPermission(%s => %r)>' % (
                         self.user_group_repo_to_perm, self.branch_pattern)
             class UserBookmark(Base, BaseModel):
                 __tablename__ = 'user_bookmarks'
                 __table_args__ = (
                     UniqueConstraint('user_id', 'bookmark_repo_id'),
                     UniqueConstraint('user_id', 'bookmark_repo_group_id'),
                     UniqueConstraint('user_id', 'bookmark_position'),
                     base_table_args
                 )
                 user_bookmark_id = Column("user_bookmark_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=None, default=None)
                 position = Column("bookmark_position", Integer(), nullable=False)
                 title = Column("bookmark_title", String(255), nullable=True, unique=None, default=None)
                 redirect_url = Column("bookmark_redirect_url", String(10240), nullable=True, unique=None, default=None)
                 created_on = Column("created_on", DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 bookmark_repo_id = Column("bookmark_repo_id", Integer(), ForeignKey("repositories.repo_id"), nullable=True, unique=None, default=None)
                 bookmark_repo_group_id = Column("bookmark_repo_group_id", Integer(), ForeignKey("groups.group_id"), nullable=True, unique=None, default=None)
                 user = relationship("User")
                 repository = relationship("Repository")
                 repository_group = relationship("RepoGroup")
                 @classmethod
                 def get_by_position_for_user(cls, position, user_id):
                     return cls.query() \
                         .filter(UserBookmark.user_id == user_id) \
                         .filter(UserBookmark.position == position).scalar()
                 @classmethod
                 def get_bookmarks_for_user(cls, user_id):
                     return cls.query() \
                         .filter(UserBookmark.user_id == user_id) \
                         .options(joinedload(UserBookmark.repository)) \
                         .options(joinedload(UserBookmark.repository_group)) \
                         .order_by(UserBookmark.position.asc()) \
                         .all()
                 def __unicode__(self):
                     return u'<UserBookmark(%d @ %r)>' % (self.position, self.redirect_url)
             class FileStore(Base, BaseModel):
                 __tablename__ = 'file_store'
                 __table_args__ = (
                     base_table_args
                 )
                 file_store_id = Column('file_store_id', Integer(), primary_key=True)
                 file_uid = Column('file_uid', String(1024), nullable=False)
                 file_display_name = Column('file_display_name', UnicodeText().with_variant(UnicodeText(2048), 'mysql'), nullable=True)
                 file_description = Column('file_description', UnicodeText().with_variant(UnicodeText(10240), 'mysql'), nullable=True)
                 file_org_name = Column('file_org_name', UnicodeText().with_variant(UnicodeText(10240), 'mysql'), nullable=False)
                 # sha256 hash
                 file_hash = Column('file_hash', String(512), nullable=False)
                 file_size = Column('file_size', Integer(), nullable=False)
                 created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 accessed_on = Column('accessed_on', DateTime(timezone=False), nullable=True)
                 accessed_count = Column('accessed_count', Integer(), default=0)
                 enabled = Column('enabled', Boolean(), nullable=False, default=True)
                 # if repo/repo_group reference is set, check for permissions
                 check_acl = Column('check_acl', Boolean(), nullable=False, default=True)
                 user_id = Column('user_id', Integer(), ForeignKey('users.user_id'), nullable=False)
                 upload_user = relationship('User', lazy='joined', primaryjoin='User.user_id==FileStore.user_id')
                 # scope limited to user, which requester have access to
                 scope_user_id = Column(
                     'scope_user_id', Integer(), ForeignKey('users.user_id'),
                     nullable=True, unique=None, default=None)
                 user = relationship('User', lazy='joined', primaryjoin='User.user_id==FileStore.scope_user_id')
                 # scope limited to user group, which requester have access to
                 scope_user_group_id = Column(
                     'scope_user_group_id', Integer(), ForeignKey('users_groups.users_group_id'),
                     nullable=True, unique=None, default=None)
                 user_group = relationship('UserGroup', lazy='joined')
                 # scope limited to repo, which requester have access to
                 scope_repo_id = Column(
                     'scope_repo_id', Integer(), ForeignKey('repositories.repo_id'),
                     nullable=True, unique=None, default=None)
                 repo = relationship('Repository', lazy='joined')
                 # scope limited to repo group, which requester have access to
                 scope_repo_group_id = Column(
                     'scope_repo_group_id', Integer(), ForeignKey('groups.group_id'),
                     nullable=True, unique=None, default=None)
                 repo_group = relationship('RepoGroup', lazy='joined')
                 @classmethod
                 def create(cls, file_uid, filename, file_hash, file_size, file_display_name='',
                            file_description='', enabled=True, check_acl=True, user_id=None,
                            scope_user_id=None, scope_repo_id=None, scope_repo_group_id=None):
                     store_entry = FileStore()
                     store_entry.file_uid = file_uid
                     store_entry.file_display_name = file_display_name
                     store_entry.file_org_name = filename
                     store_entry.file_size = file_size
                     store_entry.file_hash = file_hash
                     store_entry.file_description = file_description
                     store_entry.check_acl = check_acl
                     store_entry.enabled = enabled
                     store_entry.user_id = user_id
                     store_entry.scope_user_id = scope_user_id
                     store_entry.scope_repo_id = scope_repo_id
                     store_entry.scope_repo_group_id = scope_repo_group_id
                     return store_entry
                 @classmethod
                 def bump_access_counter(cls, file_uid, commit=True):
                     FileStore().query()\
                         .filter(FileStore.file_uid == file_uid)\
                         .update({FileStore.accessed_count: (FileStore.accessed_count + 1),
                                  FileStore.accessed_on: datetime.datetime.now()})
                     if commit:
                         Session().commit()
                 def __repr__(self):
                     return '<FileStore({})>'.format(self.file_store_id)
             class DbMigrateVersion(Base, BaseModel):
                 __tablename__ = 'db_migrate_version'
                 __table_args__ = (
                     base_table_args,
                 )
                 repository_id = Column('repository_id', String(250), primary_key=True)
                 repository_path = Column('repository_path', Text)
                 version = Column('version', Integer)
                 @classmethod
                 def set_version(cls, version):
                     """
                     Helper for forcing a different version, usually for debugging purposes via ishell.
                     """
                     ver = DbMigrateVersion.query().first()
                     ver.version = version
                     Session().commit()
             class DbSession(Base, BaseModel):
                 __tablename__ = 'db_session'
                 __table_args__ = (
                     base_table_args,
                 )
                 def __repr__(self):
                     return '<DB:DbSession({})>'.format(self.id)
                 id = Column('id', Integer())
                 namespace = Column('namespace', String(255), primary_key=True)
                 accessed = Column('accessed', DateTime, nullable=False)
                 created = Column('created', DateTime, nullable=False)
                 data = Column('data', PickleType, nullable=False)

rhodecode/model/settings.py

0 +1 -1

             # -*- coding: utf-8 -*-
             # Copyright (C) 2010-2019 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import os
             import hashlib
             import logging
             from collections import namedtuple
             from functools import wraps
             import bleach
             from rhodecode.lib import rc_cache
             from rhodecode.lib.utils2 import (
                 Optional, AttributeDict, safe_str, remove_prefix, str2bool)
             from rhodecode.lib.vcs.backends import base
             from rhodecode.model import BaseModel
             from rhodecode.model.db import (
                 RepoRhodeCodeUi, RepoRhodeCodeSetting, RhodeCodeUi, RhodeCodeSetting, CacheKey)
             from rhodecode.model.meta import Session
             log = logging.getLogger(__name__)
             UiSetting = namedtuple(
                 'UiSetting', ['section', 'key', 'value', 'active'])
             SOCIAL_PLUGINS_LIST = ['github', 'bitbucket', 'twitter', 'google']
             class SettingNotFound(Exception):
                 def __init__(self, setting_id):
                     msg = 'Setting `{}` is not found'.format(setting_id)
                     super(SettingNotFound, self).__init__(msg)
             class SettingsModel(BaseModel):
                 BUILTIN_HOOKS = (
                     RhodeCodeUi.HOOK_REPO_SIZE, RhodeCodeUi.HOOK_PUSH,
                     RhodeCodeUi.HOOK_PRE_PUSH, RhodeCodeUi.HOOK_PRETX_PUSH,
                     RhodeCodeUi.HOOK_PULL, RhodeCodeUi.HOOK_PRE_PULL,
                     RhodeCodeUi.HOOK_PUSH_KEY,)
                 HOOKS_SECTION = 'hooks'
                 def __init__(self, sa=None, repo=None):
                     self.repo = repo
                     self.UiDbModel = RepoRhodeCodeUi if repo else RhodeCodeUi
                     self.SettingsDbModel = (
                         RepoRhodeCodeSetting if repo else RhodeCodeSetting)
                     super(SettingsModel, self).__init__(sa)
                 def get_ui_by_key(self, key):
                     q = self.UiDbModel.query()
                     q = q.filter(self.UiDbModel.ui_key == key)
                     q = self._filter_by_repo(RepoRhodeCodeUi, q)
                     return q.scalar()
                 def get_ui_by_section(self, section):
                     q = self.UiDbModel.query()
                     q = q.filter(self.UiDbModel.ui_section == section)
                     q = self._filter_by_repo(RepoRhodeCodeUi, q)
                     return q.all()
                 def get_ui_by_section_and_key(self, section, key):
                     q = self.UiDbModel.query()
                     q = q.filter(self.UiDbModel.ui_section == section)
                     q = q.filter(self.UiDbModel.ui_key == key)
                     q = self._filter_by_repo(RepoRhodeCodeUi, q)
                     return q.scalar()
                 def get_ui(self, section=None, key=None):
                     q = self.UiDbModel.query()
                     q = self._filter_by_repo(RepoRhodeCodeUi, q)
                     if section:
                         q = q.filter(self.UiDbModel.ui_section == section)
                     if key:
                         q = q.filter(self.UiDbModel.ui_key == key)
                     # TODO: mikhail: add caching
                     result = [
                         UiSetting(
                             section=safe_str(r.ui_section), key=safe_str(r.ui_key),
                             value=safe_str(r.ui_value), active=r.ui_active
                         )
                         for r in q.all()
                     ]
                     return result
                 def get_builtin_hooks(self):
                     q = self.UiDbModel.query()
                     q = q.filter(self.UiDbModel.ui_key.in_(self.BUILTIN_HOOKS))
                     return self._get_hooks(q)
                 def get_custom_hooks(self):
                     q = self.UiDbModel.query()
                     q = q.filter(~self.UiDbModel.ui_key.in_(self.BUILTIN_HOOKS))
                     return self._get_hooks(q)
                 def create_ui_section_value(self, section, val, key=None, active=True):
                     new_ui = self.UiDbModel()
                     new_ui.ui_section = section
                     new_ui.ui_value = val
                     new_ui.ui_active = active
                     repository_id = ''
                     if self.repo:
                         repo = self._get_repo(self.repo)
                         repository_id = repo.repo_id
                         new_ui.repository_id = repository_id
                     if not key:
                         # keys are unique so they need appended info
                         if self.repo:
                             key = hashlib.sha1(
                                 '{}{}{}'.format(section, val, repository_id)).hexdigest()
                         else:
                             key = hashlib.sha1('{}{}'.format(section, val)).hexdigest()
                     new_ui.ui_key = key
                     Session().add(new_ui)
                     return new_ui
                 def create_or_update_hook(self, key, value):
                     ui = (
                         self.get_ui_by_section_and_key(self.HOOKS_SECTION, key) or
                         self.UiDbModel())
                     ui.ui_section = self.HOOKS_SECTION
                     ui.ui_active = True
                     ui.ui_key = key
                     ui.ui_value = value
                     if self.repo:
                         repo = self._get_repo(self.repo)
                         repository_id = repo.repo_id
                         ui.repository_id = repository_id
                     Session().add(ui)
                     return ui
                 def delete_ui(self, id_):
                     ui = self.UiDbModel.get(id_)
                     if not ui:
                         raise SettingNotFound(id_)
                     Session().delete(ui)
                 def get_setting_by_name(self, name):
                     q = self._get_settings_query()
                     q = q.filter(self.SettingsDbModel.app_settings_name == name)
                     return q.scalar()
                 def create_or_update_setting(
                         self, name, val=Optional(''), type_=Optional('unicode')):
                     """
                     Creates or updates RhodeCode setting. If updates is triggered it will
                     only update parameters that are explicityl set Optional instance will
                     be skipped
                     :param name:
                     :param val:
                     :param type_:
                     :return:
                     """
                     res = self.get_setting_by_name(name)
                     repo = self._get_repo(self.repo) if self.repo else None
                     if not res:
                         val = Optional.extract(val)
                         type_ = Optional.extract(type_)
                         args = (
                             (repo.repo_id, name, val, type_)
                             if repo else (name, val, type_))
                         res = self.SettingsDbModel(*args)
                     else:
                         if self.repo:
                             res.repository_id = repo.repo_id
                         res.app_settings_name = name
                         if not isinstance(type_, Optional):
                             # update if set
                             res.app_settings_type = type_
                         if not isinstance(val, Optional):
                             # update if set
                             res.app_settings_value = val
                     Session().add(res)
                     return res
                 def invalidate_settings_cache(self):
                     invalidation_namespace = CacheKey.SETTINGS_INVALIDATION_NAMESPACE
                     CacheKey.set_invalidate(invalidation_namespace)
                 def get_all_settings(self, cache=False):
                     region = rc_cache.get_or_create_region('sql_cache_short')
                     invalidation_namespace = CacheKey.SETTINGS_INVALIDATION_NAMESPACE
                     @region.conditional_cache_on_arguments(condition=cache)
                     def _get_all_settings(name, key):
                         q = self._get_settings_query()
                         if not q:
                             raise Exception('Could not get application settings !')
                         settings = {
                             'rhodecode_' + result.app_settings_name: result.app_settings_value
                             for result in q
                         }
                         return settings
                     repo = self._get_repo(self.repo) if self.repo else None
                     key = "settings_repo.{}".format(repo.repo_id) if repo else "settings_app"
                     inv_context_manager = rc_cache.InvalidationContext(
                         uid='cache_settings', invalidation_namespace=invalidation_namespace)
                     with inv_context_manager as invalidation_context:
                         # check for stored invalidation signal, and maybe purge the cache
                         # before computing it again
                         if invalidation_context.should_invalidate():
                             # NOTE:(marcink) we flush the whole sql_cache_short region, because it
                             # reads different settings etc. It's little too much but those caches
                             # are anyway very short lived and it's a safest way.
                             region = rc_cache.get_or_create_region('sql_cache_short')
                             region.invalidate()
                         result = _get_all_settings('rhodecode_settings', key)
-                        log.debug('Fetching app settings for key: %s took: %.3fs', key,
+                        log.debug('Fetching app settings for key: %s took: %.4fs', key,
                                   inv_context_manager.compute_time)
                     return result
                 def get_auth_settings(self):
                     q = self._get_settings_query()
                     q = q.filter(
                         self.SettingsDbModel.app_settings_name.startswith('auth_'))
                     rows = q.all()
                     auth_settings = {
                         row.app_settings_name: row.app_settings_value for row in rows}
                     return auth_settings
                 def get_auth_plugins(self):
                     auth_plugins = self.get_setting_by_name("auth_plugins")
                     return auth_plugins.app_settings_value
                 def get_default_repo_settings(self, strip_prefix=False):
                     q = self._get_settings_query()
                     q = q.filter(
                         self.SettingsDbModel.app_settings_name.startswith('default_'))
                     rows = q.all()
                     result = {}
                     for row in rows:
                         key = row.app_settings_name
                         if strip_prefix:
                             key = remove_prefix(key, prefix='default_')
                         result.update({key: row.app_settings_value})
                     return result
                 def get_repo(self):
                     repo = self._get_repo(self.repo)
                     if not repo:
                         raise Exception(
                             'Repository `{}` cannot be found inside the database'.format(
                                 self.repo))
                     return repo
                 def _filter_by_repo(self, model, query):
                     if self.repo:
                         repo = self.get_repo()
                         query = query.filter(model.repository_id == repo.repo_id)
                     return query
                 def _get_hooks(self, query):
                     query = query.filter(self.UiDbModel.ui_section == self.HOOKS_SECTION)
                     query = self._filter_by_repo(RepoRhodeCodeUi, query)
                     return query.all()
                 def _get_settings_query(self):
                     q = self.SettingsDbModel.query()
                     return self._filter_by_repo(RepoRhodeCodeSetting, q)
                 def list_enabled_social_plugins(self, settings):
                     enabled = []
                     for plug in SOCIAL_PLUGINS_LIST:
                         if str2bool(settings.get('rhodecode_auth_{}_enabled'.format(plug)
                                                  )):
                             enabled.append(plug)
                     return enabled
             def assert_repo_settings(func):
                 @wraps(func)
                 def _wrapper(self, *args, **kwargs):
                     if not self.repo_settings:
                         raise Exception('Repository is not specified')
                     return func(self, *args, **kwargs)
                 return _wrapper
             class IssueTrackerSettingsModel(object):
                 INHERIT_SETTINGS = 'inherit_issue_tracker_settings'
                 SETTINGS_PREFIX = 'issuetracker_'
                 def __init__(self, sa=None, repo=None):
                     self.global_settings = SettingsModel(sa=sa)
                     self.repo_settings = SettingsModel(sa=sa, repo=repo) if repo else None
                 @property
                 def inherit_global_settings(self):
                     if not self.repo_settings:
                         return True
                     setting = self.repo_settings.get_setting_by_name(self.INHERIT_SETTINGS)
                     return setting.app_settings_value if setting else True
                 @inherit_global_settings.setter
                 def inherit_global_settings(self, value):
                     if self.repo_settings:
                         settings = self.repo_settings.create_or_update_setting(
                             self.INHERIT_SETTINGS, value, type_='bool')
                         Session().add(settings)
                 def _get_keyname(self, key, uid, prefix=''):
                     return '{0}{1}{2}_{3}'.format(
                         prefix, self.SETTINGS_PREFIX, key, uid)
                 def _make_dict_for_settings(self, qs):
                     prefix_match = self._get_keyname('pat', '', 'rhodecode_')
                     issuetracker_entries = {}
                     # create keys
                     for k, v in qs.items():
                         if k.startswith(prefix_match):
                             uid = k[len(prefix_match):]
                             issuetracker_entries[uid] = None
                     def url_cleaner(input_str):
                         input_str = input_str.replace('"', '').replace("'", '')
                         input_str = bleach.clean(input_str, strip=True)
                         return input_str
                     # populate
                     for uid in issuetracker_entries:
                         url_data = qs.get(self._get_keyname('url', uid, 'rhodecode_'))
                         issuetracker_entries[uid] = AttributeDict({
                             'pat': qs.get(
                                 self._get_keyname('pat', uid, 'rhodecode_')),
                             'url': url_cleaner(
                                 qs.get(self._get_keyname('url', uid, 'rhodecode_')) or ''),
                             'pref': bleach.clean(
                                 qs.get(self._get_keyname('pref', uid, 'rhodecode_')) or ''),
                             'desc': qs.get(
                                 self._get_keyname('desc', uid, 'rhodecode_')),
                         })
                     return issuetracker_entries
                 def get_global_settings(self, cache=False):
                     """
                     Returns list of global issue tracker settings
                     """
                     defaults = self.global_settings.get_all_settings(cache=cache)
                     settings = self._make_dict_for_settings(defaults)
                     return settings
                 def get_repo_settings(self, cache=False):
                     """
                     Returns list of issue tracker settings per repository
                     """
                     if not self.repo_settings:
                         raise Exception('Repository is not specified')
                     all_settings = self.repo_settings.get_all_settings(cache=cache)
                     settings = self._make_dict_for_settings(all_settings)
                     return settings
                 def get_settings(self, cache=False):
                     if self.inherit_global_settings:
                         return self.get_global_settings(cache=cache)
                     else:
                         return self.get_repo_settings(cache=cache)
                 def delete_entries(self, uid):
                     if self.repo_settings:
                         all_patterns = self.get_repo_settings()
                         settings_model = self.repo_settings
                     else:
                         all_patterns = self.get_global_settings()
                         settings_model = self.global_settings
                     entries = all_patterns.get(uid, [])
                     for del_key in entries:
                         setting_name = self._get_keyname(del_key, uid)
                         entry = settings_model.get_setting_by_name(setting_name)
                         if entry:
                             Session().delete(entry)
                     Session().commit()
                 def create_or_update_setting(
                         self, name, val=Optional(''), type_=Optional('unicode')):
                     if self.repo_settings:
                         setting = self.repo_settings.create_or_update_setting(
                             name, val, type_)
                     else:
                         setting = self.global_settings.create_or_update_setting(
                             name, val, type_)
                     return setting
             class VcsSettingsModel(object):
                 INHERIT_SETTINGS = 'inherit_vcs_settings'
                 GENERAL_SETTINGS = (
                     'use_outdated_comments',
                     'pr_merge_enabled',
                     'hg_use_rebase_for_merging',
                     'hg_close_branch_before_merging',
                     'git_use_rebase_for_merging',
                     'git_close_branch_before_merging',
                     'diff_cache',
                 )
                 HOOKS_SETTINGS = (
                     ('hooks', 'changegroup.repo_size'),
                     ('hooks', 'changegroup.push_logger'),
                     ('hooks', 'outgoing.pull_logger'),
                 )
                 HG_SETTINGS = (
                     ('extensions', 'largefiles'),
                     ('phases', 'publish'),
                     ('extensions', 'evolve'),
                     ('extensions', 'topic'),
                     ('experimental', 'evolution'),
                     ('experimental', 'evolution.exchange'),
                 )
                 GIT_SETTINGS = (
                     ('vcs_git_lfs', 'enabled'),
                 )
                 GLOBAL_HG_SETTINGS = (
                     ('extensions', 'largefiles'),
                     ('largefiles', 'usercache'),
                     ('phases', 'publish'),
                     ('extensions', 'hgsubversion'),
                     ('extensions', 'evolve'),
                     ('extensions', 'topic'),
                     ('experimental', 'evolution'),
                     ('experimental', 'evolution.exchange'),
                 )
                 GLOBAL_GIT_SETTINGS = (
                     ('vcs_git_lfs', 'enabled'),
                     ('vcs_git_lfs', 'store_location')
                 )
                 GLOBAL_SVN_SETTINGS = (
                     ('vcs_svn_proxy', 'http_requests_enabled'),
                     ('vcs_svn_proxy', 'http_server_url')
                 )
                 SVN_BRANCH_SECTION = 'vcs_svn_branch'
                 SVN_TAG_SECTION = 'vcs_svn_tag'
                 SSL_SETTING = ('web', 'push_ssl')
                 PATH_SETTING = ('paths', '/')
                 def __init__(self, sa=None, repo=None):
                     self.global_settings = SettingsModel(sa=sa)
                     self.repo_settings = SettingsModel(sa=sa, repo=repo) if repo else None
                     self._ui_settings = (
                         self.HG_SETTINGS + self.GIT_SETTINGS + self.HOOKS_SETTINGS)
                     self._svn_sections = (self.SVN_BRANCH_SECTION, self.SVN_TAG_SECTION)
                 @property
                 @assert_repo_settings
                 def inherit_global_settings(self):
                     setting = self.repo_settings.get_setting_by_name(self.INHERIT_SETTINGS)
                     return setting.app_settings_value if setting else True
                 @inherit_global_settings.setter
                 @assert_repo_settings
                 def inherit_global_settings(self, value):
                     self.repo_settings.create_or_update_setting(
                         self.INHERIT_SETTINGS, value, type_='bool')
                 def get_global_svn_branch_patterns(self):
                     return self.global_settings.get_ui_by_section(self.SVN_BRANCH_SECTION)
                 @assert_repo_settings
                 def get_repo_svn_branch_patterns(self):
                     return self.repo_settings.get_ui_by_section(self.SVN_BRANCH_SECTION)
                 def get_global_svn_tag_patterns(self):
                     return self.global_settings.get_ui_by_section(self.SVN_TAG_SECTION)
                 @assert_repo_settings
                 def get_repo_svn_tag_patterns(self):
                     return self.repo_settings.get_ui_by_section(self.SVN_TAG_SECTION)
                 def get_global_settings(self):
                     return self._collect_all_settings(global_=True)
                 @assert_repo_settings
                 def get_repo_settings(self):
                     return self._collect_all_settings(global_=False)
                 @assert_repo_settings
                 def create_or_update_repo_settings(
                         self, data, inherit_global_settings=False):
                     from rhodecode.model.scm import ScmModel
                     self.inherit_global_settings = inherit_global_settings
                     repo = self.repo_settings.get_repo()
                     if not inherit_global_settings:
                         if repo.repo_type == 'svn':
                             self.create_repo_svn_settings(data)
                         else:
                             self.create_or_update_repo_hook_settings(data)
                             self.create_or_update_repo_pr_settings(data)
                         if repo.repo_type == 'hg':
                             self.create_or_update_repo_hg_settings(data)
                         if repo.repo_type == 'git':
                             self.create_or_update_repo_git_settings(data)
                     ScmModel().mark_for_invalidation(repo.repo_name, delete=True)
                 @assert_repo_settings
                 def create_or_update_repo_hook_settings(self, data):
                     for section, key in self.HOOKS_SETTINGS:
                         data_key = self._get_form_ui_key(section, key)
                         if data_key not in data:
                             raise ValueError(
                                 'The given data does not contain {} key'.format(data_key))
                         active = data.get(data_key)
                         repo_setting = self.repo_settings.get_ui_by_section_and_key(
                             section, key)
                         if not repo_setting:
                             global_setting = self.global_settings.\
                                 get_ui_by_section_and_key(section, key)
                             self.repo_settings.create_ui_section_value(
                                 section, global_setting.ui_value, key=key, active=active)
                         else:
                             repo_setting.ui_active = active
                             Session().add(repo_setting)
                 def update_global_hook_settings(self, data):
                     for section, key in self.HOOKS_SETTINGS:
                         data_key = self._get_form_ui_key(section, key)
                         if data_key not in data:
                             raise ValueError(
                                 'The given data does not contain {} key'.format(data_key))
                         active = data.get(data_key)
                         repo_setting = self.global_settings.get_ui_by_section_and_key(
                             section, key)
                         repo_setting.ui_active = active
                         Session().add(repo_setting)
                 @assert_repo_settings
                 def create_or_update_repo_pr_settings(self, data):
                     return self._create_or_update_general_settings(
                         self.repo_settings, data)
                 def create_or_update_global_pr_settings(self, data):
                     return self._create_or_update_general_settings(
                         self.global_settings, data)
                 @assert_repo_settings
                 def create_repo_svn_settings(self, data):
                     return self._create_svn_settings(self.repo_settings, data)
                 def _set_evolution(self, settings, is_enabled):
                     if is_enabled:
                         # if evolve is active set evolution=all
                         self._create_or_update_ui(
                             settings, *('experimental', 'evolution'), value='all',
                             active=True)
                         self._create_or_update_ui(
                             settings, *('experimental', 'evolution.exchange'), value='yes',
                             active=True)
                         # if evolve is active set topics server support
                         self._create_or_update_ui(
                             settings, *('extensions', 'topic'), value='',
                             active=True)
                     else:
                         self._create_or_update_ui(
                             settings, *('experimental', 'evolution'), value='',
                             active=False)
                         self._create_or_update_ui(
                             settings, *('experimental', 'evolution.exchange'), value='no',
                             active=False)
                         self._create_or_update_ui(
                             settings, *('extensions', 'topic'), value='',
                             active=False)
                 @assert_repo_settings
                 def create_or_update_repo_hg_settings(self, data):
                     largefiles, phases, evolve = \
                         self.HG_SETTINGS[:3]
                     largefiles_key, phases_key, evolve_key = \
                         self._get_settings_keys(self.HG_SETTINGS[:3], data)
                     self._create_or_update_ui(
                         self.repo_settings, *largefiles, value='',
                         active=data[largefiles_key])
                     self._create_or_update_ui(
                         self.repo_settings, *evolve, value='',
                         active=data[evolve_key])
                     self._set_evolution(self.repo_settings, is_enabled=data[evolve_key])
                     self._create_or_update_ui(
                         self.repo_settings, *phases, value=safe_str(data[phases_key]))
                 def create_or_update_global_hg_settings(self, data):
                     largefiles, largefiles_store, phases, hgsubversion, evolve \
                         = self.GLOBAL_HG_SETTINGS[:5]
                     largefiles_key, largefiles_store_key, phases_key, subversion_key, evolve_key \
                         = self._get_settings_keys(self.GLOBAL_HG_SETTINGS[:5], data)
                     self._create_or_update_ui(
                         self.global_settings, *largefiles, value='',
                         active=data[largefiles_key])
                     self._create_or_update_ui(
                         self.global_settings, *largefiles_store, value=data[largefiles_store_key])
                     self._create_or_update_ui(
                         self.global_settings, *phases, value=safe_str(data[phases_key]))
                     self._create_or_update_ui(
                         self.global_settings, *hgsubversion, active=data[subversion_key])
                     self._create_or_update_ui(
                         self.global_settings, *evolve, value='',
                         active=data[evolve_key])
                     self._set_evolution(self.global_settings, is_enabled=data[evolve_key])
                 def create_or_update_repo_git_settings(self, data):
                     # NOTE(marcink): # comma makes unpack work properly
                     lfs_enabled, \
                         = self.GIT_SETTINGS
                     lfs_enabled_key, \
                         = self._get_settings_keys(self.GIT_SETTINGS, data)
                     self._create_or_update_ui(
                         self.repo_settings, *lfs_enabled, value=data[lfs_enabled_key],
                         active=data[lfs_enabled_key])
                 def create_or_update_global_git_settings(self, data):
                     lfs_enabled, lfs_store_location \
                         = self.GLOBAL_GIT_SETTINGS
                     lfs_enabled_key, lfs_store_location_key \
                         = self._get_settings_keys(self.GLOBAL_GIT_SETTINGS, data)
                     self._create_or_update_ui(
                         self.global_settings, *lfs_enabled, value=data[lfs_enabled_key],
                         active=data[lfs_enabled_key])
                     self._create_or_update_ui(
                         self.global_settings, *lfs_store_location,
                         value=data[lfs_store_location_key])
                 def create_or_update_global_svn_settings(self, data):
                     # branch/tags patterns
                     self._create_svn_settings(self.global_settings, data)
                     http_requests_enabled, http_server_url = self.GLOBAL_SVN_SETTINGS
                     http_requests_enabled_key, http_server_url_key = self._get_settings_keys(
                         self.GLOBAL_SVN_SETTINGS, data)
                     self._create_or_update_ui(
                         self.global_settings, *http_requests_enabled,
                         value=safe_str(data[http_requests_enabled_key]))
                     self._create_or_update_ui(
                         self.global_settings, *http_server_url,
                         value=data[http_server_url_key])
                 def update_global_ssl_setting(self, value):
                     self._create_or_update_ui(
                         self.global_settings, *self.SSL_SETTING, value=value)
                 def update_global_path_setting(self, value):
                     self._create_or_update_ui(
                         self.global_settings, *self.PATH_SETTING, value=value)
                 @assert_repo_settings
                 def delete_repo_svn_pattern(self, id_):
                     ui = self.repo_settings.UiDbModel.get(id_)
                     if ui and ui.repository.repo_name == self.repo_settings.repo:
                         # only delete if it's the same repo as initialized settings
                         self.repo_settings.delete_ui(id_)
                     else:
                         # raise error as if we wouldn't find this option
                         self.repo_settings.delete_ui(-1)
                 def delete_global_svn_pattern(self, id_):
                     self.global_settings.delete_ui(id_)
                 @assert_repo_settings
                 def get_repo_ui_settings(self, section=None, key=None):
                     global_uis = self.global_settings.get_ui(section, key)
                     repo_uis = self.repo_settings.get_ui(section, key)
                     filtered_repo_uis = self._filter_ui_settings(repo_uis)
                     filtered_repo_uis_keys = [
                         (s.section, s.key) for s in filtered_repo_uis]
                     def _is_global_ui_filtered(ui):
                         return (
                             (ui.section, ui.key) in filtered_repo_uis_keys
                             or ui.section in self._svn_sections)
                     filtered_global_uis = [
                         ui for ui in global_uis if not _is_global_ui_filtered(ui)]
                     return filtered_global_uis + filtered_repo_uis
                 def get_global_ui_settings(self, section=None, key=None):
                     return self.global_settings.get_ui(section, key)
                 def get_ui_settings_as_config_obj(self, section=None, key=None):
                     config = base.Config()
                     ui_settings = self.get_ui_settings(section=section, key=key)
                     for entry in ui_settings:
                         config.set(entry.section, entry.key, entry.value)
                     return config
                 def get_ui_settings(self, section=None, key=None):
                     if not self.repo_settings or self.inherit_global_settings:
                         return self.get_global_ui_settings(section, key)
                     else:
                         return self.get_repo_ui_settings(section, key)
                 def get_svn_patterns(self, section=None):
                     if not self.repo_settings:
                         return self.get_global_ui_settings(section)
                     else:
                         return self.get_repo_ui_settings(section)
                 @assert_repo_settings
                 def get_repo_general_settings(self):
                     global_settings = self.global_settings.get_all_settings()
                     repo_settings = self.repo_settings.get_all_settings()
                     filtered_repo_settings = self._filter_general_settings(repo_settings)
                     global_settings.update(filtered_repo_settings)
                     return global_settings
                 def get_global_general_settings(self):
                     return self.global_settings.get_all_settings()
                 def get_general_settings(self):
                     if not self.repo_settings or self.inherit_global_settings:
                         return self.get_global_general_settings()
                     else:
                         return self.get_repo_general_settings()
                 def get_repos_location(self):
                     return self.global_settings.get_ui_by_key('/').ui_value
                 def _filter_ui_settings(self, settings):
                     filtered_settings = [
                         s for s in settings if self._should_keep_setting(s)]
                     return filtered_settings
                 def _should_keep_setting(self, setting):
                     keep = (
                         (setting.section, setting.key) in self._ui_settings or
                         setting.section in self._svn_sections)
                     return keep
                 def _filter_general_settings(self, settings):
                     keys = ['rhodecode_{}'.format(key) for key in self.GENERAL_SETTINGS]
                     return {
                         k: settings[k]
                         for k in settings if k in keys}
                 def _collect_all_settings(self, global_=False):
                     settings = self.global_settings if global_ else self.repo_settings
                     result = {}
                     for section, key in self._ui_settings:
                         ui = settings.get_ui_by_section_and_key(section, key)
                         result_key = self._get_form_ui_key(section, key)
                         if ui:
                             if section in ('hooks', 'extensions'):
                                 result[result_key] = ui.ui_active
                             elif result_key in ['vcs_git_lfs_enabled']:
                                 result[result_key] = ui.ui_active
                             else:
                                 result[result_key] = ui.ui_value
                     for name in self.GENERAL_SETTINGS:
                         setting = settings.get_setting_by_name(name)
                         if setting:
                             result_key = 'rhodecode_{}'.format(name)
                             result[result_key] = setting.app_settings_value
                     return result
                 def _get_form_ui_key(self, section, key):
                     return '{section}_{key}'.format(
                         section=section, key=key.replace('.', '_'))
                 def _create_or_update_ui(
                         self, settings, section, key, value=None, active=None):
                     ui = settings.get_ui_by_section_and_key(section, key)
                     if not ui:
                         active = True if active is None else active
                         settings.create_ui_section_value(
                             section, value, key=key, active=active)
                     else:
                         if active is not None:
                             ui.ui_active = active
                         if value is not None:
                             ui.ui_value = value
                         Session().add(ui)
                 def _create_svn_settings(self, settings, data):
                     svn_settings = {
                         'new_svn_branch': self.SVN_BRANCH_SECTION,
                         'new_svn_tag': self.SVN_TAG_SECTION
                     }
                     for key in svn_settings:
                         if data.get(key):
                             settings.create_ui_section_value(svn_settings[key], data[key])
                 def _create_or_update_general_settings(self, settings, data):
                     for name in self.GENERAL_SETTINGS:
                         data_key = 'rhodecode_{}'.format(name)
                         if data_key not in data:
                             raise ValueError(
                                 'The given data does not contain {} key'.format(data_key))
                         setting = settings.create_or_update_setting(
                             name, data[data_key], 'bool')
                         Session().add(setting)
                 def _get_settings_keys(self, settings, data):
                     data_keys = [self._get_form_ui_key(*s) for s in settings]
                     for data_key in data_keys:
                         if data_key not in data:
                             raise ValueError(
                                 'The given data does not contain {} key'.format(data_key))
                     return data_keys
                 def create_largeobjects_dirs_if_needed(self, repo_store_path):
                     """
                     This is subscribed to the `pyramid.events.ApplicationCreated` event. It
                     does a repository scan if enabled in the settings.
                     """
                     from rhodecode.lib.vcs.backends.hg import largefiles_store
                     from rhodecode.lib.vcs.backends.git import lfs_store
                     paths = [
                         largefiles_store(repo_store_path),
                         lfs_store(repo_store_path)]
                     for path in paths:
                         if os.path.isdir(path):
                             continue
                         if os.path.isfile(path):
                             continue
                         # not a file nor dir, we try to create it
                         try:
                             os.makedirs(path)
                         except Exception:
                             log.warning('Failed to create largefiles dir:%s', path)

rhodecode/tests/load/time_urls.py

0 +1 -1

             # -*- coding: utf-8 -*-
             # Copyright (C) 2010-2019 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import timeit
             import logging
             import click
             log = logging.getLogger(__name__)
             @click.command()
             @click.option('--server', help='Server url to connect to. e.g http://rc.local.com', required=True)
             @click.option('--pages', help='load pages to visit from a file', required=True, type=click.File())
             @click.option('--repeat', help='number of times to repeat', default=10, type=int)
             def main(server, repeat, pages):
                 print("Repeating each URL %d times\n" % repeat)
                 pages = pages.readlines()
                 for page_url in pages:
                     url = "%s/%s" % (server, page_url.strip())
                     print(url)
                     stmt = "requests.get('%s', timeout=120)" % url
                     t = timeit.Timer(stmt=stmt, setup="import requests")
                     result = t.repeat(repeat=repeat, number=1)
-                    print("  %.3f (min) - %.3f (max) - %.3f (avg)\n" %
+                    print("  %.4f (min) - %.4f (max) - %.4f (avg)\n" %
                           (min(result), max(result), sum(result) / len(result)))
             if __name__ == '__main__':
                 main()

rhodecode/tests/scripts/test_concurency.py

0 +1 -1

             # -*- coding: utf-8 -*-
             # Copyright (C) 2010-2019 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             """
             Test suite for making push/pull operations
             """
             import os
             import sys
             import shutil
             import logging
             from os.path import join as jn
             from os.path import dirname as dn
             from tempfile import _RandomNameSequence
             from subprocess32 import Popen, PIPE
             from rhodecode.lib.utils2 import engine_from_config
             from rhodecode.lib.auth import get_crypt_password
             from rhodecode.model import init_model
             from rhodecode.model import meta
             from rhodecode.model.db import User, Repository
             from rhodecode.tests import TESTS_TMP_PATH, HG_REPO
             rel_path = dn(dn(dn(dn(os.path.abspath(__file__)))))
             USER = 'test_admin'
             PASS = 'test12'
             HOST = 'rc.local'
             METHOD = 'pull'
             DEBUG = True
             log = logging.getLogger(__name__)
             class Command(object):
                 def __init__(self, cwd):
                     self.cwd = cwd
                 def execute(self, cmd, *args):
                     """Runs command on the system with given ``args``.
                     """
                     command = cmd + ' ' + ' '.join(args)
                     log.debug('Executing %s', command)
                     if DEBUG:
                         print(command)
                     p = Popen(command, shell=True, stdout=PIPE, stderr=PIPE, cwd=self.cwd)
                     stdout, stderr = p.communicate()
                     if DEBUG:
                         print('{} {}'.format(stdout, stderr))
                     return stdout, stderr
             def get_session():
                 conf = {}
                 engine = engine_from_config(conf, 'sqlalchemy.db1.')
                 init_model(engine)
                 sa = meta.Session
                 return sa
             def create_test_user(force=True):
                 print('creating test user')
                 sa = get_session()
                 user = sa.query(User).filter(User.username == USER).scalar()
                 if force and user is not None:
                     print('removing current user')
                     for repo in sa.query(Repository).filter(Repository.user == user).all():
                         sa.delete(repo)
                     sa.delete(user)
                     sa.commit()
                 if user is None or force:
                     print('creating new one')
                     new_usr = User()
                     new_usr.username = USER
                     new_usr.password = get_crypt_password(PASS)
                     new_usr.email = 'mail@mail.com'
                     new_usr.name = 'test'
                     new_usr.lastname = 'lasttestname'
                     new_usr.active = True
                     new_usr.admin = True
                     sa.add(new_usr)
                     sa.commit()
                 print('done')
             def create_test_repo(force=True):
                 print('creating test repo')
                 from rhodecode.model.repo import RepoModel
                 sa = get_session()
                 user = sa.query(User).filter(User.username == USER).scalar()
                 if user is None:
                     raise Exception('user not found')
                 repo = sa.query(Repository).filter(Repository.repo_name == HG_REPO).scalar()
                 if repo is None:
                     print('repo not found creating')
                     form_data = {'repo_name': HG_REPO,
                                  'repo_type': 'hg',
                                  'private':False,
                                  'clone_uri': '' }
                     rm = RepoModel(sa)
                     rm.base_path = '/home/hg'
                     rm.create(form_data, user)
                 print('done')
             def get_anonymous_access():
                 sa = get_session()
                 return sa.query(User).filter(User.username == 'default').one().active
             #==============================================================================
             # TESTS
             #==============================================================================
             def test_clone_with_credentials(repo=HG_REPO, method=METHOD,
                                             seq=None, backend='hg', check_output=True):
                 cwd = path = jn(TESTS_TMP_PATH, repo)
                 if seq is None:
                     seq = _RandomNameSequence().next()
                 try:
                     shutil.rmtree(path, ignore_errors=True)
                     os.makedirs(path)
                 except OSError:
                     raise
                 clone_url = 'http://%(user)s:%(pass)s@%(host)s/%(cloned_repo)s' % \
                               {'user': USER,
                                'pass': PASS,
                                'host': HOST,
                                'cloned_repo': repo, }
                 dest = path + seq
                 if method == 'pull':
                     stdout, stderr = Command(cwd).execute(backend, method, '--cwd', dest, clone_url)
                 else:
                     stdout, stderr = Command(cwd).execute(backend, method, clone_url, dest)
                     if check_output:
                         if backend == 'hg':
                             assert """adding file changes""" in stdout, 'no messages about cloning'
                             assert """abort""" not in stderr, 'got error from clone'
                         elif backend == 'git':
                             assert """Cloning into""" in stdout, 'no messages about cloning'
             if __name__ == '__main__':
                 try:
                     create_test_user(force=False)
                     seq = None
                     import time
                     try:
                         METHOD = sys.argv[3]
                     except Exception:
                         pass
                     try:
                         backend = sys.argv[4]
                     except Exception:
                         backend = 'hg'
                     if METHOD == 'pull':
                         seq = _RandomNameSequence().next()
                         test_clone_with_credentials(repo=sys.argv[1], method='clone',
                                                     seq=seq, backend=backend)
                     s = time.time()
                     for i in range(1, int(sys.argv[2]) + 1):
                         print('take {}'.format(i))
                         test_clone_with_credentials(repo=sys.argv[1], method=METHOD,
                                                     seq=seq, backend=backend)
-                    print('time taken %.3f' % (time.time() - s))
+                    print('time taken %.4f' % (time.time() - s))
                 except Exception as e:
                     sys.exit('stop on %s' % e)

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages