rhodecode-enterprise-ce Commit - r3887:85d5bce0

permissions: properly flush user cache permissions in more cases of permission changes....

marcink -

r3887:85d5bce0 default

parent child

rhodecode/api/views/repo_api.py

0 +9 -4

             # -*- coding: utf-8 -*-
             # Copyright (C) 2011-2019 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import logging
             import time
             import rhodecode
             from rhodecode.api import (
                 jsonrpc_method, JSONRPCError, JSONRPCForbidden, JSONRPCValidationError)
             from rhodecode.api.utils import (
                 has_superadmin_permission, Optional, OAttr, get_repo_or_error,
                 get_user_group_or_error, get_user_or_error, validate_repo_permissions,
                 get_perm_or_error, parse_args, get_origin, build_commit_data,
                 validate_set_owner_permissions)
             from rhodecode.lib import audit_logger, rc_cache
             from rhodecode.lib import repo_maintenance
             from rhodecode.lib.auth import HasPermissionAnyApi, HasUserGroupPermissionAnyApi
             from rhodecode.lib.celerylib.utils import get_task_id
             from rhodecode.lib.utils2 import str2bool, time_to_datetime, safe_str, safe_int
             from rhodecode.lib.ext_json import json
             from rhodecode.lib.exceptions import StatusChangeOnClosedPullRequestError
             from rhodecode.lib.vcs import RepositoryError
             from rhodecode.lib.vcs.exceptions import NodeDoesNotExistError
             from rhodecode.model.changeset_status import ChangesetStatusModel
             from rhodecode.model.comment import CommentsModel
             from rhodecode.model.db import (
                 Session, ChangesetStatus, RepositoryField, Repository, RepoGroup,
                 ChangesetComment)
+            from rhodecode.model.permission import PermissionModel
             from rhodecode.model.repo import RepoModel
             from rhodecode.model.scm import ScmModel, RepoList
             from rhodecode.model.settings import SettingsModel, VcsSettingsModel
             from rhodecode.model import validation_schema
             from rhodecode.model.validation_schema.schemas import repo_schema
             log = logging.getLogger(__name__)
             @jsonrpc_method()
             def get_repo(request, apiuser, repoid, cache=Optional(True)):
                 """
                 Gets an existing repository by its name or repository_id.
                 The members section so the output returns users groups or users
                 associated with that repository.
                 This command can only be run using an |authtoken| with admin rights,
                 or users with at least read rights to the |repo|.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repoid: The repository name or repository id.
                 :type repoid: str or int
                 :param cache: use the cached value for last changeset
                 :type: cache: Optional(bool)
                 Example output:
                 .. code-block:: bash
                     {
                       "error": null,
                       "id": <repo_id>,
                       "result": {
                         "clone_uri": null,
                         "created_on": "timestamp",
                         "description": "repo description",
                         "enable_downloads": false,
                         "enable_locking": false,
                         "enable_statistics": false,
                         "followers": [
                           {
                             "active": true,
                             "admin": false,
                             "api_key": "****************************************",
                             "api_keys": [
                               "****************************************"
                             ],
                             "email": "user@example.com",
                             "emails": [
                               "user@example.com"
                             ],
                             "extern_name": "rhodecode",
                             "extern_type": "rhodecode",
                             "firstname": "username",
                             "ip_addresses": [],
                             "language": null,
                             "last_login": "2015-09-16T17:16:35.854",
                             "lastname": "surname",
                             "user_id": <user_id>,
                             "username": "name"
                           }
                         ],
                         "fork_of": "parent-repo",
                         "landing_rev": [
                           "rev",
                           "tip"
                         ],
                         "last_changeset": {
                           "author": "User <user@example.com>",
                           "branch": "default",
                           "date": "timestamp",
                           "message": "last commit message",
                           "parents": [
                             {
                               "raw_id": "commit-id"
                             }
                           ],
                           "raw_id": "commit-id",
                           "revision": <revision number>,
                           "short_id": "short id"
                         },
                         "lock_reason": null,
                         "locked_by": null,
                         "locked_date": null,
                         "owner": "owner-name",
                         "permissions": [
                           {
                             "name": "super-admin-name",
                             "origin": "super-admin",
                             "permission": "repository.admin",
                             "type": "user"
                           },
                           {
                             "name": "owner-name",
                             "origin": "owner",
                             "permission": "repository.admin",
                             "type": "user"
                           },
                           {
                             "name": "user-group-name",
                             "origin": "permission",
                             "permission": "repository.write",
                             "type": "user_group"
                           }
                         ],
                         "private": true,
                         "repo_id": 676,
                         "repo_name": "user-group/repo-name",
                         "repo_type": "hg"
                       }
                     }
                 """
                 repo = get_repo_or_error(repoid)
                 cache = Optional.extract(cache)
                 include_secrets = False
                 if has_superadmin_permission(apiuser):
                     include_secrets = True
                 else:
                     # check if we have at least read permission for this repo !
                     _perms = (
                         'repository.admin', 'repository.write', 'repository.read',)
                     validate_repo_permissions(apiuser, repoid, repo, _perms)
                 permissions = []
                 for _user in repo.permissions():
                     user_data = {
                         'name': _user.username,
                         'permission': _user.permission,
                         'origin': get_origin(_user),
                         'type': "user",
                     }
                     permissions.append(user_data)
                 for _user_group in repo.permission_user_groups():
                     user_group_data = {
                         'name': _user_group.users_group_name,
                         'permission': _user_group.permission,
                         'origin': get_origin(_user_group),
                         'type': "user_group",
                     }
                     permissions.append(user_group_data)
                 following_users = [
                     user.user.get_api_data(include_secrets=include_secrets)
                     for user in repo.followers]
                 if not cache:
                     repo.update_commit_cache()
                 data = repo.get_api_data(include_secrets=include_secrets)
                 data['permissions'] = permissions
                 data['followers'] = following_users
                 return data
             @jsonrpc_method()
             def get_repos(request, apiuser, root=Optional(None), traverse=Optional(True)):
                 """
                 Lists all existing repositories.
                 This command can only be run using an |authtoken| with admin rights,
                 or users with at least read rights to |repos|.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param root: specify root repository group to fetch repositories.
                     filters the returned repositories to be members of given root group.
                 :type root: Optional(None)
                 :param traverse: traverse given root into subrepositories. With this flag
                     set to False, it will only return top-level repositories from `root`.
                     if root is empty it will return just top-level repositories.
                 :type traverse: Optional(True)
                 Example output:
                 .. code-block:: bash
                     id : <id_given_in_input>
                     result: [
                               {
                                 "repo_id" :          "<repo_id>",
                                 "repo_name" :        "<reponame>"
                                 "repo_type" :        "<repo_type>",
                                 "clone_uri" :        "<clone_uri>",
                                 "private": :         "<bool>",
                                 "created_on" :       "<datetimecreated>",
                                 "description" :      "<description>",
                                 "landing_rev":       "<landing_rev>",
                                 "owner":             "<repo_owner>",
                                 "fork_of":           "<name_of_fork_parent>",
                                 "enable_downloads":  "<bool>",
                                 "enable_locking":    "<bool>",
                                 "enable_statistics": "<bool>",
                               },
                               ...
                             ]
                     error:  null
                 """
                 include_secrets = has_superadmin_permission(apiuser)
                 _perms = ('repository.read', 'repository.write', 'repository.admin',)
                 extras = {'user': apiuser}
                 root = Optional.extract(root)
                 traverse = Optional.extract(traverse, binary=True)
                 if root:
                     # verify parent existance, if it's empty return an error
                     parent = RepoGroup.get_by_group_name(root)
                     if not parent:
                         raise JSONRPCError(
                             'Root repository group `{}` does not exist'.format(root))
                     if traverse:
                         repos = RepoModel().get_repos_for_root(root=root, traverse=traverse)
                     else:
                         repos = RepoModel().get_repos_for_root(root=parent)
                 else:
                     if traverse:
                         repos = RepoModel().get_all()
                     else:
                         # return just top-level
                         repos = RepoModel().get_repos_for_root(root=None)
                 repo_list = RepoList(repos, perm_set=_perms, extra_kwargs=extras)
                 return [repo.get_api_data(include_secrets=include_secrets)
                         for repo in repo_list]
             @jsonrpc_method()
             def get_repo_changeset(request, apiuser, repoid, revision,
                                    details=Optional('basic')):
                 """
                 Returns information about a changeset.
                 Additionally parameters define the amount of details returned by
                 this function.
                 This command can only be run using an |authtoken| with admin rights,
                 or users with at least read rights to the |repo|.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repoid: The repository name or repository id
                 :type repoid: str or int
                 :param revision: revision for which listing should be done
                 :type revision: str
                 :param details: details can be 'basic|extended|full' full gives diff
                     info details like the diff itself, and number of changed files etc.
                 :type details: Optional(str)
                 """
                 repo = get_repo_or_error(repoid)
                 if not has_superadmin_permission(apiuser):
                     _perms = (
                         'repository.admin', 'repository.write', 'repository.read',)
                     validate_repo_permissions(apiuser, repoid, repo, _perms)
                 changes_details = Optional.extract(details)
                 _changes_details_types = ['basic', 'extended', 'full']
                 if changes_details not in _changes_details_types:
                     raise JSONRPCError(
                         'ret_type must be one of %s' % (
                             ','.join(_changes_details_types)))
                 pre_load = ['author', 'branch', 'date', 'message', 'parents',
                             'status', '_commit', '_file_paths']
                 try:
                     cs = repo.get_commit(commit_id=revision, pre_load=pre_load)
                 except TypeError as e:
                     raise JSONRPCError(safe_str(e))
                 _cs_json = cs.__json__()
                 _cs_json['diff'] = build_commit_data(cs, changes_details)
                 if changes_details == 'full':
                     _cs_json['refs'] = cs._get_refs()
                 return _cs_json
             @jsonrpc_method()
             def get_repo_changesets(request, apiuser, repoid, start_rev, limit,
                                     details=Optional('basic')):
                 """
                 Returns a set of commits limited by the number starting
                 from the `start_rev` option.
                 Additional parameters define the amount of details returned by this
                 function.
                 This command can only be run using an |authtoken| with admin rights,
                 or users with at least read rights to |repos|.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repoid: The repository name or repository ID.
                 :type repoid: str or int
                 :param start_rev: The starting revision from where to get changesets.
                 :type start_rev: str
                 :param limit: Limit the number of commits to this amount
                 :type limit: str or int
                 :param details: Set the level of detail returned. Valid option are:
                     ``basic``, ``extended`` and ``full``.
                 :type details: Optional(str)
                 .. note::
                    Setting the parameter `details` to the value ``full`` is extensive
                    and returns details like the diff itself, and the number
                    of changed files.
                 """
                 repo = get_repo_or_error(repoid)
                 if not has_superadmin_permission(apiuser):
                     _perms = (
                         'repository.admin', 'repository.write', 'repository.read',)
                     validate_repo_permissions(apiuser, repoid, repo, _perms)
                 changes_details = Optional.extract(details)
                 _changes_details_types = ['basic', 'extended', 'full']
                 if changes_details not in _changes_details_types:
                     raise JSONRPCError(
                         'ret_type must be one of %s' % (
                             ','.join(_changes_details_types)))
                 limit = int(limit)
                 pre_load = ['author', 'branch', 'date', 'message', 'parents',
                             'status', '_commit', '_file_paths']
                 vcs_repo = repo.scm_instance()
                 # SVN needs a special case to distinguish its index and commit id
                 if vcs_repo and vcs_repo.alias == 'svn' and (start_rev == '0'):
                     start_rev = vcs_repo.commit_ids[0]
                 try:
                     commits = vcs_repo.get_commits(
                         start_id=start_rev, pre_load=pre_load, translate_tags=False)
                 except TypeError as e:
                     raise JSONRPCError(safe_str(e))
                 except Exception:
                     log.exception('Fetching of commits failed')
                     raise JSONRPCError('Error occurred during commit fetching')
                 ret = []
                 for cnt, commit in enumerate(commits):
                     if cnt >= limit != -1:
                         break
                     _cs_json = commit.__json__()
                     _cs_json['diff'] = build_commit_data(commit, changes_details)
                     if changes_details == 'full':
                         _cs_json['refs'] = {
                             'branches': [commit.branch],
                             'bookmarks': getattr(commit, 'bookmarks', []),
                             'tags': commit.tags
                         }
                     ret.append(_cs_json)
                 return ret
             @jsonrpc_method()
             def get_repo_nodes(request, apiuser, repoid, revision, root_path,
                                ret_type=Optional('all'), details=Optional('basic'),
                                max_file_bytes=Optional(None)):
                 """
                 Returns a list of nodes and children in a flat list for a given
                 path at given revision.
                 It's possible to specify ret_type to show only `files` or `dirs`.
                 This command can only be run using an |authtoken| with admin rights,
                 or users with at least read rights to |repos|.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repoid: The repository name or repository ID.
                 :type repoid: str or int
                 :param revision: The revision for which listing should be done.
                 :type revision: str
                 :param root_path: The path from which to start displaying.
                 :type root_path: str
                 :param ret_type: Set the return type. Valid options are
                     ``all`` (default), ``files`` and ``dirs``.
                 :type ret_type: Optional(str)
                 :param details: Returns extended information about nodes, such as
                     md5, binary, and or content.
                     The valid options are ``basic`` and ``full``.
                 :type details: Optional(str)
                 :param max_file_bytes: Only return file content under this file size bytes
                 :type details: Optional(int)
                 Example output:
                 .. code-block:: bash
                     id : <id_given_in_input>
                     result: [
                                 {
                                   "binary": false,
                                   "content": "File line",
                                   "extension": "md",
                                   "lines": 2,
                                   "md5": "059fa5d29b19c0657e384749480f6422",
                                   "mimetype": "text/x-minidsrc",
                                   "name": "file.md",
                                   "size": 580,
                                   "type": "file"
                                 },
                               ...
                             ]
                     error:  null
                 """
                 repo = get_repo_or_error(repoid)
                 if not has_superadmin_permission(apiuser):
                     _perms = ('repository.admin', 'repository.write', 'repository.read',)
                     validate_repo_permissions(apiuser, repoid, repo, _perms)
                 ret_type = Optional.extract(ret_type)
                 details = Optional.extract(details)
                 _extended_types = ['basic', 'full']
                 if details not in _extended_types:
                     raise JSONRPCError('ret_type must be one of %s' % (','.join(_extended_types)))
                 extended_info = False
                 content = False
                 if details == 'basic':
                     extended_info = True
                 if details == 'full':
                     extended_info = content = True
                 _map = {}
                 try:
                     # check if repo is not empty by any chance, skip quicker if it is.
                     _scm = repo.scm_instance()
                     if _scm.is_empty():
                         return []
                     _d, _f = ScmModel().get_nodes(
                         repo, revision, root_path, flat=False,
                         extended_info=extended_info, content=content,
                         max_file_bytes=max_file_bytes)
                     _map = {
                         'all': _d + _f,
                         'files': _f,
                         'dirs': _d,
                     }
                     return _map[ret_type]
                 except KeyError:
                     raise JSONRPCError(
                         'ret_type must be one of %s' % (','.join(sorted(_map.keys()))))
                 except Exception:
                     log.exception("Exception occurred while trying to get repo nodes")
                     raise JSONRPCError(
                         'failed to get repo: `%s` nodes' % repo.repo_name
                     )
             @jsonrpc_method()
             def get_repo_file(request, apiuser, repoid, commit_id, file_path,
                               max_file_bytes=Optional(None), details=Optional('basic'),
                               cache=Optional(True)):
                 """
                 Returns a single file from repository at given revision.
                 This command can only be run using an |authtoken| with admin rights,
                 or users with at least read rights to |repos|.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repoid: The repository name or repository ID.
                 :type repoid: str or int
                 :param commit_id: The revision for which listing should be done.
                 :type commit_id: str
                 :param file_path: The path from which to start displaying.
                 :type file_path: str
                 :param details: Returns different set of information about nodes.
                     The valid options are ``minimal`` ``basic`` and ``full``.
                 :type details: Optional(str)
                 :param max_file_bytes: Only return file content under this file size bytes
                 :type max_file_bytes: Optional(int)
                 :param cache: Use internal caches for fetching files. If disabled fetching
                     files is slower but more memory efficient
                 :type cache: Optional(bool)
                 Example output:
                 .. code-block:: bash
                     id : <id_given_in_input>
                     result: {
                         "binary": false,
                         "extension": "py",
                         "lines": 35,
                         "content": "....",
                         "md5": "76318336366b0f17ee249e11b0c99c41",
                         "mimetype": "text/x-python",
                         "name": "python.py",
                         "size": 817,
                         "type": "file",
                     }
                     error:  null
                 """
                 repo = get_repo_or_error(repoid)
                 if not has_superadmin_permission(apiuser):
                     _perms = ('repository.admin', 'repository.write', 'repository.read',)
                     validate_repo_permissions(apiuser, repoid, repo, _perms)
                 cache = Optional.extract(cache, binary=True)
                 details = Optional.extract(details)
                 _extended_types = ['minimal', 'minimal+search', 'basic', 'full']
                 if details not in _extended_types:
                     raise JSONRPCError(
                         'ret_type must be one of %s, got %s' % (','.join(_extended_types)), details)
                 extended_info = False
                 content = False
                 if details == 'minimal':
                     extended_info = False
                 elif details == 'basic':
                     extended_info = True
                 elif details == 'full':
                     extended_info = content = True
                 try:
                     # check if repo is not empty by any chance, skip quicker if it is.
                     _scm = repo.scm_instance()
                     if _scm.is_empty():
                         return None
                     node = ScmModel().get_node(
                         repo, commit_id, file_path, extended_info=extended_info,
                         content=content, max_file_bytes=max_file_bytes, cache=cache)
                 except NodeDoesNotExistError:
                     raise JSONRPCError('There is no file in repo: `{}` at path `{}` for commit: `{}`'.format(
                         repo.repo_name, file_path, commit_id))
                 except Exception:
                     log.exception("Exception occurred while trying to get repo %s file",
                                   repo.repo_name)
                     raise JSONRPCError('failed to get repo: `{}` file at path {}'.format(
                         repo.repo_name, file_path))
                 return node
             @jsonrpc_method()
             def get_repo_fts_tree(request, apiuser, repoid, commit_id, root_path):
                 """
                 Returns a list of tree nodes for path at given revision. This api is built
                 strictly for usage in full text search building, and shouldn't be consumed
                 This command can only be run using an |authtoken| with admin rights,
                 or users with at least read rights to |repos|.
                 """
                 repo = get_repo_or_error(repoid)
                 if not has_superadmin_permission(apiuser):
                     _perms = ('repository.admin', 'repository.write', 'repository.read',)
                     validate_repo_permissions(apiuser, repoid, repo, _perms)
                 repo_id = repo.repo_id
                 cache_seconds = safe_int(rhodecode.CONFIG.get('rc_cache.cache_repo.expiration_time'))
                 cache_on = cache_seconds > 0
                 cache_namespace_uid = 'cache_repo.{}'.format(repo_id)
                 region = rc_cache.get_or_create_region('cache_repo', cache_namespace_uid)
                 def compute_fts_tree(repo_id, commit_id, root_path, cache_ver):
                     return ScmModel().get_fts_data(repo_id, commit_id, root_path)
                 try:
                     # check if repo is not empty by any chance, skip quicker if it is.
                     _scm = repo.scm_instance()
                     if _scm.is_empty():
                         return []
                 except RepositoryError:
                     log.exception("Exception occurred while trying to get repo nodes")
                     raise JSONRPCError('failed to get repo: `%s` nodes' % repo.repo_name)
                 try:
                     # we need to resolve commit_id to a FULL sha for cache to work correctly.
                     # sending 'master' is a pointer that needs to be translated to current commit.
                     commit_id = _scm.get_commit(commit_id=commit_id).raw_id
                     log.debug(
                         'Computing FTS REPO TREE for repo_id %s commit_id `%s` '
                         'with caching: %s[TTL: %ss]' % (
                             repo_id, commit_id, cache_on, cache_seconds or 0))
                     tree_files = compute_fts_tree(repo_id, commit_id, root_path, 'v1')
                     return tree_files
                 except Exception:
                     log.exception("Exception occurred while trying to get repo nodes")
                     raise JSONRPCError('failed to get repo: `%s` nodes' % repo.repo_name)
             @jsonrpc_method()
             def get_repo_refs(request, apiuser, repoid):
                 """
                 Returns a dictionary of current references. It returns
                 bookmarks, branches, closed_branches, and tags for given repository
                 It's possible to specify ret_type to show only `files` or `dirs`.
                 This command can only be run using an |authtoken| with admin rights,
                 or users with at least read rights to |repos|.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repoid: The repository name or repository ID.
                 :type repoid: str or int
                 Example output:
                 .. code-block:: bash
                     id : <id_given_in_input>
                     "result": {
                         "bookmarks": {
                           "dev": "5611d30200f4040ba2ab4f3d64e5b06408a02188",
                           "master": "367f590445081d8ec8c2ea0456e73ae1f1c3d6cf"
                         },
                         "branches": {
                           "default": "5611d30200f4040ba2ab4f3d64e5b06408a02188",
                           "stable": "367f590445081d8ec8c2ea0456e73ae1f1c3d6cf"
                         },
                         "branches_closed": {},
                         "tags": {
                           "tip": "5611d30200f4040ba2ab4f3d64e5b06408a02188",
                           "v4.4.0": "1232313f9e6adac5ce5399c2a891dc1e72b79022",
                           "v4.4.1": "cbb9f1d329ae5768379cdec55a62ebdd546c4e27",
                           "v4.4.2": "24ffe44a27fcd1c5b6936144e176b9f6dd2f3a17",
                         }
                     }
                     error:  null
                 """
                 repo = get_repo_or_error(repoid)
                 if not has_superadmin_permission(apiuser):
                     _perms = ('repository.admin', 'repository.write', 'repository.read',)
                     validate_repo_permissions(apiuser, repoid, repo, _perms)
                 try:
                     # check if repo is not empty by any chance, skip quicker if it is.
                     vcs_instance = repo.scm_instance()
                     refs = vcs_instance.refs()
                     return refs
                 except Exception:
                     log.exception("Exception occurred while trying to get repo refs")
                     raise JSONRPCError(
                         'failed to get repo: `%s` references' % repo.repo_name
                     )
             @jsonrpc_method()
             def create_repo(
                     request, apiuser, repo_name, repo_type,
                     owner=Optional(OAttr('apiuser')),
                     description=Optional(''),
                     private=Optional(False),
                     clone_uri=Optional(None),
                     push_uri=Optional(None),
                     landing_rev=Optional(None),
                     enable_statistics=Optional(False),
                     enable_locking=Optional(False),
                     enable_downloads=Optional(False),
                     copy_permissions=Optional(False)):
                 """
                 Creates a repository.
                 * If the repository name contains "/", repository will be created inside
                   a repository group or nested repository groups
                   For example "foo/bar/repo1" will create |repo| called "repo1" inside
                   group "foo/bar". You have to have permissions to access and write to
                   the last repository group ("bar" in this example)
                 This command can only be run using an |authtoken| with at least
                 permissions to create repositories, or write permissions to
                 parent repository groups.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repo_name: Set the repository name.
                 :type repo_name: str
                 :param repo_type: Set the repository type; 'hg','git', or 'svn'.
                 :type repo_type: str
                 :param owner: user_id or username
                 :type owner: Optional(str)
                 :param description: Set the repository description.
                 :type description: Optional(str)
                 :param private: set repository as private
                 :type private: bool
                 :param clone_uri: set clone_uri
                 :type clone_uri: str
                 :param push_uri: set push_uri
                 :type push_uri: str
                 :param landing_rev: <rev_type>:<rev>, e.g branch:default, book:dev, rev:abcd
                 :type landing_rev: str
                 :param enable_locking:
                 :type enable_locking: bool
                 :param enable_downloads:
                 :type enable_downloads: bool
                 :param enable_statistics:
                 :type enable_statistics: bool
                 :param copy_permissions: Copy permission from group in which the
                     repository is being created.
                 :type copy_permissions: bool
                 Example output:
                 .. code-block:: bash
                     id : <id_given_in_input>
                     result: {
                               "msg": "Created new repository `<reponame>`",
                               "success": true,
                               "task": "<celery task id or None if done sync>"
                             }
                     error:  null
                 Example error output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : null
                   error :  {
                      'failed to create repository `<repo_name>`'
                   }
                 """
                 owner = validate_set_owner_permissions(apiuser, owner)
                 description = Optional.extract(description)
                 copy_permissions = Optional.extract(copy_permissions)
                 clone_uri = Optional.extract(clone_uri)
                 push_uri = Optional.extract(push_uri)
                 defs = SettingsModel().get_default_repo_settings(strip_prefix=True)
                 if isinstance(private, Optional):
                     private = defs.get('repo_private') or Optional.extract(private)
                 if isinstance(repo_type, Optional):
                     repo_type = defs.get('repo_type')
                 if isinstance(enable_statistics, Optional):
                     enable_statistics = defs.get('repo_enable_statistics')
                 if isinstance(enable_locking, Optional):
                     enable_locking = defs.get('repo_enable_locking')
                 if isinstance(enable_downloads, Optional):
                     enable_downloads = defs.get('repo_enable_downloads')
                 landing_ref, _label = ScmModel.backend_landing_ref(repo_type)
                 ref_choices, _labels = ScmModel().get_repo_landing_revs(request.translate)
                 ref_choices = list(set(ref_choices + [landing_ref]))
                 landing_commit_ref = Optional.extract(landing_rev) or landing_ref
                 schema = repo_schema.RepoSchema().bind(
                     repo_type_options=rhodecode.BACKENDS.keys(),
                     repo_ref_options=ref_choices,
                     repo_type=repo_type,
                     # user caller
                     user=apiuser)
                 try:
                     schema_data = schema.deserialize(dict(
                         repo_name=repo_name,
                         repo_type=repo_type,
                         repo_owner=owner.username,
                         repo_description=description,
                         repo_landing_commit_ref=landing_commit_ref,
                         repo_clone_uri=clone_uri,
                         repo_push_uri=push_uri,
                         repo_private=private,
                         repo_copy_permissions=copy_permissions,
                         repo_enable_statistics=enable_statistics,
                         repo_enable_downloads=enable_downloads,
                         repo_enable_locking=enable_locking))
                 except validation_schema.Invalid as err:
                     raise JSONRPCValidationError(colander_exc=err)
                 try:
                     data = {
                         'owner': owner,
                         'repo_name': schema_data['repo_group']['repo_name_without_group'],
                         'repo_name_full': schema_data['repo_name'],
                         'repo_group': schema_data['repo_group']['repo_group_id'],
                         'repo_type': schema_data['repo_type'],
                         'repo_description': schema_data['repo_description'],
                         'repo_private': schema_data['repo_private'],
                         'clone_uri': schema_data['repo_clone_uri'],
                         'push_uri': schema_data['repo_push_uri'],
                         'repo_landing_rev': schema_data['repo_landing_commit_ref'],
                         'enable_statistics': schema_data['repo_enable_statistics'],
                         'enable_locking': schema_data['repo_enable_locking'],
                         'enable_downloads': schema_data['repo_enable_downloads'],
                         'repo_copy_permissions': schema_data['repo_copy_permissions'],
                     }
                     task = RepoModel().create(form_data=data, cur_user=owner.user_id)
                     task_id = get_task_id(task)
                     # no commit, it's done in RepoModel, or async via celery
                     return {
                         'msg': "Created new repository `%s`" % (schema_data['repo_name'],),
                         'success': True,  # cannot return the repo data here since fork
                         # can be done async
                         'task': task_id
                     }
                 except Exception:
                     log.exception(
                         u"Exception while trying to create the repository %s",
                         schema_data['repo_name'])
                     raise JSONRPCError(
                         'failed to create repository `%s`' % (schema_data['repo_name'],))
             @jsonrpc_method()
             def add_field_to_repo(request, apiuser, repoid, key, label=Optional(''),
                                   description=Optional('')):
                 """
                 Adds an extra field to a repository.
                 This command can only be run using an |authtoken| with at least
                 write permissions to the |repo|.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repoid: Set the repository name or repository id.
                 :type repoid: str or int
                 :param key: Create a unique field key for this repository.
                 :type key: str
                 :param label:
                 :type label: Optional(str)
                 :param description:
                 :type description: Optional(str)
                 """
                 repo = get_repo_or_error(repoid)
                 if not has_superadmin_permission(apiuser):
                     _perms = ('repository.admin',)
                     validate_repo_permissions(apiuser, repoid, repo, _perms)
                 label = Optional.extract(label) or key
                 description = Optional.extract(description)
                 field = RepositoryField.get_by_key_name(key, repo)
                 if field:
                     raise JSONRPCError('Field with key '
                                        '`%s` exists for repo `%s`' % (key, repoid))
                 try:
                     RepoModel().add_repo_field(repo, key, field_label=label,
                                                field_desc=description)
                     Session().commit()
                     return {
                         'msg': "Added new repository field `%s`" % (key,),
                         'success': True,
                     }
                 except Exception:
                     log.exception("Exception occurred while trying to add field to repo")
                     raise JSONRPCError(
                         'failed to create new field for repository `%s`' % (repoid,))
             @jsonrpc_method()
             def remove_field_from_repo(request, apiuser, repoid, key):
                 """
                 Removes an extra field from a repository.
                 This command can only be run using an |authtoken| with at least
                 write permissions to the |repo|.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repoid: Set the repository name or repository ID.
                 :type repoid: str or int
                 :param key: Set the unique field key for this repository.
                 :type key: str
                 """
                 repo = get_repo_or_error(repoid)
                 if not has_superadmin_permission(apiuser):
                     _perms = ('repository.admin',)
                     validate_repo_permissions(apiuser, repoid, repo, _perms)
                 field = RepositoryField.get_by_key_name(key, repo)
                 if not field:
                     raise JSONRPCError('Field with key `%s` does not '
                                        'exists for repo `%s`' % (key, repoid))
                 try:
                     RepoModel().delete_repo_field(repo, field_key=key)
                     Session().commit()
                     return {
                         'msg': "Deleted repository field `%s`" % (key,),
                         'success': True,
                     }
                 except Exception:
                     log.exception(
                         "Exception occurred while trying to delete field from repo")
                     raise JSONRPCError(
                         'failed to delete field for repository `%s`' % (repoid,))
             @jsonrpc_method()
             def update_repo(
                     request, apiuser, repoid, repo_name=Optional(None),
                     owner=Optional(OAttr('apiuser')), description=Optional(''),
                     private=Optional(False),
                     clone_uri=Optional(None), push_uri=Optional(None),
                     landing_rev=Optional(None), fork_of=Optional(None),
                     enable_statistics=Optional(False),
                     enable_locking=Optional(False),
                     enable_downloads=Optional(False), fields=Optional('')):
                 """
                 Updates a repository with the given information.
                 This command can only be run using an |authtoken| with at least
                 admin permissions to the |repo|.
                 * If the repository name contains "/", repository will be updated
                   accordingly with a repository group or nested repository groups
                   For example repoid=repo-test name="foo/bar/repo-test" will update |repo|
                   called "repo-test" and place it inside group "foo/bar".
                   You have to have permissions to access and write to the last repository
                   group ("bar" in this example)
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repoid: repository name or repository ID.
                 :type repoid: str or int
                 :param repo_name: Update the |repo| name, including the
                     repository group it's in.
                 :type repo_name: str
                 :param owner: Set the |repo| owner.
                 :type owner: str
                 :param fork_of: Set the |repo| as fork of another |repo|.
                 :type fork_of: str
                 :param description: Update the |repo| description.
                 :type description: str
                 :param private: Set the |repo| as private. (True | False)
                 :type private: bool
                 :param clone_uri: Update the |repo| clone URI.
                 :type clone_uri: str
                 :param landing_rev: Set the |repo| landing revision. e.g branch:default, book:dev, rev:abcd
                 :type landing_rev: str
                 :param enable_statistics: Enable statistics on the |repo|, (True | False).
                 :type enable_statistics: bool
                 :param enable_locking: Enable |repo| locking.
                 :type enable_locking: bool
                 :param enable_downloads: Enable downloads from the |repo|, (True | False).
                 :type enable_downloads: bool
                 :param fields: Add extra fields to the |repo|. Use the following
                     example format: ``field_key=field_val,field_key2=fieldval2``.
                     Escape ', ' with \,
                 :type fields: str
                 """
                 repo = get_repo_or_error(repoid)
                 include_secrets = False
                 if not has_superadmin_permission(apiuser):
                     validate_repo_permissions(apiuser, repoid, repo, ('repository.admin',))
                 else:
                     include_secrets = True
                 updates = dict(
                     repo_name=repo_name
                     if not isinstance(repo_name, Optional) else repo.repo_name,
                     fork_id=fork_of
                     if not isinstance(fork_of, Optional) else repo.fork.repo_name if repo.fork else None,
                     user=owner
                     if not isinstance(owner, Optional) else repo.user.username,
                     repo_description=description
                     if not isinstance(description, Optional) else repo.description,
                     repo_private=private
                     if not isinstance(private, Optional) else repo.private,
                     clone_uri=clone_uri
                     if not isinstance(clone_uri, Optional) else repo.clone_uri,
                     push_uri=push_uri
                     if not isinstance(push_uri, Optional) else repo.push_uri,
                     repo_landing_rev=landing_rev
                     if not isinstance(landing_rev, Optional) else repo._landing_revision,
                     repo_enable_statistics=enable_statistics
                     if not isinstance(enable_statistics, Optional) else repo.enable_statistics,
                     repo_enable_locking=enable_locking
                     if not isinstance(enable_locking, Optional) else repo.enable_locking,
                     repo_enable_downloads=enable_downloads
                     if not isinstance(enable_downloads, Optional) else repo.enable_downloads)
                 landing_ref, _label = ScmModel.backend_landing_ref(repo.repo_type)
                 ref_choices, _labels = ScmModel().get_repo_landing_revs(
                     request.translate, repo=repo)
                 ref_choices = list(set(ref_choices + [landing_ref]))
                 old_values = repo.get_api_data()
                 repo_type = repo.repo_type
                 schema = repo_schema.RepoSchema().bind(
                     repo_type_options=rhodecode.BACKENDS.keys(),
                     repo_ref_options=ref_choices,
                     repo_type=repo_type,
                     # user caller
                     user=apiuser,
                     old_values=old_values)
                 try:
                     schema_data = schema.deserialize(dict(
                         # we save old value, users cannot change type
                         repo_type=repo_type,
                         repo_name=updates['repo_name'],
                         repo_owner=updates['user'],
                         repo_description=updates['repo_description'],
                         repo_clone_uri=updates['clone_uri'],
                         repo_push_uri=updates['push_uri'],
                         repo_fork_of=updates['fork_id'],
                         repo_private=updates['repo_private'],
                         repo_landing_commit_ref=updates['repo_landing_rev'],
                         repo_enable_statistics=updates['repo_enable_statistics'],
                         repo_enable_downloads=updates['repo_enable_downloads'],
                         repo_enable_locking=updates['repo_enable_locking']))
                 except validation_schema.Invalid as err:
                     raise JSONRPCValidationError(colander_exc=err)
                 # save validated data back into the updates dict
                 validated_updates = dict(
                     repo_name=schema_data['repo_group']['repo_name_without_group'],
                     repo_group=schema_data['repo_group']['repo_group_id'],
                     user=schema_data['repo_owner'],
                     repo_description=schema_data['repo_description'],
                     repo_private=schema_data['repo_private'],
                     clone_uri=schema_data['repo_clone_uri'],
                     push_uri=schema_data['repo_push_uri'],
                     repo_landing_rev=schema_data['repo_landing_commit_ref'],
                     repo_enable_statistics=schema_data['repo_enable_statistics'],
                     repo_enable_locking=schema_data['repo_enable_locking'],
                     repo_enable_downloads=schema_data['repo_enable_downloads'],
                 )
                 if schema_data['repo_fork_of']:
                     fork_repo = get_repo_or_error(schema_data['repo_fork_of'])
                     validated_updates['fork_id'] = fork_repo.repo_id
                 # extra fields
                 fields = parse_args(Optional.extract(fields), key_prefix='ex_')
                 if fields:
                     validated_updates.update(fields)
                 try:
                     RepoModel().update(repo, **validated_updates)
                     audit_logger.store_api(
                         'repo.edit', action_data={'old_data': old_values},
                         user=apiuser, repo=repo)
                     Session().commit()
                     return {
                         'msg': 'updated repo ID:%s %s' % (repo.repo_id, repo.repo_name),
                         'repository': repo.get_api_data(include_secrets=include_secrets)
                     }
                 except Exception:
                     log.exception(
                         u"Exception while trying to update the repository %s",
                         repoid)
                     raise JSONRPCError('failed to update repo `%s`' % repoid)
             @jsonrpc_method()
             def fork_repo(request, apiuser, repoid, fork_name,
                           owner=Optional(OAttr('apiuser')),
                           description=Optional(''),
                           private=Optional(False),
                           clone_uri=Optional(None),
                           landing_rev=Optional(None),
                           copy_permissions=Optional(False)):
                 """
                 Creates a fork of the specified |repo|.
                 * If the fork_name contains "/", fork will be created inside
                   a repository group or nested repository groups
                   For example "foo/bar/fork-repo" will create fork called "fork-repo"
                   inside group "foo/bar". You have to have permissions to access and
                   write to the last repository group ("bar" in this example)
                 This command can only be run using an |authtoken| with minimum
                 read permissions of the forked repo, create fork permissions for an user.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repoid: Set repository name or repository ID.
                 :type repoid: str or int
                 :param fork_name: Set the fork name, including it's repository group membership.
                 :type fork_name: str
                 :param owner: Set the fork owner.
                 :type owner: str
                 :param description: Set the fork description.
                 :type description: str
                 :param copy_permissions: Copy permissions from parent |repo|. The
                     default is False.
                 :type copy_permissions: bool
                 :param private: Make the fork private. The default is False.
                 :type private: bool
                 :param landing_rev: Set the landing revision. E.g branch:default, book:dev, rev:abcd
                 Example output:
                 .. code-block:: bash
                     id : <id_for_response>
                     api_key : "<api_key>"
                     args:     {
                                 "repoid" :          "<reponame or repo_id>",
                                 "fork_name":        "<forkname>",
                                 "owner":            "<username or user_id = Optional(=apiuser)>",
                                 "description":      "<description>",
                                 "copy_permissions": "<bool>",
                                 "private":          "<bool>",
                                 "landing_rev":      "<landing_rev>"
                               }
                 Example error output:
                 .. code-block:: bash
                     id : <id_given_in_input>
                     result: {
                               "msg": "Created fork of `<reponame>` as `<forkname>`",
                               "success": true,
                               "task": "<celery task id or None if done sync>"
                             }
                     error:  null
                 """
                 repo = get_repo_or_error(repoid)
                 repo_name = repo.repo_name
                 if not has_superadmin_permission(apiuser):
                     # check if we have at least read permission for
                     # this repo that we fork !
                     _perms = (
                         'repository.admin', 'repository.write', 'repository.read')
                     validate_repo_permissions(apiuser, repoid, repo, _perms)
                     # check if the regular user has at least fork permissions as well
                     if not HasPermissionAnyApi('hg.fork.repository')(user=apiuser):
                         raise JSONRPCForbidden()
                 # check if user can set owner parameter
                 owner = validate_set_owner_permissions(apiuser, owner)
                 description = Optional.extract(description)
                 copy_permissions = Optional.extract(copy_permissions)
                 clone_uri = Optional.extract(clone_uri)
                 landing_ref, _label = ScmModel.backend_landing_ref(repo.repo_type)
                 ref_choices, _labels = ScmModel().get_repo_landing_revs(request.translate)
                 ref_choices = list(set(ref_choices + [landing_ref]))
                 landing_commit_ref = Optional.extract(landing_rev) or landing_ref
                 private = Optional.extract(private)
                 schema = repo_schema.RepoSchema().bind(
                     repo_type_options=rhodecode.BACKENDS.keys(),
                     repo_ref_options=ref_choices,
                     repo_type=repo.repo_type,
                     # user caller
                     user=apiuser)
                 try:
                     schema_data = schema.deserialize(dict(
                         repo_name=fork_name,
                         repo_type=repo.repo_type,
                         repo_owner=owner.username,
                         repo_description=description,
                         repo_landing_commit_ref=landing_commit_ref,
                         repo_clone_uri=clone_uri,
                         repo_private=private,
                         repo_copy_permissions=copy_permissions))
                 except validation_schema.Invalid as err:
                     raise JSONRPCValidationError(colander_exc=err)
                 try:
                     data = {
                         'fork_parent_id': repo.repo_id,
                         'repo_name': schema_data['repo_group']['repo_name_without_group'],
                         'repo_name_full': schema_data['repo_name'],
                         'repo_group': schema_data['repo_group']['repo_group_id'],
                         'repo_type': schema_data['repo_type'],
                         'description': schema_data['repo_description'],
                         'private': schema_data['repo_private'],
                         'copy_permissions': schema_data['repo_copy_permissions'],
                         'landing_rev': schema_data['repo_landing_commit_ref'],
                     }
                     task = RepoModel().create_fork(data, cur_user=owner.user_id)
                     # no commit, it's done in RepoModel, or async via celery
                     task_id = get_task_id(task)
                     return {
                         'msg': 'Created fork of `%s` as `%s`' % (
                             repo.repo_name, schema_data['repo_name']),
                         'success': True,  # cannot return the repo data here since fork
                         # can be done async
                         'task': task_id
                     }
                 except Exception:
                     log.exception(
                         u"Exception while trying to create fork %s",
                         schema_data['repo_name'])
                     raise JSONRPCError(
                         'failed to fork repository `%s` as `%s`' % (
                             repo_name, schema_data['repo_name']))
             @jsonrpc_method()
             def delete_repo(request, apiuser, repoid, forks=Optional('')):
                 """
                 Deletes a repository.
                 * When the `forks` parameter is set it's possible to detach or delete
                   forks of deleted repository.
                 This command can only be run using an |authtoken| with admin
                 permissions on the |repo|.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repoid: Set the repository name or repository ID.
                 :type repoid: str or int
                 :param forks: Set to `detach` or `delete` forks from the |repo|.
                 :type forks: Optional(str)
                 Example error output:
                 .. code-block:: bash
                     id : <id_given_in_input>
                     result: {
                               "msg": "Deleted repository `<reponame>`",
                               "success": true
                             }
                     error:  null
                 """
                 repo = get_repo_or_error(repoid)
                 repo_name = repo.repo_name
                 if not has_superadmin_permission(apiuser):
                     _perms = ('repository.admin',)
                     validate_repo_permissions(apiuser, repoid, repo, _perms)
                 try:
                     handle_forks = Optional.extract(forks)
                     _forks_msg = ''
                     _forks = [f for f in repo.forks]
                     if handle_forks == 'detach':
                         _forks_msg = ' ' + 'Detached %s forks' % len(_forks)
                     elif handle_forks == 'delete':
                         _forks_msg = ' ' + 'Deleted %s forks' % len(_forks)
                     elif _forks:
                         raise JSONRPCError(
                             'Cannot delete `%s` it still contains attached forks' %
                             (repo.repo_name,)
                         )
                     old_data = repo.get_api_data()
                     RepoModel().delete(repo, forks=forks)
                     repo = audit_logger.RepoWrap(repo_id=None,
                                                  repo_name=repo.repo_name)
                     audit_logger.store_api(
                         'repo.delete', action_data={'old_data': old_data},
                         user=apiuser, repo=repo)
                     ScmModel().mark_for_invalidation(repo_name, delete=True)
                     Session().commit()
                     return {
                         'msg': 'Deleted repository `%s`%s' % (repo_name, _forks_msg),
                         'success': True
                     }
                 except Exception:
                     log.exception("Exception occurred while trying to delete repo")
                     raise JSONRPCError(
                         'failed to delete repository `%s`' % (repo_name,)
                     )
             #TODO: marcink, change name ?
             @jsonrpc_method()
             def invalidate_cache(request, apiuser, repoid, delete_keys=Optional(False)):
                 """
                 Invalidates the cache for the specified repository.
                 This command can only be run using an |authtoken| with admin rights to
                 the specified repository.
                 This command takes the following options:
                 :param apiuser: This is filled automatically from |authtoken|.
                 :type apiuser: AuthUser
                 :param repoid: Sets the repository name or repository ID.
                 :type repoid: str or int
                 :param delete_keys: This deletes the invalidated keys instead of
                     just flagging them.
                 :type delete_keys: Optional(``True`` | ``False``)
                 Example output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : {
                     'msg': Cache for repository `<repository name>` was invalidated,
                     'repository': <repository name>
                   }
                   error :  null
                 Example error output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : null
                   error : {
                      'Error occurred during cache invalidation action'
                   }
                 """
                 repo = get_repo_or_error(repoid)
                 if not has_superadmin_permission(apiuser):
                     _perms = ('repository.admin', 'repository.write',)
                     validate_repo_permissions(apiuser, repoid, repo, _perms)
                 delete = Optional.extract(delete_keys)
                 try:
                     ScmModel().mark_for_invalidation(repo.repo_name, delete=delete)
                     return {
                         'msg': 'Cache for repository `%s` was invalidated' % (repoid,),
                         'repository': repo.repo_name
                     }
                 except Exception:
                     log.exception(
                         "Exception occurred while trying to invalidate repo cache")
                     raise JSONRPCError(
                         'Error occurred during cache invalidation action'
                     )
             #TODO: marcink, change name ?
             @jsonrpc_method()
             def lock(request, apiuser, repoid, locked=Optional(None),
                      userid=Optional(OAttr('apiuser'))):
                 """
                 Sets the lock state of the specified |repo| by the given user.
                 From more information, see :ref:`repo-locking`.
                 * If the ``userid`` option is not set, the repository is locked to the
                   user who called the method.
                 * If the ``locked`` parameter is not set, the current lock state of the
                   repository is displayed.
                 This command can only be run using an |authtoken| with admin rights to
                 the specified repository.
                 This command takes the following options:
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repoid: Sets the repository name or repository ID.
                 :type repoid: str or int
                 :param locked: Sets the lock state.
                 :type locked: Optional(``True`` | ``False``)
                 :param userid: Set the repository lock to this user.
                 :type userid: Optional(str or int)
                 Example error output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : {
                     'repo': '<reponame>',
                     'locked': <bool: lock state>,
                     'locked_since': <int: lock timestamp>,
                     'locked_by': <username of person who made the lock>,
                     'lock_reason': <str: reason for locking>,
                     'lock_state_changed': <bool: True if lock state has been changed in this request>,
                     'msg': 'Repo `<reponame>` locked by `<username>` on <timestamp>.'
                     or
                     'msg': 'Repo `<repository name>` not locked.'
                     or
                     'msg': 'User `<user name>` set lock state for repo `<repository name>` to `<new lock state>`'
                   }
                   error :  null
                 Example error output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : null
                   error :  {
                     'Error occurred locking repository `<reponame>`'
                   }
                 """
                 repo = get_repo_or_error(repoid)
                 if not has_superadmin_permission(apiuser):
                     # check if we have at least write permission for this repo !
                     _perms = ('repository.admin', 'repository.write',)
                     validate_repo_permissions(apiuser, repoid, repo, _perms)
                     # make sure normal user does not pass someone else userid,
                     # he is not allowed to do that
                     if not isinstance(userid, Optional) and userid != apiuser.user_id:
                         raise JSONRPCError('userid is not the same as your user')
                 if isinstance(userid, Optional):
                     userid = apiuser.user_id
                 user = get_user_or_error(userid)
                 if isinstance(locked, Optional):
                     lockobj = repo.locked
                     if lockobj[0] is None:
                         _d = {
                             'repo': repo.repo_name,
                             'locked': False,
                             'locked_since': None,
                             'locked_by': None,
                             'lock_reason': None,
                             'lock_state_changed': False,
                             'msg': 'Repo `%s` not locked.' % repo.repo_name
                         }
                         return _d
                     else:
                         _user_id, _time, _reason = lockobj
                         lock_user = get_user_or_error(userid)
                         _d = {
                             'repo': repo.repo_name,
                             'locked': True,
                             'locked_since': _time,
                             'locked_by': lock_user.username,
                             'lock_reason': _reason,
                             'lock_state_changed': False,
                             'msg': ('Repo `%s` locked by `%s` on `%s`.'
                                     % (repo.repo_name, lock_user.username,
                                        json.dumps(time_to_datetime(_time))))
                         }
                         return _d
                 # force locked state through a flag
                 else:
                     locked = str2bool(locked)
                     lock_reason = Repository.LOCK_API
                     try:
                         if locked:
                             lock_time = time.time()
                             Repository.lock(repo, user.user_id, lock_time, lock_reason)
                         else:
                             lock_time = None
                             Repository.unlock(repo)
                         _d = {
                             'repo': repo.repo_name,
                             'locked': locked,
                             'locked_since': lock_time,
                             'locked_by': user.username,
                             'lock_reason': lock_reason,
                             'lock_state_changed': True,
                             'msg': ('User `%s` set lock state for repo `%s` to `%s`'
                                     % (user.username, repo.repo_name, locked))
                         }
                         return _d
                     except Exception:
                         log.exception(
                             "Exception occurred while trying to lock repository")
                         raise JSONRPCError(
                             'Error occurred locking repository `%s`' % repo.repo_name
                         )
             @jsonrpc_method()
             def comment_commit(
                     request, apiuser, repoid, commit_id, message, status=Optional(None),
                     comment_type=Optional(ChangesetComment.COMMENT_TYPE_NOTE),
                     resolves_comment_id=Optional(None),
                     userid=Optional(OAttr('apiuser'))):
                 """
                 Set a commit comment, and optionally change the status of the commit.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repoid: Set the repository name or repository ID.
                 :type repoid: str or int
                 :param commit_id: Specify the commit_id for which to set a comment.
                 :type commit_id: str
                 :param message: The comment text.
                 :type message: str
                 :param status: (**Optional**) status of commit, one of: 'not_reviewed',
                     'approved', 'rejected', 'under_review'
                 :type status: str
                 :param comment_type: Comment type, one of: 'note', 'todo'
                 :type comment_type: Optional(str), default: 'note'
                 :param userid: Set the user name of the comment creator.
                 :type userid: Optional(str or int)
                 Example error output:
                 .. code-block:: bash
                     {
                         "id" : <id_given_in_input>,
                         "result" : {
                             "msg": "Commented on commit `<commit_id>` for repository `<repoid>`",
                             "status_change": null or <status>,
                             "success": true
                         },
                         "error" :  null
                     }
                 """
                 repo = get_repo_or_error(repoid)
                 if not has_superadmin_permission(apiuser):
                     _perms = ('repository.read', 'repository.write', 'repository.admin')
                     validate_repo_permissions(apiuser, repoid, repo, _perms)
                 try:
                     commit_id = repo.scm_instance().get_commit(commit_id=commit_id).raw_id
                 except Exception as e:
                     log.exception('Failed to fetch commit')
                     raise JSONRPCError(safe_str(e))
                 if isinstance(userid, Optional):
                     userid = apiuser.user_id
                 user = get_user_or_error(userid)
                 status = Optional.extract(status)
                 comment_type = Optional.extract(comment_type)
                 resolves_comment_id = Optional.extract(resolves_comment_id)
                 allowed_statuses = [x[0] for x in ChangesetStatus.STATUSES]
                 if status and status not in allowed_statuses:
                     raise JSONRPCError('Bad status, must be on '
                                        'of %s got %s' % (allowed_statuses, status,))
                 if resolves_comment_id:
                     comment = ChangesetComment.get(resolves_comment_id)
                     if not comment:
                         raise JSONRPCError(
                             'Invalid resolves_comment_id `%s` for this commit.'
                             % resolves_comment_id)
                     if comment.comment_type != ChangesetComment.COMMENT_TYPE_TODO:
                         raise JSONRPCError(
                             'Comment `%s` is wrong type for setting status to resolved.'
                             % resolves_comment_id)
                 try:
                     rc_config = SettingsModel().get_all_settings()
                     renderer = rc_config.get('rhodecode_markup_renderer', 'rst')
                     status_change_label = ChangesetStatus.get_status_lbl(status)
                     comment = CommentsModel().create(
                         message, repo, user, commit_id=commit_id,
                         status_change=status_change_label,
                         status_change_type=status,
                         renderer=renderer,
                         comment_type=comment_type,
                         resolves_comment_id=resolves_comment_id,
                         auth_user=apiuser
                     )
                     if status:
                         # also do a status change
                         try:
                             ChangesetStatusModel().set_status(
                                 repo, status, user, comment, revision=commit_id,
                                 dont_allow_on_closed_pull_request=True
                             )
                         except StatusChangeOnClosedPullRequestError:
                             log.exception(
                                 "Exception occurred while trying to change repo commit status")
                             msg = ('Changing status on a changeset associated with '
                                    'a closed pull request is not allowed')
                             raise JSONRPCError(msg)
                     Session().commit()
                     return {
                         'msg': (
                             'Commented on commit `%s` for repository `%s`' % (
                                 comment.revision, repo.repo_name)),
                         'status_change': status,
                         'success': True,
                     }
                 except JSONRPCError:
                     # catch any inside errors, and re-raise them to prevent from
                     # below global catch to silence them
                     raise
                 except Exception:
                     log.exception("Exception occurred while trying to comment on commit")
                     raise JSONRPCError(
                         'failed to set comment on repository `%s`' % (repo.repo_name,)
                     )
             @jsonrpc_method()
             def get_repo_comments(request, apiuser, repoid,
                                   commit_id=Optional(None), comment_type=Optional(None),
                                   userid=Optional(None)):
                 """
                 Get all comments for a repository
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repoid: Set the repository name or repository ID.
                 :type repoid: str or int
                 :param commit_id: Optionally filter the comments by the commit_id
                 :type commit_id: Optional(str), default: None
                 :param comment_type: Optionally filter the comments by the comment_type
                     one of: 'note', 'todo'
                 :type comment_type: Optional(str), default: None
                 :param userid: Optionally filter the comments by the author of comment
                 :type userid: Optional(str or int), Default: None
                 Example error output:
                 .. code-block:: bash
                     {
                         "id" : <id_given_in_input>,
                         "result" : [
                             {
                               "comment_author": <USER_DETAILS>,
                               "comment_created_on": "2017-02-01T14:38:16.309",
                               "comment_f_path": "file.txt",
                               "comment_id": 282,
                               "comment_lineno": "n1",
                               "comment_resolved_by": null,
                               "comment_status": [],
                               "comment_text": "This file needs a header",
                               "comment_type": "todo"
                             }
                         ],
                         "error" :  null
                     }
                 """
                 repo = get_repo_or_error(repoid)
                 if not has_superadmin_permission(apiuser):
                     _perms = ('repository.read', 'repository.write', 'repository.admin')
                     validate_repo_permissions(apiuser, repoid, repo, _perms)
                 commit_id = Optional.extract(commit_id)
                 userid = Optional.extract(userid)
                 if userid:
                     user = get_user_or_error(userid)
                 else:
                     user = None
                 comment_type = Optional.extract(comment_type)
                 if comment_type and comment_type not in ChangesetComment.COMMENT_TYPES:
                     raise JSONRPCError(
                             'comment_type must be one of `{}` got {}'.format(
                                 ChangesetComment.COMMENT_TYPES, comment_type)
                         )
                 comments = CommentsModel().get_repository_comments(
                     repo=repo, comment_type=comment_type, user=user, commit_id=commit_id)
                 return comments
             @jsonrpc_method()
             def grant_user_permission(request, apiuser, repoid, userid, perm):
                 """
                 Grant permissions for the specified user on the given repository,
                 or update existing permissions if found.
                 This command can only be run using an |authtoken| with admin
                 permissions on the |repo|.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repoid: Set the repository name or repository ID.
                 :type repoid: str or int
                 :param userid: Set the user name.
                 :type userid: str
                 :param perm: Set the user permissions, using the following format
                     ``(repository.(none|read|write|admin))``
                 :type perm: str
                 Example output:
                 .. code-block:: bash
                     id : <id_given_in_input>
                     result: {
                               "msg" : "Granted perm: `<perm>` for user: `<username>` in repo: `<reponame>`",
                               "success": true
                             }
                     error:  null
                 """
                 repo = get_repo_or_error(repoid)
                 user = get_user_or_error(userid)
                 perm = get_perm_or_error(perm)
                 if not has_superadmin_permission(apiuser):
                     _perms = ('repository.admin',)
                     validate_repo_permissions(apiuser, repoid, repo, _perms)
                 perm_additions = [[user.user_id, perm.permission_name, "user"]]
                 try:
                     changes = RepoModel().update_permissions(
                         repo=repo, perm_additions=perm_additions, cur_user=apiuser)
                     action_data = {
                         'added': changes['added'],
                         'updated': changes['updated'],
                         'deleted': changes['deleted'],
                     }
                     audit_logger.store_api(
                         'repo.edit.permissions', action_data=action_data, user=apiuser, repo=repo)
+                    Session().commit()
+                    PermissionModel().flush_user_permission_caches(changes)
-                    Session().commit()
                     return {
                         'msg': 'Granted perm: `%s` for user: `%s` in repo: `%s`' % (
                             perm.permission_name, user.username, repo.repo_name
                         ),
                         'success': True
                     }
                 except Exception:
                     log.exception("Exception occurred while trying edit permissions for repo")
                     raise JSONRPCError(
                         'failed to edit permission for user: `%s` in repo: `%s`' % (
                             userid, repoid
                         )
                     )
             @jsonrpc_method()
             def revoke_user_permission(request, apiuser, repoid, userid):
                 """
                 Revoke permission for a user on the specified repository.
                 This command can only be run using an |authtoken| with admin
                 permissions on the |repo|.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repoid: Set the repository name or repository ID.
                 :type repoid: str or int
                 :param userid: Set the user name of revoked user.
                 :type userid: str or int
                 Example error output:
                 .. code-block:: bash
                     id : <id_given_in_input>
                     result: {
                               "msg" : "Revoked perm for user: `<username>` in repo: `<reponame>`",
                               "success": true
                             }
                     error:  null
                 """
                 repo = get_repo_or_error(repoid)
                 user = get_user_or_error(userid)
                 if not has_superadmin_permission(apiuser):
                     _perms = ('repository.admin',)
                     validate_repo_permissions(apiuser, repoid, repo, _perms)
                 perm_deletions = [[user.user_id, None, "user"]]
                 try:
                     changes = RepoModel().update_permissions(
                         repo=repo, perm_deletions=perm_deletions, cur_user=user)
                     action_data = {
                         'added': changes['added'],
                         'updated': changes['updated'],
                         'deleted': changes['deleted'],
                     }
                     audit_logger.store_api(
                         'repo.edit.permissions', action_data=action_data, user=apiuser, repo=repo)
+                    Session().commit()
+                    PermissionModel().flush_user_permission_caches(changes)
-                    Session().commit()
                     return {
                         'msg': 'Revoked perm for user: `%s` in repo: `%s`' % (
                             user.username, repo.repo_name
                         ),
                         'success': True
                     }
                 except Exception:
                     log.exception("Exception occurred while trying revoke permissions to repo")
                     raise JSONRPCError(
                         'failed to edit permission for user: `%s` in repo: `%s`' % (
                             userid, repoid
                         )
                     )
             @jsonrpc_method()
             def grant_user_group_permission(request, apiuser, repoid, usergroupid, perm):
                 """
                 Grant permission for a user group on the specified repository,
                 or update existing permissions.
                 This command can only be run using an |authtoken| with admin
                 permissions on the |repo|.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repoid: Set the repository name or repository ID.
                 :type repoid: str or int
                 :param usergroupid: Specify the ID of the user group.
                 :type usergroupid: str or int
                 :param perm: Set the user group permissions using the following
                     format: (repository.(none|read|write|admin))
                 :type perm: str
                 Example output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : {
                     "msg" : "Granted perm: `<perm>` for group: `<usersgroupname>` in repo: `<reponame>`",
                     "success": true
                   }
                   error :  null
                 Example error output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : null
                   error :  {
                     "failed to edit permission for user group: `<usergroup>` in repo `<repo>`'
                   }
                 """
                 repo = get_repo_or_error(repoid)
                 perm = get_perm_or_error(perm)
                 if not has_superadmin_permission(apiuser):
                     _perms = ('repository.admin',)
                     validate_repo_permissions(apiuser, repoid, repo, _perms)
                 user_group = get_user_group_or_error(usergroupid)
                 if not has_superadmin_permission(apiuser):
                     # check if we have at least read permission for this user group !
                     _perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin',)
                     if not HasUserGroupPermissionAnyApi(*_perms)(
                             user=apiuser, user_group_name=user_group.users_group_name):
                         raise JSONRPCError(
                             'user group `%s` does not exist' % (usergroupid,))
                 perm_additions = [[user_group.users_group_id, perm.permission_name, "user_group"]]
                 try:
                     changes = RepoModel().update_permissions(
                         repo=repo, perm_additions=perm_additions, cur_user=apiuser)
                     action_data = {
                         'added': changes['added'],
                         'updated': changes['updated'],
                         'deleted': changes['deleted'],
                     }
                     audit_logger.store_api(
                         'repo.edit.permissions', action_data=action_data, user=apiuser, repo=repo)
+                    Session().commit()
+                    PermissionModel().flush_user_permission_caches(changes)
-                    Session().commit()
                     return {
                         'msg': 'Granted perm: `%s` for user group: `%s` in '
                                'repo: `%s`' % (
                                    perm.permission_name, user_group.users_group_name,
                                    repo.repo_name
                                ),
                         'success': True
                     }
                 except Exception:
                     log.exception(
                         "Exception occurred while trying change permission on repo")
                     raise JSONRPCError(
                         'failed to edit permission for user group: `%s` in '
                         'repo: `%s`' % (
                             usergroupid, repo.repo_name
                         )
                     )
             @jsonrpc_method()
             def revoke_user_group_permission(request, apiuser, repoid, usergroupid):
                 """
                 Revoke the permissions of a user group on a given repository.
                 This command can only be run using an |authtoken| with admin
                 permissions on the |repo|.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repoid: Set the repository name or repository ID.
                 :type repoid: str or int
                 :param usergroupid: Specify the user group ID.
                 :type usergroupid: str or int
                 Example output:
                 .. code-block:: bash
                     id : <id_given_in_input>
                     result: {
                               "msg" : "Revoked perm for group: `<usersgroupname>` in repo: `<reponame>`",
                               "success": true
                             }
                     error:  null
                 """
                 repo = get_repo_or_error(repoid)
                 if not has_superadmin_permission(apiuser):
                     _perms = ('repository.admin',)
                     validate_repo_permissions(apiuser, repoid, repo, _perms)
                 user_group = get_user_group_or_error(usergroupid)
                 if not has_superadmin_permission(apiuser):
                     # check if we have at least read permission for this user group !
                     _perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin',)
                     if not HasUserGroupPermissionAnyApi(*_perms)(
                             user=apiuser, user_group_name=user_group.users_group_name):
                         raise JSONRPCError(
                             'user group `%s` does not exist' % (usergroupid,))
                 perm_deletions = [[user_group.users_group_id, None, "user_group"]]
                 try:
                     changes = RepoModel().update_permissions(
                         repo=repo, perm_deletions=perm_deletions, cur_user=apiuser)
                     action_data = {
                         'added': changes['added'],
                         'updated': changes['updated'],
                         'deleted': changes['deleted'],
                     }
                     audit_logger.store_api(
                         'repo.edit.permissions', action_data=action_data, user=apiuser, repo=repo)
+                    Session().commit()
+                    PermissionModel().flush_user_permission_caches(changes)
-                    Session().commit()
                     return {
                         'msg': 'Revoked perm for user group: `%s` in repo: `%s`' % (
                             user_group.users_group_name, repo.repo_name
                         ),
                         'success': True
                     }
                 except Exception:
                     log.exception("Exception occurred while trying revoke "
                                   "user group permission on repo")
                     raise JSONRPCError(
                         'failed to edit permission for user group: `%s` in '
                         'repo: `%s`' % (
                             user_group.users_group_name, repo.repo_name
                         )
                     )
             @jsonrpc_method()
             def pull(request, apiuser, repoid, remote_uri=Optional(None)):
                 """
                 Triggers a pull on the given repository from a remote location. You
                 can use this to keep remote repositories up-to-date.
                 This command can only be run using an |authtoken| with admin
                 rights to the specified repository. For more information,
                 see :ref:`config-token-ref`.
                 This command takes the following options:
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repoid: The repository name or repository ID.
                 :type repoid: str or int
                 :param remote_uri: Optional remote URI to pass in for pull
                 :type remote_uri: str
                 Example output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : {
                     "msg": "Pulled from url `<remote_url>` on repo `<repository name>`"
                     "repository": "<repository name>"
                   }
                   error :  null
                 Example error output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : null
                   error :  {
                     "Unable to push changes from `<remote_url>`"
                   }
                 """
                 repo = get_repo_or_error(repoid)
                 remote_uri = Optional.extract(remote_uri)
                 remote_uri_display = remote_uri or repo.clone_uri_hidden
                 if not has_superadmin_permission(apiuser):
                     _perms = ('repository.admin',)
                     validate_repo_permissions(apiuser, repoid, repo, _perms)
                 try:
                     ScmModel().pull_changes(
                         repo.repo_name, apiuser.username, remote_uri=remote_uri)
                     return {
                         'msg': 'Pulled from url `%s` on repo `%s`' % (
                             remote_uri_display, repo.repo_name),
                         'repository': repo.repo_name
                     }
                 except Exception:
                     log.exception("Exception occurred while trying to "
                                   "pull changes from remote location")
                     raise JSONRPCError(
                         'Unable to pull changes from `%s`' % remote_uri_display
                     )
             @jsonrpc_method()
             def strip(request, apiuser, repoid, revision, branch):
                 """
                 Strips the given revision from the specified repository.
                 * This will remove the revision and all of its decendants.
                 This command can only be run using an |authtoken| with admin rights to
                 the specified repository.
                 This command takes the following options:
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repoid: The repository name or repository ID.
                 :type repoid: str or int
                 :param revision: The revision you wish to strip.
                 :type revision: str
                 :param branch: The branch from which to strip the revision.
                 :type branch: str
                 Example output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : {
                     "msg": "'Stripped commit <commit_hash> from repo `<repository name>`'"
                     "repository": "<repository name>"
                   }
                   error :  null
                 Example error output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : null
                   error :  {
                     "Unable to strip commit <commit_hash> from repo `<repository name>`"
                   }
                 """
                 repo = get_repo_or_error(repoid)
                 if not has_superadmin_permission(apiuser):
                     _perms = ('repository.admin',)
                     validate_repo_permissions(apiuser, repoid, repo, _perms)
                 try:
                     ScmModel().strip(repo, revision, branch)
                     audit_logger.store_api(
                         'repo.commit.strip', action_data={'commit_id': revision},
                         repo=repo,
                         user=apiuser, commit=True)
                     return {
                         'msg': 'Stripped commit %s from repo `%s`' % (
                             revision, repo.repo_name),
                         'repository': repo.repo_name
                     }
                 except Exception:
                     log.exception("Exception while trying to strip")
                     raise JSONRPCError(
                         'Unable to strip commit %s from repo `%s`' % (
                             revision, repo.repo_name)
                     )
             @jsonrpc_method()
             def get_repo_settings(request, apiuser, repoid, key=Optional(None)):
                 """
                 Returns all settings for a repository. If key is given it only returns the
                 setting identified by the key or null.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repoid: The repository name or repository id.
                 :type repoid: str or int
                 :param key: Key of the setting to return.
                 :type: key: Optional(str)
                 Example output:
                 .. code-block:: bash
                     {
                         "error": null,
                         "id": 237,
                         "result": {
                             "extensions_largefiles": true,
                             "extensions_evolve": true,
                             "hooks_changegroup_push_logger": true,
                             "hooks_changegroup_repo_size": false,
                             "hooks_outgoing_pull_logger": true,
                             "phases_publish": "True",
                             "rhodecode_hg_use_rebase_for_merging": true,
                             "rhodecode_pr_merge_enabled": true,
                             "rhodecode_use_outdated_comments": true
                         }
                     }
                 """
                 # Restrict access to this api method to admins only.
                 if not has_superadmin_permission(apiuser):
                     raise JSONRPCForbidden()
                 try:
                     repo = get_repo_or_error(repoid)
                     settings_model = VcsSettingsModel(repo=repo)
                     settings = settings_model.get_global_settings()
                     settings.update(settings_model.get_repo_settings())
                     # If only a single setting is requested fetch it from all settings.
                     key = Optional.extract(key)
                     if key is not None:
                         settings = settings.get(key, None)
                 except Exception:
                     msg = 'Failed to fetch settings for repository `{}`'.format(repoid)
                     log.exception(msg)
                     raise JSONRPCError(msg)
                 return settings
             @jsonrpc_method()
             def set_repo_settings(request, apiuser, repoid, settings):
                 """
                 Update repository settings. Returns true on success.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repoid: The repository name or repository id.
                 :type repoid: str or int
                 :param settings: The new settings for the repository.
                 :type: settings: dict
                 Example output:
                 .. code-block:: bash
                     {
                         "error": null,
                         "id": 237,
                         "result": true
                     }
                 """
                 # Restrict access to this api method to admins only.
                 if not has_superadmin_permission(apiuser):
                     raise JSONRPCForbidden()
                 if type(settings) is not dict:
                     raise JSONRPCError('Settings have to be a JSON Object.')
                 try:
                     settings_model = VcsSettingsModel(repo=repoid)
                     # Merge global, repo and incoming settings.
                     new_settings = settings_model.get_global_settings()
                     new_settings.update(settings_model.get_repo_settings())
                     new_settings.update(settings)
                     # Update the settings.
                     inherit_global_settings = new_settings.get(
                         'inherit_global_settings', False)
                     settings_model.create_or_update_repo_settings(
                         new_settings, inherit_global_settings=inherit_global_settings)
                     Session().commit()
                 except Exception:
                     msg = 'Failed to update settings for repository `{}`'.format(repoid)
                     log.exception(msg)
                     raise JSONRPCError(msg)
                 # Indicate success.
                 return True
             @jsonrpc_method()
             def maintenance(request, apiuser, repoid):
                 """
                 Triggers a maintenance on the given repository.
                 This command can only be run using an |authtoken| with admin
                 rights to the specified repository. For more information,
                 see :ref:`config-token-ref`.
                 This command takes the following options:
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repoid: The repository name or repository ID.
                 :type repoid: str or int
                 Example output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : {
                     "msg": "executed maintenance command",
                     "executed_actions": [
                        <action_message>, <action_message2>...
                     ],
                     "repository": "<repository name>"
                   }
                   error :  null
                 Example error output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : null
                   error :  {
                     "Unable to execute maintenance on `<reponame>`"
                   }
                 """
                 repo = get_repo_or_error(repoid)
                 if not has_superadmin_permission(apiuser):
                     _perms = ('repository.admin',)
                     validate_repo_permissions(apiuser, repoid, repo, _perms)
                 try:
                     maintenance = repo_maintenance.RepoMaintenance()
                     executed_actions = maintenance.execute(repo)
                     return {
                         'msg': 'executed maintenance command',
                         'executed_actions': executed_actions,
                         'repository': repo.repo_name
                     }
                 except Exception:
                     log.exception("Exception occurred while trying to run maintenance")
                     raise JSONRPCError(
                         'Unable to execute maintenance on `%s`' % repo.repo_name)

rhodecode/api/views/repo_group_api.py

0 +9 -4

             # -*- coding: utf-8 -*-
             # Copyright (C) 2011-2019 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import logging
             from rhodecode.api import JSONRPCValidationError
             from rhodecode.api import jsonrpc_method, JSONRPCError
             from rhodecode.api.utils import (
                 has_superadmin_permission, Optional, OAttr, get_user_or_error,
                 get_repo_group_or_error, get_perm_or_error, get_user_group_or_error,
                 get_origin, validate_repo_group_permissions, validate_set_owner_permissions)
             from rhodecode.lib import audit_logger
             from rhodecode.lib.auth import (
                 HasRepoGroupPermissionAnyApi, HasUserGroupPermissionAnyApi)
             from rhodecode.model.db import Session
+            from rhodecode.model.permission import PermissionModel
             from rhodecode.model.repo_group import RepoGroupModel
             from rhodecode.model.scm import RepoGroupList
             from rhodecode.model import validation_schema
             from rhodecode.model.validation_schema.schemas import repo_group_schema
             log = logging.getLogger(__name__)
             @jsonrpc_method()
             def get_repo_group(request, apiuser, repogroupid):
                 """
                 Return the specified |repo| group, along with permissions,
                 and repositories inside the group
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repogroupid: Specify the name of ID of the repository group.
                 :type repogroupid: str or int
                 Example output:
                 .. code-block:: bash
                     {
                       "error": null,
                       "id": repo-group-id,
                       "result": {
                         "group_description": "repo group description",
                         "group_id": 14,
                         "group_name": "group name",
                         "permissions": [
                           {
                             "name": "super-admin-username",
                             "origin": "super-admin",
                             "permission": "group.admin",
                             "type": "user"
                           },
                           {
                             "name": "owner-name",
                             "origin": "owner",
                             "permission": "group.admin",
                             "type": "user"
                           },
                           {
                             "name": "user-group-name",
                             "origin": "permission",
                             "permission": "group.write",
                             "type": "user_group"
                           }
                         ],
                         "owner": "owner-name",
                         "parent_group": null,
                         "repositories": [ repo-list ]
                       }
                     }
                 """
                 repo_group = get_repo_group_or_error(repogroupid)
                 if not has_superadmin_permission(apiuser):
                     # check if we have at least read permission for this repo group !
                     _perms = ('group.admin', 'group.write', 'group.read',)
                     if not HasRepoGroupPermissionAnyApi(*_perms)(
                             user=apiuser, group_name=repo_group.group_name):
                         raise JSONRPCError(
                             'repository group `%s` does not exist' % (repogroupid,))
                 permissions = []
                 for _user in repo_group.permissions():
                     user_data = {
                         'name': _user.username,
                         'permission': _user.permission,
                         'origin': get_origin(_user),
                         'type': "user",
                     }
                     permissions.append(user_data)
                 for _user_group in repo_group.permission_user_groups():
                     user_group_data = {
                         'name': _user_group.users_group_name,
                         'permission': _user_group.permission,
                         'origin': get_origin(_user_group),
                         'type': "user_group",
                     }
                     permissions.append(user_group_data)
                 data = repo_group.get_api_data()
                 data["permissions"] = permissions
                 return data
             @jsonrpc_method()
             def get_repo_groups(request, apiuser):
                 """
                 Returns all repository groups.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 """
                 result = []
                 _perms = ('group.read', 'group.write', 'group.admin',)
                 extras = {'user': apiuser}
                 for repo_group in RepoGroupList(RepoGroupModel().get_all(),
                                                 perm_set=_perms, extra_kwargs=extras):
                     result.append(repo_group.get_api_data())
                 return result
             @jsonrpc_method()
             def create_repo_group(
                     request, apiuser, group_name,
                     owner=Optional(OAttr('apiuser')),
                     description=Optional(''),
                     copy_permissions=Optional(False)):
                 """
                 Creates a repository group.
                 * If the repository group name contains "/", repository group will be
                   created inside a repository group or nested repository groups
                   For example "foo/bar/group1" will create repository group called "group1"
                   inside group "foo/bar". You have to have permissions to access and
                   write to the last repository group ("bar" in this example)
                 This command can only be run using an |authtoken| with at least
                 permissions to create repository groups, or admin permissions to
                 parent repository groups.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param group_name: Set the repository group name.
                 :type group_name: str
                 :param description: Set the |repo| group description.
                 :type description: str
                 :param owner: Set the |repo| group owner.
                 :type owner: str
                 :param copy_permissions:
                 :type copy_permissions:
                 Example output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : {
                       "msg": "Created new repo group `<repo_group_name>`"
                       "repo_group": <repogroup_object>
                   }
                   error :  null
                 Example error output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : null
                   error :  {
                     failed to create repo group `<repogroupid>`
                   }
                 """
                 owner = validate_set_owner_permissions(apiuser, owner)
                 description = Optional.extract(description)
                 copy_permissions = Optional.extract(copy_permissions)
                 schema = repo_group_schema.RepoGroupSchema().bind(
                     # user caller
                     user=apiuser)
                 try:
                     schema_data = schema.deserialize(dict(
                         repo_group_name=group_name,
                         repo_group_owner=owner.username,
                         repo_group_description=description,
                         repo_group_copy_permissions=copy_permissions,
                     ))
                 except validation_schema.Invalid as err:
                     raise JSONRPCValidationError(colander_exc=err)
                 validated_group_name = schema_data['repo_group_name']
                 try:
                     repo_group = RepoGroupModel().create(
                         owner=owner,
                         group_name=validated_group_name,
                         group_description=schema_data['repo_group_description'],
                         copy_permissions=schema_data['repo_group_copy_permissions'])
                     Session().flush()
                     repo_group_data = repo_group.get_api_data()
                     audit_logger.store_api(
                         'repo_group.create', action_data={'data': repo_group_data},
                         user=apiuser)
                     Session().commit()
                     return {
                         'msg': 'Created new repo group `%s`' % validated_group_name,
                         'repo_group': repo_group.get_api_data()
                     }
                 except Exception:
                     log.exception("Exception occurred while trying create repo group")
                     raise JSONRPCError(
                         'failed to create repo group `%s`' % (validated_group_name,))
             @jsonrpc_method()
             def update_repo_group(
                     request, apiuser, repogroupid, group_name=Optional(''),
                     description=Optional(''), owner=Optional(OAttr('apiuser')),
                     enable_locking=Optional(False)):
                 """
                 Updates repository group with the details given.
                 This command can only be run using an |authtoken| with admin
                 permissions.
                 * If the group_name name contains "/", repository group will be updated
                   accordingly with a repository group or nested repository groups
                   For example repogroupid=group-test group_name="foo/bar/group-test"
                   will update repository group called "group-test" and place it
                   inside group "foo/bar".
                   You have to have permissions to access and write to the last repository
                   group ("bar" in this example)
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repogroupid: Set the ID of repository group.
                 :type repogroupid: str or int
                 :param group_name: Set the name of the |repo| group.
                 :type group_name: str
                 :param description: Set a description for the group.
                 :type description: str
                 :param owner: Set the |repo| group owner.
                 :type owner: str
                 :param enable_locking: Enable |repo| locking. The default is false.
                 :type enable_locking: bool
                 """
                 repo_group = get_repo_group_or_error(repogroupid)
                 if not has_superadmin_permission(apiuser):
                     validate_repo_group_permissions(
                         apiuser, repogroupid, repo_group, ('group.admin',))
                 updates = dict(
                     group_name=group_name
                     if not isinstance(group_name, Optional) else repo_group.group_name,
                     group_description=description
                     if not isinstance(description, Optional) else repo_group.group_description,
                     user=owner
                     if not isinstance(owner, Optional) else repo_group.user.username,
                     enable_locking=enable_locking
                     if not isinstance(enable_locking, Optional) else repo_group.enable_locking
                 )
                 schema = repo_group_schema.RepoGroupSchema().bind(
                     # user caller
                     user=apiuser,
                     old_values=repo_group.get_api_data())
                 try:
                     schema_data = schema.deserialize(dict(
                         repo_group_name=updates['group_name'],
                         repo_group_owner=updates['user'],
                         repo_group_description=updates['group_description'],
                         repo_group_enable_locking=updates['enable_locking'],
                     ))
                 except validation_schema.Invalid as err:
                     raise JSONRPCValidationError(colander_exc=err)
                 validated_updates = dict(
                     group_name=schema_data['repo_group']['repo_group_name_without_group'],
                     group_parent_id=schema_data['repo_group']['repo_group_id'],
                     user=schema_data['repo_group_owner'],
                     group_description=schema_data['repo_group_description'],
                     enable_locking=schema_data['repo_group_enable_locking'],
                 )
                 old_data = repo_group.get_api_data()
                 try:
                     RepoGroupModel().update(repo_group, validated_updates)
                     audit_logger.store_api(
                         'repo_group.edit', action_data={'old_data': old_data},
                         user=apiuser)
                     Session().commit()
                     return {
                         'msg': 'updated repository group ID:%s %s' % (
                             repo_group.group_id, repo_group.group_name),
                         'repo_group': repo_group.get_api_data()
                     }
                 except Exception:
                     log.exception(
                         u"Exception occurred while trying update repo group %s",
                         repogroupid)
                     raise JSONRPCError('failed to update repository group `%s`'
                                        % (repogroupid,))
             @jsonrpc_method()
             def delete_repo_group(request, apiuser, repogroupid):
                 """
                 Deletes a |repo| group.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repogroupid: Set the name or ID of repository group to be
                     deleted.
                 :type repogroupid: str or int
                 Example output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : {
                     'msg': 'deleted repo group ID:<repogroupid> <repogroupname>'
                     'repo_group': null
                   }
                   error :  null
                 Example error output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : null
                   error :  {
                     "failed to delete repo group ID:<repogroupid> <repogroupname>"
                   }
                 """
                 repo_group = get_repo_group_or_error(repogroupid)
                 if not has_superadmin_permission(apiuser):
                     validate_repo_group_permissions(
                         apiuser, repogroupid, repo_group, ('group.admin',))
                 old_data = repo_group.get_api_data()
                 try:
                     RepoGroupModel().delete(repo_group)
                     audit_logger.store_api(
                         'repo_group.delete', action_data={'old_data': old_data},
                         user=apiuser)
                     Session().commit()
                     return {
                         'msg': 'deleted repo group ID:%s %s' %
                                (repo_group.group_id, repo_group.group_name),
                         'repo_group': None
                     }
                 except Exception:
                     log.exception("Exception occurred while trying to delete repo group")
                     raise JSONRPCError('failed to delete repo group ID:%s %s' %
                                        (repo_group.group_id, repo_group.group_name))
             @jsonrpc_method()
             def grant_user_permission_to_repo_group(
                     request, apiuser, repogroupid, userid, perm,
                     apply_to_children=Optional('none')):
                 """
                 Grant permission for a user on the given repository group, or update
                 existing permissions if found.
                 This command can only be run using an |authtoken| with admin
                 permissions.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repogroupid: Set the name or ID of repository group.
                 :type repogroupid: str or int
                 :param userid: Set the user name.
                 :type userid: str
                 :param perm: (group.(none|read|write|admin))
                 :type perm: str
                 :param apply_to_children: 'none', 'repos', 'groups', 'all'
                 :type apply_to_children: str
                 Example output:
                 .. code-block:: bash
                     id : <id_given_in_input>
                     result: {
                               "msg" : "Granted perm: `<perm>` (recursive:<apply_to_children>) for user: `<username>` in repo group: `<repo_group_name>`",
                               "success": true
                             }
                     error:  null
                 Example error output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : null
                   error :  {
                     "failed to edit permission for user: `<userid>` in repo group: `<repo_group_name>`"
                   }
                 """
                 repo_group = get_repo_group_or_error(repogroupid)
                 if not has_superadmin_permission(apiuser):
                     validate_repo_group_permissions(
                         apiuser, repogroupid, repo_group, ('group.admin',))
                 user = get_user_or_error(userid)
                 perm = get_perm_or_error(perm, prefix='group.')
                 apply_to_children = Optional.extract(apply_to_children)
                 perm_additions = [[user.user_id, perm.permission_name, "user"]]
                 try:
                     changes = RepoGroupModel().update_permissions(
                         repo_group=repo_group, perm_additions=perm_additions,
                         recursive=apply_to_children, cur_user=apiuser)
                     action_data = {
                         'added': changes['added'],
                         'updated': changes['updated'],
                         'deleted': changes['deleted'],
                     }
                     audit_logger.store_api(
                         'repo_group.edit.permissions', action_data=action_data,
                         user=apiuser)
+                    Session().commit()
+                    PermissionModel().flush_user_permission_caches(changes)
-                    Session().commit()
                     return {
                         'msg': 'Granted perm: `%s` (recursive:%s) for user: '
                                '`%s` in repo group: `%s`' % (
                                    perm.permission_name, apply_to_children, user.username,
                                    repo_group.name
                                ),
                         'success': True
                     }
                 except Exception:
                     log.exception("Exception occurred while trying to grant "
                                   "user permissions to repo group")
                     raise JSONRPCError(
                         'failed to edit permission for user: '
                         '`%s` in repo group: `%s`' % (userid, repo_group.name))
             @jsonrpc_method()
             def revoke_user_permission_from_repo_group(
                     request, apiuser, repogroupid, userid,
                     apply_to_children=Optional('none')):
                 """
                 Revoke permission for a user in a given repository group.
                 This command can only be run using an |authtoken| with admin
                 permissions on the |repo| group.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repogroupid: Set the name or ID of the repository group.
                 :type repogroupid: str or int
                 :param userid: Set the user name to revoke.
                 :type userid: str
                 :param apply_to_children: 'none', 'repos', 'groups', 'all'
                 :type apply_to_children: str
                 Example output:
                 .. code-block:: bash
                     id : <id_given_in_input>
                     result: {
                               "msg" : "Revoked perm (recursive:<apply_to_children>) for user: `<username>` in repo group: `<repo_group_name>`",
                               "success": true
                             }
                     error:  null
                 Example error output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : null
                   error :  {
                     "failed to edit permission for user: `<userid>` in repo group: `<repo_group_name>`"
                   }
                 """
                 repo_group = get_repo_group_or_error(repogroupid)
                 if not has_superadmin_permission(apiuser):
                     validate_repo_group_permissions(
                         apiuser, repogroupid, repo_group, ('group.admin',))
                 user = get_user_or_error(userid)
                 apply_to_children = Optional.extract(apply_to_children)
                 perm_deletions = [[user.user_id, None, "user"]]
                 try:
                     changes = RepoGroupModel().update_permissions(
                         repo_group=repo_group, perm_deletions=perm_deletions,
                         recursive=apply_to_children, cur_user=apiuser)
                     action_data = {
                         'added': changes['added'],
                         'updated': changes['updated'],
                         'deleted': changes['deleted'],
                     }
                     audit_logger.store_api(
                         'repo_group.edit.permissions', action_data=action_data,
                         user=apiuser)
+                    Session().commit()
+                    PermissionModel().flush_user_permission_caches(changes)
-                    Session().commit()
                     return {
                         'msg': 'Revoked perm (recursive:%s) for user: '
                                '`%s` in repo group: `%s`' % (
                                    apply_to_children, user.username, repo_group.name
                                ),
                         'success': True
                     }
                 except Exception:
                     log.exception("Exception occurred while trying revoke user "
                                   "permission from repo group")
                     raise JSONRPCError(
                         'failed to edit permission for user: '
                         '`%s` in repo group: `%s`' % (userid, repo_group.name))
             @jsonrpc_method()
             def grant_user_group_permission_to_repo_group(
                     request, apiuser, repogroupid, usergroupid, perm,
                     apply_to_children=Optional('none'), ):
                 """
                 Grant permission for a user group on given repository group, or update
                 existing permissions if found.
                 This command can only be run using an |authtoken| with admin
                 permissions on the |repo| group.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repogroupid: Set the name or id of repository group
                 :type repogroupid: str or int
                 :param usergroupid: id of usergroup
                 :type usergroupid: str or int
                 :param perm: (group.(none|read|write|admin))
                 :type perm: str
                 :param apply_to_children: 'none', 'repos', 'groups', 'all'
                 :type apply_to_children: str
                 Example output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : {
                     "msg" : "Granted perm: `<perm>` (recursive:<apply_to_children>) for user group: `<usersgroupname>` in repo group: `<repo_group_name>`",
                     "success": true
                   }
                   error :  null
                 Example error output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : null
                   error :  {
                     "failed to edit permission for user group: `<usergroup>` in repo group: `<repo_group_name>`"
                   }
                 """
                 repo_group = get_repo_group_or_error(repogroupid)
                 perm = get_perm_or_error(perm, prefix='group.')
                 user_group = get_user_group_or_error(usergroupid)
                 if not has_superadmin_permission(apiuser):
                     validate_repo_group_permissions(
                         apiuser, repogroupid, repo_group, ('group.admin',))
                     # check if we have at least read permission for this user group !
                     _perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin',)
                     if not HasUserGroupPermissionAnyApi(*_perms)(
                             user=apiuser, user_group_name=user_group.users_group_name):
                         raise JSONRPCError(
                             'user group `%s` does not exist' % (usergroupid,))
                 apply_to_children = Optional.extract(apply_to_children)
                 perm_additions = [[user_group.users_group_id, perm.permission_name, "user_group"]]
                 try:
                     changes = RepoGroupModel().update_permissions(
                         repo_group=repo_group, perm_additions=perm_additions,
                         recursive=apply_to_children, cur_user=apiuser)
                     action_data = {
                         'added': changes['added'],
                         'updated': changes['updated'],
                         'deleted': changes['deleted'],
                     }
                     audit_logger.store_api(
                         'repo_group.edit.permissions', action_data=action_data,
                         user=apiuser)
+                    Session().commit()
+                    PermissionModel().flush_user_permission_caches(changes)
-                    Session().commit()
                     return {
                         'msg': 'Granted perm: `%s` (recursive:%s) '
                                'for user group: `%s` in repo group: `%s`' % (
                                    perm.permission_name, apply_to_children,
                                    user_group.users_group_name, repo_group.name
                                ),
                         'success': True
                     }
                 except Exception:
                     log.exception("Exception occurred while trying to grant user "
                                   "group permissions to repo group")
                     raise JSONRPCError(
                         'failed to edit permission for user group: `%s` in '
                         'repo group: `%s`' % (
                             usergroupid, repo_group.name
                         )
                     )
             @jsonrpc_method()
             def revoke_user_group_permission_from_repo_group(
                     request, apiuser, repogroupid, usergroupid,
                     apply_to_children=Optional('none')):
                 """
                 Revoke permission for user group on given repository.
                 This command can only be run using an |authtoken| with admin
                 permissions on the |repo| group.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repogroupid: name or id of repository group
                 :type repogroupid: str or int
                 :param usergroupid:
                 :param apply_to_children: 'none', 'repos', 'groups', 'all'
                 :type apply_to_children: str
                 Example output:
                 .. code-block:: bash
                     id : <id_given_in_input>
                     result: {
                               "msg" : "Revoked perm (recursive:<apply_to_children>) for user group: `<usersgroupname>` in repo group: `<repo_group_name>`",
                               "success": true
                             }
                     error:  null
                 Example error output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : null
                   error :  {
                     "failed to edit permission for user group: `<usergroup>` in repo group: `<repo_group_name>`"
                   }
                 """
                 repo_group = get_repo_group_or_error(repogroupid)
                 user_group = get_user_group_or_error(usergroupid)
                 if not has_superadmin_permission(apiuser):
                     validate_repo_group_permissions(
                         apiuser, repogroupid, repo_group, ('group.admin',))
                     # check if we have at least read permission for this user group !
                     _perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin',)
                     if not HasUserGroupPermissionAnyApi(*_perms)(
                             user=apiuser, user_group_name=user_group.users_group_name):
                         raise JSONRPCError(
                             'user group `%s` does not exist' % (usergroupid,))
                 apply_to_children = Optional.extract(apply_to_children)
                 perm_deletions = [[user_group.users_group_id, None, "user_group"]]
                 try:
                     changes = RepoGroupModel().update_permissions(
                         repo_group=repo_group, perm_deletions=perm_deletions,
                         recursive=apply_to_children, cur_user=apiuser)
                     action_data = {
                         'added': changes['added'],
                         'updated': changes['updated'],
                         'deleted': changes['deleted'],
                     }
                     audit_logger.store_api(
                         'repo_group.edit.permissions', action_data=action_data,
                         user=apiuser)
+                    Session().commit()
+                    PermissionModel().flush_user_permission_caches(changes)
-                    Session().commit()
                     return {
                         'msg': 'Revoked perm (recursive:%s) for user group: '
                                '`%s` in repo group: `%s`' % (
                                    apply_to_children, user_group.users_group_name,
                                    repo_group.name
                                ),
                         'success': True
                     }
                 except Exception:
                     log.exception("Exception occurred while trying revoke user group "
                                   "permissions from repo group")
                     raise JSONRPCError(
                         'failed to edit permission for user group: '
                         '`%s` in repo group: `%s`' % (
                             user_group.users_group_name, repo_group.name
                         )
                     )

rhodecode/api/views/user_group_api.py

0 +12 -4

             # -*- coding: utf-8 -*-
             # Copyright (C) 2011-2019 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import logging
             from rhodecode.api import (
                 jsonrpc_method, JSONRPCError, JSONRPCForbidden, JSONRPCValidationError)
             from rhodecode.api.utils import (
                 Optional, OAttr, store_update, has_superadmin_permission, get_origin,
                 get_user_or_error, get_user_group_or_error, get_perm_or_error)
             from rhodecode.lib import audit_logger
             from rhodecode.lib.auth import HasUserGroupPermissionAnyApi, HasPermissionAnyApi
             from rhodecode.lib.exceptions import UserGroupAssignedException
             from rhodecode.model.db import Session
+            from rhodecode.model.permission import PermissionModel
             from rhodecode.model.scm import UserGroupList
             from rhodecode.model.user_group import UserGroupModel
             from rhodecode.model import validation_schema
             from rhodecode.model.validation_schema.schemas import user_group_schema
             log = logging.getLogger(__name__)
             @jsonrpc_method()
             def get_user_group(request, apiuser, usergroupid):
                 """
                 Returns the data of an existing user group.
                 This command can only be run using an |authtoken| with admin rights to
                 the specified repository.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param usergroupid: Set the user group from which to return data.
                 :type usergroupid: str or int
                 Example error output:
                 .. code-block:: bash
                     {
                       "error": null,
                       "id": <id>,
                       "result": {
                         "active": true,
                         "group_description": "group description",
                         "group_name": "group name",
                         "permissions": [
                           {
                             "name": "owner-name",
                             "origin": "owner",
                             "permission": "usergroup.admin",
                             "type": "user"
                           },
                           {
                           {
                             "name": "user name",
                             "origin": "permission",
                             "permission": "usergroup.admin",
                             "type": "user"
                           },
                           {
                             "name": "user group name",
                             "origin": "permission",
                             "permission": "usergroup.write",
                             "type": "user_group"
                           }
                         ],
                         "permissions_summary": {
                           "repositories": {
                             "aa-root-level-repo-1": "repository.admin"
                           },
                           "repositories_groups": {}
                         },
                         "owner": "owner name",
                         "users": [],
                         "users_group_id": 2
                       }
                     }
                 """
                 user_group = get_user_group_or_error(usergroupid)
                 if not has_superadmin_permission(apiuser):
                     # check if we have at least read permission for this user group !
                     _perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin',)
                     if not HasUserGroupPermissionAnyApi(*_perms)(
                             user=apiuser, user_group_name=user_group.users_group_name):
                         raise JSONRPCError('user group `%s` does not exist' % (
                             usergroupid,))
                 permissions = []
                 for _user in user_group.permissions():
                     user_data = {
                         'name': _user.username,
                         'permission': _user.permission,
                         'origin': get_origin(_user),
                         'type': "user",
                     }
                     permissions.append(user_data)
                 for _user_group in user_group.permission_user_groups():
                     user_group_data = {
                         'name': _user_group.users_group_name,
                         'permission': _user_group.permission,
                         'origin': get_origin(_user_group),
                         'type': "user_group",
                     }
                     permissions.append(user_group_data)
                 data = user_group.get_api_data()
                 data["permissions"] = permissions
                 data["permissions_summary"] = UserGroupModel().get_perms_summary(
                     user_group.users_group_id)
                 return data
             @jsonrpc_method()
             def get_user_groups(request, apiuser):
                 """
                 Lists all the existing user groups within RhodeCode.
                 This command can only be run using an |authtoken| with admin rights to
                 the specified repository.
                 This command takes the following options:
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 Example error output:
                 .. code-block:: bash
                     id : <id_given_in_input>
                     result : [<user_group_obj>,...]
                     error : null
                 """
                 include_secrets = has_superadmin_permission(apiuser)
                 result = []
                 _perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin',)
                 extras = {'user': apiuser}
                 for user_group in UserGroupList(UserGroupModel().get_all(),
                                                 perm_set=_perms, extra_kwargs=extras):
                     result.append(
                         user_group.get_api_data(include_secrets=include_secrets))
                 return result
             @jsonrpc_method()
             def create_user_group(
                     request, apiuser, group_name, description=Optional(''),
                     owner=Optional(OAttr('apiuser')), active=Optional(True),
                     sync=Optional(None)):
                 """
                 Creates a new user group.
                 This command can only be run using an |authtoken| with admin rights to
                 the specified repository.
                 This command takes the following options:
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param group_name: Set the name of the new user group.
                 :type group_name: str
                 :param description: Give a description of the new user group.
                 :type description: str
                 :param owner: Set the owner of the new user group.
                     If not set, the owner is the |authtoken| user.
                 :type owner: Optional(str or int)
                 :param active: Set this group as active.
                 :type active: Optional(``True`` | ``False``)
                 :param sync: Set enabled or disabled the automatically sync from
                     external authentication types like ldap. If User Group will be named like
                     one from e.g ldap and sync flag is enabled members will be synced automatically.
                     Sync type when enabled via API is set to `manual_api`
                 :type sync: Optional(``True`` | ``False``)
                 Example output:
                 .. code-block:: bash
                     id : <id_given_in_input>
                     result: {
                               "msg": "created new user group `<groupname>`",
                               "user_group": <user_group_object>
                             }
                     error:  null
                 Example error output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : null
                   error :  {
                     "user group `<group name>` already exist"
                     or
                     "failed to create group `<group name>`"
                   }
                 """
                 if not has_superadmin_permission(apiuser):
                     if not HasPermissionAnyApi('hg.usergroup.create.true')(user=apiuser):
                         raise JSONRPCForbidden()
                 if UserGroupModel().get_by_name(group_name):
                     raise JSONRPCError("user group `%s` already exist" % (group_name,))
                 if isinstance(owner, Optional):
                     owner = apiuser.user_id
                 owner = get_user_or_error(owner)
                 active = Optional.extract(active)
                 description = Optional.extract(description)
                 sync = Optional.extract(sync)
                 # set the sync option based on group_data
                 group_data = None
                 if sync:
                     group_data = {
                         'extern_type': 'manual_api',
                         'extern_type_set_by': apiuser.username
                     }
                 schema = user_group_schema.UserGroupSchema().bind(
                     # user caller
                     user=apiuser)
                 try:
                     schema_data = schema.deserialize(dict(
                         user_group_name=group_name,
                         user_group_description=description,
                         user_group_owner=owner.username,
                         user_group_active=active,
                         ))
                 except validation_schema.Invalid as err:
                     raise JSONRPCValidationError(colander_exc=err)
                 try:
                     user_group = UserGroupModel().create(
                         name=schema_data['user_group_name'],
                         description=schema_data['user_group_description'],
                         owner=owner,
                         active=schema_data['user_group_active'], group_data=group_data)
                     Session().flush()
                     creation_data = user_group.get_api_data()
                     audit_logger.store_api(
                         'user_group.create', action_data={'data': creation_data},
                         user=apiuser)
                     Session().commit()
+                    affected_user_ids = [apiuser.user_id, owner.user_id]
+                    PermissionModel().trigger_permission_flush(affected_user_ids)
                     return {
                         'msg': 'created new user group `%s`' % group_name,
                         'user_group': creation_data
                     }
                 except Exception:
                     log.exception("Error occurred during creation of user group")
                     raise JSONRPCError('failed to create group `%s`' % (group_name,))
             @jsonrpc_method()
             def update_user_group(request, apiuser, usergroupid, group_name=Optional(''),
                                   description=Optional(''), owner=Optional(None),
                                   active=Optional(True), sync=Optional(None)):
                 """
                 Updates the specified `user group` with the details provided.
                 This command can only be run using an |authtoken| with admin rights to
                 the specified repository.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param usergroupid: Set the id of the `user group` to update.
                 :type usergroupid: str or int
                 :param group_name: Set the new name the `user group`
                 :type group_name: str
                 :param description: Give a description for the `user group`
                 :type description: str
                 :param owner: Set the owner of the `user group`.
                 :type owner: Optional(str or int)
                 :param active: Set the group as active.
                 :type active: Optional(``True`` | ``False``)
                 :param sync: Set enabled or disabled the automatically sync from
                     external authentication types like ldap. If User Group will be named like
                     one from e.g ldap and sync flag is enabled members will be synced automatically.
                     Sync type when enabled via API is set to `manual_api`
                 :type sync: Optional(``True`` | ``False``)
                 Example output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : {
                     "msg": 'updated user group ID:<user group id> <user group name>',
                     "user_group": <user_group_object>
                   }
                   error :  null
                 Example error output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : null
                   error :  {
                     "failed to update user group `<user group name>`"
                   }
                 """
                 user_group = get_user_group_or_error(usergroupid)
                 include_secrets = False
                 if not has_superadmin_permission(apiuser):
                     # check if we have admin permission for this user group !
                     _perms = ('usergroup.admin',)
                     if not HasUserGroupPermissionAnyApi(*_perms)(
                             user=apiuser, user_group_name=user_group.users_group_name):
                         raise JSONRPCError(
                             'user group `%s` does not exist' % (usergroupid,))
                 else:
                     include_secrets = True
                 if not isinstance(owner, Optional):
                     owner = get_user_or_error(owner)
                 old_data = user_group.get_api_data()
                 updates = {}
                 store_update(updates, group_name, 'users_group_name')
                 store_update(updates, description, 'user_group_description')
                 store_update(updates, owner, 'user')
                 store_update(updates, active, 'users_group_active')
                 sync = Optional.extract(sync)
                 group_data = None
                 if sync is True:
                     group_data = {
                         'extern_type': 'manual_api',
                         'extern_type_set_by': apiuser.username
                     }
                 if sync is False:
                     group_data = user_group.group_data
                     if group_data and "extern_type" in group_data:
                         del group_data["extern_type"]
                 try:
                     UserGroupModel().update(user_group, updates, group_data=group_data)
                     audit_logger.store_api(
                         'user_group.edit', action_data={'old_data': old_data},
                         user=apiuser)
                     Session().commit()
                     return {
                         'msg': 'updated user group ID:%s %s' % (
                             user_group.users_group_id, user_group.users_group_name),
                         'user_group': user_group.get_api_data(
                             include_secrets=include_secrets)
                     }
                 except Exception:
                     log.exception("Error occurred during update of user group")
                     raise JSONRPCError(
                         'failed to update user group `%s`' % (usergroupid,))
             @jsonrpc_method()
             def delete_user_group(request, apiuser, usergroupid):
                 """
                 Deletes the specified `user group`.
                 This command can only be run using an |authtoken| with admin rights to
                 the specified repository.
                 This command takes the following options:
                 :param apiuser: filled automatically from apikey
                 :type apiuser: AuthUser
                 :param usergroupid:
                 :type usergroupid: int
                 Example output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : {
                     "msg": "deleted user group ID:<user_group_id> <user_group_name>"
                   }
                   error :  null
                 Example error output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : null
                   error :  {
                     "failed to delete user group ID:<user_group_id> <user_group_name>"
                     or
                     "RepoGroup assigned to <repo_groups_list>"
                   }
                 """
                 user_group = get_user_group_or_error(usergroupid)
                 if not has_superadmin_permission(apiuser):
                     # check if we have admin permission for this user group !
                     _perms = ('usergroup.admin',)
                     if not HasUserGroupPermissionAnyApi(*_perms)(
                             user=apiuser, user_group_name=user_group.users_group_name):
                         raise JSONRPCError(
                             'user group `%s` does not exist' % (usergroupid,))
                 old_data = user_group.get_api_data()
                 try:
                     UserGroupModel().delete(user_group)
                     audit_logger.store_api(
                         'user_group.delete', action_data={'old_data': old_data},
                         user=apiuser)
                     Session().commit()
                     return {
                         'msg': 'deleted user group ID:%s %s' % (
                             user_group.users_group_id, user_group.users_group_name),
                         'user_group': None
                     }
                 except UserGroupAssignedException as e:
                     log.exception("UserGroupAssigned error")
                     raise JSONRPCError(str(e))
                 except Exception:
                     log.exception("Error occurred during deletion of user group")
                     raise JSONRPCError(
                         'failed to delete user group ID:%s %s' %(
                             user_group.users_group_id, user_group.users_group_name))
             @jsonrpc_method()
             def add_user_to_user_group(request, apiuser, usergroupid, userid):
                 """
                 Adds a user to a `user group`. If the user already exists in the group
                 this command will return false.
                 This command can only be run using an |authtoken| with admin rights to
                 the specified user group.
                 This command takes the following options:
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param usergroupid: Set the name of the `user group` to which a
                     user will be added.
                 :type usergroupid: int
                 :param userid: Set the `user_id` of the user to add to the group.
                 :type userid: int
                 Example output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : {
                       "success": True|False # depends on if member is in group
                       "msg": "added member `<username>` to user group `<groupname>` |
                               User is already in that group"
                   }
                   error :  null
                 Example error output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : null
                   error :  {
                     "failed to add member to user group `<user_group_name>`"
                   }
                 """
                 user = get_user_or_error(userid)
                 user_group = get_user_group_or_error(usergroupid)
                 if not has_superadmin_permission(apiuser):
                     # check if we have admin permission for this user group !
                     _perms = ('usergroup.admin',)
                     if not HasUserGroupPermissionAnyApi(*_perms)(
                             user=apiuser, user_group_name=user_group.users_group_name):
                         raise JSONRPCError('user group `%s` does not exist' % (
                             usergroupid,))
                 old_values = user_group.get_api_data()
                 try:
                     ugm = UserGroupModel().add_user_to_group(user_group, user)
                     success = True if ugm is not True else False
                     msg = 'added member `%s` to user group `%s`' % (
                         user.username, user_group.users_group_name
                     )
                     msg = msg if success else 'User is already in that group'
                     if success:
                         user_data = user.get_api_data()
                         audit_logger.store_api(
                             'user_group.edit.member.add',
                             action_data={'user': user_data, 'old_data': old_values},
                             user=apiuser)
                     Session().commit()
                     return {
                         'success': success,
                         'msg': msg
                     }
                 except Exception:
                     log.exception("Error occurred during adding a member to user group")
                     raise JSONRPCError(
                         'failed to add member to user group `%s`' % (
                             user_group.users_group_name,
                         )
                     )
             @jsonrpc_method()
             def remove_user_from_user_group(request, apiuser, usergroupid, userid):
                 """
                 Removes a user from a user group.
                 * If the specified user is not in the group, this command will return
                   `false`.
                 This command can only be run using an |authtoken| with admin rights to
                 the specified user group.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param usergroupid: Sets the user group name.
                 :type usergroupid: str or int
                 :param userid: The user you wish to remove from |RCE|.
                 :type userid: str or int
                 Example output:
                 .. code-block:: bash
                     id : <id_given_in_input>
                     result: {
                               "success":  True|False,  # depends on if member is in group
                               "msg": "removed member <username> from user group <groupname> |
                                       User wasn't in group"
                             }
                     error:  null
                 """
                 user = get_user_or_error(userid)
                 user_group = get_user_group_or_error(usergroupid)
                 if not has_superadmin_permission(apiuser):
                     # check if we have admin permission for this user group !
                     _perms = ('usergroup.admin',)
                     if not HasUserGroupPermissionAnyApi(*_perms)(
                             user=apiuser, user_group_name=user_group.users_group_name):
                         raise JSONRPCError(
                             'user group `%s` does not exist' % (usergroupid,))
                 old_values = user_group.get_api_data()
                 try:
                     success = UserGroupModel().remove_user_from_group(user_group, user)
                     msg = 'removed member `%s` from user group `%s`' % (
                         user.username, user_group.users_group_name
                     )
                     msg = msg if success else "User wasn't in group"
                     if success:
                         user_data = user.get_api_data()
                         audit_logger.store_api(
                             'user_group.edit.member.delete',
                             action_data={'user': user_data, 'old_data': old_values},
                             user=apiuser)
                     Session().commit()
                     return {'success': success, 'msg': msg}
                 except Exception:
                     log.exception("Error occurred during removing an member from user group")
                     raise JSONRPCError(
                         'failed to remove member from user group `%s`' % (
                             user_group.users_group_name,
                         )
                     )
             @jsonrpc_method()
             def grant_user_permission_to_user_group(
                     request, apiuser, usergroupid, userid, perm):
                 """
                 Set permissions for a user in a user group.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param usergroupid: Set the user group to edit permissions on.
                 :type usergroupid: str or int
                 :param userid: Set the user from whom you wish to set permissions.
                 :type userid: str
                 :param perm: (usergroup.(none|read|write|admin))
                 :type perm: str
                 Example output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : {
                     "msg": "Granted perm: `<perm_name>` for user: `<username>` in user group: `<user_group_name>`",
                     "success": true
                   }
                   error :  null
                 """
                 user_group = get_user_group_or_error(usergroupid)
                 if not has_superadmin_permission(apiuser):
                     # check if we have admin permission for this user group !
                     _perms = ('usergroup.admin',)
                     if not HasUserGroupPermissionAnyApi(*_perms)(
                             user=apiuser, user_group_name=user_group.users_group_name):
                         raise JSONRPCError(
                             'user group `%s` does not exist' % (usergroupid,))
                 user = get_user_or_error(userid)
                 perm = get_perm_or_error(perm, prefix='usergroup.')
                 try:
                     changes = UserGroupModel().grant_user_permission(
                         user_group=user_group, user=user, perm=perm)
                     action_data = {
                         'added': changes['added'],
                         'updated': changes['updated'],
                         'deleted': changes['deleted'],
                     }
                     audit_logger.store_api(
                         'user_group.edit.permissions', action_data=action_data,
                         user=apiuser)
+                    Session().commit()
+                    PermissionModel().flush_user_permission_caches(changes)
-                    Session().commit()
                     return {
                         'msg':
                             'Granted perm: `%s` for user: `%s` in user group: `%s`' % (
                                 perm.permission_name, user.username,
                                 user_group.users_group_name
                             ),
                         'success': True
                     }
                 except Exception:
                     log.exception("Error occurred during editing permissions "
                                   "for user in user group")
                     raise JSONRPCError(
                         'failed to edit permission for user: '
                         '`%s` in user group: `%s`' % (
                             userid, user_group.users_group_name))
             @jsonrpc_method()
             def revoke_user_permission_from_user_group(
                     request, apiuser, usergroupid, userid):
                 """
                 Revoke a users permissions in a user group.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param usergroupid: Set the user group from which to revoke the user
                     permissions.
                 :type: usergroupid: str or int
                 :param userid: Set the userid of the user whose permissions will be
                     revoked.
                 :type userid: str
                 Example output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : {
                     "msg": "Revoked perm for user: `<username>` in user group: `<user_group_name>`",
                     "success": true
                   }
                   error :  null
                 """
                 user_group = get_user_group_or_error(usergroupid)
                 if not has_superadmin_permission(apiuser):
                     # check if we have admin permission for this user group !
                     _perms = ('usergroup.admin',)
                     if not HasUserGroupPermissionAnyApi(*_perms)(
                             user=apiuser, user_group_name=user_group.users_group_name):
                         raise JSONRPCError(
                             'user group `%s` does not exist' % (usergroupid,))
                 user = get_user_or_error(userid)
                 try:
                     changes = UserGroupModel().revoke_user_permission(
                         user_group=user_group, user=user)
                     action_data = {
                         'added': changes['added'],
                         'updated': changes['updated'],
                         'deleted': changes['deleted'],
                     }
                     audit_logger.store_api(
                         'user_group.edit.permissions', action_data=action_data,
                         user=apiuser)
+                    Session().commit()
+                    PermissionModel().flush_user_permission_caches(changes)
-                    Session().commit()
                     return {
                         'msg': 'Revoked perm for user: `%s` in user group: `%s`' % (
                             user.username, user_group.users_group_name
                         ),
                         'success': True
                     }
                 except Exception:
                     log.exception("Error occurred during editing permissions "
                                   "for user in user group")
                     raise JSONRPCError(
                         'failed to edit permission for user: `%s` in user group: `%s`'
                         % (userid, user_group.users_group_name))
             @jsonrpc_method()
             def grant_user_group_permission_to_user_group(
                     request, apiuser, usergroupid, sourceusergroupid, perm):
                 """
                 Give one user group permissions to another user group.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param usergroupid: Set the user group on which to edit permissions.
                 :type usergroupid: str or int
                 :param sourceusergroupid: Set the source user group to which
                     access/permissions will be granted.
                 :type sourceusergroupid: str or int
                 :param perm: (usergroup.(none|read|write|admin))
                 :type perm: str
                 Example output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : {
                     "msg": "Granted perm: `<perm_name>` for user group: `<source_user_group_name>` in user group: `<user_group_name>`",
                     "success": true
                   }
                   error :  null
                 """
                 user_group = get_user_group_or_error(sourceusergroupid)
                 target_user_group = get_user_group_or_error(usergroupid)
                 perm = get_perm_or_error(perm, prefix='usergroup.')
                 if not has_superadmin_permission(apiuser):
                     # check if we have admin permission for this user group !
                     _perms = ('usergroup.admin',)
                     if not HasUserGroupPermissionAnyApi(*_perms)(
                             user=apiuser,
                             user_group_name=target_user_group.users_group_name):
                         raise JSONRPCError(
                             'to user group `%s` does not exist' % (usergroupid,))
                     # check if we have at least read permission for source user group !
                     _perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin',)
                     if not HasUserGroupPermissionAnyApi(*_perms)(
                             user=apiuser, user_group_name=user_group.users_group_name):
                         raise JSONRPCError(
                             'user group `%s` does not exist' % (sourceusergroupid,))
                 try:
                     changes = UserGroupModel().grant_user_group_permission(
                         target_user_group=target_user_group,
                         user_group=user_group, perm=perm)
                     action_data = {
                         'added': changes['added'],
                         'updated': changes['updated'],
                         'deleted': changes['deleted'],
                     }
                     audit_logger.store_api(
                         'user_group.edit.permissions', action_data=action_data,
                         user=apiuser)
+                    Session().commit()
+                    PermissionModel().flush_user_permission_caches(changes)
-                    Session().commit()
                     return {
                         'msg': 'Granted perm: `%s` for user group: `%s` '
                                'in user group: `%s`' % (
                                    perm.permission_name, user_group.users_group_name,
                                    target_user_group.users_group_name
                                ),
                         'success': True
                     }
                 except Exception:
                     log.exception("Error occurred during editing permissions "
                                   "for user group in user group")
                     raise JSONRPCError(
                         'failed to edit permission for user group: `%s` in '
                         'user group: `%s`' % (
                             sourceusergroupid, target_user_group.users_group_name
                         )
                     )
             @jsonrpc_method()
             def revoke_user_group_permission_from_user_group(
                     request, apiuser, usergroupid, sourceusergroupid):
                 """
                 Revoke the permissions that one user group has to another.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param usergroupid: Set the user group on which to edit permissions.
                 :type usergroupid: str or int
                 :param sourceusergroupid: Set the user group from which permissions
                     are revoked.
                 :type sourceusergroupid: str or int
                 Example output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : {
                     "msg": "Revoked perm for user group: `<user_group_name>` in user group: `<target_user_group_name>`",
                     "success": true
                   }
                   error :  null
                 """
                 user_group = get_user_group_or_error(sourceusergroupid)
                 target_user_group = get_user_group_or_error(usergroupid)
                 if not has_superadmin_permission(apiuser):
                     # check if we have admin permission for this user group !
                     _perms = ('usergroup.admin',)
                     if not HasUserGroupPermissionAnyApi(*_perms)(
                             user=apiuser,
                             user_group_name=target_user_group.users_group_name):
                         raise JSONRPCError(
                             'to user group `%s` does not exist' % (usergroupid,))
                     # check if we have at least read permission
                     # for the source user group !
                     _perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin',)
                     if not HasUserGroupPermissionAnyApi(*_perms)(
                             user=apiuser, user_group_name=user_group.users_group_name):
                         raise JSONRPCError(
                             'user group `%s` does not exist' % (sourceusergroupid,))
                 try:
                     changes = UserGroupModel().revoke_user_group_permission(
                         target_user_group=target_user_group, user_group=user_group)
                     action_data = {
                         'added': changes['added'],
                         'updated': changes['updated'],
                         'deleted': changes['deleted'],
                     }
                     audit_logger.store_api(
                         'user_group.edit.permissions', action_data=action_data,
                         user=apiuser)
                     Session().commit()
+                    PermissionModel().flush_user_permission_caches(changes)
                     return {
                         'msg': 'Revoked perm for user group: '
                                '`%s` in user group: `%s`' % (
                                    user_group.users_group_name,
                                    target_user_group.users_group_name
                                ),
                         'success': True
                     }
                 except Exception:
                     log.exception("Error occurred during editing permissions "
                                   "for user group in user group")
                     raise JSONRPCError(
                         'failed to edit permission for user group: '
                         '`%s` in user group: `%s`' % (
                             sourceusergroupid, target_user_group.users_group_name
                         )
                     )

rhodecode/apps/admin/views/permissions.py

0 +3 -3

             # -*- coding: utf-8 -*-
             # Copyright (C) 2016-2019 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import re
             import logging
             import formencode
             import formencode.htmlfill
             import datetime
             from pyramid.interfaces import IRoutesMapper
             from pyramid.view import view_config
             from pyramid.httpexceptions import HTTPFound
             from pyramid.renderers import render
             from pyramid.response import Response
             from rhodecode.apps._base import BaseAppView, DataGridAppView
             from rhodecode.apps.ssh_support import SshKeyFileChangeEvent
             from rhodecode import events
             from rhodecode.lib import helpers as h
             from rhodecode.lib.auth import (
                 LoginRequired, HasPermissionAllDecorator, CSRFRequired)
             from rhodecode.lib.utils2 import aslist, safe_unicode
             from rhodecode.model.db import (
                 or_, coalesce, User, UserIpMap, UserSshKeys)
             from rhodecode.model.forms import (
                 ApplicationPermissionsForm, ObjectPermissionsForm, UserPermissionsForm)
             from rhodecode.model.meta import Session
             from rhodecode.model.permission import PermissionModel
             from rhodecode.model.settings import SettingsModel
             log = logging.getLogger(__name__)
             class AdminPermissionsView(BaseAppView, DataGridAppView):
                 def load_default_context(self):
                     c = self._get_local_tmpl_context()
                     PermissionModel().set_global_permission_choices(
                         c, gettext_translator=self.request.translate)
                     return c
                 @LoginRequired()
                 @HasPermissionAllDecorator('hg.admin')
                 @view_config(
                     route_name='admin_permissions_application', request_method='GET',
                     renderer='rhodecode:templates/admin/permissions/permissions.mako')
                 def permissions_application(self):
                     c = self.load_default_context()
                     c.active = 'application'
                     c.user = User.get_default_user(refresh=True)
                     app_settings = c.rc_config
                     defaults = {
                         'anonymous': c.user.active,
                         'default_register_message': app_settings.get(
                             'rhodecode_register_message')
                     }
                     defaults.update(c.user.get_default_perms())
                     data = render('rhodecode:templates/admin/permissions/permissions.mako',
                                   self._get_template_context(c), self.request)
                     html = formencode.htmlfill.render(
                         data,
                         defaults=defaults,
                         encoding="UTF-8",
                         force_defaults=False
                     )
                     return Response(html)
                 @LoginRequired()
                 @HasPermissionAllDecorator('hg.admin')
                 @CSRFRequired()
                 @view_config(
                     route_name='admin_permissions_application_update', request_method='POST',
                     renderer='rhodecode:templates/admin/permissions/permissions.mako')
                 def permissions_application_update(self):
                     _ = self.request.translate
                     c = self.load_default_context()
                     c.active = 'application'
                     _form = ApplicationPermissionsForm(
                         self.request.translate,
                         [x[0] for x in c.register_choices],
                         [x[0] for x in c.password_reset_choices],
                         [x[0] for x in c.extern_activate_choices])()
                     try:
                         form_result = _form.to_python(dict(self.request.POST))
                         form_result.update({'perm_user_name': User.DEFAULT_USER})
                         PermissionModel().update_application_permissions(form_result)
                         settings = [
                             ('register_message', 'default_register_message'),
                         ]
                         for setting, form_key in settings:
                             sett = SettingsModel().create_or_update_setting(
                                 setting, form_result[form_key])
                             Session().add(sett)
                         Session().commit()
                         h.flash(_('Application permissions updated successfully'),
                                 category='success')
                     except formencode.Invalid as errors:
                         defaults = errors.value
                         data = render(
                             'rhodecode:templates/admin/permissions/permissions.mako',
                             self._get_template_context(c), self.request)
                         html = formencode.htmlfill.render(
                             data,
                             defaults=defaults,
                             errors=errors.error_dict or {},
                             prefix_error=False,
                             encoding="UTF-8",
                             force_defaults=False
                         )
                         return Response(html)
                     except Exception:
                         log.exception("Exception during update of permissions")
                         h.flash(_('Error occurred during update of permissions'),
                                 category='error')
                     affected_user_ids = [User.get_default_user().user_id]
-                    events.trigger(events.UserPermissionsChange(affected_user_ids))
+                    PermissionModel().trigger_permission_flush(affected_user_ids)
                     raise HTTPFound(h.route_path('admin_permissions_application'))
                 @LoginRequired()
                 @HasPermissionAllDecorator('hg.admin')
                 @view_config(
                     route_name='admin_permissions_object', request_method='GET',
                     renderer='rhodecode:templates/admin/permissions/permissions.mako')
                 def permissions_objects(self):
                     c = self.load_default_context()
                     c.active = 'objects'
                     c.user = User.get_default_user(refresh=True)
                     defaults = {}
                     defaults.update(c.user.get_default_perms())
                     data = render(
                         'rhodecode:templates/admin/permissions/permissions.mako',
                         self._get_template_context(c), self.request)
                     html = formencode.htmlfill.render(
                         data,
                         defaults=defaults,
                         encoding="UTF-8",
                         force_defaults=False
                     )
                     return Response(html)
                 @LoginRequired()
                 @HasPermissionAllDecorator('hg.admin')
                 @CSRFRequired()
                 @view_config(
                     route_name='admin_permissions_object_update', request_method='POST',
                     renderer='rhodecode:templates/admin/permissions/permissions.mako')
                 def permissions_objects_update(self):
                     _ = self.request.translate
                     c = self.load_default_context()
                     c.active = 'objects'
                     _form = ObjectPermissionsForm(
                         self.request.translate,
                         [x[0] for x in c.repo_perms_choices],
                         [x[0] for x in c.group_perms_choices],
                         [x[0] for x in c.user_group_perms_choices],
                     )()
                     try:
                         form_result = _form.to_python(dict(self.request.POST))
                         form_result.update({'perm_user_name': User.DEFAULT_USER})
                         PermissionModel().update_object_permissions(form_result)
                         Session().commit()
                         h.flash(_('Object permissions updated successfully'),
                                 category='success')
                     except formencode.Invalid as errors:
                         defaults = errors.value
                         data = render(
                             'rhodecode:templates/admin/permissions/permissions.mako',
                             self._get_template_context(c), self.request)
                         html = formencode.htmlfill.render(
                             data,
                             defaults=defaults,
                             errors=errors.error_dict or {},
                             prefix_error=False,
                             encoding="UTF-8",
                             force_defaults=False
                         )
                         return Response(html)
                     except Exception:
                         log.exception("Exception during update of permissions")
                         h.flash(_('Error occurred during update of permissions'),
                                 category='error')
                     affected_user_ids = [User.get_default_user().user_id]
-                    events.trigger(events.UserPermissionsChange(affected_user_ids))
+                    PermissionModel().trigger_permission_flush(affected_user_ids)
                     raise HTTPFound(h.route_path('admin_permissions_object'))
                 @LoginRequired()
                 @HasPermissionAllDecorator('hg.admin')
                 @view_config(
                     route_name='admin_permissions_branch', request_method='GET',
                     renderer='rhodecode:templates/admin/permissions/permissions.mako')
                 def permissions_branch(self):
                     c = self.load_default_context()
                     c.active = 'branch'
                     c.user = User.get_default_user(refresh=True)
                     defaults = {}
                     defaults.update(c.user.get_default_perms())
                     data = render(
                         'rhodecode:templates/admin/permissions/permissions.mako',
                         self._get_template_context(c), self.request)
                     html = formencode.htmlfill.render(
                         data,
                         defaults=defaults,
                         encoding="UTF-8",
                         force_defaults=False
                     )
                     return Response(html)
                 @LoginRequired()
                 @HasPermissionAllDecorator('hg.admin')
                 @view_config(
                     route_name='admin_permissions_global', request_method='GET',
                     renderer='rhodecode:templates/admin/permissions/permissions.mako')
                 def permissions_global(self):
                     c = self.load_default_context()
                     c.active = 'global'
                     c.user = User.get_default_user(refresh=True)
                     defaults = {}
                     defaults.update(c.user.get_default_perms())
                     data = render(
                         'rhodecode:templates/admin/permissions/permissions.mako',
                         self._get_template_context(c), self.request)
                     html = formencode.htmlfill.render(
                         data,
                         defaults=defaults,
                         encoding="UTF-8",
                         force_defaults=False
                     )
                     return Response(html)
                 @LoginRequired()
                 @HasPermissionAllDecorator('hg.admin')
                 @CSRFRequired()
                 @view_config(
                     route_name='admin_permissions_global_update', request_method='POST',
                     renderer='rhodecode:templates/admin/permissions/permissions.mako')
                 def permissions_global_update(self):
                     _ = self.request.translate
                     c = self.load_default_context()
                     c.active = 'global'
                     _form = UserPermissionsForm(
                         self.request.translate,
                         [x[0] for x in c.repo_create_choices],
                         [x[0] for x in c.repo_create_on_write_choices],
                         [x[0] for x in c.repo_group_create_choices],
                         [x[0] for x in c.user_group_create_choices],
                         [x[0] for x in c.fork_choices],
                         [x[0] for x in c.inherit_default_permission_choices])()
                     try:
                         form_result = _form.to_python(dict(self.request.POST))
                         form_result.update({'perm_user_name': User.DEFAULT_USER})
                         PermissionModel().update_user_permissions(form_result)
                         Session().commit()
                         h.flash(_('Global permissions updated successfully'),
                                 category='success')
                     except formencode.Invalid as errors:
                         defaults = errors.value
                         data = render(
                             'rhodecode:templates/admin/permissions/permissions.mako',
                             self._get_template_context(c), self.request)
                         html = formencode.htmlfill.render(
                             data,
                             defaults=defaults,
                             errors=errors.error_dict or {},
                             prefix_error=False,
                             encoding="UTF-8",
                             force_defaults=False
                         )
                         return Response(html)
                     except Exception:
                         log.exception("Exception during update of permissions")
                         h.flash(_('Error occurred during update of permissions'),
                                 category='error')
                     affected_user_ids = [User.get_default_user().user_id]
-                    events.trigger(events.UserPermissionsChange(affected_user_ids))
+                    PermissionModel().trigger_permission_flush(affected_user_ids)
                     raise HTTPFound(h.route_path('admin_permissions_global'))
                 @LoginRequired()
                 @HasPermissionAllDecorator('hg.admin')
                 @view_config(
                     route_name='admin_permissions_ips', request_method='GET',
                     renderer='rhodecode:templates/admin/permissions/permissions.mako')
                 def permissions_ips(self):
                     c = self.load_default_context()
                     c.active = 'ips'
                     c.user = User.get_default_user(refresh=True)
                     c.user_ip_map = (
                         UserIpMap.query().filter(UserIpMap.user == c.user).all())
                     return self._get_template_context(c)
                 @LoginRequired()
                 @HasPermissionAllDecorator('hg.admin')
                 @view_config(
                     route_name='admin_permissions_overview', request_method='GET',
                     renderer='rhodecode:templates/admin/permissions/permissions.mako')
                 def permissions_overview(self):
                     c = self.load_default_context()
                     c.active = 'perms'
                     c.user = User.get_default_user(refresh=True)
                     c.perm_user = c.user.AuthUser()
                     return self._get_template_context(c)
                 @LoginRequired()
                 @HasPermissionAllDecorator('hg.admin')
                 @view_config(
                     route_name='admin_permissions_auth_token_access', request_method='GET',
                     renderer='rhodecode:templates/admin/permissions/permissions.mako')
                 def auth_token_access(self):
                     from rhodecode import CONFIG
                     c = self.load_default_context()
                     c.active = 'auth_token_access'
                     c.user = User.get_default_user(refresh=True)
                     c.perm_user = c.user.AuthUser()
                     mapper = self.request.registry.queryUtility(IRoutesMapper)
                     c.view_data = []
                     _argument_prog = re.compile('\{(.*?)\}|:\((.*)\)')
                     introspector = self.request.registry.introspector
                     view_intr = {}
                     for view_data in introspector.get_category('views'):
                         intr = view_data['introspectable']
                         if 'route_name' in intr and intr['attr']:
                             view_intr[intr['route_name']] = '{}:{}'.format(
                                 str(intr['derived_callable'].func_name), intr['attr']
                             )
                     c.whitelist_key = 'api_access_controllers_whitelist'
                     c.whitelist_file = CONFIG.get('__file__')
                     whitelist_views = aslist(
                         CONFIG.get(c.whitelist_key), sep=',')
                     for route_info in mapper.get_routes():
                         if not route_info.name.startswith('__'):
                             routepath = route_info.pattern
                             def replace(matchobj):
                                 if matchobj.group(1):
                                     return "{%s}" % matchobj.group(1).split(':')[0]
                                 else:
                                     return "{%s}" % matchobj.group(2)
                             routepath = _argument_prog.sub(replace, routepath)
                             if not routepath.startswith('/'):
                                 routepath = '/' + routepath
                             view_fqn = view_intr.get(route_info.name, 'NOT AVAILABLE')
                             active = view_fqn in whitelist_views
                             c.view_data.append((route_info.name, view_fqn, routepath, active))
                     c.whitelist_views = whitelist_views
                     return self._get_template_context(c)
                 def ssh_enabled(self):
                     return self.request.registry.settings.get(
                         'ssh.generate_authorized_keyfile')
                 @LoginRequired()
                 @HasPermissionAllDecorator('hg.admin')
                 @view_config(
                     route_name='admin_permissions_ssh_keys', request_method='GET',
                     renderer='rhodecode:templates/admin/permissions/permissions.mako')
                 def ssh_keys(self):
                     c = self.load_default_context()
                     c.active = 'ssh_keys'
                     c.ssh_enabled = self.ssh_enabled()
                     return self._get_template_context(c)
                 @LoginRequired()
                 @HasPermissionAllDecorator('hg.admin')
                 @view_config(
                     route_name='admin_permissions_ssh_keys_data', request_method='GET',
                     renderer='json_ext', xhr=True)
                 def ssh_keys_data(self):
                     _ = self.request.translate
                     self.load_default_context()
                     column_map = {
                         'fingerprint': 'ssh_key_fingerprint',
                         'username': User.username
                     }
                     draw, start, limit = self._extract_chunk(self.request)
                     search_q, order_by, order_dir = self._extract_ordering(
                         self.request, column_map=column_map)
                     ssh_keys_data_total_count = UserSshKeys.query()\
                         .count()
                     # json generate
                     base_q = UserSshKeys.query().join(UserSshKeys.user)
                     if search_q:
                         like_expression = u'%{}%'.format(safe_unicode(search_q))
                         base_q = base_q.filter(or_(
                             User.username.ilike(like_expression),
                             UserSshKeys.ssh_key_fingerprint.ilike(like_expression),
                         ))
                     users_data_total_filtered_count = base_q.count()
                     sort_col = self._get_order_col(order_by, UserSshKeys)
                     if sort_col:
                         if order_dir == 'asc':
                             # handle null values properly to order by NULL last
                             if order_by in ['created_on']:
                                 sort_col = coalesce(sort_col, datetime.date.max)
                             sort_col = sort_col.asc()
                         else:
                             # handle null values properly to order by NULL last
                             if order_by in ['created_on']:
                                 sort_col = coalesce(sort_col, datetime.date.min)
                             sort_col = sort_col.desc()
                     base_q = base_q.order_by(sort_col)
                     base_q = base_q.offset(start).limit(limit)
                     ssh_keys = base_q.all()
                     ssh_keys_data = []
                     for ssh_key in ssh_keys:
                         ssh_keys_data.append({
                             "username": h.gravatar_with_user(self.request, ssh_key.user.username),
                             "fingerprint": ssh_key.ssh_key_fingerprint,
                             "description": ssh_key.description,
                             "created_on": h.format_date(ssh_key.created_on),
                             "accessed_on": h.format_date(ssh_key.accessed_on),
                             "action": h.link_to(
                                 _('Edit'), h.route_path('edit_user_ssh_keys',
                                                         user_id=ssh_key.user.user_id))
                         })
                     data = ({
                         'draw': draw,
                         'data': ssh_keys_data,
                         'recordsTotal': ssh_keys_data_total_count,
                         'recordsFiltered': users_data_total_filtered_count,
                     })
                     return data
                 @LoginRequired()
                 @HasPermissionAllDecorator('hg.admin')
                 @CSRFRequired()
                 @view_config(
                     route_name='admin_permissions_ssh_keys_update', request_method='POST',
                     renderer='rhodecode:templates/admin/permissions/permissions.mako')
                 def ssh_keys_update(self):
                     _ = self.request.translate
                     self.load_default_context()
                     ssh_enabled = self.ssh_enabled()
                     key_file = self.request.registry.settings.get(
                         'ssh.authorized_keys_file_path')
                     if ssh_enabled:
                         events.trigger(SshKeyFileChangeEvent(), self.request.registry)
                         h.flash(_('Updated SSH keys file: {}').format(key_file),
                                 category='success')
                     else:
                         h.flash(_('SSH key support is disabled in .ini file'),
                                 category='warning')
                     raise HTTPFound(h.route_path('admin_permissions_ssh_keys'))

rhodecode/apps/admin/views/repo_groups.py

0 +2 -1

             # -*- coding: utf-8 -*-
             # Copyright (C) 2016-2019 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import datetime
             import logging
             import formencode
             import formencode.htmlfill
             from pyramid.httpexceptions import HTTPFound, HTTPForbidden
             from pyramid.view import view_config
             from pyramid.renderers import render
             from pyramid.response import Response
             from rhodecode import events
             from rhodecode.apps._base import BaseAppView, DataGridAppView
             from rhodecode.lib.auth import (
                 LoginRequired, CSRFRequired, NotAnonymous,
                 HasPermissionAny, HasRepoGroupPermissionAny)
             from rhodecode.lib import helpers as h, audit_logger
             from rhodecode.lib.utils2 import safe_int, safe_unicode, datetime_to_time
             from rhodecode.model.forms import RepoGroupForm
+            from rhodecode.model.permission import PermissionModel
             from rhodecode.model.repo_group import RepoGroupModel
             from rhodecode.model.scm import RepoGroupList
             from rhodecode.model.db import (
                 or_, count, func, in_filter_generator, Session, RepoGroup, User, Repository)
             log = logging.getLogger(__name__)
             class AdminRepoGroupsView(BaseAppView, DataGridAppView):
                 def load_default_context(self):
                     c = self._get_local_tmpl_context()
                     return c
                 def _load_form_data(self, c):
                     allow_empty_group = False
                     if self._can_create_repo_group():
                         # we're global admin, we're ok and we can create TOP level groups
                         allow_empty_group = True
                     # override the choices for this form, we need to filter choices
                     # and display only those we have ADMIN right
                     groups_with_admin_rights = RepoGroupList(
                         RepoGroup.query().all(),
                         perm_set=['group.admin'])
                     c.repo_groups = RepoGroup.groups_choices(
                         groups=groups_with_admin_rights,
                         show_empty_group=allow_empty_group)
                 def _can_create_repo_group(self, parent_group_id=None):
                     is_admin = HasPermissionAny('hg.admin')('group create controller')
                     create_repo_group = HasPermissionAny(
                         'hg.repogroup.create.true')('group create controller')
                     if is_admin or (create_repo_group and not parent_group_id):
                         # we're global admin, or we have global repo group create
                         # permission
                         # we're ok and we can create TOP level groups
                         return True
                     elif parent_group_id:
                         # we check the permission if we can write to parent group
                         group = RepoGroup.get(parent_group_id)
                         group_name = group.group_name if group else None
                         if HasRepoGroupPermissionAny('group.admin')(
                                 group_name, 'check if user is an admin of group'):
                             # we're an admin of passed in group, we're ok.
                             return True
                         else:
                             return False
                     return False
                 # permission check in data loading of
                 # `repo_group_list_data` via RepoGroupList
                 @LoginRequired()
                 @NotAnonymous()
                 @view_config(
                     route_name='repo_groups', request_method='GET',
                     renderer='rhodecode:templates/admin/repo_groups/repo_groups.mako')
                 def repo_group_list(self):
                     c = self.load_default_context()
                     return self._get_template_context(c)
                 # permission check inside
                 @LoginRequired()
                 @NotAnonymous()
                 @view_config(
                     route_name='repo_groups_data', request_method='GET',
                     renderer='json_ext', xhr=True)
                 def repo_group_list_data(self):
                     self.load_default_context()
                     column_map = {
                         'name_raw': 'group_name_hash',
                         'desc': 'group_description',
                         'last_change_raw': 'updated_on',
                         'top_level_repos': 'repos_total',
                         'owner': 'user_username',
                     }
                     draw, start, limit = self._extract_chunk(self.request)
                     search_q, order_by, order_dir = self._extract_ordering(
                         self.request, column_map=column_map)
                     _render = self.request.get_partial_renderer(
                         'rhodecode:templates/data_table/_dt_elements.mako')
                     c = _render.get_call_context()
                     def quick_menu(repo_group_name):
                         return _render('quick_repo_group_menu', repo_group_name)
                     def repo_group_lnk(repo_group_name):
                         return _render('repo_group_name', repo_group_name)
                     def last_change(last_change):
                         if isinstance(last_change, datetime.datetime) and not last_change.tzinfo:
                             delta = datetime.timedelta(
                                 seconds=(datetime.datetime.now() - datetime.datetime.utcnow()).seconds)
                             last_change = last_change + delta
                         return _render("last_change", last_change)
                     def desc(desc, personal):
                         return _render(
                             'repo_group_desc', desc, personal, c.visual.stylify_metatags)
                     def repo_group_actions(repo_group_id, repo_group_name, gr_count):
                         return _render(
                             'repo_group_actions', repo_group_id, repo_group_name, gr_count)
                     def user_profile(username):
                         return _render('user_profile', username)
                     auth_repo_group_list = RepoGroupList(
                         RepoGroup.query().all(), perm_set=['group.admin'])
                     allowed_ids = [-1]
                     for repo_group in auth_repo_group_list:
                             allowed_ids.append(repo_group.group_id)
                     repo_groups_data_total_count = RepoGroup.query()\
                         .filter(or_(
                             # generate multiple IN to fix limitation problems
                             *in_filter_generator(RepoGroup.group_id, allowed_ids)
                         )) \
                         .count()
                     repo_groups_data_total_inactive_count = RepoGroup.query()\
                         .filter(RepoGroup.group_id.in_(allowed_ids))\
                         .count()
                     repo_count = count(Repository.repo_id)
                     base_q = Session.query(
                         RepoGroup.group_name,
                         RepoGroup.group_name_hash,
                         RepoGroup.group_description,
                         RepoGroup.group_id,
                         RepoGroup.personal,
                         RepoGroup.updated_on,
                         User,
                         repo_count.label('repos_count')
                         ) \
                         .filter(or_(
                             # generate multiple IN to fix limitation problems
                             *in_filter_generator(RepoGroup.group_id, allowed_ids)
                         )) \
                         .outerjoin(Repository) \
                         .join(User, User.user_id == RepoGroup.user_id) \
                         .group_by(RepoGroup, User)
                     if search_q:
                         like_expression = u'%{}%'.format(safe_unicode(search_q))
                         base_q = base_q.filter(or_(
                             RepoGroup.group_name.ilike(like_expression),
                         ))
                     repo_groups_data_total_filtered_count = base_q.count()
                     # the inactive isn't really used, but we still make it same as other data grids
                     # which use inactive (users,user groups)
                     repo_groups_data_total_filtered_inactive_count = repo_groups_data_total_filtered_count
                     sort_defined = False
                     if order_by == 'group_name':
                         sort_col = func.lower(RepoGroup.group_name)
                         sort_defined = True
                     elif order_by == 'repos_total':
                         sort_col = repo_count
                         sort_defined = True
                     elif order_by == 'user_username':
                         sort_col = User.username
                     else:
                         sort_col = getattr(RepoGroup, order_by, None)
                     if sort_defined or sort_col:
                         if order_dir == 'asc':
                             sort_col = sort_col.asc()
                         else:
                             sort_col = sort_col.desc()
                     base_q = base_q.order_by(sort_col)
                     base_q = base_q.offset(start).limit(limit)
                     # authenticated access to user groups
                     auth_repo_group_list = base_q.all()
                     repo_groups_data = []
                     for repo_gr in auth_repo_group_list:
                         row = {
                             "menu": quick_menu(repo_gr.group_name),
                             "name": repo_group_lnk(repo_gr.group_name),
                             "name_raw": repo_gr.group_name,
                             "last_change": last_change(repo_gr.updated_on),
                             "last_change_raw": datetime_to_time(repo_gr.updated_on),
                             "last_changeset": "",
                             "last_changeset_raw": "",
                             "desc": desc(repo_gr.group_description, repo_gr.personal),
                             "owner": user_profile(repo_gr.User.username),
                             "top_level_repos": repo_gr.repos_count,
                             "action": repo_group_actions(
                                 repo_gr.group_id, repo_gr.group_name, repo_gr.repos_count),
                         }
                         repo_groups_data.append(row)
                     data = ({
                         'draw': draw,
                         'data': repo_groups_data,
                         'recordsTotal': repo_groups_data_total_count,
                         'recordsTotalInactive': repo_groups_data_total_inactive_count,
                         'recordsFiltered': repo_groups_data_total_filtered_count,
                         'recordsFilteredInactive': repo_groups_data_total_filtered_inactive_count,
                     })
                     return data
                 @LoginRequired()
                 @NotAnonymous()
                 # perm checks inside
                 @view_config(
                     route_name='repo_group_new', request_method='GET',
                     renderer='rhodecode:templates/admin/repo_groups/repo_group_add.mako')
                 def repo_group_new(self):
                     c = self.load_default_context()
                     # perm check for admin, create_group perm or admin of parent_group
                     parent_group_id = safe_int(self.request.GET.get('parent_group'))
                     if not self._can_create_repo_group(parent_group_id):
                         raise HTTPForbidden()
                     self._load_form_data(c)
                     defaults = {}  # Future proof for default of repo group
                     data = render(
                         'rhodecode:templates/admin/repo_groups/repo_group_add.mako',
                         self._get_template_context(c), self.request)
                     html = formencode.htmlfill.render(
                         data,
                         defaults=defaults,
                         encoding="UTF-8",
                         force_defaults=False
                     )
                     return Response(html)
                 @LoginRequired()
                 @NotAnonymous()
                 @CSRFRequired()
                 # perm checks inside
                 @view_config(
                     route_name='repo_group_create', request_method='POST',
                     renderer='rhodecode:templates/admin/repo_groups/repo_group_add.mako')
                 def repo_group_create(self):
                     c = self.load_default_context()
                     _ = self.request.translate
                     parent_group_id = safe_int(self.request.POST.get('group_parent_id'))
                     can_create = self._can_create_repo_group(parent_group_id)
                     self._load_form_data(c)
                     # permissions for can create group based on parent_id are checked
                     # here in the Form
                     available_groups = map(lambda k: safe_unicode(k[0]), c.repo_groups)
                     repo_group_form = RepoGroupForm(
                         self.request.translate, available_groups=available_groups,
                         can_create_in_root=can_create)()
                     repo_group_name = self.request.POST.get('group_name')
                     try:
                         owner = self._rhodecode_user
                         form_result = repo_group_form.to_python(dict(self.request.POST))
                         copy_permissions = form_result.get('group_copy_permissions')
                         repo_group = RepoGroupModel().create(
                             group_name=form_result['group_name_full'],
                             group_description=form_result['group_description'],
                             owner=owner.user_id,
                             copy_permissions=form_result['group_copy_permissions']
                         )
                         Session().flush()
                         repo_group_data = repo_group.get_api_data()
                         audit_logger.store_web(
                             'repo_group.create', action_data={'data': repo_group_data},
                             user=self._rhodecode_user)
                         Session().commit()
                         _new_group_name = form_result['group_name_full']
                         repo_group_url = h.link_to(
                             _new_group_name,
                             h.route_path('repo_group_home', repo_group_name=_new_group_name))
                         h.flash(h.literal(_('Created repository group %s')
                                 % repo_group_url), category='success')
                     except formencode.Invalid as errors:
                         data = render(
                             'rhodecode:templates/admin/repo_groups/repo_group_add.mako',
                             self._get_template_context(c), self.request)
                         html = formencode.htmlfill.render(
                             data,
                             defaults=errors.value,
                             errors=errors.error_dict or {},
                             prefix_error=False,
                             encoding="UTF-8",
                             force_defaults=False
                         )
                         return Response(html)
                     except Exception:
                         log.exception("Exception during creation of repository group")
                         h.flash(_('Error occurred during creation of repository group %s')
                                 % repo_group_name, category='error')
                         raise HTTPFound(h.route_path('home'))
                     affected_user_ids = [self._rhodecode_user.user_id]
                     if copy_permissions:
                         user_group_perms = repo_group.permissions(expand_from_user_groups=True)
                         copy_perms = [perm['user_id'] for perm in user_group_perms]
                         # also include those newly created by copy
                         affected_user_ids.extend(copy_perms)
-                    events.trigger(events.UserPermissionsChange(affected_user_ids))
+                    PermissionModel().trigger_permission_flush(affected_user_ids)
                     raise HTTPFound(
                         h.route_path('repo_group_home',
                                      repo_group_name=form_result['group_name_full']))

rhodecode/apps/admin/views/repositories.py

0 +2 -1

             # -*- coding: utf-8 -*-
             # Copyright (C) 2016-2019 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import logging
             import formencode
             import formencode.htmlfill
             from pyramid.httpexceptions import HTTPFound, HTTPForbidden
             from pyramid.view import view_config
             from pyramid.renderers import render
             from pyramid.response import Response
             from rhodecode import events
             from rhodecode.apps._base import BaseAppView, DataGridAppView
             from rhodecode.lib.celerylib.utils import get_task_id
             from rhodecode.lib.ext_json import json
             from rhodecode.lib.auth import (
                 LoginRequired, CSRFRequired, NotAnonymous,
                 HasPermissionAny, HasRepoGroupPermissionAny)
             from rhodecode.lib import helpers as h
             from rhodecode.lib.utils import repo_name_slug
             from rhodecode.lib.utils2 import safe_int, safe_unicode
             from rhodecode.model.forms import RepoForm
+            from rhodecode.model.permission import PermissionModel
             from rhodecode.model.repo import RepoModel
             from rhodecode.model.scm import RepoList, RepoGroupList, ScmModel
             from rhodecode.model.settings import SettingsModel
             from rhodecode.model.db import Repository, RepoGroup
             log = logging.getLogger(__name__)
             class AdminReposView(BaseAppView, DataGridAppView):
                 def load_default_context(self):
                     c = self._get_local_tmpl_context()
                     return c
                 def _load_form_data(self, c):
                     acl_groups = RepoGroupList(RepoGroup.query().all(),
                                                perm_set=['group.write', 'group.admin'])
                     c.repo_groups = RepoGroup.groups_choices(groups=acl_groups)
                     c.repo_groups_choices = map(lambda k: safe_unicode(k[0]), c.repo_groups)
                     c.personal_repo_group = self._rhodecode_user.personal_repo_group
                 @LoginRequired()
                 @NotAnonymous()
                 # perms check inside
                 @view_config(
                     route_name='repos', request_method='GET',
                     renderer='rhodecode:templates/admin/repos/repos.mako')
                 def repository_list(self):
                     c = self.load_default_context()
                     repo_list = Repository.get_all_repos()
                     c.repo_list = RepoList(repo_list, perm_set=['repository.admin'])
                     repos_data = RepoModel().get_repos_as_dict(
                         repo_list=c.repo_list, admin=True, super_user_actions=True)
                     # json used to render the grid
                     c.data = json.dumps(repos_data)
                     return self._get_template_context(c)
                 @LoginRequired()
                 @NotAnonymous()
                 # perms check inside
                 @view_config(
                     route_name='repo_new', request_method='GET',
                     renderer='rhodecode:templates/admin/repos/repo_add.mako')
                 def repository_new(self):
                     c = self.load_default_context()
                     new_repo = self.request.GET.get('repo', '')
                     parent_group = safe_int(self.request.GET.get('parent_group'))
                     _gr = RepoGroup.get(parent_group)
                     if not HasPermissionAny('hg.admin', 'hg.create.repository')():
                         # you're not super admin nor have global create permissions,
                         # but maybe you have at least write permission to a parent group ?
                         gr_name = _gr.group_name if _gr else None
                         # create repositories with write permission on group is set to true
                         create_on_write = HasPermissionAny('hg.create.write_on_repogroup.true')()
                         group_admin = HasRepoGroupPermissionAny('group.admin')(group_name=gr_name)
                         group_write = HasRepoGroupPermissionAny('group.write')(group_name=gr_name)
                         if not (group_admin or (group_write and create_on_write)):
                             raise HTTPForbidden()
                     self._load_form_data(c)
                     c.new_repo = repo_name_slug(new_repo)
                     # apply the defaults from defaults page
                     defaults = SettingsModel().get_default_repo_settings(strip_prefix=True)
                     # set checkbox to autochecked
                     defaults['repo_copy_permissions'] = True
                     parent_group_choice = '-1'
                     if not self._rhodecode_user.is_admin and self._rhodecode_user.personal_repo_group:
                         parent_group_choice = self._rhodecode_user.personal_repo_group
                     if parent_group and _gr:
                         if parent_group in [x[0] for x in c.repo_groups]:
                             parent_group_choice = safe_unicode(parent_group)
                     defaults.update({'repo_group': parent_group_choice})
                     data = render('rhodecode:templates/admin/repos/repo_add.mako',
                                   self._get_template_context(c), self.request)
                     html = formencode.htmlfill.render(
                         data,
                         defaults=defaults,
                         encoding="UTF-8",
                         force_defaults=False
                     )
                     return Response(html)
                 @LoginRequired()
                 @NotAnonymous()
                 @CSRFRequired()
                 # perms check inside
                 @view_config(
                     route_name='repo_create', request_method='POST',
                     renderer='rhodecode:templates/admin/repos/repos.mako')
                 def repository_create(self):
                     c = self.load_default_context()
                     form_result = {}
                     self._load_form_data(c)
                     try:
                         # CanWriteToGroup validators checks permissions of this POST
                         form = RepoForm(
                             self.request.translate, repo_groups=c.repo_groups_choices)()
                         form_result = form.to_python(dict(self.request.POST))
                         copy_permissions = form_result.get('repo_copy_permissions')
                         # create is done sometimes async on celery, db transaction
                         # management is handled there.
                         task = RepoModel().create(form_result, self._rhodecode_user.user_id)
                         task_id = get_task_id(task)
                     except formencode.Invalid as errors:
                         data = render('rhodecode:templates/admin/repos/repo_add.mako',
                                       self._get_template_context(c), self.request)
                         html = formencode.htmlfill.render(
                             data,
                             defaults=errors.value,
                             errors=errors.error_dict or {},
                             prefix_error=False,
                             encoding="UTF-8",
                             force_defaults=False
                         )
                         return Response(html)
                     except Exception as e:
                         msg = self._log_creation_exception(e, form_result.get('repo_name'))
                         h.flash(msg, category='error')
                         raise HTTPFound(h.route_path('home'))
                     repo_name = form_result.get('repo_name_full')
                     affected_user_ids = [self._rhodecode_user.user_id]
                     if copy_permissions:
                         # permission flush is done in repo creating
                         pass
-                    events.trigger(events.UserPermissionsChange(affected_user_ids))
+                    PermissionModel().trigger_permission_flush(affected_user_ids)
                     raise HTTPFound(
                         h.route_path('repo_creating', repo_name=repo_name,
                                      _query=dict(task_id=task_id)))

rhodecode/apps/admin/views/user_groups.py

0 +3 -1

             # -*- coding: utf-8 -*-
             # Copyright (C) 2016-2019 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import logging
             import formencode
             import formencode.htmlfill
             from pyramid.httpexceptions import HTTPFound
             from pyramid.view import view_config
             from pyramid.response import Response
             from pyramid.renderers import render
             from rhodecode import events
             from rhodecode.apps._base import BaseAppView, DataGridAppView
             from rhodecode.lib.auth import (
                 LoginRequired, NotAnonymous, CSRFRequired, HasPermissionAnyDecorator)
             from rhodecode.lib import helpers as h, audit_logger
             from rhodecode.lib.utils2 import safe_unicode
             from rhodecode.model.forms import UserGroupForm
             from rhodecode.model.permission import PermissionModel
             from rhodecode.model.scm import UserGroupList
             from rhodecode.model.db import (
                 or_, count, User, UserGroup, UserGroupMember, in_filter_generator)
             from rhodecode.model.meta import Session
             from rhodecode.model.user_group import UserGroupModel
             from rhodecode.model.db import true
             log = logging.getLogger(__name__)
             class AdminUserGroupsView(BaseAppView, DataGridAppView):
                 def load_default_context(self):
                     c = self._get_local_tmpl_context()
                     PermissionModel().set_global_permission_choices(
                         c, gettext_translator=self.request.translate)
                     return c
                 # permission check in data loading of
                 # `user_groups_list_data` via UserGroupList
                 @LoginRequired()
                 @NotAnonymous()
                 @view_config(
                     route_name='user_groups', request_method='GET',
                     renderer='rhodecode:templates/admin/user_groups/user_groups.mako')
                 def user_groups_list(self):
                     c = self.load_default_context()
                     return self._get_template_context(c)
                 # permission check inside
                 @LoginRequired()
                 @NotAnonymous()
                 @view_config(
                     route_name='user_groups_data', request_method='GET',
                     renderer='json_ext', xhr=True)
                 def user_groups_list_data(self):
                     self.load_default_context()
                     column_map = {
                         'active': 'users_group_active',
                         'description': 'user_group_description',
                         'members': 'members_total',
                         'owner': 'user_username',
                         'sync': 'group_data'
                     }
                     draw, start, limit = self._extract_chunk(self.request)
                     search_q, order_by, order_dir = self._extract_ordering(
                         self.request, column_map=column_map)
                     _render = self.request.get_partial_renderer(
                         'rhodecode:templates/data_table/_dt_elements.mako')
                     def user_group_name(user_group_name):
                         return _render("user_group_name", user_group_name)
                     def user_group_actions(user_group_id, user_group_name):
                         return _render("user_group_actions", user_group_id, user_group_name)
                     def user_profile(username):
                         return _render('user_profile', username)
                     auth_user_group_list = UserGroupList(
                         UserGroup.query().all(), perm_set=['usergroup.admin'])
                     allowed_ids = [-1]
                     for user_group in auth_user_group_list:
                             allowed_ids.append(user_group.users_group_id)
                     user_groups_data_total_count = UserGroup.query()\
                         .filter(or_(
                             # generate multiple IN to fix limitation problems
                             *in_filter_generator(UserGroup.users_group_id, allowed_ids)
                         ))\
                         .count()
                     user_groups_data_total_inactive_count = UserGroup.query()\
                         .filter(or_(
                             # generate multiple IN to fix limitation problems
                             *in_filter_generator(UserGroup.users_group_id, allowed_ids)
                         ))\
                         .filter(UserGroup.users_group_active != true()).count()
                     member_count = count(UserGroupMember.user_id)
                     base_q = Session.query(
                         UserGroup.users_group_name,
                         UserGroup.user_group_description,
                         UserGroup.users_group_active,
                         UserGroup.users_group_id,
                         UserGroup.group_data,
                         User,
                         member_count.label('member_count')
                         ) \
                         .filter(or_(
                             # generate multiple IN to fix limitation problems
                             *in_filter_generator(UserGroup.users_group_id, allowed_ids)
                         )) \
                         .outerjoin(UserGroupMember) \
                         .join(User, User.user_id == UserGroup.user_id) \
                         .group_by(UserGroup, User)
                     base_q_inactive = base_q.filter(UserGroup.users_group_active != true())
                     if search_q:
                         like_expression = u'%{}%'.format(safe_unicode(search_q))
                         base_q = base_q.filter(or_(
                             UserGroup.users_group_name.ilike(like_expression),
                         ))
                         base_q_inactive = base_q.filter(UserGroup.users_group_active != true())
                     user_groups_data_total_filtered_count = base_q.count()
                     user_groups_data_total_filtered_inactive_count = base_q_inactive.count()
                     sort_defined = False
                     if order_by == 'members_total':
                         sort_col = member_count
                         sort_defined = True
                     elif order_by == 'user_username':
                         sort_col = User.username
                     else:
                         sort_col = getattr(UserGroup, order_by, None)
                     if sort_defined or sort_col:
                         if order_dir == 'asc':
                             sort_col = sort_col.asc()
                         else:
                             sort_col = sort_col.desc()
                     base_q = base_q.order_by(sort_col)
                     base_q = base_q.offset(start).limit(limit)
                     # authenticated access to user groups
                     auth_user_group_list = base_q.all()
                     user_groups_data = []
                     for user_gr in auth_user_group_list:
                         row = {
                             "users_group_name": user_group_name(user_gr.users_group_name),
                             "name_raw": h.escape(user_gr.users_group_name),
                             "description": h.escape(user_gr.user_group_description),
                             "members": user_gr.member_count,
                             # NOTE(marcink): because of advanced query we
                             # need to load it like that
                             "sync": UserGroup._load_sync(
                                 UserGroup._load_group_data(user_gr.group_data)),
                             "active": h.bool2icon(user_gr.users_group_active),
                             "owner": user_profile(user_gr.User.username),
                             "action": user_group_actions(
                                 user_gr.users_group_id, user_gr.users_group_name)
                         }
                         user_groups_data.append(row)
                     data = ({
                         'draw': draw,
                         'data': user_groups_data,
                         'recordsTotal': user_groups_data_total_count,
                         'recordsTotalInactive': user_groups_data_total_inactive_count,
                         'recordsFiltered': user_groups_data_total_filtered_count,
                         'recordsFilteredInactive': user_groups_data_total_filtered_inactive_count,
                     })
                     return data
                 @LoginRequired()
                 @HasPermissionAnyDecorator('hg.admin', 'hg.usergroup.create.true')
                 @view_config(
                     route_name='user_groups_new', request_method='GET',
                     renderer='rhodecode:templates/admin/user_groups/user_group_add.mako')
                 def user_groups_new(self):
                     c = self.load_default_context()
                     return self._get_template_context(c)
                 @LoginRequired()
                 @HasPermissionAnyDecorator('hg.admin', 'hg.usergroup.create.true')
                 @CSRFRequired()
                 @view_config(
                     route_name='user_groups_create', request_method='POST',
                     renderer='rhodecode:templates/admin/user_groups/user_group_add.mako')
                 def user_groups_create(self):
                     _ = self.request.translate
                     c = self.load_default_context()
                     users_group_form = UserGroupForm(self.request.translate)()
                     user_group_name = self.request.POST.get('users_group_name')
                     try:
                         form_result = users_group_form.to_python(dict(self.request.POST))
                         user_group = UserGroupModel().create(
                             name=form_result['users_group_name'],
                             description=form_result['user_group_description'],
                             owner=self._rhodecode_user.user_id,
                             active=form_result['users_group_active'])
                         Session().flush()
                         creation_data = user_group.get_api_data()
                         user_group_name = form_result['users_group_name']
                         audit_logger.store_web(
                             'user_group.create', action_data={'data': creation_data},
                             user=self._rhodecode_user)
                         user_group_link = h.link_to(
                             h.escape(user_group_name),
                             h.route_path(
                                 'edit_user_group', user_group_id=user_group.users_group_id))
                         h.flash(h.literal(_('Created user group %(user_group_link)s')
                                           % {'user_group_link': user_group_link}),
                                 category='success')
                         Session().commit()
                         user_group_id = user_group.users_group_id
                     except formencode.Invalid as errors:
                         data = render(
                             'rhodecode:templates/admin/user_groups/user_group_add.mako',
                             self._get_template_context(c), self.request)
                         html = formencode.htmlfill.render(
                             data,
                             defaults=errors.value,
                             errors=errors.error_dict or {},
                             prefix_error=False,
                             encoding="UTF-8",
                             force_defaults=False
                         )
                         return Response(html)
                     except Exception:
                         log.exception("Exception creating user group")
                         h.flash(_('Error occurred during creation of user group %s') \
                                 % user_group_name, category='error')
                         raise HTTPFound(h.route_path('user_groups_new'))
-                    events.trigger(events.UserPermissionsChange([self._rhodecode_user.user_id]))
+                    affected_user_ids = [self._rhodecode_user.user_id]
+                    PermissionModel().trigger_permission_flush(affected_user_ids)
                     raise HTTPFound(
                         h.route_path('edit_user_group', user_group_id=user_group_id))

rhodecode/apps/admin/views/users.py

0 +1 -1

             # -*- coding: utf-8 -*-
             # Copyright (C) 2016-2019 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import logging
             import datetime
             import formencode
             import formencode.htmlfill
             from pyramid.httpexceptions import HTTPFound
             from pyramid.view import view_config
             from pyramid.renderers import render
             from pyramid.response import Response
             from rhodecode import events
             from rhodecode.apps._base import BaseAppView, DataGridAppView, UserAppView
             from rhodecode.apps.ssh_support import SshKeyFileChangeEvent
             from rhodecode.authentication.plugins import auth_rhodecode
             from rhodecode.events import trigger
             from rhodecode.model.db import true
             from rhodecode.lib import audit_logger, rc_cache
             from rhodecode.lib.exceptions import (
                 UserCreationError, UserOwnsReposException, UserOwnsRepoGroupsException,
                 UserOwnsUserGroupsException, DefaultUserException)
             from rhodecode.lib.ext_json import json
             from rhodecode.lib.auth import (
                 LoginRequired, HasPermissionAllDecorator, CSRFRequired)
             from rhodecode.lib import helpers as h
             from rhodecode.lib.utils2 import safe_int, safe_unicode, AttributeDict
             from rhodecode.model.auth_token import AuthTokenModel
             from rhodecode.model.forms import (
                 UserForm, UserIndividualPermissionsForm, UserPermissionsForm,
                 UserExtraEmailForm, UserExtraIpForm)
             from rhodecode.model.permission import PermissionModel
             from rhodecode.model.repo_group import RepoGroupModel
             from rhodecode.model.ssh_key import SshKeyModel
             from rhodecode.model.user import UserModel
             from rhodecode.model.user_group import UserGroupModel
             from rhodecode.model.db import (
                 or_, coalesce,IntegrityError, User, UserGroup, UserIpMap, UserEmailMap,
                 UserApiKeys, UserSshKeys, RepoGroup)
             from rhodecode.model.meta import Session
             log = logging.getLogger(__name__)
             class AdminUsersView(BaseAppView, DataGridAppView):
                 def load_default_context(self):
                     c = self._get_local_tmpl_context()
                     return c
                 @LoginRequired()
                 @HasPermissionAllDecorator('hg.admin')
                 @view_config(
                     route_name='users', request_method='GET',
                     renderer='rhodecode:templates/admin/users/users.mako')
                 def users_list(self):
                     c = self.load_default_context()
                     return self._get_template_context(c)
                 @LoginRequired()
                 @HasPermissionAllDecorator('hg.admin')
                 @view_config(
                     # renderer defined below
                     route_name='users_data', request_method='GET',
                     renderer='json_ext', xhr=True)
                 def users_list_data(self):
                     self.load_default_context()
                     column_map = {
                         'first_name': 'name',
                         'last_name': 'lastname',
                     }
                     draw, start, limit = self._extract_chunk(self.request)
                     search_q, order_by, order_dir = self._extract_ordering(
                         self.request, column_map=column_map)
                     _render = self.request.get_partial_renderer(
                         'rhodecode:templates/data_table/_dt_elements.mako')
                     def user_actions(user_id, username):
                         return _render("user_actions", user_id, username)
                     users_data_total_count = User.query()\
                         .filter(User.username != User.DEFAULT_USER) \
                         .count()
                     users_data_total_inactive_count = User.query()\
                         .filter(User.username != User.DEFAULT_USER) \
                         .filter(User.active != true())\
                         .count()
                     # json generate
                     base_q = User.query().filter(User.username != User.DEFAULT_USER)
                     base_inactive_q = base_q.filter(User.active != true())
                     if search_q:
                         like_expression = u'%{}%'.format(safe_unicode(search_q))
                         base_q = base_q.filter(or_(
                             User.username.ilike(like_expression),
                             User._email.ilike(like_expression),
                             User.name.ilike(like_expression),
                             User.lastname.ilike(like_expression),
                         ))
                         base_inactive_q = base_q.filter(User.active != true())
                     users_data_total_filtered_count = base_q.count()
                     users_data_total_filtered_inactive_count = base_inactive_q.count()
                     sort_col = getattr(User, order_by, None)
                     if sort_col:
                         if order_dir == 'asc':
                             # handle null values properly to order by NULL last
                             if order_by in ['last_activity']:
                                 sort_col = coalesce(sort_col, datetime.date.max)
                             sort_col = sort_col.asc()
                         else:
                             # handle null values properly to order by NULL last
                             if order_by in ['last_activity']:
                                 sort_col = coalesce(sort_col, datetime.date.min)
                             sort_col = sort_col.desc()
                     base_q = base_q.order_by(sort_col)
                     base_q = base_q.offset(start).limit(limit)
                     users_list = base_q.all()
                     users_data = []
                     for user in users_list:
                         users_data.append({
                             "username": h.gravatar_with_user(self.request, user.username),
                             "email": user.email,
                             "first_name": user.first_name,
                             "last_name": user.last_name,
                             "last_login": h.format_date(user.last_login),
                             "last_activity": h.format_date(user.last_activity),
                             "active": h.bool2icon(user.active),
                             "active_raw": user.active,
                             "admin": h.bool2icon(user.admin),
                             "extern_type": user.extern_type,
                             "extern_name": user.extern_name,
                             "action": user_actions(user.user_id, user.username),
                         })
                     data = ({
                         'draw': draw,
                         'data': users_data,
                         'recordsTotal': users_data_total_count,
                         'recordsFiltered': users_data_total_filtered_count,
                         'recordsTotalInactive': users_data_total_inactive_count,
                         'recordsFilteredInactive': users_data_total_filtered_inactive_count
                     })
                     return data
                 def _set_personal_repo_group_template_vars(self, c_obj):
                     DummyUser = AttributeDict({
                         'username': '${username}',
                         'user_id': '${user_id}',
                     })
                     c_obj.default_create_repo_group = RepoGroupModel() \
                         .get_default_create_personal_repo_group()
                     c_obj.personal_repo_group_name = RepoGroupModel() \
                         .get_personal_group_name(DummyUser)
                 @LoginRequired()
                 @HasPermissionAllDecorator('hg.admin')
                 @view_config(
                     route_name='users_new', request_method='GET',
                     renderer='rhodecode:templates/admin/users/user_add.mako')
                 def users_new(self):
                     _ = self.request.translate
                     c = self.load_default_context()
                     c.default_extern_type = auth_rhodecode.RhodeCodeAuthPlugin.uid
                     self._set_personal_repo_group_template_vars(c)
                     return self._get_template_context(c)
                 @LoginRequired()
                 @HasPermissionAllDecorator('hg.admin')
                 @CSRFRequired()
                 @view_config(
                     route_name='users_create', request_method='POST',
                     renderer='rhodecode:templates/admin/users/user_add.mako')
                 def users_create(self):
                     _ = self.request.translate
                     c = self.load_default_context()
                     c.default_extern_type = auth_rhodecode.RhodeCodeAuthPlugin.uid
                     user_model = UserModel()
                     user_form = UserForm(self.request.translate)()
                     try:
                         form_result = user_form.to_python(dict(self.request.POST))
                         user = user_model.create(form_result)
                         Session().flush()
                         creation_data = user.get_api_data()
                         username = form_result['username']
                         audit_logger.store_web(
                             'user.create', action_data={'data': creation_data},
                             user=c.rhodecode_user)
                         user_link = h.link_to(
                             h.escape(username),
                             h.route_path('user_edit', user_id=user.user_id))
                         h.flash(h.literal(_('Created user %(user_link)s')
                                           % {'user_link': user_link}), category='success')
                         Session().commit()
                     except formencode.Invalid as errors:
                         self._set_personal_repo_group_template_vars(c)
                         data = render(
                             'rhodecode:templates/admin/users/user_add.mako',
                             self._get_template_context(c), self.request)
                         html = formencode.htmlfill.render(
                             data,
                             defaults=errors.value,
                             errors=errors.error_dict or {},
                             prefix_error=False,
                             encoding="UTF-8",
                             force_defaults=False
                         )
                         return Response(html)
                     except UserCreationError as e:
                         h.flash(e, 'error')
                     except Exception:
                         log.exception("Exception creation of user")
                         h.flash(_('Error occurred during creation of user %s')
                                 % self.request.POST.get('username'), category='error')
                     raise HTTPFound(h.route_path('users'))
             class UsersView(UserAppView):
                 ALLOW_SCOPED_TOKENS = False
                 """
                 This view has alternative version inside EE, if modified please take a look
                 in there as well.
                 """
                 def load_default_context(self):
                     c = self._get_local_tmpl_context()
                     c.allow_scoped_tokens = self.ALLOW_SCOPED_TOKENS
                     c.allowed_languages = [
                         ('en', 'English (en)'),
                         ('de', 'German (de)'),
                         ('fr', 'French (fr)'),
                         ('it', 'Italian (it)'),
                         ('ja', 'Japanese (ja)'),
                         ('pl', 'Polish (pl)'),
                         ('pt', 'Portuguese (pt)'),
                         ('ru', 'Russian (ru)'),
                         ('zh', 'Chinese (zh)'),
                     ]
                     req = self.request
                     c.available_permissions = req.registry.settings['available_permissions']
                     PermissionModel().set_global_permission_choices(
                         c, gettext_translator=req.translate)
                     return c
                 @LoginRequired()
                 @HasPermissionAllDecorator('hg.admin')
                 @CSRFRequired()
                 @view_config(
                     route_name='user_update', request_method='POST',
                     renderer='rhodecode:templates/admin/users/user_edit.mako')
                 def user_update(self):
                     _ = self.request.translate
                     c = self.load_default_context()
                     user_id = self.db_user_id
                     c.user = self.db_user
                     c.active = 'profile'
                     c.extern_type = c.user.extern_type
                     c.extern_name = c.user.extern_name
                     c.perm_user = c.user.AuthUser(ip_addr=self.request.remote_addr)
                     available_languages = [x[0] for x in c.allowed_languages]
                     _form = UserForm(self.request.translate, edit=True,
                                      available_languages=available_languages,
                                      old_data={'user_id': user_id,
                                                'email': c.user.email})()
                     form_result = {}
                     old_values = c.user.get_api_data()
                     try:
                         form_result = _form.to_python(dict(self.request.POST))
                         skip_attrs = ['extern_type', 'extern_name']
                         # TODO: plugin should define if username can be updated
                         if c.extern_type != "rhodecode":
                             # forbid updating username for external accounts
                             skip_attrs.append('username')
                         UserModel().update_user(
                             user_id, skip_attrs=skip_attrs, **form_result)
                         audit_logger.store_web(
                             'user.edit', action_data={'old_data': old_values},
                             user=c.rhodecode_user)
                         Session().commit()
                         h.flash(_('User updated successfully'), category='success')
                     except formencode.Invalid as errors:
                         data = render(
                             'rhodecode:templates/admin/users/user_edit.mako',
                             self._get_template_context(c), self.request)
                         html = formencode.htmlfill.render(
                             data,
                             defaults=errors.value,
                             errors=errors.error_dict or {},
                             prefix_error=False,
                             encoding="UTF-8",
                             force_defaults=False
                         )
                         return Response(html)
                     except UserCreationError as e:
                         h.flash(e, 'error')
                     except Exception:
                         log.exception("Exception updating user")
                         h.flash(_('Error occurred during update of user %s')
                                 % form_result.get('username'), category='error')
                     raise HTTPFound(h.route_path('user_edit', user_id=user_id))
                 @LoginRequired()
                 @HasPermissionAllDecorator('hg.admin')
                 @CSRFRequired()
                 @view_config(
                     route_name='user_delete', request_method='POST',
                     renderer='rhodecode:templates/admin/users/user_edit.mako')
                 def user_delete(self):
                     _ = self.request.translate
                     c = self.load_default_context()
                     c.user = self.db_user
                     _repos = c.user.repositories
                     _repo_groups = c.user.repository_groups
                     _user_groups = c.user.user_groups
                     handle_repos = None
                     handle_repo_groups = None
                     handle_user_groups = None
                     # dummy call for flash of handle
                     set_handle_flash_repos = lambda: None
                     set_handle_flash_repo_groups = lambda: None
                     set_handle_flash_user_groups = lambda: None
                     if _repos and self.request.POST.get('user_repos'):
                         do = self.request.POST['user_repos']
                         if do == 'detach':
                             handle_repos = 'detach'
                             set_handle_flash_repos = lambda: h.flash(
                                 _('Detached %s repositories') % len(_repos),
                                 category='success')
                         elif do == 'delete':
                             handle_repos = 'delete'
                             set_handle_flash_repos = lambda: h.flash(
                                 _('Deleted %s repositories') % len(_repos),
                                 category='success')
                     if _repo_groups and self.request.POST.get('user_repo_groups'):
                         do = self.request.POST['user_repo_groups']
                         if do == 'detach':
                             handle_repo_groups = 'detach'
                             set_handle_flash_repo_groups = lambda: h.flash(
                                 _('Detached %s repository groups') % len(_repo_groups),
                                 category='success')
                         elif do == 'delete':
                             handle_repo_groups = 'delete'
                             set_handle_flash_repo_groups = lambda: h.flash(
                                 _('Deleted %s repository groups') % len(_repo_groups),
                                 category='success')
                     if _user_groups and self.request.POST.get('user_user_groups'):
                         do = self.request.POST['user_user_groups']
                         if do == 'detach':
                             handle_user_groups = 'detach'
                             set_handle_flash_user_groups = lambda: h.flash(
                                 _('Detached %s user groups') % len(_user_groups),
                                 category='success')
                         elif do == 'delete':
                             handle_user_groups = 'delete'
                             set_handle_flash_user_groups = lambda: h.flash(
                                 _('Deleted %s user groups') % len(_user_groups),
                                 category='success')
                     old_values = c.user.get_api_data()
                     try:
                         UserModel().delete(c.user, handle_repos=handle_repos,
                                            handle_repo_groups=handle_repo_groups,
                                            handle_user_groups=handle_user_groups)
                         audit_logger.store_web(
                             'user.delete', action_data={'old_data': old_values},
                             user=c.rhodecode_user)
                         Session().commit()
                         set_handle_flash_repos()
                         set_handle_flash_repo_groups()
                         set_handle_flash_user_groups()
                         h.flash(_('Successfully deleted user'), category='success')
                     except (UserOwnsReposException, UserOwnsRepoGroupsException,
                             UserOwnsUserGroupsException, DefaultUserException) as e:
                         h.flash(e, category='warning')
                     except Exception:
                         log.exception("Exception during deletion of user")
                         h.flash(_('An error occurred during deletion of user'),
                                 category='error')
                     raise HTTPFound(h.route_path('users'))
                 @LoginRequired()
                 @HasPermissionAllDecorator('hg.admin')
                 @view_config(
                     route_name='user_edit', request_method='GET',
                     renderer='rhodecode:templates/admin/users/user_edit.mako')
                 def user_edit(self):
                     _ = self.request.translate
                     c = self.load_default_context()
                     c.user = self.db_user
                     c.active = 'profile'
                     c.extern_type = c.user.extern_type
                     c.extern_name = c.user.extern_name
                     c.perm_user = c.user.AuthUser(ip_addr=self.request.remote_addr)
                     defaults = c.user.get_dict()
                     defaults.update({'language': c.user.user_data.get('language')})
                     data = render(
                         'rhodecode:templates/admin/users/user_edit.mako',
                         self._get_template_context(c), self.request)
                     html = formencode.htmlfill.render(
                         data,
                         defaults=defaults,
                         encoding="UTF-8",
                         force_defaults=False
                     )
                     return Response(html)
                 @LoginRequired()
                 @HasPermissionAllDecorator('hg.admin')
                 @view_config(
                     route_name='user_edit_advanced', request_method='GET',
                     renderer='rhodecode:templates/admin/users/user_edit.mako')
                 def user_edit_advanced(self):
                     _ = self.request.translate
                     c = self.load_default_context()
                     user_id = self.db_user_id
                     c.user = self.db_user
                     c.active = 'advanced'
                     c.personal_repo_group = RepoGroup.get_user_personal_repo_group(user_id)
                     c.personal_repo_group_name = RepoGroupModel()\
                         .get_personal_group_name(c.user)
                     c.user_to_review_rules = sorted(
                         (x.user for x in c.user.user_review_rules),
                         key=lambda u: u.username.lower())
                     c.first_admin = User.get_first_super_admin()
                     defaults = c.user.get_dict()
                     # Interim workaround if the user participated on any pull requests as a
                     # reviewer.
                     has_review = len(c.user.reviewer_pull_requests)
                     c.can_delete_user = not has_review
                     c.can_delete_user_message = ''
                     inactive_link = h.link_to(
                         'inactive', h.route_path('user_edit', user_id=user_id, _anchor='active'))
                     if has_review == 1:
                         c.can_delete_user_message = h.literal(_(
                             'The user participates as reviewer in {} pull request and '
                             'cannot be deleted. \nYou can set the user to '
                             '"{}" instead of deleting it.').format(
                             has_review, inactive_link))
                     elif has_review:
                         c.can_delete_user_message = h.literal(_(
                             'The user participates as reviewer in {} pull requests and '
                             'cannot be deleted. \nYou can set the user to '
                             '"{}" instead of deleting it.').format(
                             has_review, inactive_link))
                     data = render(
                         'rhodecode:templates/admin/users/user_edit.mako',
                         self._get_template_context(c), self.request)
                     html = formencode.htmlfill.render(
                         data,
                         defaults=defaults,
                         encoding="UTF-8",
                         force_defaults=False
                     )
                     return Response(html)
                 @LoginRequired()
                 @HasPermissionAllDecorator('hg.admin')
                 @view_config(
                     route_name='user_edit_global_perms', request_method='GET',
                     renderer='rhodecode:templates/admin/users/user_edit.mako')
                 def user_edit_global_perms(self):
                     _ = self.request.translate
                     c = self.load_default_context()
                     c.user = self.db_user
                     c.active = 'global_perms'
                     c.default_user = User.get_default_user()
                     defaults = c.user.get_dict()
                     defaults.update(c.default_user.get_default_perms(suffix='_inherited'))
                     defaults.update(c.default_user.get_default_perms())
                     defaults.update(c.user.get_default_perms())
                     data = render(
                         'rhodecode:templates/admin/users/user_edit.mako',
                         self._get_template_context(c), self.request)
                     html = formencode.htmlfill.render(
                         data,
                         defaults=defaults,
                         encoding="UTF-8",
                         force_defaults=False
                     )
                     return Response(html)
                 @LoginRequired()
                 @HasPermissionAllDecorator('hg.admin')
                 @CSRFRequired()
                 @view_config(
                     route_name='user_edit_global_perms_update', request_method='POST',
                     renderer='rhodecode:templates/admin/users/user_edit.mako')
                 def user_edit_global_perms_update(self):
                     _ = self.request.translate
                     c = self.load_default_context()
                     user_id = self.db_user_id
                     c.user = self.db_user
                     c.active = 'global_perms'
                     try:
                         # first stage that verifies the checkbox
                         _form = UserIndividualPermissionsForm(self.request.translate)
                         form_result = _form.to_python(dict(self.request.POST))
                         inherit_perms = form_result['inherit_default_permissions']
                         c.user.inherit_default_permissions = inherit_perms
                         Session().add(c.user)
                         if not inherit_perms:
                             # only update the individual ones if we un check the flag
                             _form = UserPermissionsForm(
                                 self.request.translate,
                                 [x[0] for x in c.repo_create_choices],
                                 [x[0] for x in c.repo_create_on_write_choices],
                                 [x[0] for x in c.repo_group_create_choices],
                                 [x[0] for x in c.user_group_create_choices],
                                 [x[0] for x in c.fork_choices],
                                 [x[0] for x in c.inherit_default_permission_choices])()
                             form_result = _form.to_python(dict(self.request.POST))
                             form_result.update({'perm_user_id': c.user.user_id})
                             PermissionModel().update_user_permissions(form_result)
                         # TODO(marcink): implement global permissions
                         # audit_log.store_web('user.edit.permissions')
                         Session().commit()
                         h.flash(_('User global permissions updated successfully'),
                                 category='success')
                     except formencode.Invalid as errors:
                         data = render(
                             'rhodecode:templates/admin/users/user_edit.mako',
                             self._get_template_context(c), self.request)
                         html = formencode.htmlfill.render(
                             data,
                             defaults=errors.value,
                             errors=errors.error_dict or {},
                             prefix_error=False,
                             encoding="UTF-8",
                             force_defaults=False
                         )
                         return Response(html)
                     except Exception:
                         log.exception("Exception during permissions saving")
                         h.flash(_('An error occurred during permissions saving'),
                                 category='error')
                     affected_user_ids = [user_id]
-                    events.trigger(events.UserPermissionsChange(affected_user_ids))
+                    PermissionModel().trigger_permission_flush(affected_user_ids)
                     raise HTTPFound(h.route_path('user_edit_global_perms', user_id=user_id))
                 @LoginRequired()
                 @HasPermissionAllDecorator('hg.admin')
                 @CSRFRequired()
                 @view_config(
                     route_name='user_enable_force_password_reset', request_method='POST',
                     renderer='rhodecode:templates/admin/users/user_edit.mako')
                 def user_enable_force_password_reset(self):
                     _ = self.request.translate
                     c = self.load_default_context()
                     user_id = self.db_user_id
                     c.user = self.db_user
                     try:
                         c.user.update_userdata(force_password_change=True)
                         msg = _('Force password change enabled for user')
                         audit_logger.store_web('user.edit.password_reset.enabled',
                                                user=c.rhodecode_user)
                         Session().commit()
                         h.flash(msg, category='success')
                     except Exception:
                         log.exception("Exception during password reset for user")
                         h.flash(_('An error occurred during password reset for user'),
                                 category='error')
                     raise HTTPFound(h.route_path('user_edit_advanced', user_id=user_id))
                 @LoginRequired()
                 @HasPermissionAllDecorator('hg.admin')
                 @CSRFRequired()
                 @view_config(
                     route_name='user_disable_force_password_reset', request_method='POST',
                     renderer='rhodecode:templates/admin/users/user_edit.mako')
                 def user_disable_force_password_reset(self):
                     _ = self.request.translate
                     c = self.load_default_context()
                     user_id = self.db_user_id
                     c.user = self.db_user
                     try:
                         c.user.update_userdata(force_password_change=False)
                         msg = _('Force password change disabled for user')
                         audit_logger.store_web(
                             'user.edit.password_reset.disabled',
                             user=c.rhodecode_user)
                         Session().commit()
                         h.flash(msg, category='success')
                     except Exception:
                         log.exception("Exception during password reset for user")
                         h.flash(_('An error occurred during password reset for user'),
                                 category='error')
                     raise HTTPFound(h.route_path('user_edit_advanced', user_id=user_id))
                 @LoginRequired()
                 @HasPermissionAllDecorator('hg.admin')
                 @CSRFRequired()
                 @view_config(
                     route_name='user_create_personal_repo_group', request_method='POST',
                     renderer='rhodecode:templates/admin/users/user_edit.mako')
                 def user_create_personal_repo_group(self):
                     """
                     Create personal repository group for this user
                     """
                     from rhodecode.model.repo_group import RepoGroupModel
                     _ = self.request.translate
                     c = self.load_default_context()
                     user_id = self.db_user_id
                     c.user = self.db_user
                     personal_repo_group = RepoGroup.get_user_personal_repo_group(
                         c.user.user_id)
                     if personal_repo_group:
                         raise HTTPFound(h.route_path('user_edit_advanced', user_id=user_id))
                     personal_repo_group_name = RepoGroupModel().get_personal_group_name(c.user)
                     named_personal_group = RepoGroup.get_by_group_name(
                         personal_repo_group_name)
                     try:
                         if named_personal_group and named_personal_group.user_id == c.user.user_id:
                             # migrate the same named group, and mark it as personal
                             named_personal_group.personal = True
                             Session().add(named_personal_group)
                             Session().commit()
                             msg = _('Linked repository group `%s` as personal' % (
                                 personal_repo_group_name,))
                             h.flash(msg, category='success')
                         elif not named_personal_group:
                             RepoGroupModel().create_personal_repo_group(c.user)
                             msg = _('Created repository group `%s`' % (
                                 personal_repo_group_name,))
                             h.flash(msg, category='success')
                         else:
                             msg = _('Repository group `%s` is already taken' % (
                                 personal_repo_group_name,))
                             h.flash(msg, category='warning')
                     except Exception:
                         log.exception("Exception during repository group creation")
                         msg = _(
                             'An error occurred during repository group creation for user')
                         h.flash(msg, category='error')
                         Session().rollback()
                     raise HTTPFound(h.route_path('user_edit_advanced', user_id=user_id))
                 @LoginRequired()
                 @HasPermissionAllDecorator('hg.admin')
                 @view_config(
                     route_name='edit_user_auth_tokens', request_method='GET',
                     renderer='rhodecode:templates/admin/users/user_edit.mako')
                 def auth_tokens(self):
                     _ = self.request.translate
                     c = self.load_default_context()
                     c.user = self.db_user
                     c.active = 'auth_tokens'
                     c.lifetime_values = AuthTokenModel.get_lifetime_values(translator=_)
                     c.role_values = [
                         (x, AuthTokenModel.cls._get_role_name(x))
                         for x in AuthTokenModel.cls.ROLES]
                     c.role_options = [(c.role_values, _("Role"))]
                     c.user_auth_tokens = AuthTokenModel().get_auth_tokens(
                         c.user.user_id, show_expired=True)
                     c.role_vcs = AuthTokenModel.cls.ROLE_VCS
                     return self._get_template_context(c)
                 def maybe_attach_token_scope(self, token):
                     # implemented in EE edition
                     pass
                 @LoginRequired()
                 @HasPermissionAllDecorator('hg.admin')
                 @CSRFRequired()
                 @view_config(
                     route_name='edit_user_auth_tokens_add', request_method='POST')
                 def auth_tokens_add(self):
                     _ = self.request.translate
                     c = self.load_default_context()
                     user_id = self.db_user_id
                     c.user = self.db_user
                     user_data = c.user.get_api_data()
                     lifetime = safe_int(self.request.POST.get('lifetime'), -1)
                     description = self.request.POST.get('description')
                     role = self.request.POST.get('role')
                     token = UserModel().add_auth_token(
                         user=c.user.user_id,
                         lifetime_minutes=lifetime, role=role, description=description,
                         scope_callback=self.maybe_attach_token_scope)
                     token_data = token.get_api_data()
                     audit_logger.store_web(
                         'user.edit.token.add', action_data={
                             'data': {'token': token_data, 'user': user_data}},
                         user=self._rhodecode_user, )
                     Session().commit()
                     h.flash(_("Auth token successfully created"), category='success')
                     return HTTPFound(h.route_path('edit_user_auth_tokens', user_id=user_id))
                 @LoginRequired()
                 @HasPermissionAllDecorator('hg.admin')
                 @CSRFRequired()
                 @view_config(
                     route_name='edit_user_auth_tokens_delete', request_method='POST')
                 def auth_tokens_delete(self):
                     _ = self.request.translate
                     c = self.load_default_context()
                     user_id = self.db_user_id
                     c.user = self.db_user
                     user_data = c.user.get_api_data()
                     del_auth_token = self.request.POST.get('del_auth_token')
                     if del_auth_token:
                         token = UserApiKeys.get_or_404(del_auth_token)
                         token_data = token.get_api_data()
                         AuthTokenModel().delete(del_auth_token, c.user.user_id)
                         audit_logger.store_web(
                             'user.edit.token.delete', action_data={
                                 'data': {'token': token_data, 'user': user_data}},
                             user=self._rhodecode_user,)
                         Session().commit()
                         h.flash(_("Auth token successfully deleted"), category='success')
                     return HTTPFound(h.route_path('edit_user_auth_tokens', user_id=user_id))
                 @LoginRequired()
                 @HasPermissionAllDecorator('hg.admin')
                 @view_config(
                     route_name='edit_user_ssh_keys', request_method='GET',
                     renderer='rhodecode:templates/admin/users/user_edit.mako')
                 def ssh_keys(self):
                     _ = self.request.translate
                     c = self.load_default_context()
                     c.user = self.db_user
                     c.active = 'ssh_keys'
                     c.default_key = self.request.GET.get('default_key')
                     c.user_ssh_keys = SshKeyModel().get_ssh_keys(c.user.user_id)
                     return self._get_template_context(c)
                 @LoginRequired()
                 @HasPermissionAllDecorator('hg.admin')
                 @view_config(
                     route_name='edit_user_ssh_keys_generate_keypair', request_method='GET',
                     renderer='rhodecode:templates/admin/users/user_edit.mako')
                 def ssh_keys_generate_keypair(self):
                     _ = self.request.translate
                     c = self.load_default_context()
                     c.user = self.db_user
                     c.active = 'ssh_keys_generate'
                     comment = 'RhodeCode-SSH {}'.format(c.user.email or '')
                     c.private, c.public = SshKeyModel().generate_keypair(comment=comment)
                     return self._get_template_context(c)
                 @LoginRequired()
                 @HasPermissionAllDecorator('hg.admin')
                 @CSRFRequired()
                 @view_config(
                     route_name='edit_user_ssh_keys_add', request_method='POST')
                 def ssh_keys_add(self):
                     _ = self.request.translate
                     c = self.load_default_context()
                     user_id = self.db_user_id
                     c.user = self.db_user
                     user_data = c.user.get_api_data()
                     key_data = self.request.POST.get('key_data')
                     description = self.request.POST.get('description')
                     fingerprint = 'unknown'
                     try:
                         if not key_data:
                             raise ValueError('Please add a valid public key')
                         key = SshKeyModel().parse_key(key_data.strip())
                         fingerprint = key.hash_md5()
                         ssh_key = SshKeyModel().create(
                             c.user.user_id, fingerprint, key.keydata, description)
                         ssh_key_data = ssh_key.get_api_data()
                         audit_logger.store_web(
                             'user.edit.ssh_key.add', action_data={
                                 'data': {'ssh_key': ssh_key_data, 'user': user_data}},
                             user=self._rhodecode_user, )
                         Session().commit()
                         # Trigger an event on change of keys.
                         trigger(SshKeyFileChangeEvent(), self.request.registry)
                         h.flash(_("Ssh Key successfully created"), category='success')
                     except IntegrityError:
                         log.exception("Exception during ssh key saving")
                         err = 'Such key with fingerprint `{}` already exists, ' \
                               'please use a different one'.format(fingerprint)
                         h.flash(_('An error occurred during ssh key saving: {}').format(err),
                                 category='error')
                     except Exception as e:
                         log.exception("Exception during ssh key saving")
                         h.flash(_('An error occurred during ssh key saving: {}').format(e),
                                 category='error')
                     return HTTPFound(
                         h.route_path('edit_user_ssh_keys', user_id=user_id))
                 @LoginRequired()
                 @HasPermissionAllDecorator('hg.admin')
                 @CSRFRequired()
                 @view_config(
                     route_name='edit_user_ssh_keys_delete', request_method='POST')
                 def ssh_keys_delete(self):
                     _ = self.request.translate
                     c = self.load_default_context()
                     user_id = self.db_user_id
                     c.user = self.db_user
                     user_data = c.user.get_api_data()
                     del_ssh_key = self.request.POST.get('del_ssh_key')
                     if del_ssh_key:
                         ssh_key = UserSshKeys.get_or_404(del_ssh_key)
                         ssh_key_data = ssh_key.get_api_data()
                         SshKeyModel().delete(del_ssh_key, c.user.user_id)
                         audit_logger.store_web(
                             'user.edit.ssh_key.delete', action_data={
                                 'data': {'ssh_key': ssh_key_data, 'user': user_data}},
                             user=self._rhodecode_user,)
                         Session().commit()
                         # Trigger an event on change of keys.
                         trigger(SshKeyFileChangeEvent(), self.request.registry)
                         h.flash(_("Ssh key successfully deleted"), category='success')
                     return HTTPFound(h.route_path('edit_user_ssh_keys', user_id=user_id))
                 @LoginRequired()
                 @HasPermissionAllDecorator('hg.admin')
                 @view_config(
                     route_name='edit_user_emails', request_method='GET',
                     renderer='rhodecode:templates/admin/users/user_edit.mako')
                 def emails(self):
                     _ = self.request.translate
                     c = self.load_default_context()
                     c.user = self.db_user
                     c.active = 'emails'
                     c.user_email_map = UserEmailMap.query() \
                         .filter(UserEmailMap.user == c.user).all()
                     return self._get_template_context(c)
                 @LoginRequired()
                 @HasPermissionAllDecorator('hg.admin')
                 @CSRFRequired()
                 @view_config(
                     route_name='edit_user_emails_add', request_method='POST')
                 def emails_add(self):
                     _ = self.request.translate
                     c = self.load_default_context()
                     user_id = self.db_user_id
                     c.user = self.db_user
                     email = self.request.POST.get('new_email')
                     user_data = c.user.get_api_data()
                     try:
                         form = UserExtraEmailForm(self.request.translate)()
                         data = form.to_python({'email': email})
                         email = data['email']
                         UserModel().add_extra_email(c.user.user_id, email)
                         audit_logger.store_web(
                             'user.edit.email.add',
                             action_data={'email': email, 'user': user_data},
                             user=self._rhodecode_user)
                         Session().commit()
                         h.flash(_("Added new email address `%s` for user account") % email,
                                 category='success')
                     except formencode.Invalid as error:
                         h.flash(h.escape(error.error_dict['email']), category='error')
                     except IntegrityError:
                         log.warning("Email %s already exists", email)
                         h.flash(_('Email `{}` is already registered for another user.').format(email),
                                 category='error')
                     except Exception:
                         log.exception("Exception during email saving")
                         h.flash(_('An error occurred during email saving'),
                                 category='error')
                     raise HTTPFound(h.route_path('edit_user_emails', user_id=user_id))
                 @LoginRequired()
                 @HasPermissionAllDecorator('hg.admin')
                 @CSRFRequired()
                 @view_config(
                     route_name='edit_user_emails_delete', request_method='POST')
                 def emails_delete(self):
                     _ = self.request.translate
                     c = self.load_default_context()
                     user_id = self.db_user_id
                     c.user = self.db_user
                     email_id = self.request.POST.get('del_email_id')
                     user_model = UserModel()
                     email = UserEmailMap.query().get(email_id).email
                     user_data = c.user.get_api_data()
                     user_model.delete_extra_email(c.user.user_id, email_id)
                     audit_logger.store_web(
                         'user.edit.email.delete',
                         action_data={'email': email, 'user': user_data},
                         user=self._rhodecode_user)
                     Session().commit()
                     h.flash(_("Removed email address from user account"),
                             category='success')
                     raise HTTPFound(h.route_path('edit_user_emails', user_id=user_id))
                 @LoginRequired()
                 @HasPermissionAllDecorator('hg.admin')
                 @view_config(
                     route_name='edit_user_ips', request_method='GET',
                     renderer='rhodecode:templates/admin/users/user_edit.mako')
                 def ips(self):
                     _ = self.request.translate
                     c = self.load_default_context()
                     c.user = self.db_user
                     c.active = 'ips'
                     c.user_ip_map = UserIpMap.query() \
                         .filter(UserIpMap.user == c.user).all()
                     c.inherit_default_ips = c.user.inherit_default_permissions
                     c.default_user_ip_map = UserIpMap.query() \
                         .filter(UserIpMap.user == User.get_default_user()).all()
                     return self._get_template_context(c)
                 @LoginRequired()
                 @HasPermissionAllDecorator('hg.admin')
                 @CSRFRequired()
                 @view_config(
                     route_name='edit_user_ips_add', request_method='POST')
                 # NOTE(marcink): this view is allowed for default users, as we can
                 # edit their IP white list
                 def ips_add(self):
                     _ = self.request.translate
                     c = self.load_default_context()
                     user_id = self.db_user_id
                     c.user = self.db_user
                     user_model = UserModel()
                     desc = self.request.POST.get('description')
                     try:
                         ip_list = user_model.parse_ip_range(
                             self.request.POST.get('new_ip'))
                     except Exception as e:
                         ip_list = []
                         log.exception("Exception during ip saving")
                         h.flash(_('An error occurred during ip saving:%s' % (e,)),
                                 category='error')
                     added = []
                     user_data = c.user.get_api_data()
                     for ip in ip_list:
                         try:
                             form = UserExtraIpForm(self.request.translate)()
                             data = form.to_python({'ip': ip})
                             ip = data['ip']
                             user_model.add_extra_ip(c.user.user_id, ip, desc)
                             audit_logger.store_web(
                                 'user.edit.ip.add',
                                 action_data={'ip': ip, 'user': user_data},
                                 user=self._rhodecode_user)
                             Session().commit()
                             added.append(ip)
                         except formencode.Invalid as error:
                             msg = error.error_dict['ip']
                             h.flash(msg, category='error')
                         except Exception:
                             log.exception("Exception during ip saving")
                             h.flash(_('An error occurred during ip saving'),
                                     category='error')
                     if added:
                         h.flash(
                             _("Added ips %s to user whitelist") % (', '.join(ip_list), ),
                             category='success')
                     if 'default_user' in self.request.POST:
                         # case for editing global IP list we do it for 'DEFAULT' user
                         raise HTTPFound(h.route_path('admin_permissions_ips'))
                     raise HTTPFound(h.route_path('edit_user_ips', user_id=user_id))
                 @LoginRequired()
                 @HasPermissionAllDecorator('hg.admin')
                 @CSRFRequired()
                 @view_config(
                     route_name='edit_user_ips_delete', request_method='POST')
                 # NOTE(marcink): this view is allowed for default users, as we can
                 # edit their IP white list
                 def ips_delete(self):
                     _ = self.request.translate
                     c = self.load_default_context()
                     user_id = self.db_user_id
                     c.user = self.db_user
                     ip_id = self.request.POST.get('del_ip_id')
                     user_model = UserModel()
                     user_data = c.user.get_api_data()
                     ip = UserIpMap.query().get(ip_id).ip_addr
                     user_model.delete_extra_ip(c.user.user_id, ip_id)
                     audit_logger.store_web(
                         'user.edit.ip.delete', action_data={'ip': ip, 'user': user_data},
                         user=self._rhodecode_user)
                     Session().commit()
                     h.flash(_("Removed ip address from user whitelist"), category='success')
                     if 'default_user' in self.request.POST:
                         # case for editing global IP list we do it for 'DEFAULT' user
                         raise HTTPFound(h.route_path('admin_permissions_ips'))
                     raise HTTPFound(h.route_path('edit_user_ips', user_id=user_id))
                 @LoginRequired()
                 @HasPermissionAllDecorator('hg.admin')
                 @view_config(
                     route_name='edit_user_groups_management', request_method='GET',
                     renderer='rhodecode:templates/admin/users/user_edit.mako')
                 def groups_management(self):
                     c = self.load_default_context()
                     c.user = self.db_user
                     c.data = c.user.group_member
                     groups = [UserGroupModel.get_user_groups_as_dict(group.users_group)
                               for group in c.user.group_member]
                     c.groups = json.dumps(groups)
                     c.active = 'groups'
                     return self._get_template_context(c)
                 @LoginRequired()
                 @HasPermissionAllDecorator('hg.admin')
                 @CSRFRequired()
                 @view_config(
                     route_name='edit_user_groups_management_updates', request_method='POST')
                 def groups_management_updates(self):
                     _ = self.request.translate
                     c = self.load_default_context()
                     user_id = self.db_user_id
                     c.user = self.db_user
                     user_groups = set(self.request.POST.getall('users_group_id'))
                     user_groups_objects = []
                     for ugid in user_groups:
                         user_groups_objects.append(
                             UserGroupModel().get_group(safe_int(ugid)))
                     user_group_model = UserGroupModel()
                     added_to_groups, removed_from_groups = \
                         user_group_model.change_groups(c.user, user_groups_objects)
                     user_data = c.user.get_api_data()
                     for user_group_id in added_to_groups:
                         user_group = UserGroup.get(user_group_id)
                         old_values = user_group.get_api_data()
                         audit_logger.store_web(
                             'user_group.edit.member.add',
                             action_data={'user': user_data, 'old_data': old_values},
                             user=self._rhodecode_user)
                     for user_group_id in removed_from_groups:
                         user_group = UserGroup.get(user_group_id)
                         old_values = user_group.get_api_data()
                         audit_logger.store_web(
                             'user_group.edit.member.delete',
                             action_data={'user': user_data, 'old_data': old_values},
                             user=self._rhodecode_user)
                     Session().commit()
                     c.active = 'user_groups_management'
                     h.flash(_("Groups successfully changed"), category='success')
                     return HTTPFound(h.route_path(
                         'edit_user_groups_management', user_id=user_id))
                 @LoginRequired()
                 @HasPermissionAllDecorator('hg.admin')
                 @view_config(
                     route_name='edit_user_audit_logs', request_method='GET',
                     renderer='rhodecode:templates/admin/users/user_edit.mako')
                 def user_audit_logs(self):
                     _ = self.request.translate
                     c = self.load_default_context()
                     c.user = self.db_user
                     c.active = 'audit'
                     p = safe_int(self.request.GET.get('page', 1), 1)
                     filter_term = self.request.GET.get('filter')
                     user_log = UserModel().get_user_log(c.user, filter_term)
                     def url_generator(**kw):
                         if filter_term:
                             kw['filter'] = filter_term
                         return self.request.current_route_path(_query=kw)
                     c.audit_logs = h.Page(
                         user_log, page=p, items_per_page=10, url=url_generator)
                     c.filter_term = filter_term
                     return self._get_template_context(c)
                 @LoginRequired()
                 @HasPermissionAllDecorator('hg.admin')
                 @view_config(
                     route_name='edit_user_perms_summary', request_method='GET',
                     renderer='rhodecode:templates/admin/users/user_edit.mako')
                 def user_perms_summary(self):
                     _ = self.request.translate
                     c = self.load_default_context()
                     c.user = self.db_user
                     c.active = 'perms_summary'
                     c.perm_user = c.user.AuthUser(ip_addr=self.request.remote_addr)
                     return self._get_template_context(c)
                 @LoginRequired()
                 @HasPermissionAllDecorator('hg.admin')
                 @view_config(
                     route_name='edit_user_perms_summary_json', request_method='GET',
                     renderer='json_ext')
                 def user_perms_summary_json(self):
                     self.load_default_context()
                     perm_user = self.db_user.AuthUser(ip_addr=self.request.remote_addr)
                     return perm_user.permissions
                 @LoginRequired()
                 @HasPermissionAllDecorator('hg.admin')
                 @view_config(
                     route_name='edit_user_caches', request_method='GET',
                     renderer='rhodecode:templates/admin/users/user_edit.mako')
                 def user_caches(self):
                     _ = self.request.translate
                     c = self.load_default_context()
                     c.user = self.db_user
                     c.active = 'caches'
                     c.perm_user = c.user.AuthUser(ip_addr=self.request.remote_addr)
                     cache_namespace_uid = 'cache_user_auth.{}'.format(self.db_user.user_id)
                     c.region = rc_cache.get_or_create_region('cache_perms', cache_namespace_uid)
                     c.backend = c.region.backend
                     c.user_keys = sorted(c.region.backend.list_keys(prefix=cache_namespace_uid))
                     return self._get_template_context(c)
                 @LoginRequired()
                 @HasPermissionAllDecorator('hg.admin')
                 @CSRFRequired()
                 @view_config(
                     route_name='edit_user_caches_update', request_method='POST')
                 def user_caches_update(self):
                     _ = self.request.translate
                     c = self.load_default_context()
                     c.user = self.db_user
                     c.active = 'caches'
                     c.perm_user = c.user.AuthUser(ip_addr=self.request.remote_addr)
                     cache_namespace_uid = 'cache_user_auth.{}'.format(self.db_user.user_id)
                     del_keys = rc_cache.clear_cache_namespace('cache_perms', cache_namespace_uid)
                     h.flash(_("Deleted {} cache keys").format(del_keys), category='success')
                     return HTTPFound(h.route_path(
                         'edit_user_caches', user_id=c.user.user_id))

rhodecode/apps/repo_group/views/repo_group_permissions.py

0 +2 -15

             # -*- coding: utf-8 -*-
             # Copyright (C) 2011-2019 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import logging
             from pyramid.view import view_config
             from pyramid.httpexceptions import HTTPFound
-            from rhodecode import events
             from rhodecode.apps._base import RepoGroupAppView
             from rhodecode.lib import helpers as h
             from rhodecode.lib import audit_logger
             from rhodecode.lib.auth import (
                 LoginRequired, HasRepoGroupPermissionAnyDecorator, CSRFRequired)
-            from rhodecode.lib.utils2 import safe_int
+            from rhodecode.model.permission import PermissionModel
-            from rhodecode.model.db import UserGroup
             from rhodecode.model.repo_group import RepoGroupModel
             from rhodecode.model.forms import RepoGroupPermsForm
             from rhodecode.model.meta import Session
             log = logging.getLogger(__name__)
             class RepoGroupPermissionsView(RepoGroupAppView):
                 def load_default_context(self):
                     c = self._get_local_tmpl_context()
                     return c
                 @LoginRequired()
                 @HasRepoGroupPermissionAnyDecorator('group.admin')
                 @view_config(
                     route_name='edit_repo_group_perms', request_method='GET',
                     renderer='rhodecode:templates/admin/repo_groups/repo_group_edit.mako')
                 def edit_repo_group_permissions(self):
                     c = self.load_default_context()
                     c.active = 'permissions'
                     c.repo_group = self.db_repo_group
                     return self._get_template_context(c)
                 @LoginRequired()
                 @HasRepoGroupPermissionAnyDecorator('group.admin')
                 @CSRFRequired()
                 @view_config(
                     route_name='edit_repo_group_perms_update', request_method='POST',
                     renderer='rhodecode:templates/admin/repo_groups/repo_group_edit.mako')
                 def edit_repo_groups_permissions_update(self):
                     _ = self.request.translate
                     c = self.load_default_context()
                     c.active = 'perms'
                     c.repo_group = self.db_repo_group
                     valid_recursive_choices = ['none', 'repos', 'groups', 'all']
                     form = RepoGroupPermsForm(self.request.translate, valid_recursive_choices)()\
                         .to_python(self.request.POST)
                     if not c.rhodecode_user.is_admin:
                         if self._revoke_perms_on_yourself(form):
                             msg = _('Cannot change permission for yourself as admin')
                             h.flash(msg, category='warning')
                             raise HTTPFound(
                                 h.route_path('edit_repo_group_perms',
                                              repo_group_name=self.db_repo_group_name))
                     # iterate over all members(if in recursive mode) of this groups and
                     # set the permissions !
                     # this can be potentially heavy operation
                     changes = RepoGroupModel().update_permissions(
                         c.repo_group,
                         form['perm_additions'], form['perm_updates'], form['perm_deletions'],
                         form['recursive'])
                     action_data = {
                         'added': changes['added'],
                         'updated': changes['updated'],
                         'deleted': changes['deleted'],
                     }
                     audit_logger.store_web(
                         'repo_group.edit.permissions', action_data=action_data,
                         user=c.rhodecode_user)
                     Session().commit()
                     h.flash(_('Repository Group permissions updated'), category='success')
+                    PermissionModel().flush_user_permission_caches(changes)
-                    affected_user_ids = []
-                    for change in changes['added'] + changes['updated'] + changes['deleted']:
-                        if change['type'] == 'user':
-                            affected_user_ids.append(change['id'])
-                        if change['type'] == 'user_group':
-                            user_group = UserGroup.get(safe_int(change['id']))
-                            if user_group:
-                                group_members_ids = [x.user_id for x in user_group.members]
-                                affected_user_ids.extend(group_members_ids)
-                    events.trigger(events.UserPermissionsChange(affected_user_ids))
                     raise HTTPFound(
                         h.route_path('edit_repo_group_perms',
                                      repo_group_name=self.db_repo_group_name))

rhodecode/apps/repo_group/views/repo_group_settings.py

0 +2 -1

             # -*- coding: utf-8 -*-
             # Copyright (C) 2011-2019 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import logging
             import deform
             from pyramid.view import view_config
             from pyramid.httpexceptions import HTTPFound
             from rhodecode import events
             from rhodecode.apps._base import RepoGroupAppView
             from rhodecode.forms import RcForm
             from rhodecode.lib import helpers as h
             from rhodecode.lib import audit_logger
             from rhodecode.lib.auth import (
                 LoginRequired, HasPermissionAll,
                 HasRepoGroupPermissionAny, HasRepoGroupPermissionAnyDecorator, CSRFRequired)
             from rhodecode.model.db import Session, RepoGroup, User
+            from rhodecode.model.permission import PermissionModel
             from rhodecode.model.scm import RepoGroupList
             from rhodecode.model.repo_group import RepoGroupModel
             from rhodecode.model.validation_schema.schemas import repo_group_schema
             log = logging.getLogger(__name__)
             class RepoGroupSettingsView(RepoGroupAppView):
                 def load_default_context(self):
                     c = self._get_local_tmpl_context()
                     c.repo_group = self.db_repo_group
                     no_parrent = not c.repo_group.parent_group
                     can_create_in_root = self._can_create_repo_group()
                     show_root_location = False
                     if no_parrent or can_create_in_root:
                         # we're global admin, we're ok and we can create TOP level groups
                         # or in case this group is already at top-level we also allow
                         # creation in root
                         show_root_location = True
                     acl_groups = RepoGroupList(
                         RepoGroup.query().all(),
                         perm_set=['group.admin'])
                     c.repo_groups = RepoGroup.groups_choices(
                         groups=acl_groups,
                         show_empty_group=show_root_location)
                     # filter out current repo group
                     exclude_group_ids = [c.repo_group.group_id]
                     c.repo_groups = filter(lambda x: x[0] not in exclude_group_ids,
                                            c.repo_groups)
                     c.repo_groups_choices = map(lambda k: k[0], c.repo_groups)
                     parent_group = c.repo_group.parent_group
                     add_parent_group = (parent_group and (
                         parent_group.group_id not in c.repo_groups_choices))
                     if add_parent_group:
                         c.repo_groups_choices.append(parent_group.group_id)
                         c.repo_groups.append(RepoGroup._generate_choice(parent_group))
                     return c
                 def _can_create_repo_group(self, parent_group_id=None):
                     is_admin = HasPermissionAll('hg.admin')('group create controller')
                     create_repo_group = HasPermissionAll(
                         'hg.repogroup.create.true')('group create controller')
                     if is_admin or (create_repo_group and not parent_group_id):
                         # we're global admin, or we have global repo group create
                         # permission
                         # we're ok and we can create TOP level groups
                         return True
                     elif parent_group_id:
                         # we check the permission if we can write to parent group
                         group = RepoGroup.get(parent_group_id)
                         group_name = group.group_name if group else None
                         if HasRepoGroupPermissionAny('group.admin')(
                                 group_name, 'check if user is an admin of group'):
                             # we're an admin of passed in group, we're ok.
                             return True
                         else:
                             return False
                     return False
                 def _get_schema(self, c, old_values=None):
                     return repo_group_schema.RepoGroupSettingsSchema().bind(
                         repo_group_repo_group_options=c.repo_groups_choices,
                         repo_group_repo_group_items=c.repo_groups,
                         # user caller
                         user=self._rhodecode_user,
                         old_values=old_values
                     )
                 @LoginRequired()
                 @HasRepoGroupPermissionAnyDecorator('group.admin')
                 @view_config(
                     route_name='edit_repo_group', request_method='GET',
                     renderer='rhodecode:templates/admin/repo_groups/repo_group_edit.mako')
                 def edit_settings(self):
                     c = self.load_default_context()
                     c.active = 'settings'
                     defaults = RepoGroupModel()._get_defaults(self.db_repo_group_name)
                     defaults['repo_group_owner'] = defaults['user']
                     schema = self._get_schema(c)
                     c.form = RcForm(schema, appstruct=defaults)
                     return self._get_template_context(c)
                 @LoginRequired()
                 @HasRepoGroupPermissionAnyDecorator('group.admin')
                 @CSRFRequired()
                 @view_config(
                     route_name='edit_repo_group', request_method='POST',
                     renderer='rhodecode:templates/admin/repo_groups/repo_group_edit.mako')
                 def edit_settings_update(self):
                     _ = self.request.translate
                     c = self.load_default_context()
                     c.active = 'settings'
                     old_repo_group_name = self.db_repo_group_name
                     new_repo_group_name = old_repo_group_name
                     old_values = RepoGroupModel()._get_defaults(self.db_repo_group_name)
                     schema = self._get_schema(c, old_values=old_values)
                     c.form = RcForm(schema)
                     pstruct = self.request.POST.items()
                     try:
                         schema_data = c.form.validate(pstruct)
                     except deform.ValidationFailure as err_form:
                         return self._get_template_context(c)
                     # data is now VALID, proceed with updates
                     # save validated data back into the updates dict
                     validated_updates = dict(
                         group_name=schema_data['repo_group']['repo_group_name_without_group'],
                         group_parent_id=schema_data['repo_group']['repo_group_id'],
                         user=schema_data['repo_group_owner'],
                         group_description=schema_data['repo_group_description'],
                         enable_locking=schema_data['repo_group_enable_locking'],
                     )
                     try:
                         RepoGroupModel().update(self.db_repo_group, validated_updates)
                         audit_logger.store_web(
                             'repo_group.edit', action_data={'old_data': old_values},
                             user=c.rhodecode_user)
                         Session().commit()
                         # use the new full name for redirect once we know we updated
                         # the name on filesystem and in DB
                         new_repo_group_name = schema_data['repo_group']['repo_group_name_with_group']
                         h.flash(_('Repository Group `{}` updated successfully').format(
                             old_repo_group_name), category='success')
                     except Exception:
                         log.exception("Exception during update or repository group")
                         h.flash(_('Error occurred during update of repository group %s')
                                 % old_repo_group_name, category='error')
                     name_changed = old_repo_group_name != new_repo_group_name
                     if name_changed:
                         current_perms = self.db_repo_group.permissions(expand_from_user_groups=True)
                         affected_user_ids = [perm['user_id'] for perm in current_perms]
                         # NOTE(marcink): also add owner maybe it has changed
                         owner = User.get_by_username(schema_data['repo_group_owner'])
                         owner_id = owner.user_id if owner else self._rhodecode_user.user_id
                         affected_user_ids.extend([self._rhodecode_user.user_id, owner_id])
-                        events.trigger(events.UserPermissionsChange(affected_user_ids))
+                        PermissionModel().trigger_permission_flush(affected_user_ids)
                     raise HTTPFound(
                         h.route_path('edit_repo_group', repo_group_name=new_repo_group_name))

rhodecode/apps/repository/views/repo_checks.py

0 +2 -1

             # -*- coding: utf-8 -*-
             # Copyright (C) 2011-2019 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import logging
             from pyramid.view import view_config
             from pyramid.httpexceptions import HTTPFound, HTTPNotFound
             from rhodecode import events
             from rhodecode.apps._base import BaseAppView
             from rhodecode.lib import helpers as h
             from rhodecode.lib.auth import (NotAnonymous, HasRepoPermissionAny)
             from rhodecode.model.db import Repository
+            from rhodecode.model.permission import PermissionModel
             from rhodecode.model.validation_schema.types import RepoNameType
             log = logging.getLogger(__name__)
             class RepoChecksView(BaseAppView):
                 def load_default_context(self):
                     c = self._get_local_tmpl_context()
                     return c
                 @NotAnonymous()
                 @view_config(
                     route_name='repo_creating', request_method='GET',
                     renderer='rhodecode:templates/admin/repos/repo_creating.mako')
                 def repo_creating(self):
                     c = self.load_default_context()
                     repo_name = self.request.matchdict['repo_name']
                     repo_name = RepoNameType().deserialize(None, repo_name)
                     db_repo = Repository.get_by_repo_name(repo_name)
                     # check if maybe repo is already created
                     if db_repo and db_repo.repo_state in [Repository.STATE_CREATED]:
                         self.flush_permissions_on_creation(db_repo)
                         # re-check permissions before redirecting to prevent resource
                         # discovery by checking the 302 code
                         perm_set = ['repository.read', 'repository.write', 'repository.admin']
                         has_perm = HasRepoPermissionAny(*perm_set)(
                             db_repo.repo_name, 'Repo Creating check')
                         if not has_perm:
                             raise HTTPNotFound()
                         raise HTTPFound(h.route_path(
                             'repo_summary', repo_name=db_repo.repo_name))
                     c.task_id = self.request.GET.get('task_id')
                     c.repo_name = repo_name
                     return self._get_template_context(c)
                 @NotAnonymous()
                 @view_config(
                     route_name='repo_creating_check', request_method='GET',
                     renderer='json_ext')
                 def repo_creating_check(self):
                     _ = self.request.translate
                     task_id = self.request.GET.get('task_id')
                     self.load_default_context()
                     repo_name = self.request.matchdict['repo_name']
                     if task_id and task_id not in ['None']:
                         import rhodecode
                         from rhodecode.lib.celerylib.loader import celery_app, exceptions
                         if rhodecode.CELERY_ENABLED:
                             log.debug('celery: checking result for task:%s', task_id)
                             task = celery_app.AsyncResult(task_id)
                             try:
                                 task.get(timeout=10)
                             except exceptions.TimeoutError:
                                 task = None
                             if task and task.failed():
                                 msg = self._log_creation_exception(task.result, repo_name)
                                 h.flash(msg, category='error')
                                 raise HTTPFound(h.route_path('home'), code=501)
                     db_repo = Repository.get_by_repo_name(repo_name)
                     if db_repo and db_repo.repo_state == Repository.STATE_CREATED:
                         if db_repo.clone_uri:
                             clone_uri = db_repo.clone_uri_hidden
                             h.flash(_('Created repository %s from %s')
                                     % (db_repo.repo_name, clone_uri), category='success')
                         else:
                             repo_url = h.link_to(
                                 db_repo.repo_name,
                                 h.route_path('repo_summary', repo_name=db_repo.repo_name))
                             fork = db_repo.fork
                             if fork:
                                 fork_name = fork.repo_name
                                 h.flash(h.literal(_('Forked repository %s as %s')
                                                   % (fork_name, repo_url)), category='success')
                             else:
                                 h.flash(h.literal(_('Created repository %s') % repo_url),
                                         category='success')
                         self.flush_permissions_on_creation(db_repo)
                         return {'result': True}
                     return {'result': False}
                 def flush_permissions_on_creation(self, db_repo):
                     # repo is finished and created, we flush the permissions now
                     user_group_perms = db_repo.permissions(expand_from_user_groups=True)
                     affected_user_ids = [perm['user_id'] for perm in user_group_perms]
-                    events.trigger(events.UserPermissionsChange(affected_user_ids))
+                    PermissionModel().trigger_permission_flush(affected_user_ids)

rhodecode/apps/repository/views/repo_forks.py

0 +2 -1

             # -*- coding: utf-8 -*-
             # Copyright (C) 2011-2019 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import logging
             import datetime
             import formencode
             import formencode.htmlfill
             from pyramid.httpexceptions import HTTPFound
             from pyramid.view import view_config
             from pyramid.renderers import render
             from pyramid.response import Response
             from rhodecode import events
             from rhodecode.apps._base import RepoAppView, DataGridAppView
             from rhodecode.lib.auth import (
                 LoginRequired, HasRepoPermissionAnyDecorator, NotAnonymous,
                 HasRepoPermissionAny, HasPermissionAnyDecorator, CSRFRequired)
             import rhodecode.lib.helpers as h
             from rhodecode.lib.celerylib.utils import get_task_id
             from rhodecode.model.db import coalesce, or_, Repository, RepoGroup
+            from rhodecode.model.permission import PermissionModel
             from rhodecode.model.repo import RepoModel
             from rhodecode.model.forms import RepoForkForm
             from rhodecode.model.scm import ScmModel, RepoGroupList
             from rhodecode.lib.utils2 import safe_int, safe_unicode
             log = logging.getLogger(__name__)
             class RepoForksView(RepoAppView, DataGridAppView):
                 def load_default_context(self):
                     c = self._get_local_tmpl_context(include_app_defaults=True)
                     c.rhodecode_repo = self.rhodecode_vcs_repo
                     acl_groups = RepoGroupList(
                         RepoGroup.query().all(),
                         perm_set=['group.write', 'group.admin'])
                     c.repo_groups = RepoGroup.groups_choices(groups=acl_groups)
                     c.repo_groups_choices = map(lambda k: safe_unicode(k[0]), c.repo_groups)
                     c.personal_repo_group = c.rhodecode_user.personal_repo_group
                     return c
                 @LoginRequired()
                 @HasRepoPermissionAnyDecorator(
                     'repository.read', 'repository.write', 'repository.admin')
                 @view_config(
                     route_name='repo_forks_show_all', request_method='GET',
                     renderer='rhodecode:templates/forks/forks.mako')
                 def repo_forks_show_all(self):
                     c = self.load_default_context()
                     return self._get_template_context(c)
                 @LoginRequired()
                 @HasRepoPermissionAnyDecorator(
                     'repository.read', 'repository.write', 'repository.admin')
                 @view_config(
                     route_name='repo_forks_data', request_method='GET',
                     renderer='json_ext', xhr=True)
                 def repo_forks_data(self):
                     _ = self.request.translate
                     self.load_default_context()
                     column_map = {
                         'fork_name': 'repo_name',
                         'fork_date': 'created_on',
                         'last_activity': 'updated_on'
                     }
                     draw, start, limit = self._extract_chunk(self.request)
                     search_q, order_by, order_dir = self._extract_ordering(
                         self.request, column_map=column_map)
                     acl_check = HasRepoPermissionAny(
                         'repository.read', 'repository.write', 'repository.admin')
                     repo_id = self.db_repo.repo_id
                     allowed_ids = [-1]
                     for f in Repository.query().filter(Repository.fork_id == repo_id):
                         if acl_check(f.repo_name, 'get forks check'):
                             allowed_ids.append(f.repo_id)
                     forks_data_total_count = Repository.query()\
                         .filter(Repository.fork_id == repo_id)\
                         .filter(Repository.repo_id.in_(allowed_ids))\
                         .count()
                     # json generate
                     base_q = Repository.query()\
                         .filter(Repository.fork_id == repo_id)\
                         .filter(Repository.repo_id.in_(allowed_ids))\
                     if search_q:
                         like_expression = u'%{}%'.format(safe_unicode(search_q))
                         base_q = base_q.filter(or_(
                             Repository.repo_name.ilike(like_expression),
                             Repository.description.ilike(like_expression),
                         ))
                     forks_data_total_filtered_count = base_q.count()
                     sort_col = getattr(Repository, order_by, None)
                     if sort_col:
                         if order_dir == 'asc':
                             # handle null values properly to order by NULL last
                             if order_by in ['last_activity']:
                                 sort_col = coalesce(sort_col, datetime.date.max)
                             sort_col = sort_col.asc()
                         else:
                             # handle null values properly to order by NULL last
                             if order_by in ['last_activity']:
                                 sort_col = coalesce(sort_col, datetime.date.min)
                             sort_col = sort_col.desc()
                     base_q = base_q.order_by(sort_col)
                     base_q = base_q.offset(start).limit(limit)
                     fork_list = base_q.all()
                     def fork_actions(fork):
                         url_link = h.route_path(
                             'repo_compare',
                             repo_name=fork.repo_name,
                             source_ref_type=self.db_repo.landing_rev[0],
                             source_ref=self.db_repo.landing_rev[1],
                             target_ref_type=self.db_repo.landing_rev[0],
                             target_ref=self.db_repo.landing_rev[1],
                             _query=dict(merge=1, target_repo=f.repo_name))
                         return h.link_to(_('Compare fork'), url_link, class_='btn-link')
                     def fork_name(fork):
                         return h.link_to(fork.repo_name,
                                   h.route_path('repo_summary', repo_name=fork.repo_name))
                     forks_data = []
                     for fork in fork_list:
                         forks_data.append({
                             "username": h.gravatar_with_user(self.request, fork.user.username),
                             "fork_name": fork_name(fork),
                             "description": fork.description_safe,
                             "fork_date": h.age_component(fork.created_on, time_is_local=True),
                             "last_activity": h.format_date(fork.updated_on),
                             "action": fork_actions(fork),
                         })
                     data = ({
                         'draw': draw,
                         'data': forks_data,
                         'recordsTotal': forks_data_total_count,
                         'recordsFiltered': forks_data_total_filtered_count,
                     })
                     return data
                 @LoginRequired()
                 @NotAnonymous()
                 @HasPermissionAnyDecorator('hg.admin', 'hg.fork.repository')
                 @HasRepoPermissionAnyDecorator(
                     'repository.read', 'repository.write', 'repository.admin')
                 @view_config(
                     route_name='repo_fork_new', request_method='GET',
                     renderer='rhodecode:templates/forks/forks.mako')
                 def repo_fork_new(self):
                     c = self.load_default_context()
                     defaults = RepoModel()._get_defaults(self.db_repo_name)
                     # alter the description to indicate a fork
                     defaults['description'] = (
                         'fork of repository: %s \n%s' % (
                             defaults['repo_name'], defaults['description']))
                     # add suffix to fork
                     defaults['repo_name'] = '%s-fork' % defaults['repo_name']
                     data = render('rhodecode:templates/forks/fork.mako',
                                   self._get_template_context(c), self.request)
                     html = formencode.htmlfill.render(
                         data,
                         defaults=defaults,
                         encoding="UTF-8",
                         force_defaults=False
                     )
                     return Response(html)
                 @LoginRequired()
                 @NotAnonymous()
                 @HasPermissionAnyDecorator('hg.admin', 'hg.fork.repository')
                 @HasRepoPermissionAnyDecorator(
                     'repository.read', 'repository.write', 'repository.admin')
                 @CSRFRequired()
                 @view_config(
                     route_name='repo_fork_create', request_method='POST',
                     renderer='rhodecode:templates/forks/fork.mako')
                 def repo_fork_create(self):
                     _ = self.request.translate
                     c = self.load_default_context()
                     _form = RepoForkForm(self.request.translate,
                                          old_data={'repo_type': self.db_repo.repo_type},
                                          repo_groups=c.repo_groups_choices)()
                     post_data = dict(self.request.POST)
                     # forbid injecting other repo by forging a request
                     post_data['fork_parent_id'] = self.db_repo.repo_id
                     form_result = {}
                     task_id = None
                     try:
                         form_result = _form.to_python(post_data)
                         copy_permissions = form_result.get('copy_permissions')
                         # create fork is done sometimes async on celery, db transaction
                         # management is handled there.
                         task = RepoModel().create_fork(
                             form_result, c.rhodecode_user.user_id)
                         task_id = get_task_id(task)
                     except formencode.Invalid as errors:
                         c.rhodecode_db_repo = self.db_repo
                         data = render('rhodecode:templates/forks/fork.mako',
                                       self._get_template_context(c), self.request)
                         html = formencode.htmlfill.render(
                             data,
                             defaults=errors.value,
                             errors=errors.error_dict or {},
                             prefix_error=False,
                             encoding="UTF-8",
                             force_defaults=False
                         )
                         return Response(html)
                     except Exception:
                         log.exception(
                             u'Exception while trying to fork the repository %s', self.db_repo_name)
                         msg = _('An error occurred during repository forking %s') % (self.db_repo_name, )
                         h.flash(msg, category='error')
                         raise HTTPFound(h.route_path('home'))
                     repo_name = form_result.get('repo_name_full', self.db_repo_name)
                     affected_user_ids = [self._rhodecode_user.user_id]
                     if copy_permissions:
                         # permission flush is done in repo creating
                         pass
-                    events.trigger(events.UserPermissionsChange(affected_user_ids))
+                    PermissionModel().trigger_permission_flush(affected_user_ids)
                     raise HTTPFound(
                         h.route_path('repo_creating', repo_name=repo_name,
                                      _query=dict(task_id=task_id)))

rhodecode/apps/repository/views/repo_permissions.py

0 +2 -14

             # -*- coding: utf-8 -*-
             # Copyright (C) 2011-2019 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import logging
             from pyramid.httpexceptions import HTTPFound
             from pyramid.view import view_config
-            from rhodecode import events
             from rhodecode.apps._base import RepoAppView
             from rhodecode.lib import helpers as h
             from rhodecode.lib import audit_logger
             from rhodecode.lib.auth import (
                 LoginRequired, HasRepoPermissionAnyDecorator, CSRFRequired)
-            from rhodecode.lib.utils2 import safe_int
-            from rhodecode.model.db import UserGroup
             from rhodecode.model.forms import RepoPermsForm
             from rhodecode.model.meta import Session
+            from rhodecode.model.permission import PermissionModel
             from rhodecode.model.repo import RepoModel
             log = logging.getLogger(__name__)
             class RepoSettingsPermissionsView(RepoAppView):
                 def load_default_context(self):
                     c = self._get_local_tmpl_context()
                     return c
                 @LoginRequired()
                 @HasRepoPermissionAnyDecorator('repository.admin')
                 @view_config(
                     route_name='edit_repo_perms', request_method='GET',
                     renderer='rhodecode:templates/admin/repos/repo_edit.mako')
                 def edit_permissions(self):
                     _ = self.request.translate
                     c = self.load_default_context()
                     c.active = 'permissions'
                     if self.request.GET.get('branch_permissions'):
                         h.flash(_('Explicitly add user or user group with write+ '
                                   'permission to modify their branch permissions.'),
                                 category='notice')
                     return self._get_template_context(c)
                 @LoginRequired()
                 @HasRepoPermissionAnyDecorator('repository.admin')
                 @CSRFRequired()
                 @view_config(
                     route_name='edit_repo_perms', request_method='POST',
                     renderer='rhodecode:templates/admin/repos/repo_edit.mako')
                 def edit_permissions_update(self):
                     _ = self.request.translate
                     c = self.load_default_context()
                     c.active = 'permissions'
                     data = self.request.POST
                     # store private flag outside of HTML to verify if we can modify
                     # default user permissions, prevents submission of FAKE post data
                     # into the form for private repos
                     data['repo_private'] = self.db_repo.private
                     form = RepoPermsForm(self.request.translate)().to_python(data)
                     changes = RepoModel().update_permissions(
                         self.db_repo_name, form['perm_additions'], form['perm_updates'],
                         form['perm_deletions'])
                     action_data = {
                         'added': changes['added'],
                         'updated': changes['updated'],
                         'deleted': changes['deleted'],
                     }
                     audit_logger.store_web(
                         'repo.edit.permissions', action_data=action_data,
                         user=self._rhodecode_user, repo=self.db_repo)
                     Session().commit()
                     h.flash(_('Repository permissions updated'), category='success')
-                    affected_user_ids = []
+                    PermissionModel().flush_user_permission_caches(changes)
-                    for change in changes['added'] + changes['updated'] + changes['deleted']:
-                        if change['type'] == 'user':
-                            affected_user_ids.append(change['id'])
-                        if change['type'] == 'user_group':
-                            user_group = UserGroup.get(safe_int(change['id']))
-                            if user_group:
-                                group_members_ids = [x.user_id for x in user_group.members]
-                                affected_user_ids.extend(group_members_ids)
-                    events.trigger(events.UserPermissionsChange(affected_user_ids))
                     raise HTTPFound(
                         h.route_path('edit_repo_perms', repo_name=self.db_repo_name))
                 @LoginRequired()
                 @HasRepoPermissionAnyDecorator('repository.admin')
                 @CSRFRequired()
                 @view_config(
                     route_name='edit_repo_perms_set_private', request_method='POST',
                     renderer='json_ext')
                 def edit_permissions_set_private_repo(self):
                     _ = self.request.translate
                     self.load_default_context()
                     try:
                         RepoModel().update(
                             self.db_repo, **{'repo_private': True, 'repo_name': self.db_repo_name})
                         Session().commit()
                         h.flash(_('Repository `{}` private mode set successfully').format(self.db_repo_name),
                                 category='success')
                     except Exception:
                         log.exception("Exception during update of repository")
                         h.flash(_('Error occurred during update of repository {}').format(
                             self.db_repo_name), category='error')
                     return {
                         'redirect_url': h.route_path('edit_repo_perms', repo_name=self.db_repo_name),
                         'private': True
                     }

rhodecode/apps/repository/views/repo_settings.py

0 +2 -1

             # -*- coding: utf-8 -*-
             # Copyright (C) 2011-2019 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import logging
             import deform
             from pyramid.httpexceptions import HTTPFound
             from pyramid.view import view_config
             from rhodecode import events
             from rhodecode.apps._base import RepoAppView
             from rhodecode.forms import RcForm
             from rhodecode.lib import helpers as h
             from rhodecode.lib import audit_logger
             from rhodecode.lib.auth import (
                 LoginRequired, HasRepoPermissionAnyDecorator, CSRFRequired)
             from rhodecode.model.db import RepositoryField, RepoGroup, Repository, User
             from rhodecode.model.meta import Session
+            from rhodecode.model.permission import PermissionModel
             from rhodecode.model.repo import RepoModel
             from rhodecode.model.scm import RepoGroupList, ScmModel
             from rhodecode.model.validation_schema.schemas import repo_schema
             log = logging.getLogger(__name__)
             class RepoSettingsView(RepoAppView):
                 def load_default_context(self):
                     c = self._get_local_tmpl_context()
                     acl_groups = RepoGroupList(
                         RepoGroup.query().all(),
                         perm_set=['group.write', 'group.admin'])
                     c.repo_groups = RepoGroup.groups_choices(groups=acl_groups)
                     c.repo_groups_choices = map(lambda k: k[0], c.repo_groups)
                     # in case someone no longer have a group.write access to a repository
                     # pre fill the list with this entry, we don't care if this is the same
                     # but it will allow saving repo data properly.
                     repo_group = self.db_repo.group
                     if repo_group and repo_group.group_id not in c.repo_groups_choices:
                         c.repo_groups_choices.append(repo_group.group_id)
                         c.repo_groups.append(RepoGroup._generate_choice(repo_group))
                     if c.repository_requirements_missing or self.rhodecode_vcs_repo is None:
                         # we might be in missing requirement state, so we load things
                         # without touching scm_instance()
                         c.landing_revs_choices, c.landing_revs = \
                             ScmModel().get_repo_landing_revs(self.request.translate)
                     else:
                         c.landing_revs_choices, c.landing_revs = \
                             ScmModel().get_repo_landing_revs(
                                 self.request.translate, self.db_repo)
                     c.personal_repo_group = c.auth_user.personal_repo_group
                     c.repo_fields = RepositoryField.query()\
                         .filter(RepositoryField.repository == self.db_repo).all()
                     return c
                 def _get_schema(self, c, old_values=None):
                     return repo_schema.RepoSettingsSchema().bind(
                         repo_type=self.db_repo.repo_type,
                         repo_type_options=[self.db_repo.repo_type],
                         repo_ref_options=c.landing_revs_choices,
                         repo_ref_items=c.landing_revs,
                         repo_repo_group_options=c.repo_groups_choices,
                         repo_repo_group_items=c.repo_groups,
                         # user caller
                         user=self._rhodecode_user,
                         old_values=old_values
                     )
                 @LoginRequired()
                 @HasRepoPermissionAnyDecorator('repository.admin')
                 @view_config(
                     route_name='edit_repo', request_method='GET',
                     renderer='rhodecode:templates/admin/repos/repo_edit.mako')
                 def edit_settings(self):
                     c = self.load_default_context()
                     c.active = 'settings'
                     defaults = RepoModel()._get_defaults(self.db_repo_name)
                     defaults['repo_owner'] = defaults['user']
                     defaults['repo_landing_commit_ref'] = defaults['repo_landing_rev']
                     schema = self._get_schema(c)
                     c.form = RcForm(schema, appstruct=defaults)
                     return self._get_template_context(c)
                 @LoginRequired()
                 @HasRepoPermissionAnyDecorator('repository.admin')
                 @CSRFRequired()
                 @view_config(
                     route_name='edit_repo', request_method='POST',
                     renderer='rhodecode:templates/admin/repos/repo_edit.mako')
                 def edit_settings_update(self):
                     _ = self.request.translate
                     c = self.load_default_context()
                     c.active = 'settings'
                     old_repo_name = self.db_repo_name
                     old_values = self.db_repo.get_api_data()
                     schema = self._get_schema(c, old_values=old_values)
                     c.form = RcForm(schema)
                     pstruct = self.request.POST.items()
                     pstruct.append(('repo_type', self.db_repo.repo_type))
                     try:
                         schema_data = c.form.validate(pstruct)
                     except deform.ValidationFailure as err_form:
                         return self._get_template_context(c)
                     # data is now VALID, proceed with updates
                     # save validated data back into the updates dict
                     validated_updates = dict(
                         repo_name=schema_data['repo_group']['repo_name_without_group'],
                         repo_group=schema_data['repo_group']['repo_group_id'],
                         user=schema_data['repo_owner'],
                         repo_description=schema_data['repo_description'],
                         repo_private=schema_data['repo_private'],
                         clone_uri=schema_data['repo_clone_uri'],
                         push_uri=schema_data['repo_push_uri'],
                         repo_landing_rev=schema_data['repo_landing_commit_ref'],
                         repo_enable_statistics=schema_data['repo_enable_statistics'],
                         repo_enable_locking=schema_data['repo_enable_locking'],
                         repo_enable_downloads=schema_data['repo_enable_downloads'],
                     )
                     # detect if SYNC URI changed, if we get OLD means we keep old values
                     if schema_data['repo_clone_uri_change'] == 'OLD':
                         validated_updates['clone_uri'] = self.db_repo.clone_uri
                     if schema_data['repo_push_uri_change'] == 'OLD':
                         validated_updates['push_uri'] = self.db_repo.push_uri
                     # use the new full name for redirect
                     new_repo_name = schema_data['repo_group']['repo_name_with_group']
                     # save extra fields into our validated data
                     for key, value in pstruct:
                         if key.startswith(RepositoryField.PREFIX):
                             validated_updates[key] = value
                     try:
                         RepoModel().update(self.db_repo, **validated_updates)
                         ScmModel().mark_for_invalidation(new_repo_name)
                         audit_logger.store_web(
                             'repo.edit', action_data={'old_data': old_values},
                             user=self._rhodecode_user, repo=self.db_repo)
                         Session().commit()
                         h.flash(_('Repository `{}` updated successfully').format(old_repo_name),
                                 category='success')
                     except Exception:
                         log.exception("Exception during update of repository")
                         h.flash(_('Error occurred during update of repository {}').format(
                             old_repo_name), category='error')
                     name_changed = old_repo_name != new_repo_name
                     if name_changed:
                         current_perms = self.db_repo.permissions(expand_from_user_groups=True)
                         affected_user_ids = [perm['user_id'] for perm in current_perms]
                         # NOTE(marcink): also add owner maybe it has changed
                         owner = User.get_by_username(schema_data['repo_owner'])
                         owner_id = owner.user_id if owner else self._rhodecode_user.user_id
                         affected_user_ids.extend([self._rhodecode_user.user_id, owner_id])
-                        events.trigger(events.UserPermissionsChange(affected_user_ids))
+                        PermissionModel().trigger_permission_flush(affected_user_ids)
                     raise HTTPFound(
                         h.route_path('edit_repo', repo_name=new_repo_name))
                 @LoginRequired()
                 @HasRepoPermissionAnyDecorator('repository.write', 'repository.admin')
                 @view_config(
                     route_name='repo_edit_toggle_locking', request_method='GET',
                     renderer='rhodecode:templates/admin/repos/repo_edit.mako')
                 def toggle_locking(self):
                     """
                     Toggle locking of repository by simple GET call to url
                     """
                     _ = self.request.translate
                     repo = self.db_repo
                     try:
                         if repo.enable_locking:
                             if repo.locked[0]:
                                 Repository.unlock(repo)
                                 action = _('Unlocked')
                             else:
                                 Repository.lock(
                                     repo, self._rhodecode_user.user_id,
                                     lock_reason=Repository.LOCK_WEB)
                                 action = _('Locked')
                             h.flash(_('Repository has been %s') % action,
                                     category='success')
                     except Exception:
                         log.exception("Exception during unlocking")
                         h.flash(_('An error occurred during unlocking'),
                                 category='error')
                     raise HTTPFound(
                         h.route_path('repo_summary', repo_name=self.db_repo_name))
                 @LoginRequired()
                 @HasRepoPermissionAnyDecorator('repository.admin')
                 @view_config(
                     route_name='edit_repo_statistics', request_method='GET',
                     renderer='rhodecode:templates/admin/repos/repo_edit.mako')
                 def edit_statistics_form(self):
                     c = self.load_default_context()
                     if self.db_repo.stats:
                         # this is on what revision we ended up so we add +1 for count
                         last_rev = self.db_repo.stats.stat_on_revision + 1
                     else:
                         last_rev = 0
                     c.active = 'statistics'
                     c.stats_revision = last_rev
                     c.repo_last_rev = self.rhodecode_vcs_repo.count()
                     if last_rev == 0 or c.repo_last_rev == 0:
                         c.stats_percentage = 0
                     else:
                         c.stats_percentage = '%.2f' % (
                         (float((last_rev)) / c.repo_last_rev) * 100)
                     return self._get_template_context(c)
                 @LoginRequired()
                 @HasRepoPermissionAnyDecorator('repository.admin')
                 @CSRFRequired()
                 @view_config(
                     route_name='edit_repo_statistics_reset', request_method='POST',
                     renderer='rhodecode:templates/admin/repos/repo_edit.mako')
                 def repo_statistics_reset(self):
                     _ = self.request.translate
                     try:
                         RepoModel().delete_stats(self.db_repo_name)
                         Session().commit()
                     except Exception:
                         log.exception('Edit statistics failure')
                         h.flash(_('An error occurred during deletion of repository stats'),
                                 category='error')
                     raise HTTPFound(
                         h.route_path('edit_repo_statistics', repo_name=self.db_repo_name))

rhodecode/apps/repository/views/repo_settings_advanced.py

0 +2 -1

             # -*- coding: utf-8 -*-
             # Copyright (C) 2011-2019 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import logging
             from pyramid.view import view_config
             from pyramid.httpexceptions import HTTPFound
             from rhodecode import events
             from rhodecode.apps._base import RepoAppView
             from rhodecode.lib import helpers as h
             from rhodecode.lib import audit_logger
             from rhodecode.lib.auth import (
                 LoginRequired, HasRepoPermissionAnyDecorator, CSRFRequired,
                 HasRepoPermissionAny)
             from rhodecode.lib.exceptions import AttachedForksError, AttachedPullRequestsError
             from rhodecode.lib.utils2 import safe_int
             from rhodecode.lib.vcs import RepositoryError
             from rhodecode.model.db import Session, UserFollowing, User, Repository
+            from rhodecode.model.permission import PermissionModel
             from rhodecode.model.repo import RepoModel
             from rhodecode.model.scm import ScmModel
             log = logging.getLogger(__name__)
             class RepoSettingsView(RepoAppView):
                 def load_default_context(self):
                     c = self._get_local_tmpl_context()
                     return c
                 def _get_users_with_permissions(self):
                     user_permissions = {}
                     for perm in self.db_repo.permissions():
                         user_permissions[perm.user_id] = perm
                     return user_permissions
                 @LoginRequired()
                 @HasRepoPermissionAnyDecorator('repository.admin')
                 @view_config(
                     route_name='edit_repo_advanced', request_method='GET',
                     renderer='rhodecode:templates/admin/repos/repo_edit.mako')
                 def edit_advanced(self):
                     c = self.load_default_context()
                     c.active = 'advanced'
                     c.default_user_id = User.get_default_user().user_id
                     c.in_public_journal = UserFollowing.query() \
                         .filter(UserFollowing.user_id == c.default_user_id) \
                         .filter(UserFollowing.follows_repository == self.db_repo).scalar()
                     c.ver_info_dict = self.rhodecode_vcs_repo.get_hooks_info()
                     return self._get_template_context(c)
                 @LoginRequired()
                 @HasRepoPermissionAnyDecorator('repository.admin')
                 @CSRFRequired()
                 @view_config(
                     route_name='edit_repo_advanced_archive', request_method='POST',
                     renderer='rhodecode:templates/admin/repos/repo_edit.mako')
                 def edit_advanced_archive(self):
                     """
                     Archives the repository. It will become read-only, and not visible in search
                     or other queries. But still visible for super-admins.
                     """
                     _ = self.request.translate
                     try:
                         old_data = self.db_repo.get_api_data()
                         RepoModel().archive(self.db_repo)
                         repo = audit_logger.RepoWrap(repo_id=None, repo_name=self.db_repo.repo_name)
                         audit_logger.store_web(
                             'repo.archive', action_data={'old_data': old_data},
                             user=self._rhodecode_user, repo=repo)
                         ScmModel().mark_for_invalidation(self.db_repo_name, delete=True)
                         h.flash(
                             _('Archived repository `%s`') % self.db_repo_name,
                             category='success')
                         Session().commit()
                     except Exception:
                         log.exception("Exception during archiving of repository")
                         h.flash(_('An error occurred during archiving of `%s`')
                                 % self.db_repo_name, category='error')
                         # redirect to advanced for more deletion options
                         raise HTTPFound(
                             h.route_path('edit_repo_advanced', repo_name=self.db_repo_name,
                                          _anchor='advanced-archive'))
                     # flush permissions for all users defined in permissions
                     affected_user_ids = self._get_users_with_permissions().keys()
-                    events.trigger(events.UserPermissionsChange(affected_user_ids))
+                    PermissionModel().trigger_permission_flush(affected_user_ids)
                     raise HTTPFound(h.route_path('home'))
                 @LoginRequired()
                 @HasRepoPermissionAnyDecorator('repository.admin')
                 @CSRFRequired()
                 @view_config(
                     route_name='edit_repo_advanced_delete', request_method='POST',
                     renderer='rhodecode:templates/admin/repos/repo_edit.mako')
                 def edit_advanced_delete(self):
                     """
                     Deletes the repository, or shows warnings if deletion is not possible
                     because of attached forks or other errors.
                     """
                     _ = self.request.translate
                     handle_forks = self.request.POST.get('forks', None)
                     if handle_forks == 'detach_forks':
                         handle_forks = 'detach'
                     elif handle_forks == 'delete_forks':
                         handle_forks = 'delete'
                     try:
                         old_data = self.db_repo.get_api_data()
                         RepoModel().delete(self.db_repo, forks=handle_forks)
                         _forks = self.db_repo.forks.count()
                         if _forks and handle_forks:
                             if handle_forks == 'detach_forks':
                                 h.flash(_('Detached %s forks') % _forks, category='success')
                             elif handle_forks == 'delete_forks':
                                 h.flash(_('Deleted %s forks') % _forks, category='success')
                         repo = audit_logger.RepoWrap(repo_id=None, repo_name=self.db_repo.repo_name)
                         audit_logger.store_web(
                             'repo.delete', action_data={'old_data': old_data},
                             user=self._rhodecode_user, repo=repo)
                         ScmModel().mark_for_invalidation(self.db_repo_name, delete=True)
                         h.flash(
                             _('Deleted repository `%s`') % self.db_repo_name,
                             category='success')
                         Session().commit()
                     except AttachedForksError:
                         repo_advanced_url = h.route_path(
                             'edit_repo_advanced', repo_name=self.db_repo_name,
                             _anchor='advanced-delete')
                         delete_anchor = h.link_to(_('detach or delete'), repo_advanced_url)
                         h.flash(_('Cannot delete `{repo}` it still contains attached forks. '
                                   'Try using {delete_or_detach} option.')
                                 .format(repo=self.db_repo_name, delete_or_detach=delete_anchor),
                                 category='warning')
                         # redirect to advanced for forks handle action ?
                         raise HTTPFound(repo_advanced_url)
                     except AttachedPullRequestsError:
                         repo_advanced_url = h.route_path(
                             'edit_repo_advanced', repo_name=self.db_repo_name,
                             _anchor='advanced-delete')
                         attached_prs = len(self.db_repo.pull_requests_source +
                                            self.db_repo.pull_requests_target)
                         h.flash(
                             _('Cannot delete `{repo}` it still contains {num} attached pull requests. '
                               'Consider archiving the repository instead.').format(
                                 repo=self.db_repo_name, num=attached_prs), category='warning')
                         # redirect to advanced for forks handle action ?
                         raise HTTPFound(repo_advanced_url)
                     except Exception:
                         log.exception("Exception during deletion of repository")
                         h.flash(_('An error occurred during deletion of `%s`')
                                 % self.db_repo_name, category='error')
                         # redirect to advanced for more deletion options
                         raise HTTPFound(
                             h.route_path('edit_repo_advanced', repo_name=self.db_repo_name,
                                          _anchor='advanced-delete'))
                     raise HTTPFound(h.route_path('home'))
                 @LoginRequired()
                 @HasRepoPermissionAnyDecorator('repository.admin')
                 @CSRFRequired()
                 @view_config(
                     route_name='edit_repo_advanced_journal', request_method='POST',
                     renderer='rhodecode:templates/admin/repos/repo_edit.mako')
                 def edit_advanced_journal(self):
                     """
                     Set's this repository to be visible in public journal,
                     in other words making default user to follow this repo
                     """
                     _ = self.request.translate
                     try:
                         user_id = User.get_default_user().user_id
                         ScmModel().toggle_following_repo(self.db_repo.repo_id, user_id)
                         h.flash(_('Updated repository visibility in public journal'),
                                 category='success')
                         Session().commit()
                     except Exception:
                         h.flash(_('An error occurred during setting this '
                                   'repository in public journal'),
                                 category='error')
                     raise HTTPFound(
                         h.route_path('edit_repo_advanced', repo_name=self.db_repo_name))
                 @LoginRequired()
                 @HasRepoPermissionAnyDecorator('repository.admin')
                 @CSRFRequired()
                 @view_config(
                     route_name='edit_repo_advanced_fork', request_method='POST',
                     renderer='rhodecode:templates/admin/repos/repo_edit.mako')
                 def edit_advanced_fork(self):
                     """
                     Mark given repository as a fork of another
                     """
                     _ = self.request.translate
                     new_fork_id = safe_int(self.request.POST.get('id_fork_of'))
                     # valid repo, re-check permissions
                     if new_fork_id:
                         repo = Repository.get(new_fork_id)
                         # ensure we have at least read access to the repo we mark
                         perm_check = HasRepoPermissionAny(
                             'repository.read', 'repository.write', 'repository.admin')
                         if repo and perm_check(repo_name=repo.repo_name):
                             new_fork_id = repo.repo_id
                         else:
                             new_fork_id = None
                     try:
                         repo = ScmModel().mark_as_fork(
                             self.db_repo_name, new_fork_id, self._rhodecode_user.user_id)
                         fork = repo.fork.repo_name if repo.fork else _('Nothing')
                         Session().commit()
                         h.flash(
                             _('Marked repo %s as fork of %s') % (self.db_repo_name, fork),
                             category='success')
                     except RepositoryError as e:
                         log.exception("Repository Error occurred")
                         h.flash(str(e), category='error')
                     except Exception:
                         log.exception("Exception while editing fork")
                         h.flash(_('An error occurred during this operation'),
                                 category='error')
                     raise HTTPFound(
                         h.route_path('edit_repo_advanced', repo_name=self.db_repo_name))
                 @LoginRequired()
                 @HasRepoPermissionAnyDecorator('repository.admin')
                 @CSRFRequired()
                 @view_config(
                     route_name='edit_repo_advanced_locking', request_method='POST',
                     renderer='rhodecode:templates/admin/repos/repo_edit.mako')
                 def edit_advanced_locking(self):
                     """
                     Toggle locking of repository
                     """
                     _ = self.request.translate
                     set_lock = self.request.POST.get('set_lock')
                     set_unlock = self.request.POST.get('set_unlock')
                     try:
                         if set_lock:
                             Repository.lock(self.db_repo, self._rhodecode_user.user_id,
                                             lock_reason=Repository.LOCK_WEB)
                             h.flash(_('Locked repository'), category='success')
                         elif set_unlock:
                             Repository.unlock(self.db_repo)
                             h.flash(_('Unlocked repository'), category='success')
                     except Exception as e:
                         log.exception("Exception during unlocking")
                         h.flash(_('An error occurred during unlocking'), category='error')
                     raise HTTPFound(
                         h.route_path('edit_repo_advanced', repo_name=self.db_repo_name))
                 @LoginRequired()
                 @HasRepoPermissionAnyDecorator('repository.admin')
                 @view_config(
                     route_name='edit_repo_advanced_hooks', request_method='GET',
                     renderer='rhodecode:templates/admin/repos/repo_edit.mako')
                 def edit_advanced_install_hooks(self):
                     """
                     Install Hooks for repository
                     """
                     _ = self.request.translate
                     self.load_default_context()
                     self.rhodecode_vcs_repo.install_hooks(force=True)
                     h.flash(_('installed updated hooks into this repository'),
                             category='success')
                     raise HTTPFound(
                         h.route_path('edit_repo_advanced', repo_name=self.db_repo_name))

rhodecode/apps/user_group/views/__init__.py

0 +2 -2

             # -*- coding: utf-8 -*-
             # Copyright (C) 2016-2019 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import logging
             import peppercorn
             import formencode
             import formencode.htmlfill
             from pyramid.httpexceptions import HTTPFound
             from pyramid.view import view_config
             from pyramid.response import Response
             from pyramid.renderers import render
             from rhodecode import events
             from rhodecode.lib.exceptions import (
                 RepoGroupAssignmentError, UserGroupAssignedException)
             from rhodecode.model.forms import (
                 UserGroupPermsForm, UserGroupForm, UserIndividualPermissionsForm,
                 UserPermissionsForm)
             from rhodecode.model.permission import PermissionModel
             from rhodecode.apps._base import UserGroupAppView
             from rhodecode.lib.auth import (
                 LoginRequired, HasUserGroupPermissionAnyDecorator, CSRFRequired)
             from rhodecode.lib import helpers as h, audit_logger
             from rhodecode.lib.utils2 import str2bool, safe_int
             from rhodecode.model.db import User, UserGroup
             from rhodecode.model.meta import Session
             from rhodecode.model.user_group import UserGroupModel
             log = logging.getLogger(__name__)
             class UserGroupsView(UserGroupAppView):
                 def load_default_context(self):
                     c = self._get_local_tmpl_context()
                     PermissionModel().set_global_permission_choices(
                         c, gettext_translator=self.request.translate)
                     return c
                 @LoginRequired()
                 @HasUserGroupPermissionAnyDecorator('usergroup.admin')
                 @view_config(
                     route_name='user_group_members_data', request_method='GET',
                     renderer='json_ext', xhr=True)
                 def user_group_members(self):
                     """
                     Return members of given user group
                     """
                     self.load_default_context()
                     user_group = self.db_user_group
                     group_members_obj = sorted((x.user for x in user_group.members),
                                                key=lambda u: u.username.lower())
                     group_members = [
                         {
                             'id': user.user_id,
                             'first_name': user.first_name,
                             'last_name': user.last_name,
                             'username': user.username,
                             'icon_link': h.gravatar_url(user.email, 30),
                             'value_display': h.person(user.email),
                             'value': user.username,
                             'value_type': 'user',
                             'active': user.active,
                         }
                         for user in group_members_obj
                     ]
                     return {
                         'members': group_members
                     }
                 @LoginRequired()
                 @HasUserGroupPermissionAnyDecorator('usergroup.admin')
                 @view_config(
                     route_name='edit_user_group_perms_summary', request_method='GET',
                     renderer='rhodecode:templates/admin/user_groups/user_group_edit.mako')
                 def user_group_perms_summary(self):
                     c = self.load_default_context()
                     c.user_group = self.db_user_group
                     c.active = 'perms_summary'
                     c.permissions = UserGroupModel().get_perms_summary(
                         c.user_group.users_group_id)
                     return self._get_template_context(c)
                 @LoginRequired()
                 @HasUserGroupPermissionAnyDecorator('usergroup.admin')
                 @view_config(
                     route_name='edit_user_group_perms_summary_json', request_method='GET',
                     renderer='json_ext')
                 def user_group_perms_summary_json(self):
                     self.load_default_context()
                     user_group = self.db_user_group
                     return UserGroupModel().get_perms_summary(user_group.users_group_id)
                 def _revoke_perms_on_yourself(self, form_result):
                     _updates = filter(lambda u: self._rhodecode_user.user_id == int(u[0]),
                                       form_result['perm_updates'])
                     _additions = filter(lambda u: self._rhodecode_user.user_id == int(u[0]),
                                         form_result['perm_additions'])
                     _deletions = filter(lambda u: self._rhodecode_user.user_id == int(u[0]),
                                         form_result['perm_deletions'])
                     admin_perm = 'usergroup.admin'
                     if _updates   and _updates[0][1]   != admin_perm or \
                        _additions and _additions[0][1] != admin_perm or \
                        _deletions and _deletions[0][1] != admin_perm:
                         return True
                     return False
                 @LoginRequired()
                 @HasUserGroupPermissionAnyDecorator('usergroup.admin')
                 @CSRFRequired()
                 @view_config(
                     route_name='user_groups_update', request_method='POST',
                     renderer='rhodecode:templates/admin/user_groups/user_group_edit.mako')
                 def user_group_update(self):
                     _ = self.request.translate
                     user_group = self.db_user_group
                     user_group_id = user_group.users_group_id
                     old_user_group_name = self.db_user_group_name
                     new_user_group_name = old_user_group_name
                     c = self.load_default_context()
                     c.user_group = user_group
                     c.group_members_obj = [x.user for x in c.user_group.members]
                     c.group_members_obj.sort(key=lambda u: u.username.lower())
                     c.group_members = [(x.user_id, x.username) for x in c.group_members_obj]
                     c.active = 'settings'
                     users_group_form = UserGroupForm(
                         self.request.translate, edit=True,
                         old_data=c.user_group.get_dict(), allow_disabled=True)()
                     old_values = c.user_group.get_api_data()
                     try:
                         form_result = users_group_form.to_python(self.request.POST)
                         pstruct = peppercorn.parse(self.request.POST.items())
                         form_result['users_group_members'] = pstruct['user_group_members']
                         user_group, added_members, removed_members = \
                             UserGroupModel().update(c.user_group, form_result)
                         new_user_group_name = form_result['users_group_name']
                         for user_id in added_members:
                             user = User.get(user_id)
                             user_data = user.get_api_data()
                             audit_logger.store_web(
                                 'user_group.edit.member.add',
                                 action_data={'user': user_data, 'old_data': old_values},
                                 user=self._rhodecode_user)
                         for user_id in removed_members:
                             user = User.get(user_id)
                             user_data = user.get_api_data()
                             audit_logger.store_web(
                                 'user_group.edit.member.delete',
                                 action_data={'user': user_data, 'old_data': old_values},
                                 user=self._rhodecode_user)
                         audit_logger.store_web(
                             'user_group.edit', action_data={'old_data': old_values},
                             user=self._rhodecode_user)
                         h.flash(_('Updated user group %s') % new_user_group_name,
                                 category='success')
                         affected_user_ids = []
                         for user_id in added_members + removed_members:
                             affected_user_ids.append(user_id)
                         name_changed = old_user_group_name != new_user_group_name
                         if name_changed:
                             owner = User.get_by_username(form_result['user'])
                             owner_id = owner.user_id if owner else self._rhodecode_user.user_id
                             affected_user_ids.append(self._rhodecode_user.user_id)
                             affected_user_ids.append(owner_id)
-                        events.trigger(events.UserPermissionsChange(affected_user_ids))
+                        PermissionModel().trigger_permission_flush(affected_user_ids)
                         Session().commit()
                     except formencode.Invalid as errors:
                         defaults = errors.value
                         e = errors.error_dict or {}
                         data = render(
                             'rhodecode:templates/admin/user_groups/user_group_edit.mako',
                             self._get_template_context(c), self.request)
                         html = formencode.htmlfill.render(
                             data,
                             defaults=defaults,
                             errors=e,
                             prefix_error=False,
                             encoding="UTF-8",
                             force_defaults=False
                         )
                         return Response(html)
                     except Exception:
                         log.exception("Exception during update of user group")
                         h.flash(_('Error occurred during update of user group %s')
                                 % new_user_group_name, category='error')
                     raise HTTPFound(
                         h.route_path('edit_user_group', user_group_id=user_group_id))
                 @LoginRequired()
                 @HasUserGroupPermissionAnyDecorator('usergroup.admin')
                 @CSRFRequired()
                 @view_config(
                     route_name='user_groups_delete', request_method='POST',
                     renderer='rhodecode:templates/admin/user_groups/user_group_edit.mako')
                 def user_group_delete(self):
                     _ = self.request.translate
                     user_group = self.db_user_group
                     self.load_default_context()
                     force = str2bool(self.request.POST.get('force'))
                     old_values = user_group.get_api_data()
                     try:
                         UserGroupModel().delete(user_group, force=force)
                         audit_logger.store_web(
                             'user.delete', action_data={'old_data': old_values},
                             user=self._rhodecode_user)
                         Session().commit()
                         h.flash(_('Successfully deleted user group'), category='success')
                     except UserGroupAssignedException as e:
                         h.flash(str(e), category='error')
                     except Exception:
                         log.exception("Exception during deletion of user group")
                         h.flash(_('An error occurred during deletion of user group'),
                                 category='error')
                     raise HTTPFound(h.route_path('user_groups'))
                 @LoginRequired()
                 @HasUserGroupPermissionAnyDecorator('usergroup.admin')
                 @view_config(
                     route_name='edit_user_group', request_method='GET',
                     renderer='rhodecode:templates/admin/user_groups/user_group_edit.mako')
                 def user_group_edit(self):
                     user_group = self.db_user_group
                     c = self.load_default_context()
                     c.user_group = user_group
                     c.group_members_obj = [x.user for x in c.user_group.members]
                     c.group_members_obj.sort(key=lambda u: u.username.lower())
                     c.group_members = [(x.user_id, x.username) for x in c.group_members_obj]
                     c.active = 'settings'
                     defaults = user_group.get_dict()
                     # fill owner
                     if user_group.user:
                         defaults.update({'user': user_group.user.username})
                     else:
                         replacement_user = User.get_first_super_admin().username
                         defaults.update({'user': replacement_user})
                     data = render(
                         'rhodecode:templates/admin/user_groups/user_group_edit.mako',
                         self._get_template_context(c), self.request)
                     html = formencode.htmlfill.render(
                         data,
                         defaults=defaults,
                         encoding="UTF-8",
                         force_defaults=False
                     )
                     return Response(html)
                 @LoginRequired()
                 @HasUserGroupPermissionAnyDecorator('usergroup.admin')
                 @view_config(
                     route_name='edit_user_group_perms', request_method='GET',
                     renderer='rhodecode:templates/admin/user_groups/user_group_edit.mako')
                 def user_group_edit_perms(self):
                     user_group = self.db_user_group
                     c = self.load_default_context()
                     c.user_group = user_group
                     c.active = 'perms'
                     defaults = {}
                     # fill user group users
                     for p in c.user_group.user_user_group_to_perm:
                         defaults.update({'u_perm_%s' % p.user.user_id:
                                          p.permission.permission_name})
                     for p in c.user_group.user_group_user_group_to_perm:
                         defaults.update({'g_perm_%s' % p.user_group.users_group_id:
                                          p.permission.permission_name})
                     data = render(
                         'rhodecode:templates/admin/user_groups/user_group_edit.mako',
                         self._get_template_context(c), self.request)
                     html = formencode.htmlfill.render(
                         data,
                         defaults=defaults,
                         encoding="UTF-8",
                         force_defaults=False
                     )
                     return Response(html)
                 @LoginRequired()
                 @HasUserGroupPermissionAnyDecorator('usergroup.admin')
                 @CSRFRequired()
                 @view_config(
                     route_name='edit_user_group_perms_update', request_method='POST',
                     renderer='rhodecode:templates/admin/user_groups/user_group_edit.mako')
                 def user_group_update_perms(self):
                     """
                     grant permission for given user group
                     """
                     _ = self.request.translate
                     user_group = self.db_user_group
                     user_group_id = user_group.users_group_id
                     c = self.load_default_context()
                     c.user_group = user_group
                     form = UserGroupPermsForm(self.request.translate)().to_python(self.request.POST)
                     if not self._rhodecode_user.is_admin:
                         if self._revoke_perms_on_yourself(form):
                             msg = _('Cannot change permission for yourself as admin')
                             h.flash(msg, category='warning')
                             raise HTTPFound(
                                 h.route_path('edit_user_group_perms',
                                              user_group_id=user_group_id))
                     try:
                         changes = UserGroupModel().update_permissions(
                             user_group,
                             form['perm_additions'], form['perm_updates'],
                             form['perm_deletions'])
                     except RepoGroupAssignmentError:
                         h.flash(_('Target group cannot be the same'), category='error')
                         raise HTTPFound(
                             h.route_path('edit_user_group_perms',
                                          user_group_id=user_group_id))
                     action_data = {
                         'added': changes['added'],
                         'updated': changes['updated'],
                         'deleted': changes['deleted'],
                     }
                     audit_logger.store_web(
                         'user_group.edit.permissions', action_data=action_data,
                         user=self._rhodecode_user)
                     Session().commit()
                     h.flash(_('User Group permissions updated'), category='success')
                     affected_user_ids = []
                     for change in changes['added'] + changes['updated'] + changes['deleted']:
                         if change['type'] == 'user':
                             affected_user_ids.append(change['id'])
                         if change['type'] == 'user_group':
                             user_group = UserGroup.get(safe_int(change['id']))
                             if user_group:
                                 group_members_ids = [x.user_id for x in user_group.members]
                                 affected_user_ids.extend(group_members_ids)
-                    events.trigger(events.UserPermissionsChange(affected_user_ids))
+                    PermissionModel().trigger_permission_flush(affected_user_ids)
                     raise HTTPFound(
                         h.route_path('edit_user_group_perms', user_group_id=user_group_id))
                 @LoginRequired()
                 @HasUserGroupPermissionAnyDecorator('usergroup.admin')
                 @view_config(
                     route_name='edit_user_group_global_perms', request_method='GET',
                     renderer='rhodecode:templates/admin/user_groups/user_group_edit.mako')
                 def user_group_global_perms_edit(self):
                     user_group = self.db_user_group
                     c = self.load_default_context()
                     c.user_group = user_group
                     c.active = 'global_perms'
                     c.default_user = User.get_default_user()
                     defaults = c.user_group.get_dict()
                     defaults.update(c.default_user.get_default_perms(suffix='_inherited'))
                     defaults.update(c.user_group.get_default_perms())
                     data = render(
                         'rhodecode:templates/admin/user_groups/user_group_edit.mako',
                         self._get_template_context(c), self.request)
                     html = formencode.htmlfill.render(
                         data,
                         defaults=defaults,
                         encoding="UTF-8",
                         force_defaults=False
                     )
                     return Response(html)
                 @LoginRequired()
                 @HasUserGroupPermissionAnyDecorator('usergroup.admin')
                 @CSRFRequired()
                 @view_config(
                     route_name='edit_user_group_global_perms_update', request_method='POST',
                     renderer='rhodecode:templates/admin/user_groups/user_group_edit.mako')
                 def user_group_global_perms_update(self):
                     _ = self.request.translate
                     user_group = self.db_user_group
                     user_group_id = self.db_user_group.users_group_id
                     c = self.load_default_context()
                     c.user_group = user_group
                     c.active = 'global_perms'
                     try:
                         # first stage that verifies the checkbox
                         _form = UserIndividualPermissionsForm(self.request.translate)
                         form_result = _form.to_python(dict(self.request.POST))
                         inherit_perms = form_result['inherit_default_permissions']
                         user_group.inherit_default_permissions = inherit_perms
                         Session().add(user_group)
                         if not inherit_perms:
                             # only update the individual ones if we un check the flag
                             _form = UserPermissionsForm(
                                 self.request.translate,
                                 [x[0] for x in c.repo_create_choices],
                                 [x[0] for x in c.repo_create_on_write_choices],
                                 [x[0] for x in c.repo_group_create_choices],
                                 [x[0] for x in c.user_group_create_choices],
                                 [x[0] for x in c.fork_choices],
                                 [x[0] for x in c.inherit_default_permission_choices])()
                             form_result = _form.to_python(dict(self.request.POST))
                             form_result.update(
                                 {'perm_user_group_id': user_group.users_group_id})
                             PermissionModel().update_user_group_permissions(form_result)
                         Session().commit()
                         h.flash(_('User Group global permissions updated successfully'),
                                 category='success')
                     except formencode.Invalid as errors:
                         defaults = errors.value
                         data = render(
                             'rhodecode:templates/admin/user_groups/user_group_edit.mako',
                             self._get_template_context(c), self.request)
                         html = formencode.htmlfill.render(
                             data,
                             defaults=defaults,
                             errors=errors.error_dict or {},
                             prefix_error=False,
                             encoding="UTF-8",
                             force_defaults=False
                         )
                         return Response(html)
                     except Exception:
                         log.exception("Exception during permissions saving")
                         h.flash(_('An error occurred during permissions saving'),
                                 category='error')
                     raise HTTPFound(
                         h.route_path('edit_user_group_global_perms',
                                      user_group_id=user_group_id))
                 @LoginRequired()
                 @HasUserGroupPermissionAnyDecorator('usergroup.admin')
                 @view_config(
                     route_name='edit_user_group_advanced', request_method='GET',
                     renderer='rhodecode:templates/admin/user_groups/user_group_edit.mako')
                 def user_group_edit_advanced(self):
                     user_group = self.db_user_group
                     c = self.load_default_context()
                     c.user_group = user_group
                     c.active = 'advanced'
                     c.group_members_obj = sorted(
                         (x.user for x in c.user_group.members),
                         key=lambda u: u.username.lower())
                     c.group_to_repos = sorted(
                         (x.repository for x in c.user_group.users_group_repo_to_perm),
                         key=lambda u: u.repo_name.lower())
                     c.group_to_repo_groups = sorted(
                         (x.group for x in c.user_group.users_group_repo_group_to_perm),
                         key=lambda u: u.group_name.lower())
                     c.group_to_review_rules = sorted(
                         (x.users_group for x in c.user_group.user_group_review_rules),
                         key=lambda u: u.users_group_name.lower())
                     return self._get_template_context(c)
                 @LoginRequired()
                 @HasUserGroupPermissionAnyDecorator('usergroup.admin')
                 @CSRFRequired()
                 @view_config(
                     route_name='edit_user_group_advanced_sync', request_method='POST',
                     renderer='rhodecode:templates/admin/user_groups/user_group_edit.mako')
                 def user_group_edit_advanced_set_synchronization(self):
                     _ = self.request.translate
                     user_group = self.db_user_group
                     user_group_id = user_group.users_group_id
                     existing = user_group.group_data.get('extern_type')
                     if existing:
                         new_state = user_group.group_data
                         new_state['extern_type'] = None
                     else:
                         new_state = user_group.group_data
                         new_state['extern_type'] = 'manual'
                         new_state['extern_type_set_by'] = self._rhodecode_user.username
                     try:
                         user_group.group_data = new_state
                         Session().add(user_group)
                         Session().commit()
                         h.flash(_('User Group synchronization updated successfully'),
                                 category='success')
                     except Exception:
                         log.exception("Exception during sync settings saving")
                         h.flash(_('An error occurred during synchronization update'),
                                 category='error')
                     raise HTTPFound(
                         h.route_path('edit_user_group_advanced',
                                      user_group_id=user_group_id))

rhodecode/model/permission.py

0 +19 0

             # -*- coding: utf-8 -*-
             # Copyright (C) 2010-2019 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             """
             permissions model for RhodeCode
             """
             import logging
             import traceback
             from sqlalchemy.exc import DatabaseError
+            from rhodecode import events
             from rhodecode.model import BaseModel
             from rhodecode.model.db import (
                 User, Permission, UserToPerm, UserRepoToPerm, UserRepoGroupToPerm,
                 UserUserGroupToPerm, UserGroup, UserGroupToPerm, UserToRepoBranchPermission)
             from rhodecode.lib.utils2 import str2bool, safe_int
             log = logging.getLogger(__name__)
             class PermissionModel(BaseModel):
                 """
                 Permissions model for RhodeCode
                 """
                 cls = Permission
                 global_perms = {
                     'default_repo_create': None,
                     # special case for create repos on write access to group
                     'default_repo_create_on_write': None,
                     'default_repo_group_create': None,
                     'default_user_group_create': None,
                     'default_fork_create': None,
                     'default_inherit_default_permissions': None,
                     'default_register': None,
                     'default_password_reset': None,
                     'default_extern_activate': None,
                     # object permissions below
                     'default_repo_perm': None,
                     'default_group_perm': None,
                     'default_user_group_perm': None,
                     # branch
                     'default_branch_perm': None,
                 }
                 def set_global_permission_choices(self, c_obj, gettext_translator):
                     _ = gettext_translator
                     c_obj.repo_perms_choices = [
                         ('repository.none', _('None'),),
                         ('repository.read', _('Read'),),
                         ('repository.write', _('Write'),),
                         ('repository.admin', _('Admin'),)]
                     c_obj.group_perms_choices = [
                         ('group.none', _('None'),),
                         ('group.read', _('Read'),),
                         ('group.write', _('Write'),),
                         ('group.admin', _('Admin'),)]
                     c_obj.user_group_perms_choices = [
                         ('usergroup.none', _('None'),),
                         ('usergroup.read', _('Read'),),
                         ('usergroup.write', _('Write'),),
                         ('usergroup.admin', _('Admin'),)]
                     c_obj.branch_perms_choices = [
                         ('branch.none', _('Protected/No Access'),),
                         ('branch.merge', _('Web merge'),),
                         ('branch.push', _('Push'),),
                         ('branch.push_force', _('Force Push'),)]
                     c_obj.register_choices = [
                         ('hg.register.none', _('Disabled')),
                         ('hg.register.manual_activate', _('Allowed with manual account activation')),
                         ('hg.register.auto_activate', _('Allowed with automatic account activation')),]
                     c_obj.password_reset_choices = [
                         ('hg.password_reset.enabled', _('Allow password recovery')),
                         ('hg.password_reset.hidden', _('Hide password recovery link')),
                         ('hg.password_reset.disabled', _('Disable password recovery')),]
                     c_obj.extern_activate_choices = [
                         ('hg.extern_activate.manual', _('Manual activation of external account')),
                         ('hg.extern_activate.auto', _('Automatic activation of external account')),]
                     c_obj.repo_create_choices = [
                         ('hg.create.none', _('Disabled')),
                         ('hg.create.repository', _('Enabled'))]
                     c_obj.repo_create_on_write_choices = [
                         ('hg.create.write_on_repogroup.false', _('Disabled')),
                         ('hg.create.write_on_repogroup.true', _('Enabled'))]
                     c_obj.user_group_create_choices = [
                         ('hg.usergroup.create.false', _('Disabled')),
                         ('hg.usergroup.create.true', _('Enabled'))]
                     c_obj.repo_group_create_choices = [
                         ('hg.repogroup.create.false', _('Disabled')),
                         ('hg.repogroup.create.true', _('Enabled'))]
                     c_obj.fork_choices = [
                         ('hg.fork.none', _('Disabled')),
                         ('hg.fork.repository', _('Enabled'))]
                     c_obj.inherit_default_permission_choices = [
                         ('hg.inherit_default_perms.false', _('Disabled')),
                         ('hg.inherit_default_perms.true', _('Enabled'))]
                 def get_default_perms(self, object_perms, suffix):
                     defaults = {}
                     for perm in object_perms:
                         # perms
                         if perm.permission.permission_name.startswith('repository.'):
                             defaults['default_repo_perm' + suffix] = perm.permission.permission_name
                         if perm.permission.permission_name.startswith('group.'):
                             defaults['default_group_perm' + suffix] = perm.permission.permission_name
                         if perm.permission.permission_name.startswith('usergroup.'):
                             defaults['default_user_group_perm' + suffix] = perm.permission.permission_name
                         # branch
                         if perm.permission.permission_name.startswith('branch.'):
                             defaults['default_branch_perm' + suffix] = perm.permission.permission_name
                         # creation of objects
                         if perm.permission.permission_name.startswith('hg.create.write_on_repogroup'):
                             defaults['default_repo_create_on_write' + suffix] = perm.permission.permission_name
                         elif perm.permission.permission_name.startswith('hg.create.'):
                             defaults['default_repo_create' + suffix] = perm.permission.permission_name
                         if perm.permission.permission_name.startswith('hg.fork.'):
                             defaults['default_fork_create' + suffix] = perm.permission.permission_name
                         if perm.permission.permission_name.startswith('hg.inherit_default_perms.'):
                             defaults['default_inherit_default_permissions' + suffix] = perm.permission.permission_name
                         if perm.permission.permission_name.startswith('hg.repogroup.'):
                             defaults['default_repo_group_create' + suffix] = perm.permission.permission_name
                         if perm.permission.permission_name.startswith('hg.usergroup.'):
                             defaults['default_user_group_create' + suffix] = perm.permission.permission_name
                         # registration and external account activation
                         if perm.permission.permission_name.startswith('hg.register.'):
                             defaults['default_register' + suffix] = perm.permission.permission_name
                         if perm.permission.permission_name.startswith('hg.password_reset.'):
                             defaults['default_password_reset' + suffix] = perm.permission.permission_name
                         if perm.permission.permission_name.startswith('hg.extern_activate.'):
                             defaults['default_extern_activate' + suffix] = perm.permission.permission_name
                     return defaults
                 def _make_new_user_perm(self, user, perm_name):
                     log.debug('Creating new user permission:%s', perm_name)
                     new = UserToPerm()
                     new.user = user
                     new.permission = Permission.get_by_key(perm_name)
                     return new
                 def _make_new_user_group_perm(self, user_group, perm_name):
                     log.debug('Creating new user group permission:%s', perm_name)
                     new = UserGroupToPerm()
                     new.users_group = user_group
                     new.permission = Permission.get_by_key(perm_name)
                     return new
                 def _keep_perm(self, perm_name, keep_fields):
                     def get_pat(field_name):
                         return {
                             # global perms
                             'default_repo_create': 'hg.create.',
                             # special case for create repos on write access to group
                             'default_repo_create_on_write': 'hg.create.write_on_repogroup.',
                             'default_repo_group_create': 'hg.repogroup.create.',
                             'default_user_group_create': 'hg.usergroup.create.',
                             'default_fork_create': 'hg.fork.',
                             'default_inherit_default_permissions': 'hg.inherit_default_perms.',
                             # application perms
                             'default_register': 'hg.register.',
                             'default_password_reset': 'hg.password_reset.',
                             'default_extern_activate': 'hg.extern_activate.',
                             # object permissions below
                             'default_repo_perm': 'repository.',
                             'default_group_perm': 'group.',
                             'default_user_group_perm': 'usergroup.',
                             # branch
                             'default_branch_perm': 'branch.',
                         }[field_name]
                     for field in keep_fields:
                         pat = get_pat(field)
                         if perm_name.startswith(pat):
                             return True
                     return False
                 def _clear_object_perm(self, object_perms, preserve=None):
                     preserve = preserve or []
                     _deleted = []
                     for perm in object_perms:
                         perm_name = perm.permission.permission_name
                         if not self._keep_perm(perm_name, keep_fields=preserve):
                             _deleted.append(perm_name)
                             self.sa.delete(perm)
                     return _deleted
                 def _clear_user_perms(self, user_id, preserve=None):
                     perms = self.sa.query(UserToPerm)\
                         .filter(UserToPerm.user_id == user_id)\
                         .all()
                     return self._clear_object_perm(perms, preserve=preserve)
                 def _clear_user_group_perms(self, user_group_id, preserve=None):
                     perms = self.sa.query(UserGroupToPerm)\
                         .filter(UserGroupToPerm.users_group_id == user_group_id)\
                         .all()
                     return self._clear_object_perm(perms, preserve=preserve)
                 def _set_new_object_perms(self, obj_type, object, form_result, preserve=None):
                     # clear current entries, to make this function idempotent
                     # it will fix even if we define more permissions or permissions
                     # are somehow missing
                     preserve = preserve or []
                     _global_perms = self.global_perms.copy()
                     if obj_type not in ['user', 'user_group']:
                         raise ValueError("obj_type must be on of 'user' or 'user_group'")
                     global_perms = len(_global_perms)
                     default_user_perms = len(Permission.DEFAULT_USER_PERMISSIONS)
                     if global_perms != default_user_perms:
                         raise Exception(
                             'Inconsistent permissions definition. Got {} vs {}'.format(
                                 global_perms, default_user_perms))
                     if obj_type == 'user':
                         self._clear_user_perms(object.user_id, preserve)
                     if obj_type == 'user_group':
                         self._clear_user_group_perms(object.users_group_id, preserve)
                     # now kill the keys that we want to preserve from the form.
                     for key in preserve:
                         del _global_perms[key]
                     for k in _global_perms.copy():
                         _global_perms[k] = form_result[k]
                     # at that stage we validate all are passed inside form_result
                     for _perm_key, perm_value in _global_perms.items():
                         if perm_value is None:
                             raise ValueError('Missing permission for %s' % (_perm_key,))
                         if obj_type == 'user':
                             p = self._make_new_user_perm(object, perm_value)
                             self.sa.add(p)
                         if obj_type == 'user_group':
                             p = self._make_new_user_group_perm(object, perm_value)
                             self.sa.add(p)
                 def _set_new_user_perms(self, user, form_result, preserve=None):
                     return self._set_new_object_perms(
                         'user', user, form_result, preserve)
                 def _set_new_user_group_perms(self, user_group, form_result, preserve=None):
                     return self._set_new_object_perms(
                         'user_group', user_group, form_result, preserve)
                 def set_new_user_perms(self, user, form_result):
                     # calculate what to preserve from what is given in form_result
                     preserve = set(self.global_perms.keys()).difference(set(form_result.keys()))
                     return self._set_new_user_perms(user, form_result, preserve)
                 def set_new_user_group_perms(self, user_group, form_result):
                     # calculate what to preserve from what is given in form_result
                     preserve = set(self.global_perms.keys()).difference(set(form_result.keys()))
                     return self._set_new_user_group_perms(user_group, form_result, preserve)
                 def create_permissions(self):
                     """
                     Create permissions for whole system
                     """
                     for p in Permission.PERMS:
                         if not Permission.get_by_key(p[0]):
                             new_perm = Permission()
                             new_perm.permission_name = p[0]
                             new_perm.permission_longname = p[0]  # translation err with p[1]
                             self.sa.add(new_perm)
                 def _create_default_object_permission(self, obj_type, obj, obj_perms,
                                                       force=False):
                     if obj_type not in ['user', 'user_group']:
                         raise ValueError("obj_type must be on of 'user' or 'user_group'")
                     def _get_group(perm_name):
                         return '.'.join(perm_name.split('.')[:1])
                     defined_perms_groups = map(
                         _get_group, (x.permission.permission_name for x in obj_perms))
                     log.debug('GOT ALREADY DEFINED:%s', obj_perms)
                     if force:
                         self._clear_object_perm(obj_perms)
                         self.sa.commit()
                         defined_perms_groups = []
                     # for every default permission that needs to be created, we check if
                     # it's group is already defined, if it's not we create default perm
                     for perm_name in Permission.DEFAULT_USER_PERMISSIONS:
                         gr = _get_group(perm_name)
                         if gr not in defined_perms_groups:
                             log.debug('GR:%s not found, creating permission %s',
                                       gr, perm_name)
                             if obj_type == 'user':
                                 new_perm = self._make_new_user_perm(obj, perm_name)
                                 self.sa.add(new_perm)
                             if obj_type == 'user_group':
                                 new_perm = self._make_new_user_group_perm(obj, perm_name)
                                 self.sa.add(new_perm)
                 def create_default_user_permissions(self, user, force=False):
                     """
                     Creates only missing default permissions for user, if force is set it
                     resets the default permissions for that user
                     :param user:
                     :param force:
                     """
                     user = self._get_user(user)
                     obj_perms = UserToPerm.query().filter(UserToPerm.user == user).all()
                     return self._create_default_object_permission(
                         'user', user, obj_perms, force)
                 def create_default_user_group_permissions(self, user_group, force=False):
                     """
                     Creates only missing default permissions for user group, if force is
                     set it resets the default permissions for that user group
                     :param user_group:
                     :param force:
                     """
                     user_group = self._get_user_group(user_group)
                     obj_perms = UserToPerm.query().filter(UserGroupToPerm.users_group == user_group).all()
                     return self._create_default_object_permission(
                         'user_group', user_group, obj_perms, force)
                 def update_application_permissions(self, form_result):
                     if 'perm_user_id' in form_result:
                         perm_user = User.get(safe_int(form_result['perm_user_id']))
                     else:
                         # used mostly to do lookup for default user
                         perm_user = User.get_by_username(form_result['perm_user_name'])
                     try:
                         # stage 1 set anonymous access
                         if perm_user.username == User.DEFAULT_USER:
                             perm_user.active = str2bool(form_result['anonymous'])
                             self.sa.add(perm_user)
                         # stage 2 reset defaults and set them from form data
                         self._set_new_user_perms(perm_user, form_result, preserve=[
                             'default_repo_perm',
                             'default_group_perm',
                             'default_user_group_perm',
                             'default_branch_perm',
                             'default_repo_group_create',
                             'default_user_group_create',
                             'default_repo_create_on_write',
                             'default_repo_create',
                             'default_fork_create',
                             'default_inherit_default_permissions',])
                         self.sa.commit()
                     except (DatabaseError,):
                         log.error(traceback.format_exc())
                         self.sa.rollback()
                         raise
                 def update_user_permissions(self, form_result):
                     if 'perm_user_id' in form_result:
                         perm_user = User.get(safe_int(form_result['perm_user_id']))
                     else:
                         # used mostly to do lookup for default user
                         perm_user = User.get_by_username(form_result['perm_user_name'])
                     try:
                         # stage 2 reset defaults and set them from form data
                         self._set_new_user_perms(perm_user, form_result, preserve=[
                             'default_repo_perm',
                             'default_group_perm',
                             'default_user_group_perm',
                             'default_branch_perm',
                             'default_register',
                             'default_password_reset',
                             'default_extern_activate'])
                         self.sa.commit()
                     except (DatabaseError,):
                         log.error(traceback.format_exc())
                         self.sa.rollback()
                         raise
                 def update_user_group_permissions(self, form_result):
                     if 'perm_user_group_id' in form_result:
                         perm_user_group = UserGroup.get(safe_int(form_result['perm_user_group_id']))
                     else:
                         # used mostly to do lookup for default user
                         perm_user_group = UserGroup.get_by_group_name(form_result['perm_user_group_name'])
                     try:
                         # stage 2 reset defaults and set them from form data
                         self._set_new_user_group_perms(perm_user_group, form_result, preserve=[
                             'default_repo_perm',
                             'default_group_perm',
                             'default_user_group_perm',
                             'default_branch_perm',
                             'default_register',
                             'default_password_reset',
                             'default_extern_activate'])
                         self.sa.commit()
                     except (DatabaseError,):
                         log.error(traceback.format_exc())
                         self.sa.rollback()
                         raise
                 def update_object_permissions(self, form_result):
                     if 'perm_user_id' in form_result:
                         perm_user = User.get(safe_int(form_result['perm_user_id']))
                     else:
                         # used mostly to do lookup for default user
                         perm_user = User.get_by_username(form_result['perm_user_name'])
                     try:
                         # stage 2 reset defaults and set them from form data
                         self._set_new_user_perms(perm_user, form_result, preserve=[
                             'default_repo_group_create',
                             'default_user_group_create',
                             'default_repo_create_on_write',
                             'default_repo_create',
                             'default_fork_create',
                             'default_inherit_default_permissions',
                             'default_branch_perm',
                             'default_register',
                             'default_password_reset',
                             'default_extern_activate'])
                         # overwrite default repo permissions
                         if form_result['overwrite_default_repo']:
                             _def_name = form_result['default_repo_perm'].split('repository.')[-1]
                             _def = Permission.get_by_key('repository.' + _def_name)
                             for r2p in self.sa.query(UserRepoToPerm)\
                                            .filter(UserRepoToPerm.user == perm_user)\
                                            .all():
                                 # don't reset PRIVATE repositories
                                 if not r2p.repository.private:
                                     r2p.permission = _def
                                     self.sa.add(r2p)
                         # overwrite default repo group permissions
                         if form_result['overwrite_default_group']:
                             _def_name = form_result['default_group_perm'].split('group.')[-1]
                             _def = Permission.get_by_key('group.' + _def_name)
                             for g2p in self.sa.query(UserRepoGroupToPerm)\
                                            .filter(UserRepoGroupToPerm.user == perm_user)\
                                            .all():
                                 g2p.permission = _def
                                 self.sa.add(g2p)
                         # overwrite default user group permissions
                         if form_result['overwrite_default_user_group']:
                             _def_name = form_result['default_user_group_perm'].split('usergroup.')[-1]
                             # user groups
                             _def = Permission.get_by_key('usergroup.' + _def_name)
                             for g2p in self.sa.query(UserUserGroupToPerm)\
                                            .filter(UserUserGroupToPerm.user == perm_user)\
                                            .all():
                                 g2p.permission = _def
                                 self.sa.add(g2p)
                         # COMMIT
                         self.sa.commit()
                     except (DatabaseError,):
                         log.exception('Failed to set default object permissions')
                         self.sa.rollback()
                         raise
                 def update_branch_permissions(self, form_result):
                     if 'perm_user_id' in form_result:
                         perm_user = User.get(safe_int(form_result['perm_user_id']))
                     else:
                         # used mostly to do lookup for default user
                         perm_user = User.get_by_username(form_result['perm_user_name'])
                     try:
                         # stage 2 reset defaults and set them from form data
                         self._set_new_user_perms(perm_user, form_result, preserve=[
                             'default_repo_perm',
                             'default_group_perm',
                             'default_user_group_perm',
                             'default_repo_group_create',
                             'default_user_group_create',
                             'default_repo_create_on_write',
                             'default_repo_create',
                             'default_fork_create',
                             'default_inherit_default_permissions',
                             'default_register',
                             'default_password_reset',
                             'default_extern_activate'])
                         # overwrite default branch permissions
                         if form_result['overwrite_default_branch']:
                             _def_name = \
                                 form_result['default_branch_perm'].split('branch.')[-1]
                             _def = Permission.get_by_key('branch.' + _def_name)
                             user_perms = UserToRepoBranchPermission.query()\
                                 .join(UserToRepoBranchPermission.user_repo_to_perm)\
                                 .filter(UserRepoToPerm.user == perm_user).all()
                             for g2p in user_perms:
                                 g2p.permission = _def
                                 self.sa.add(g2p)
                         # COMMIT
                         self.sa.commit()
                     except (DatabaseError,):
                         log.exception('Failed to set default branch permissions')
                         self.sa.rollback()
                         raise
+                def trigger_permission_flush(self, affected_user_ids):
+                    events.trigger(events.UserPermissionsChange(affected_user_ids))
+                def flush_user_permission_caches(self, changes, affected_user_ids=None):
+                    affected_user_ids = affected_user_ids or []
+                    for change in changes['added'] + changes['updated'] + changes['deleted']:
+                        if change['type'] == 'user':
+                            affected_user_ids.append(change['id'])
+                        if change['type'] == 'user_group':
+                            user_group = UserGroup.get(safe_int(change['id']))
+                            if user_group:
+                                group_members_ids = [x.user_id for x in user_group.members]
+                                affected_user_ids.extend(group_members_ids)
+                    self.trigger_permission_flush(affected_user_ids)
+                    return affected_user_ids

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages