rhodecode-enterprise-ce Commit - r4421:73f70a03

permissions: allow users to update settings for repository groups they still own, or have admin perms, when they don't change their name....

dan -

r4421:73f70a03 default

parent child

Collapse all files

rhodecode/api/tests/test_create_repo_group.py

0 +2 -2

             # -*- coding: utf-8 -*-
             # Copyright (C) 2010-2020 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import mock
             import pytest
             from rhodecode.model.meta import Session
             from rhodecode.model.repo_group import RepoGroupModel
             from rhodecode.model.user import UserModel
             from rhodecode.tests import TEST_USER_ADMIN_LOGIN
             from rhodecode.api.tests.utils import (
                 build_data, api_call, assert_ok, assert_error, crash)
             from rhodecode.tests.fixture import Fixture
             fixture = Fixture()
             @pytest.mark.usefixtures("testuser_api", "app")
             class TestCreateRepoGroup(object):
                 def test_api_create_repo_group(self):
                     repo_group_name = 'api-repo-group'
                     repo_group = RepoGroupModel.cls.get_by_group_name(repo_group_name)
                     assert repo_group is None
                     id_, params = build_data(
                         self.apikey, 'create_repo_group',
                         group_name=repo_group_name,
                         owner=TEST_USER_ADMIN_LOGIN,)
                     response = api_call(self.app, params)
                     repo_group = RepoGroupModel.cls.get_by_group_name(repo_group_name)
                     assert repo_group is not None
                     ret = {
                         'msg': 'Created new repo group `%s`' % (repo_group_name,),
                         'repo_group': repo_group.get_api_data()
                     }
                     expected = ret
                     try:
                         assert_ok(id_, expected, given=response.body)
                     finally:
                         fixture.destroy_repo_group(repo_group_name)
                 def test_api_create_repo_group_in_another_group(self):
                     repo_group_name = 'api-repo-group'
                     repo_group = RepoGroupModel.cls.get_by_group_name(repo_group_name)
                     assert repo_group is None
                     # create the parent
                     fixture.create_repo_group(repo_group_name)
                     full_repo_group_name = repo_group_name+'/'+repo_group_name
                     id_, params = build_data(
                         self.apikey, 'create_repo_group',
                         group_name=full_repo_group_name,
                         owner=TEST_USER_ADMIN_LOGIN,
                         copy_permissions=True)
                     response = api_call(self.app, params)
                     repo_group = RepoGroupModel.cls.get_by_group_name(full_repo_group_name)
                     assert repo_group is not None
                     ret = {
                         'msg': 'Created new repo group `%s`' % (full_repo_group_name,),
                         'repo_group': repo_group.get_api_data()
                     }
                     expected = ret
                     try:
                         assert_ok(id_, expected, given=response.body)
                     finally:
                         fixture.destroy_repo_group(full_repo_group_name)
                         fixture.destroy_repo_group(repo_group_name)
                 def test_api_create_repo_group_in_another_group_not_existing(self):
                     repo_group_name = 'api-repo-group-no'
                     repo_group = RepoGroupModel.cls.get_by_group_name(repo_group_name)
                     assert repo_group is None
                     full_repo_group_name = repo_group_name+'/'+repo_group_name
                     id_, params = build_data(
                         self.apikey, 'create_repo_group',
                         group_name=full_repo_group_name,
                         owner=TEST_USER_ADMIN_LOGIN,
                         copy_permissions=True)
                     response = api_call(self.app, params)
                     expected = {
                         'repo_group':
                             'Parent repository group `{}` does not exist'.format(
                                 repo_group_name)}
                     assert_error(id_, expected, given=response.body)
                 def test_api_create_repo_group_that_exists(self):
                     repo_group_name = 'api-repo-group'
                     repo_group = RepoGroupModel.cls.get_by_group_name(repo_group_name)
                     assert repo_group is None
                     fixture.create_repo_group(repo_group_name)
                     id_, params = build_data(
                         self.apikey, 'create_repo_group',
                         group_name=repo_group_name,
                         owner=TEST_USER_ADMIN_LOGIN,)
                     response = api_call(self.app, params)
                     expected = {
                         'unique_repo_group_name':
                             'Repository group with name `{}` already exists'.format(
                                 repo_group_name)}
                     try:
                         assert_error(id_, expected, given=response.body)
                     finally:
                         fixture.destroy_repo_group(repo_group_name)
                 def test_api_create_repo_group_regular_user_wit_root_location_perms(
                         self, user_util):
                     regular_user = user_util.create_user()
                     regular_user_api_key = regular_user.api_key
                     repo_group_name = 'api-repo-group-by-regular-user'
                     usr = UserModel().get_by_username(regular_user.username)
                     usr.inherit_default_permissions = False
                     Session().add(usr)
                     UserModel().grant_perm(
                         regular_user.username, 'hg.repogroup.create.true')
                     Session().commit()
                     repo_group = RepoGroupModel.cls.get_by_group_name(repo_group_name)
                     assert repo_group is None
                     id_, params = build_data(
                         regular_user_api_key, 'create_repo_group',
                         group_name=repo_group_name)
                     response = api_call(self.app, params)
                     repo_group = RepoGroupModel.cls.get_by_group_name(repo_group_name)
                     assert repo_group is not None
                     expected = {
                         'msg': 'Created new repo group `%s`' % (repo_group_name,),
                         'repo_group': repo_group.get_api_data()
                     }
                     try:
                         assert_ok(id_, expected, given=response.body)
                     finally:
                         fixture.destroy_repo_group(repo_group_name)
                 def test_api_create_repo_group_regular_user_with_admin_perms_to_parent(
                         self, user_util):
                     repo_group_name = 'api-repo-group-parent'
                     repo_group = RepoGroupModel.cls.get_by_group_name(repo_group_name)
                     assert repo_group is None
                     # create the parent
                     fixture.create_repo_group(repo_group_name)
                     # user perms
                     regular_user = user_util.create_user()
                     regular_user_api_key = regular_user.api_key
                     usr = UserModel().get_by_username(regular_user.username)
                     usr.inherit_default_permissions = False
                     Session().add(usr)
                     RepoGroupModel().grant_user_permission(
                         repo_group_name, regular_user.username, 'group.admin')
                     Session().commit()
                     full_repo_group_name = repo_group_name + '/' + repo_group_name
                     id_, params = build_data(
                         regular_user_api_key, 'create_repo_group',
                         group_name=full_repo_group_name)
                     response = api_call(self.app, params)
                     repo_group = RepoGroupModel.cls.get_by_group_name(full_repo_group_name)
                     assert repo_group is not None
                     expected = {
                         'msg': 'Created new repo group `{}`'.format(full_repo_group_name),
                         'repo_group': repo_group.get_api_data()
                     }
                     try:
                         assert_ok(id_, expected, given=response.body)
                     finally:
                         fixture.destroy_repo_group(full_repo_group_name)
                         fixture.destroy_repo_group(repo_group_name)
                 def test_api_create_repo_group_regular_user_no_permission_to_create_to_root_level(self):
                     repo_group_name = 'api-repo-group'
                     id_, params = build_data(
                         self.apikey_regular, 'create_repo_group',
                         group_name=repo_group_name)
                     response = api_call(self.app, params)
                     expected = {
                         'repo_group':
                             u'You do not have the permission to store '
                             u'repository groups in the root location.'}
                     assert_error(id_, expected, given=response.body)
                 def test_api_create_repo_group_regular_user_no_parent_group_perms(self):
                     repo_group_name = 'api-repo-group-regular-user'
                     repo_group = RepoGroupModel.cls.get_by_group_name(repo_group_name)
                     assert repo_group is None
                     # create the parent
                     fixture.create_repo_group(repo_group_name)
                     full_repo_group_name = repo_group_name+'/'+repo_group_name
                     id_, params = build_data(
                         self.apikey_regular, 'create_repo_group',
                         group_name=full_repo_group_name)
                     response = api_call(self.app, params)
                     expected = {
                         'repo_group':
-                            'Parent repository group `{}` does not exist'.format(
+                            u"You do not have the permissions to store "
-                                repo_group_name)}
+                            u"repository groups inside repository group `{}`".format(repo_group_name)}
                     try:
                         assert_error(id_, expected, given=response.body)
                     finally:
                         fixture.destroy_repo_group(repo_group_name)
                 def test_api_create_repo_group_regular_user_no_permission_to_specify_owner(
                         self):
                     repo_group_name = 'api-repo-group'
                     id_, params = build_data(
                         self.apikey_regular, 'create_repo_group',
                         group_name=repo_group_name,
                         owner=TEST_USER_ADMIN_LOGIN,)
                     response = api_call(self.app, params)
                     expected = "Only RhodeCode super-admin can specify `owner` param"
                     assert_error(id_, expected, given=response.body)
                 @mock.patch.object(RepoGroupModel, 'create', crash)
                 def test_api_create_repo_group_exception_occurred(self):
                     repo_group_name = 'api-repo-group'
                     repo_group = RepoGroupModel.cls.get_by_group_name(repo_group_name)
                     assert repo_group is None
                     id_, params = build_data(
                         self.apikey, 'create_repo_group',
                         group_name=repo_group_name,
                         owner=TEST_USER_ADMIN_LOGIN,)
                     response = api_call(self.app, params)
                     expected = 'failed to create repo group `%s`' % (repo_group_name,)
                     assert_error(id_, expected, given=response.body)
                 def test_create_group_with_extra_slashes_in_name(self, user_util):
                     existing_repo_group = user_util.create_repo_group()
                     dirty_group_name = '//{}//group2//'.format(
                         existing_repo_group.group_name)
                     cleaned_group_name = '{}/group2'.format(
                         existing_repo_group.group_name)
                     id_, params = build_data(
                         self.apikey, 'create_repo_group',
                         group_name=dirty_group_name,
                         owner=TEST_USER_ADMIN_LOGIN,)
                     response = api_call(self.app, params)
                     repo_group = RepoGroupModel.cls.get_by_group_name(cleaned_group_name)
                     expected = {
                         'msg': 'Created new repo group `%s`' % (cleaned_group_name,),
                         'repo_group': repo_group.get_api_data()
                     }
                     assert_ok(id_, expected, given=response.body)
                     fixture.destroy_repo_group(cleaned_group_name)

rhodecode/model/validation_schema/schemas/repo_group_schema.py

0 +16 -3

             # -*- coding: utf-8 -*-
             # Copyright (C) 2016-2020 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import colander
             import deform.widget
             from rhodecode.translation import _
             from rhodecode.model.validation_schema import validators, preparers, types
             def get_group_and_repo(repo_name):
                 from rhodecode.model.repo_group import RepoGroupModel
                 return RepoGroupModel()._get_group_name_and_parent(
                     repo_name, get_object=True)
             def get_repo_group(repo_group_id):
                 from rhodecode.model.repo_group import RepoGroup
                 return RepoGroup.get(repo_group_id), RepoGroup.CHOICES_SEPARATOR
             @colander.deferred
             def deferred_can_write_to_group_validator(node, kw):
                 old_values = kw.get('old_values') or {}
                 request_user = kw.get('user')
                 def can_write_group_validator(node, value):
                     from rhodecode.lib.auth import (
                         HasPermissionAny, HasRepoGroupPermissionAny)
                     from rhodecode.model.repo_group import RepoGroupModel
                     messages = {
                         'invalid_parent_repo_group':
                             _(u"Parent repository group `{}` does not exist"),
                         # permissions denied we expose as not existing, to prevent
                         # resource discovery
                         'permission_denied_parent_group':
-                            _(u"Parent repository group `{}` does not exist"),
+                            _(u"You do not have the permissions to store "
+                              u"repository groups inside repository group `{}`"),
                         'permission_denied_root':
                             _(u"You do not have the permission to store "
                               u"repository groups in the root location.")
                     }
                     value = value['repo_group_name']
                     parent_group_name = value
                     is_root_location = value is types.RootLocation
                     # NOT initialized validators, we must call them
                     can_create_repo_groups_at_root = HasPermissionAny(
                         'hg.admin', 'hg.repogroup.create.true')
                     if is_root_location:
                         if can_create_repo_groups_at_root(user=request_user):
                             # we can create repo group inside tool-level. No more checks
                             # are required
                             return
                         else:
                             raise colander.Invalid(node, messages['permission_denied_root'])
                     # check if the parent repo group actually exists
                     parent_group = None
                     if parent_group_name:
                         parent_group = RepoGroupModel().get_by_group_name(parent_group_name)
                         if value and not parent_group:
                             raise colander.Invalid(
                                 node, messages['invalid_parent_repo_group'].format(
                                     parent_group_name))
                     # check if we have permissions to create new groups under
                     # parent repo group
                     # create repositories with write permission on group is set to true
                     create_on_write = HasPermissionAny(
                         'hg.create.write_on_repogroup.true')(user=request_user)
                     group_admin = HasRepoGroupPermissionAny('group.admin')(
                         parent_group_name, 'can write into group validator', user=request_user)
                     group_write = HasRepoGroupPermissionAny('group.write')(
                         parent_group_name, 'can write into group validator', user=request_user)
                     # creation by write access is currently disabled. Needs thinking if
                     # we want to allow this...
                     forbidden = not (group_admin or (group_write and create_on_write and 0))
+                    old_name = old_values.get('group_name')
+                    if old_name and old_name == old_values.get('submitted_repo_group_name'):
+                        # we're editing a repository group, we didn't change the name
+                        # we skip the check for write into parent group now
+                        # this allows changing settings for this repo group
+                        return
                     if parent_group and forbidden:
-                        msg = messages['permission_denied_parent_group'].format(
+                        msg = messages['permission_denied_parent_group'].format(parent_group_name)
-                            parent_group_name)
                         raise colander.Invalid(node, msg)
                 return can_write_group_validator
             @colander.deferred
             def deferred_repo_group_owner_validator(node, kw):
                 def repo_owner_validator(node, value):
                     from rhodecode.model.db import User
                     existing = User.get_by_username(value)
                     if not existing:
                         msg = _(u'Repo group owner with id `{}` does not exists').format(
                             value)
                         raise colander.Invalid(node, msg)
                 return repo_owner_validator
             @colander.deferred
             def deferred_unique_name_validator(node, kw):
                 request_user = kw.get('user')
                 old_values = kw.get('old_values') or {}
                 def unique_name_validator(node, value):
                     from rhodecode.model.db import Repository, RepoGroup
                     name_changed = value != old_values.get('group_name')
                     existing = Repository.get_by_repo_name(value)
                     if name_changed and existing:
                         msg = _(u'Repository with name `{}` already exists').format(value)
                         raise colander.Invalid(node, msg)
                     existing_group = RepoGroup.get_by_group_name(value)
                     if name_changed and existing_group:
                         msg = _(u'Repository group with name `{}` already exists').format(
                             value)
                         raise colander.Invalid(node, msg)
                 return unique_name_validator
             @colander.deferred
             def deferred_repo_group_name_validator(node, kw):
                 return validators.valid_name_validator
             @colander.deferred
             def deferred_repo_group_validator(node, kw):
                 options = kw.get(
                     'repo_group_repo_group_options')
                 return colander.OneOf([x for x in options])
             @colander.deferred
             def deferred_repo_group_widget(node, kw):
                 items = kw.get('repo_group_repo_group_items')
                 return deform.widget.Select2Widget(values=items)
             class GroupType(colander.Mapping):
                 def _validate(self, node, value):
                     try:
                         return dict(repo_group_name=value)
                     except Exception as e:
                         raise colander.Invalid(
                             node, '"${val}" is not a mapping type: ${err}'.format(
                                 val=value, err=e))
                 def deserialize(self, node, cstruct):
                     if cstruct is colander.null:
                         return cstruct
                     appstruct = super(GroupType, self).deserialize(node, cstruct)
                     validated_name = appstruct['repo_group_name']
                     # inject group based on once deserialized data
                     (repo_group_name_without_group,
                      parent_group_name,
                      parent_group) = get_group_and_repo(validated_name)
                     appstruct['repo_group_name_with_group'] = validated_name
                     appstruct['repo_group_name_without_group'] = repo_group_name_without_group
                     appstruct['repo_group_name'] = parent_group_name or types.RootLocation
                     if parent_group:
                         appstruct['repo_group_id'] = parent_group.group_id
                     return appstruct
             class GroupSchema(colander.SchemaNode):
                 schema_type = GroupType
                 validator = deferred_can_write_to_group_validator
                 missing = colander.null
             class RepoGroup(GroupSchema):
                 repo_group_name = colander.SchemaNode(
                     types.GroupNameType())
                 repo_group_id = colander.SchemaNode(
                     colander.String(), missing=None)
                 repo_group_name_without_group = colander.SchemaNode(
                     colander.String(), missing=None)
             class RepoGroupAccessSchema(colander.MappingSchema):
                 repo_group = RepoGroup()
             class RepoGroupNameUniqueSchema(colander.MappingSchema):
                 unique_repo_group_name = colander.SchemaNode(
                     colander.String(),
                     validator=deferred_unique_name_validator)
             class RepoGroupSchema(colander.Schema):
                 repo_group_name = colander.SchemaNode(
                     types.GroupNameType(),
                     validator=deferred_repo_group_name_validator)
                 repo_group_owner = colander.SchemaNode(
                     colander.String(),
                     validator=deferred_repo_group_owner_validator)
                 repo_group_description = colander.SchemaNode(
                     colander.String(), missing='', widget=deform.widget.TextAreaWidget())
                 repo_group_copy_permissions = colander.SchemaNode(
                     types.StringBooleanType(),
                     missing=False, widget=deform.widget.CheckboxWidget())
                 repo_group_enable_locking = colander.SchemaNode(
                     types.StringBooleanType(),
                     missing=False, widget=deform.widget.CheckboxWidget())
                 def deserialize(self, cstruct):
                     """
                     Custom deserialize that allows to chain validation, and verify
                     permissions, and as last step uniqueness
                     """
                     appstruct = super(RepoGroupSchema, self).deserialize(cstruct)
                     validated_name = appstruct['repo_group_name']
                     # second pass to validate permissions to repo_group
+                    if 'old_values' in self.bindings:
+                        # save current repo name for name change checks
+                        self.bindings['old_values']['submitted_repo_group_name'] = validated_name
                     second = RepoGroupAccessSchema().bind(**self.bindings)
                     appstruct_second = second.deserialize({'repo_group': validated_name})
                     # save result
                     appstruct['repo_group'] = appstruct_second['repo_group']
                     # thirds to validate uniqueness
                     third = RepoGroupNameUniqueSchema().bind(**self.bindings)
                     third.deserialize({'unique_repo_group_name': validated_name})
                     return appstruct
             class RepoGroupSettingsSchema(RepoGroupSchema):
                 repo_group = colander.SchemaNode(
                     colander.Integer(),
                     validator=deferred_repo_group_validator,
                     widget=deferred_repo_group_widget,
                     missing='')
                 def deserialize(self, cstruct):
                     """
                     Custom deserialize that allows to chain validation, and verify
                     permissions, and as last step uniqueness
                     """
                     # first pass, to validate given data
                     appstruct = super(RepoGroupSchema, self).deserialize(cstruct)
                     validated_name = appstruct['repo_group_name']
                     # because of repoSchema adds repo-group as an ID, we inject it as
                     # full name here because validators require it, it's unwrapped later
                     # so it's safe to use and final name is going to be without group anyway
                     group, separator = get_repo_group(appstruct['repo_group'])
                     if group:
                         validated_name = separator.join([group.group_name, validated_name])
                     # second pass to validate permissions to repo_group
+                    if 'old_values' in self.bindings:
+                        # save current repo name for name change checks
+                        self.bindings['old_values']['submitted_repo_group_name'] = validated_name
                     second = RepoGroupAccessSchema().bind(**self.bindings)
                     appstruct_second = second.deserialize({'repo_group': validated_name})
                     # save result
                     appstruct['repo_group'] = appstruct_second['repo_group']
                     # thirds to validate uniqueness
                     third = RepoGroupNameUniqueSchema().bind(**self.bindings)
                     third.deserialize({'unique_repo_group_name': validated_name})
                     return appstruct

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages