##// END OF EJS Templates
rhodecode-enterprise-ce
RSS
fix(permissions): Invalidate cache on changing the default permissions...
super-admin -
r5186:76f12b03 default
parent child Browse files
Show More
Show file before | Show file after | Hide comments
@@ -1,606 +1,609 b''
1 1 # Copyright (C) 2010-2023 RhodeCode GmbH
2 2 #
3 3 # This program is free software: you can redistribute it and/or modify
4 4 # it under the terms of the GNU Affero General Public License, version 3
5 5 # (only), as published by the Free Software Foundation.
6 6 #
7 7 # This program is distributed in the hope that it will be useful,
8 8 # but WITHOUT ANY WARRANTY; without even the implied warranty of
9 9 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 10 # GNU General Public License for more details.
11 11 #
12 12 # You should have received a copy of the GNU Affero General Public License
13 13 # along with this program. If not, see <http://www.gnu.org/licenses/>.
14 14 #
15 15 # This program is dual-licensed. If you wish to learn more about the
16 16 # RhodeCode Enterprise Edition, including its added features, Support services,
17 17 # and proprietary license terms, please see https://rhodecode.com/licenses/
18 18
19 19 """
20 20 permissions model for RhodeCode
21 21 """
22 22 import collections
23 23 import logging
24 24 import traceback
25 25
26 26 from sqlalchemy.exc import DatabaseError
27 27
28 28 from rhodecode import events
29 29 from rhodecode.model import BaseModel
30 30 from rhodecode.model.db import (
31 31 User, Permission, UserToPerm, UserRepoToPerm, UserRepoGroupToPerm,
32 32 UserUserGroupToPerm, UserGroup, UserGroupToPerm, UserToRepoBranchPermission)
33 33 from rhodecode.lib.utils2 import str2bool, safe_int
34 34
35 35 log = logging.getLogger(__name__)
36 36
37 37
38 38 class PermissionModel(BaseModel):
39 39 """
40 40 Permissions model for RhodeCode
41 41 """
42 42 FORKING_DISABLED = 'hg.fork.none'
43 43 FORKING_ENABLED = 'hg.fork.repository'
44 44
45 45 cls = Permission
46 46 global_perms = {
47 47 'default_repo_create': None,
48 48 # special case for create repos on write access to group
49 49 'default_repo_create_on_write': None,
50 50 'default_repo_group_create': None,
51 51 'default_user_group_create': None,
52 52 'default_fork_create': None,
53 53 'default_inherit_default_permissions': None,
54 54 'default_register': None,
55 55 'default_password_reset': None,
56 56 'default_extern_activate': None,
57 57
58 58 # object permissions below
59 59 'default_repo_perm': None,
60 60 'default_group_perm': None,
61 61 'default_user_group_perm': None,
62 62
63 63 # branch
64 64 'default_branch_perm': None,
65 65 }
66 66
67 67 def set_global_permission_choices(self, c_obj, gettext_translator):
68 68 _ = gettext_translator
69 69
70 70 c_obj.repo_perms_choices = [
71 71 ('repository.none', _('None'),),
72 72 ('repository.read', _('Read'),),
73 73 ('repository.write', _('Write'),),
74 74 ('repository.admin', _('Admin'),)]
75 75
76 76 c_obj.group_perms_choices = [
77 77 ('group.none', _('None'),),
78 78 ('group.read', _('Read'),),
79 79 ('group.write', _('Write'),),
80 80 ('group.admin', _('Admin'),)]
81 81
82 82 c_obj.user_group_perms_choices = [
83 83 ('usergroup.none', _('None'),),
84 84 ('usergroup.read', _('Read'),),
85 85 ('usergroup.write', _('Write'),),
86 86 ('usergroup.admin', _('Admin'),)]
87 87
88 88 c_obj.branch_perms_choices = [
89 89 ('branch.none', _('Protected/No Access'),),
90 90 ('branch.merge', _('Web merge'),),
91 91 ('branch.push', _('Push'),),
92 92 ('branch.push_force', _('Force Push'),)]
93 93
94 94 c_obj.register_choices = [
95 95 ('hg.register.none', _('Disabled')),
96 96 ('hg.register.manual_activate', _('Allowed with manual account activation')),
97 97 ('hg.register.auto_activate', _('Allowed with automatic account activation'))]
98 98
99 99 c_obj.password_reset_choices = [
100 100 ('hg.password_reset.enabled', _('Allow password recovery')),
101 101 ('hg.password_reset.hidden', _('Hide password recovery link')),
102 102 ('hg.password_reset.disabled', _('Disable password recovery'))]
103 103
104 104 c_obj.extern_activate_choices = [
105 105 ('hg.extern_activate.manual', _('Manual activation of external account')),
106 106 ('hg.extern_activate.auto', _('Automatic activation of external account'))]
107 107
108 108 c_obj.repo_create_choices = [
109 109 ('hg.create.none', _('Disabled')),
110 110 ('hg.create.repository', _('Enabled'))]
111 111
112 112 c_obj.repo_create_on_write_choices = [
113 113 ('hg.create.write_on_repogroup.false', _('Disabled')),
114 114 ('hg.create.write_on_repogroup.true', _('Enabled'))]
115 115
116 116 c_obj.user_group_create_choices = [
117 117 ('hg.usergroup.create.false', _('Disabled')),
118 118 ('hg.usergroup.create.true', _('Enabled'))]
119 119
120 120 c_obj.repo_group_create_choices = [
121 121 ('hg.repogroup.create.false', _('Disabled')),
122 122 ('hg.repogroup.create.true', _('Enabled'))]
123 123
124 124 c_obj.fork_choices = [
125 125 (self.FORKING_DISABLED, _('Disabled')),
126 126 (self.FORKING_ENABLED, _('Enabled'))]
127 127
128 128 c_obj.inherit_default_permission_choices = [
129 129 ('hg.inherit_default_perms.false', _('Disabled')),
130 130 ('hg.inherit_default_perms.true', _('Enabled'))]
131 131
132 132 def get_default_perms(self, object_perms, suffix):
133 133 defaults = {}
134 134 for perm in object_perms:
135 135 # perms
136 136 if perm.permission.permission_name.startswith('repository.'):
137 137 defaults['default_repo_perm' + suffix] = perm.permission.permission_name
138 138
139 139 if perm.permission.permission_name.startswith('group.'):
140 140 defaults['default_group_perm' + suffix] = perm.permission.permission_name
141 141
142 142 if perm.permission.permission_name.startswith('usergroup.'):
143 143 defaults['default_user_group_perm' + suffix] = perm.permission.permission_name
144 144
145 145 # branch
146 146 if perm.permission.permission_name.startswith('branch.'):
147 147 defaults['default_branch_perm' + suffix] = perm.permission.permission_name
148 148
149 149 # creation of objects
150 150 if perm.permission.permission_name.startswith('hg.create.write_on_repogroup'):
151 151 defaults['default_repo_create_on_write' + suffix] = perm.permission.permission_name
152 152
153 153 elif perm.permission.permission_name.startswith('hg.create.'):
154 154 defaults['default_repo_create' + suffix] = perm.permission.permission_name
155 155
156 156 if perm.permission.permission_name.startswith('hg.fork.'):
157 157 defaults['default_fork_create' + suffix] = perm.permission.permission_name
158 158
159 159 if perm.permission.permission_name.startswith('hg.inherit_default_perms.'):
160 160 defaults['default_inherit_default_permissions' + suffix] = perm.permission.permission_name
161 161
162 162 if perm.permission.permission_name.startswith('hg.repogroup.'):
163 163 defaults['default_repo_group_create' + suffix] = perm.permission.permission_name
164 164
165 165 if perm.permission.permission_name.startswith('hg.usergroup.'):
166 166 defaults['default_user_group_create' + suffix] = perm.permission.permission_name
167 167
168 168 # registration and external account activation
169 169 if perm.permission.permission_name.startswith('hg.register.'):
170 170 defaults['default_register' + suffix] = perm.permission.permission_name
171 171
172 172 if perm.permission.permission_name.startswith('hg.password_reset.'):
173 173 defaults['default_password_reset' + suffix] = perm.permission.permission_name
174 174
175 175 if perm.permission.permission_name.startswith('hg.extern_activate.'):
176 176 defaults['default_extern_activate' + suffix] = perm.permission.permission_name
177 177
178 178 return defaults
179 179
180 180 def _make_new_user_perm(self, user, perm_name):
181 181 log.debug('Creating new user permission:%s', perm_name)
182 182 new_perm = Permission.get_by_key(perm_name)
183 183 if not new_perm:
184 184 raise ValueError(f'permission with name {perm_name} not found')
185 185
186 186 new = UserToPerm()
187 187 new.user = user
188 188 new.permission = new_perm
189 189 return new
190 190
191 191 def _make_new_user_group_perm(self, user_group, perm_name):
192 192 log.debug('Creating new user group permission:%s', perm_name)
193 193 new_perm = Permission.get_by_key(perm_name)
194 194 if not new_perm:
195 195 raise ValueError(f'permission with name {perm_name} not found')
196 196
197 197 new = UserGroupToPerm()
198 198 new.users_group = user_group
199 199 new.permission = new_perm
200 200 return new
201 201
202 202 def _keep_perm(self, perm_name, keep_fields):
203 203 def get_pat(field_name):
204 204 return {
205 205 # global perms
206 206 'default_repo_create': 'hg.create.',
207 207 # special case for create repos on write access to group
208 208 'default_repo_create_on_write': 'hg.create.write_on_repogroup.',
209 209 'default_repo_group_create': 'hg.repogroup.create.',
210 210 'default_user_group_create': 'hg.usergroup.create.',
211 211 'default_fork_create': 'hg.fork.',
212 212 'default_inherit_default_permissions': 'hg.inherit_default_perms.',
213 213
214 214 # application perms
215 215 'default_register': 'hg.register.',
216 216 'default_password_reset': 'hg.password_reset.',
217 217 'default_extern_activate': 'hg.extern_activate.',
218 218
219 219 # object permissions below
220 220 'default_repo_perm': 'repository.',
221 221 'default_group_perm': 'group.',
222 222 'default_user_group_perm': 'usergroup.',
223 223 # branch
224 224 'default_branch_perm': 'branch.',
225 225
226 226 }[field_name]
227 227 for field in keep_fields:
228 228 pat = get_pat(field)
229 229 if perm_name.startswith(pat):
230 230 return True
231 231 return False
232 232
233 233 def _clear_object_perm(self, object_perms, preserve=None):
234 234 preserve = preserve or []
235 235 _deleted = []
236 236 for perm in object_perms:
237 237 perm_name = perm.permission.permission_name
238 238 if not self._keep_perm(perm_name, keep_fields=preserve):
239 239 _deleted.append(perm_name)
240 240 self.sa.delete(perm)
241 241 return _deleted
242 242
243 243 def _clear_user_perms(self, user_id, preserve=None):
244 244 perms = self.sa.query(UserToPerm)\
245 245 .filter(UserToPerm.user_id == user_id)\
246 246 .all()
247 247 return self._clear_object_perm(perms, preserve=preserve)
248 248
249 249 def _clear_user_group_perms(self, user_group_id, preserve=None):
250 250 perms = self.sa.query(UserGroupToPerm)\
251 251 .filter(UserGroupToPerm.users_group_id == user_group_id)\
252 252 .all()
253 253 return self._clear_object_perm(perms, preserve=preserve)
254 254
255 255 def _set_new_object_perms(self, obj_type, to_object, form_result, preserve=None):
256 256 # clear current entries, to make this function idempotent
257 257 # it will fix even if we define more permissions or permissions
258 258 # are somehow missing
259 259 preserve = preserve or []
260 260 _global_perms = self.global_perms.copy()
261 261 if obj_type not in ['user', 'user_group']:
262 262 raise ValueError("obj_type must be on of 'user' or 'user_group'")
263 263 global_perms = len(_global_perms)
264 264 default_user_perms = len(Permission.DEFAULT_USER_PERMISSIONS)
265 265 if global_perms != default_user_perms:
266 266 raise Exception(
267 267 'Inconsistent permissions definition. Got {} vs {}'.format(
268 268 global_perms, default_user_perms))
269 269
270 270 if obj_type == 'user':
271 271 self._clear_user_perms(to_object.user_id, preserve)
272 272 if obj_type == 'user_group':
273 273 self._clear_user_group_perms(to_object.users_group_id, preserve)
274 274
275 275 # now kill the keys that we want to preserve from the form.
276 276 for key in preserve:
277 277 del _global_perms[key]
278 278
279 279 for k in _global_perms.copy():
280 280 _global_perms[k] = form_result[k]
281 281
282 282 # at that stage we validate all are passed inside form_result
283 283 for _perm_key, perm_value in _global_perms.items():
284 284 if perm_value is None:
285 285 raise ValueError('Missing permission for {}'.format(_perm_key))
286 286
287 287 if obj_type == 'user':
288 288 p = self._make_new_user_perm(to_object, perm_value)
289 289 self.sa.add(p)
290 290 if obj_type == 'user_group':
291 291 p = self._make_new_user_group_perm(to_object, perm_value)
292 292 self.sa.add(p)
293 293
294 294 def _set_new_user_perms(self, user, form_result, preserve=None):
295 295 return self._set_new_object_perms(
296 296 'user', user, form_result, preserve)
297 297
298 298 def _set_new_user_group_perms(self, user_group, form_result, preserve=None):
299 299 return self._set_new_object_perms(
300 300 'user_group', user_group, form_result, preserve)
301 301
302 302 def set_new_user_perms(self, user, form_result):
303 303 # calculate what to preserve from what is given in form_result
304 304 preserve = set(self.global_perms.keys()).difference(set(form_result.keys()))
305 305 return self._set_new_user_perms(user, form_result, preserve)
306 306
307 307 def set_new_user_group_perms(self, user_group, form_result):
308 308 # calculate what to preserve from what is given in form_result
309 309 preserve = set(self.global_perms.keys()).difference(set(form_result.keys()))
310 310 return self._set_new_user_group_perms(user_group, form_result, preserve)
311 311
312 312 def create_permissions(self):
313 313 """
314 314 Create permissions for whole system
315 315 """
316 316 for p in Permission.PERMS:
317 317 if not Permission.get_by_key(p[0]):
318 318 new_perm = Permission()
319 319 new_perm.permission_name = p[0]
320 320 new_perm.permission_longname = p[0] # translation err with p[1]
321 321 self.sa.add(new_perm)
322 322
323 323 def _create_default_object_permission(self, obj_type, obj, obj_perms,
324 324 force=False):
325 325 if obj_type not in ['user', 'user_group']:
326 326 raise ValueError("obj_type must be on of 'user' or 'user_group'")
327 327
328 328 def _get_group(perm_name):
329 329 return '.'.join(perm_name.split('.')[:1])
330 330
331 331 defined_perms_groups = list(map(
332 332 _get_group, (x.permission.permission_name for x in obj_perms)))
333 333 log.debug('GOT ALREADY DEFINED:%s', obj_perms)
334 334
335 335 if force:
336 336 self._clear_object_perm(obj_perms)
337 337 self.sa.commit()
338 338 defined_perms_groups = []
339 339 # for every default permission that needs to be created, we check if
340 340 # it's group is already defined, if it's not we create default perm
341 341 for perm_name in Permission.DEFAULT_USER_PERMISSIONS:
342 342 gr = _get_group(perm_name)
343 343 if gr not in defined_perms_groups:
344 344 log.debug('GR:%s not found, creating permission %s',
345 345 gr, perm_name)
346 346 if obj_type == 'user':
347 347 new_perm = self._make_new_user_perm(obj, perm_name)
348 348 self.sa.add(new_perm)
349 349 if obj_type == 'user_group':
350 350 new_perm = self._make_new_user_group_perm(obj, perm_name)
351 351 self.sa.add(new_perm)
352 352
353 353 def create_default_user_permissions(self, user, force=False):
354 354 """
355 355 Creates only missing default permissions for user, if force is set it
356 356 resets the default permissions for that user
357 357
358 358 :param user:
359 359 :param force:
360 360 """
361 361 user = self._get_user(user)
362 362 obj_perms = UserToPerm.query().filter(UserToPerm.user == user).all()
363 363 return self._create_default_object_permission(
364 364 'user', user, obj_perms, force)
365 365
366 366 def create_default_user_group_permissions(self, user_group, force=False):
367 367 """
368 368 Creates only missing default permissions for user group, if force is
369 369 set it resets the default permissions for that user group
370 370
371 371 :param user_group:
372 372 :param force:
373 373 """
374 374 user_group = self._get_user_group(user_group)
375 375 obj_perms = UserToPerm.query().filter(UserGroupToPerm.users_group == user_group).all()
376 376 return self._create_default_object_permission(
377 377 'user_group', user_group, obj_perms, force)
378 378
379 379 def update_application_permissions(self, form_result):
380 380 if 'perm_user_id' in form_result:
381 381 perm_user = User.get(safe_int(form_result['perm_user_id']))
382 382 else:
383 383 # used mostly to do lookup for default user
384 384 perm_user = User.get_by_username(form_result['perm_user_name'])
385 385
386 386 try:
387 387 # stage 1 set anonymous access
388 388 if perm_user.username == User.DEFAULT_USER:
389 389 perm_user.active = str2bool(form_result['anonymous'])
390 390 self.sa.add(perm_user)
391 391
392 392 # stage 2 reset defaults and set them from form data
393 393 self._set_new_user_perms(perm_user, form_result, preserve=[
394 394 'default_repo_perm',
395 395 'default_group_perm',
396 396 'default_user_group_perm',
397 397 'default_branch_perm',
398 398
399 399 'default_repo_group_create',
400 400 'default_user_group_create',
401 401 'default_repo_create_on_write',
402 402 'default_repo_create',
403 403 'default_fork_create',
404 404 'default_inherit_default_permissions'])
405 405
406 406 self.sa.commit()
407 407 except (DatabaseError,):
408 408 log.error(traceback.format_exc())
409 409 self.sa.rollback()
410 410 raise
411 411
412 412 def update_user_permissions(self, form_result):
413 413 if 'perm_user_id' in form_result:
414 414 perm_user = User.get(safe_int(form_result['perm_user_id']))
415 415 else:
416 416 # used mostly to do lookup for default user
417 417 perm_user = User.get_by_username(form_result['perm_user_name'])
418 418 try:
419 419 # stage 2 reset defaults and set them from form data
420 420 self._set_new_user_perms(perm_user, form_result, preserve=[
421 421 'default_repo_perm',
422 422 'default_group_perm',
423 423 'default_user_group_perm',
424 424 'default_branch_perm',
425 425
426 426 'default_register',
427 427 'default_password_reset',
428 428 'default_extern_activate'])
429 429 self.sa.commit()
430 430 except (DatabaseError,):
431 431 log.error(traceback.format_exc())
432 432 self.sa.rollback()
433 433 raise
434 434
435 435 def update_user_group_permissions(self, form_result):
436 436 if 'perm_user_group_id' in form_result:
437 437 perm_user_group = UserGroup.get(safe_int(form_result['perm_user_group_id']))
438 438 else:
439 439 # used mostly to do lookup for default user
440 440 perm_user_group = UserGroup.get_by_group_name(form_result['perm_user_group_name'])
441 441 try:
442 442 # stage 2 reset defaults and set them from form data
443 443 self._set_new_user_group_perms(perm_user_group, form_result, preserve=[
444 444 'default_repo_perm',
445 445 'default_group_perm',
446 446 'default_user_group_perm',
447 447 'default_branch_perm',
448 448
449 449 'default_register',
450 450 'default_password_reset',
451 451 'default_extern_activate'])
452 452 self.sa.commit()
453 453 except (DatabaseError,):
454 454 log.error(traceback.format_exc())
455 455 self.sa.rollback()
456 456 raise
457 457
458 458 def update_object_permissions(self, form_result):
459 459 if 'perm_user_id' in form_result:
460 460 perm_user = User.get(safe_int(form_result['perm_user_id']))
461 461 else:
462 462 # used mostly to do lookup for default user
463 463 perm_user = User.get_by_username(form_result['perm_user_name'])
464 464 try:
465 465
466 466 # stage 2 reset defaults and set them from form data
467 467 self._set_new_user_perms(perm_user, form_result, preserve=[
468 468 'default_repo_group_create',
469 469 'default_user_group_create',
470 470 'default_repo_create_on_write',
471 471 'default_repo_create',
472 472 'default_fork_create',
473 473 'default_inherit_default_permissions',
474 474 'default_branch_perm',
475 475
476 476 'default_register',
477 477 'default_password_reset',
478 478 'default_extern_activate'])
479 479
480 480 # overwrite default repo permissions
481 481 if form_result['overwrite_default_repo']:
482 482 _def_name = form_result['default_repo_perm'].split('repository.')[-1]
483 483 _def = Permission.get_by_key('repository.' + _def_name)
484 484 for r2p in self.sa.query(UserRepoToPerm)\
485 485 .filter(UserRepoToPerm.user == perm_user)\
486 486 .all():
487 487 # don't reset PRIVATE repositories
488 488 if not r2p.repository.private:
489 489 r2p.permission = _def
490 490 self.sa.add(r2p)
491 491
492 492 # overwrite default repo group permissions
493 493 if form_result['overwrite_default_group']:
494 494 _def_name = form_result['default_group_perm'].split('group.')[-1]
495 495 _def = Permission.get_by_key('group.' + _def_name)
496 496 for g2p in self.sa.query(UserRepoGroupToPerm)\
497 497 .filter(UserRepoGroupToPerm.user == perm_user)\
498 498 .all():
499 499 g2p.permission = _def
500 500 self.sa.add(g2p)
501 501
502 502 # overwrite default user group permissions
503 503 if form_result['overwrite_default_user_group']:
504 504 _def_name = form_result['default_user_group_perm'].split('usergroup.')[-1]
505 505 # user groups
506 506 _def = Permission.get_by_key('usergroup.' + _def_name)
507 507 for g2p in self.sa.query(UserUserGroupToPerm)\
508 508 .filter(UserUserGroupToPerm.user == perm_user)\
509 509 .all():
510 510 g2p.permission = _def
511 511 self.sa.add(g2p)
512 512
513 513 # COMMIT
514 514 self.sa.commit()
515 515 except (DatabaseError,):
516 516 log.exception('Failed to set default object permissions')
517 517 self.sa.rollback()
518 518 raise
519 519
520 # because we've FORCED and update here, make sure we reset all permissions cache
521 PermissionModel().trigger_permission_flush()
522
520 523 def update_branch_permissions(self, form_result):
521 524 if 'perm_user_id' in form_result:
522 525 perm_user = User.get(safe_int(form_result['perm_user_id']))
523 526 else:
524 527 # used mostly to do lookup for default user
525 528 perm_user = User.get_by_username(form_result['perm_user_name'])
526 529 try:
527 530
528 531 # stage 2 reset defaults and set them from form data
529 532 self._set_new_user_perms(perm_user, form_result, preserve=[
530 533 'default_repo_perm',
531 534 'default_group_perm',
532 535 'default_user_group_perm',
533 536
534 537 'default_repo_group_create',
535 538 'default_user_group_create',
536 539 'default_repo_create_on_write',
537 540 'default_repo_create',
538 541 'default_fork_create',
539 542 'default_inherit_default_permissions',
540 543
541 544 'default_register',
542 545 'default_password_reset',
543 546 'default_extern_activate'])
544 547
545 548 # overwrite default branch permissions
546 549 if form_result['overwrite_default_branch']:
547 550 _def_name = \
548 551 form_result['default_branch_perm'].split('branch.')[-1]
549 552
550 553 _def = Permission.get_by_key('branch.' + _def_name)
551 554
552 555 user_perms = UserToRepoBranchPermission.query()\
553 556 .join(UserToRepoBranchPermission.user_repo_to_perm)\
554 557 .filter(UserRepoToPerm.user == perm_user).all()
555 558
556 559 for g2p in user_perms:
557 560 g2p.permission = _def
558 561 self.sa.add(g2p)
559 562
560 563 # COMMIT
561 564 self.sa.commit()
562 565 except (DatabaseError,):
563 566 log.exception('Failed to set default branch permissions')
564 567 self.sa.rollback()
565 568 raise
566 569
567 570 def get_users_with_repo_write(self, db_repo):
568 571 write_plus = ['repository.write', 'repository.admin']
569 572 default_user_id = User.get_default_user_id()
570 573 user_write_permissions = collections.OrderedDict()
571 574
572 575 # write or higher and DEFAULT user for inheritance
573 576 for perm in db_repo.permissions():
574 577 if perm.permission in write_plus or perm.user_id == default_user_id:
575 578 user_write_permissions[perm.user_id] = perm
576 579 return user_write_permissions
577 580
578 581 def get_user_groups_with_repo_write(self, db_repo):
579 582 write_plus = ['repository.write', 'repository.admin']
580 583 user_group_write_permissions = collections.OrderedDict()
581 584
582 585 # write or higher and DEFAULT user for inheritance
583 586 for p in db_repo.permission_user_groups():
584 587 if p.permission in write_plus:
585 588 user_group_write_permissions[p.users_group_id] = p
586 589 return user_group_write_permissions
587 590
588 591 def trigger_permission_flush(self, affected_user_ids=None):
589 592 affected_user_ids = affected_user_ids or User.get_all_user_ids()
590 593 events.trigger(events.UserPermissionsChange(affected_user_ids))
591 594
592 595 def flush_user_permission_caches(self, changes, affected_user_ids=None):
593 596 affected_user_ids = affected_user_ids or []
594 597
595 598 for change in changes['added'] + changes['updated'] + changes['deleted']:
596 599 if change['type'] == 'user':
597 600 affected_user_ids.append(change['id'])
598 601 if change['type'] == 'user_group':
599 602 user_group = UserGroup.get(safe_int(change['id']))
600 603 if user_group:
601 604 group_members_ids = [x.user_id for x in user_group.members]
602 605 affected_user_ids.extend(group_members_ids)
603 606
604 607 self.trigger_permission_flush(affected_user_ids)
605 608
606 609 return affected_user_ids
General Comments 0
You need to be logged in to leave comments. Login now