rhodecode-enterprise-ce Commit - r4462:91b375f2

permissions: rename write+ to write or higher for more explicit meaning.

marcink -

r4462:91b375f2 stable

parent child

rhodecode/apps/repository/views/repo_permissions.py

0 +1 -1

             # -*- coding: utf-8 -*-
             # Copyright (C) 2011-2020 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import logging
             from pyramid.httpexceptions import HTTPFound
             from pyramid.view import view_config
             from rhodecode.apps._base import RepoAppView
             from rhodecode.lib import helpers as h
             from rhodecode.lib import audit_logger
             from rhodecode.lib.auth import (
                 LoginRequired, HasRepoPermissionAnyDecorator, CSRFRequired)
             from rhodecode.lib.utils2 import str2bool
             from rhodecode.model.db import User
             from rhodecode.model.forms import RepoPermsForm
             from rhodecode.model.meta import Session
             from rhodecode.model.permission import PermissionModel
             from rhodecode.model.repo import RepoModel
             log = logging.getLogger(__name__)
             class RepoSettingsPermissionsView(RepoAppView):
                 def load_default_context(self):
                     c = self._get_local_tmpl_context()
                     return c
                 @LoginRequired()
                 @HasRepoPermissionAnyDecorator('repository.admin')
                 @view_config(
                     route_name='edit_repo_perms', request_method='GET',
                     renderer='rhodecode:templates/admin/repos/repo_edit.mako')
                 def edit_permissions(self):
                     _ = self.request.translate
                     c = self.load_default_context()
                     c.active = 'permissions'
                     if self.request.GET.get('branch_permissions'):
-                        h.flash(_('Explicitly add user or user group with write+ '
+                        h.flash(_('Explicitly add user or user group with write or higher '
                                   'permission to modify their branch permissions.'),
                                 category='notice')
                     return self._get_template_context(c)
                 @LoginRequired()
                 @HasRepoPermissionAnyDecorator('repository.admin')
                 @CSRFRequired()
                 @view_config(
                     route_name='edit_repo_perms', request_method='POST',
                     renderer='rhodecode:templates/admin/repos/repo_edit.mako')
                 def edit_permissions_update(self):
                     _ = self.request.translate
                     c = self.load_default_context()
                     c.active = 'permissions'
                     data = self.request.POST
                     # store private flag outside of HTML to verify if we can modify
                     # default user permissions, prevents submission of FAKE post data
                     # into the form for private repos
                     data['repo_private'] = self.db_repo.private
                     form = RepoPermsForm(self.request.translate)().to_python(data)
                     changes = RepoModel().update_permissions(
                         self.db_repo_name, form['perm_additions'], form['perm_updates'],
                         form['perm_deletions'])
                     action_data = {
                         'added': changes['added'],
                         'updated': changes['updated'],
                         'deleted': changes['deleted'],
                     }
                     audit_logger.store_web(
                         'repo.edit.permissions', action_data=action_data,
                         user=self._rhodecode_user, repo=self.db_repo)
                     Session().commit()
                     h.flash(_('Repository access permissions updated'), category='success')
                     affected_user_ids = None
                     if changes.get('default_user_changed', False):
                         # if we change the default user, we need to flush everyone permissions
                         affected_user_ids = User.get_all_user_ids()
                     PermissionModel().flush_user_permission_caches(
                         changes, affected_user_ids=affected_user_ids)
                     raise HTTPFound(
                         h.route_path('edit_repo_perms', repo_name=self.db_repo_name))
                 @LoginRequired()
                 @HasRepoPermissionAnyDecorator('repository.admin')
                 @CSRFRequired()
                 @view_config(
                     route_name='edit_repo_perms_set_private', request_method='POST',
                     renderer='json_ext')
                 def edit_permissions_set_private_repo(self):
                     _ = self.request.translate
                     self.load_default_context()
                     private_flag = str2bool(self.request.POST.get('private'))
                     try:
                         repo = RepoModel().get(self.db_repo.repo_id)
                         repo.private = private_flag
                         Session().add(repo)
                         RepoModel().grant_user_permission(
                             repo=self.db_repo, user=User.DEFAULT_USER, perm='repository.none'
                         )
                         Session().commit()
                         h.flash(_('Repository `{}` private mode set successfully').format(self.db_repo_name),
                                 category='success')
                         # NOTE(dan): we change repo private mode we need to notify all USERS
                         affected_user_ids = User.get_all_user_ids()
                         PermissionModel().trigger_permission_flush(affected_user_ids)
                     except Exception:
                         log.exception("Exception during update of repository")
                         h.flash(_('Error occurred during update of repository {}').format(
                             self.db_repo_name), category='error')
                     return {
                         'redirect_url': h.route_path('edit_repo_perms', repo_name=self.db_repo_name),
                         'private': private_flag
                     }

rhodecode/apps/ssh_support/lib/backends/base.py

0 +1 -1

             # -*- coding: utf-8 -*-
             # Copyright (C) 2016-2020 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import os
             import sys
             import json
             import logging
             from rhodecode.lib.hooks_daemon import prepare_callback_daemon
             from rhodecode.lib.vcs.conf import settings as vcs_settings
             from rhodecode.model.scm import ScmModel
             log = logging.getLogger(__name__)
             class VcsServer(object):
                 _path = None  # set executable path for hg/git/svn binary
                 backend = None  # set in child classes
                 tunnel = None  # subprocess handling tunnel
                 write_perms = ['repository.admin', 'repository.write']
                 read_perms = ['repository.read', 'repository.admin', 'repository.write']
                 def __init__(self, user, user_permissions, config, env):
                     self.user = user
                     self.user_permissions = user_permissions
                     self.config = config
                     self.env = env
                     self.stdin = sys.stdin
                     self.repo_name = None
                     self.repo_mode = None
                     self.store = ''
                     self.ini_path = ''
                 def _invalidate_cache(self, repo_name):
                     """
                     Set's cache for this repository for invalidation on next access
                     :param repo_name: full repo name, also a cache key
                     """
                     ScmModel().mark_for_invalidation(repo_name)
                 def has_write_perm(self):
                     permission = self.user_permissions.get(self.repo_name)
                     if permission in ['repository.write', 'repository.admin']:
                         return True
                     return False
                 def _check_permissions(self, action):
                     permission = self.user_permissions.get(self.repo_name)
                     log.debug('permission for %s on %s are: %s',
                               self.user, self.repo_name, permission)
                     if not permission:
                         log.error('user `%s` permissions to repo:%s are empty. Forbidding access.',
                                   self.user, self.repo_name)
                         return -2
                     if action == 'pull':
                         if permission in self.read_perms:
                             log.info(
                                 'READ Permissions for User "%s" detected to repo "%s"!',
                                 self.user, self.repo_name)
                             return 0
                     else:
                         if permission in self.write_perms:
                             log.info(
-                                'WRITE+ Permissions for User "%s" detected to repo "%s"!',
+                                'WRITE, or Higher Permissions for User "%s" detected to repo "%s"!',
                                 self.user, self.repo_name)
                             return 0
                     log.error('Cannot properly fetch or verify user `%s` permissions. '
                               'Permissions: %s, vcs action: %s',
                               self.user, permission, action)
                     return -2
                 def update_environment(self, action, extras=None):
                     scm_data = {
                         'ip': os.environ['SSH_CLIENT'].split()[0],
                         'username': self.user.username,
                         'user_id': self.user.user_id,
                         'action': action,
                         'repository': self.repo_name,
                         'scm': self.backend,
                         'config': self.ini_path,
                         'repo_store': self.store,
                         'make_lock': None,
                         'locked_by': [None, None],
                         'server_url': None,
                         'user_agent': 'ssh-user-agent',
                         'hooks': ['push', 'pull'],
                         'hooks_module': 'rhodecode.lib.hooks_daemon',
                         'is_shadow_repo': False,
                         'detect_force_push': False,
                         'check_branch_perms': False,
                         'SSH': True,
                         'SSH_PERMISSIONS': self.user_permissions.get(self.repo_name),
                     }
                     if extras:
                         scm_data.update(extras)
                     os.putenv("RC_SCM_DATA", json.dumps(scm_data))
                 def get_root_store(self):
                     root_store = self.store
                     if not root_store.endswith('/'):
                         # always append trailing slash
                         root_store = root_store + '/'
                     return root_store
                 def _handle_tunnel(self, extras):
                     # pre-auth
                     action = 'pull'
                     exit_code = self._check_permissions(action)
                     if exit_code:
                         return exit_code, False
                     req = self.env['request']
                     server_url = req.host_url + req.script_name
                     extras['server_url'] = server_url
                     log.debug('Using %s binaries from path %s', self.backend, self._path)
                     exit_code = self.tunnel.run(extras)
                     return exit_code, action == "push"
                 def run(self, tunnel_extras=None):
                     tunnel_extras = tunnel_extras or {}
                     extras = {}
                     extras.update(tunnel_extras)
                     callback_daemon, extras = prepare_callback_daemon(
                         extras, protocol=vcs_settings.HOOKS_PROTOCOL,
                         host=vcs_settings.HOOKS_HOST,
                         use_direct_calls=False)
                     with callback_daemon:
                         try:
                             return self._handle_tunnel(extras)
                         finally:
                             log.debug('Running cleanup with cache invalidation')
                             if self.repo_name:
                                 self._invalidate_cache(self.repo_name)

rhodecode/model/permission.py

0 +2 -2

             # -*- coding: utf-8 -*-
             # Copyright (C) 2010-2020 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             """
             permissions model for RhodeCode
             """
             import collections
             import logging
             import traceback
             from sqlalchemy.exc import DatabaseError
             from rhodecode import events
             from rhodecode.model import BaseModel
             from rhodecode.model.db import (
                 User, Permission, UserToPerm, UserRepoToPerm, UserRepoGroupToPerm,
                 UserUserGroupToPerm, UserGroup, UserGroupToPerm, UserToRepoBranchPermission)
             from rhodecode.lib.utils2 import str2bool, safe_int
             log = logging.getLogger(__name__)
             class PermissionModel(BaseModel):
                 """
                 Permissions model for RhodeCode
                 """
                 cls = Permission
                 global_perms = {
                     'default_repo_create': None,
                     # special case for create repos on write access to group
                     'default_repo_create_on_write': None,
                     'default_repo_group_create': None,
                     'default_user_group_create': None,
                     'default_fork_create': None,
                     'default_inherit_default_permissions': None,
                     'default_register': None,
                     'default_password_reset': None,
                     'default_extern_activate': None,
                     # object permissions below
                     'default_repo_perm': None,
                     'default_group_perm': None,
                     'default_user_group_perm': None,
                     # branch
                     'default_branch_perm': None,
                 }
                 def set_global_permission_choices(self, c_obj, gettext_translator):
                     _ = gettext_translator
                     c_obj.repo_perms_choices = [
                         ('repository.none', _('None'),),
                         ('repository.read', _('Read'),),
                         ('repository.write', _('Write'),),
                         ('repository.admin', _('Admin'),)]
                     c_obj.group_perms_choices = [
                         ('group.none', _('None'),),
                         ('group.read', _('Read'),),
                         ('group.write', _('Write'),),
                         ('group.admin', _('Admin'),)]
                     c_obj.user_group_perms_choices = [
                         ('usergroup.none', _('None'),),
                         ('usergroup.read', _('Read'),),
                         ('usergroup.write', _('Write'),),
                         ('usergroup.admin', _('Admin'),)]
                     c_obj.branch_perms_choices = [
                         ('branch.none', _('Protected/No Access'),),
                         ('branch.merge', _('Web merge'),),
                         ('branch.push', _('Push'),),
                         ('branch.push_force', _('Force Push'),)]
                     c_obj.register_choices = [
                         ('hg.register.none', _('Disabled')),
                         ('hg.register.manual_activate', _('Allowed with manual account activation')),
                         ('hg.register.auto_activate', _('Allowed with automatic account activation')),]
                     c_obj.password_reset_choices = [
                         ('hg.password_reset.enabled', _('Allow password recovery')),
                         ('hg.password_reset.hidden', _('Hide password recovery link')),
                         ('hg.password_reset.disabled', _('Disable password recovery')),]
                     c_obj.extern_activate_choices = [
                         ('hg.extern_activate.manual', _('Manual activation of external account')),
                         ('hg.extern_activate.auto', _('Automatic activation of external account')),]
                     c_obj.repo_create_choices = [
                         ('hg.create.none', _('Disabled')),
                         ('hg.create.repository', _('Enabled'))]
                     c_obj.repo_create_on_write_choices = [
                         ('hg.create.write_on_repogroup.false', _('Disabled')),
                         ('hg.create.write_on_repogroup.true', _('Enabled'))]
                     c_obj.user_group_create_choices = [
                         ('hg.usergroup.create.false', _('Disabled')),
                         ('hg.usergroup.create.true', _('Enabled'))]
                     c_obj.repo_group_create_choices = [
                         ('hg.repogroup.create.false', _('Disabled')),
                         ('hg.repogroup.create.true', _('Enabled'))]
                     c_obj.fork_choices = [
                         ('hg.fork.none', _('Disabled')),
                         ('hg.fork.repository', _('Enabled'))]
                     c_obj.inherit_default_permission_choices = [
                         ('hg.inherit_default_perms.false', _('Disabled')),
                         ('hg.inherit_default_perms.true', _('Enabled'))]
                 def get_default_perms(self, object_perms, suffix):
                     defaults = {}
                     for perm in object_perms:
                         # perms
                         if perm.permission.permission_name.startswith('repository.'):
                             defaults['default_repo_perm' + suffix] = perm.permission.permission_name
                         if perm.permission.permission_name.startswith('group.'):
                             defaults['default_group_perm' + suffix] = perm.permission.permission_name
                         if perm.permission.permission_name.startswith('usergroup.'):
                             defaults['default_user_group_perm' + suffix] = perm.permission.permission_name
                         # branch
                         if perm.permission.permission_name.startswith('branch.'):
                             defaults['default_branch_perm' + suffix] = perm.permission.permission_name
                         # creation of objects
                         if perm.permission.permission_name.startswith('hg.create.write_on_repogroup'):
                             defaults['default_repo_create_on_write' + suffix] = perm.permission.permission_name
                         elif perm.permission.permission_name.startswith('hg.create.'):
                             defaults['default_repo_create' + suffix] = perm.permission.permission_name
                         if perm.permission.permission_name.startswith('hg.fork.'):
                             defaults['default_fork_create' + suffix] = perm.permission.permission_name
                         if perm.permission.permission_name.startswith('hg.inherit_default_perms.'):
                             defaults['default_inherit_default_permissions' + suffix] = perm.permission.permission_name
                         if perm.permission.permission_name.startswith('hg.repogroup.'):
                             defaults['default_repo_group_create' + suffix] = perm.permission.permission_name
                         if perm.permission.permission_name.startswith('hg.usergroup.'):
                             defaults['default_user_group_create' + suffix] = perm.permission.permission_name
                         # registration and external account activation
                         if perm.permission.permission_name.startswith('hg.register.'):
                             defaults['default_register' + suffix] = perm.permission.permission_name
                         if perm.permission.permission_name.startswith('hg.password_reset.'):
                             defaults['default_password_reset' + suffix] = perm.permission.permission_name
                         if perm.permission.permission_name.startswith('hg.extern_activate.'):
                             defaults['default_extern_activate' + suffix] = perm.permission.permission_name
                     return defaults
                 def _make_new_user_perm(self, user, perm_name):
                     log.debug('Creating new user permission:%s', perm_name)
                     new = UserToPerm()
                     new.user = user
                     new.permission = Permission.get_by_key(perm_name)
                     return new
                 def _make_new_user_group_perm(self, user_group, perm_name):
                     log.debug('Creating new user group permission:%s', perm_name)
                     new = UserGroupToPerm()
                     new.users_group = user_group
                     new.permission = Permission.get_by_key(perm_name)
                     return new
                 def _keep_perm(self, perm_name, keep_fields):
                     def get_pat(field_name):
                         return {
                             # global perms
                             'default_repo_create': 'hg.create.',
                             # special case for create repos on write access to group
                             'default_repo_create_on_write': 'hg.create.write_on_repogroup.',
                             'default_repo_group_create': 'hg.repogroup.create.',
                             'default_user_group_create': 'hg.usergroup.create.',
                             'default_fork_create': 'hg.fork.',
                             'default_inherit_default_permissions': 'hg.inherit_default_perms.',
                             # application perms
                             'default_register': 'hg.register.',
                             'default_password_reset': 'hg.password_reset.',
                             'default_extern_activate': 'hg.extern_activate.',
                             # object permissions below
                             'default_repo_perm': 'repository.',
                             'default_group_perm': 'group.',
                             'default_user_group_perm': 'usergroup.',
                             # branch
                             'default_branch_perm': 'branch.',
                         }[field_name]
                     for field in keep_fields:
                         pat = get_pat(field)
                         if perm_name.startswith(pat):
                             return True
                     return False
                 def _clear_object_perm(self, object_perms, preserve=None):
                     preserve = preserve or []
                     _deleted = []
                     for perm in object_perms:
                         perm_name = perm.permission.permission_name
                         if not self._keep_perm(perm_name, keep_fields=preserve):
                             _deleted.append(perm_name)
                             self.sa.delete(perm)
                     return _deleted
                 def _clear_user_perms(self, user_id, preserve=None):
                     perms = self.sa.query(UserToPerm)\
                         .filter(UserToPerm.user_id == user_id)\
                         .all()
                     return self._clear_object_perm(perms, preserve=preserve)
                 def _clear_user_group_perms(self, user_group_id, preserve=None):
                     perms = self.sa.query(UserGroupToPerm)\
                         .filter(UserGroupToPerm.users_group_id == user_group_id)\
                         .all()
                     return self._clear_object_perm(perms, preserve=preserve)
                 def _set_new_object_perms(self, obj_type, object, form_result, preserve=None):
                     # clear current entries, to make this function idempotent
                     # it will fix even if we define more permissions or permissions
                     # are somehow missing
                     preserve = preserve or []
                     _global_perms = self.global_perms.copy()
                     if obj_type not in ['user', 'user_group']:
                         raise ValueError("obj_type must be on of 'user' or 'user_group'")
                     global_perms = len(_global_perms)
                     default_user_perms = len(Permission.DEFAULT_USER_PERMISSIONS)
                     if global_perms != default_user_perms:
                         raise Exception(
                             'Inconsistent permissions definition. Got {} vs {}'.format(
                                 global_perms, default_user_perms))
                     if obj_type == 'user':
                         self._clear_user_perms(object.user_id, preserve)
                     if obj_type == 'user_group':
                         self._clear_user_group_perms(object.users_group_id, preserve)
                     # now kill the keys that we want to preserve from the form.
                     for key in preserve:
                         del _global_perms[key]
                     for k in _global_perms.copy():
                         _global_perms[k] = form_result[k]
                     # at that stage we validate all are passed inside form_result
                     for _perm_key, perm_value in _global_perms.items():
                         if perm_value is None:
                             raise ValueError('Missing permission for %s' % (_perm_key,))
                         if obj_type == 'user':
                             p = self._make_new_user_perm(object, perm_value)
                             self.sa.add(p)
                         if obj_type == 'user_group':
                             p = self._make_new_user_group_perm(object, perm_value)
                             self.sa.add(p)
                 def _set_new_user_perms(self, user, form_result, preserve=None):
                     return self._set_new_object_perms(
                         'user', user, form_result, preserve)
                 def _set_new_user_group_perms(self, user_group, form_result, preserve=None):
                     return self._set_new_object_perms(
                         'user_group', user_group, form_result, preserve)
                 def set_new_user_perms(self, user, form_result):
                     # calculate what to preserve from what is given in form_result
                     preserve = set(self.global_perms.keys()).difference(set(form_result.keys()))
                     return self._set_new_user_perms(user, form_result, preserve)
                 def set_new_user_group_perms(self, user_group, form_result):
                     # calculate what to preserve from what is given in form_result
                     preserve = set(self.global_perms.keys()).difference(set(form_result.keys()))
                     return self._set_new_user_group_perms(user_group, form_result, preserve)
                 def create_permissions(self):
                     """
                     Create permissions for whole system
                     """
                     for p in Permission.PERMS:
                         if not Permission.get_by_key(p[0]):
                             new_perm = Permission()
                             new_perm.permission_name = p[0]
                             new_perm.permission_longname = p[0]  # translation err with p[1]
                             self.sa.add(new_perm)
                 def _create_default_object_permission(self, obj_type, obj, obj_perms,
                                                       force=False):
                     if obj_type not in ['user', 'user_group']:
                         raise ValueError("obj_type must be on of 'user' or 'user_group'")
                     def _get_group(perm_name):
                         return '.'.join(perm_name.split('.')[:1])
                     defined_perms_groups = map(
                         _get_group, (x.permission.permission_name for x in obj_perms))
                     log.debug('GOT ALREADY DEFINED:%s', obj_perms)
                     if force:
                         self._clear_object_perm(obj_perms)
                         self.sa.commit()
                         defined_perms_groups = []
                     # for every default permission that needs to be created, we check if
                     # it's group is already defined, if it's not we create default perm
                     for perm_name in Permission.DEFAULT_USER_PERMISSIONS:
                         gr = _get_group(perm_name)
                         if gr not in defined_perms_groups:
                             log.debug('GR:%s not found, creating permission %s',
                                       gr, perm_name)
                             if obj_type == 'user':
                                 new_perm = self._make_new_user_perm(obj, perm_name)
                                 self.sa.add(new_perm)
                             if obj_type == 'user_group':
                                 new_perm = self._make_new_user_group_perm(obj, perm_name)
                                 self.sa.add(new_perm)
                 def create_default_user_permissions(self, user, force=False):
                     """
                     Creates only missing default permissions for user, if force is set it
                     resets the default permissions for that user
                     :param user:
                     :param force:
                     """
                     user = self._get_user(user)
                     obj_perms = UserToPerm.query().filter(UserToPerm.user == user).all()
                     return self._create_default_object_permission(
                         'user', user, obj_perms, force)
                 def create_default_user_group_permissions(self, user_group, force=False):
                     """
                     Creates only missing default permissions for user group, if force is
                     set it resets the default permissions for that user group
                     :param user_group:
                     :param force:
                     """
                     user_group = self._get_user_group(user_group)
                     obj_perms = UserToPerm.query().filter(UserGroupToPerm.users_group == user_group).all()
                     return self._create_default_object_permission(
                         'user_group', user_group, obj_perms, force)
                 def update_application_permissions(self, form_result):
                     if 'perm_user_id' in form_result:
                         perm_user = User.get(safe_int(form_result['perm_user_id']))
                     else:
                         # used mostly to do lookup for default user
                         perm_user = User.get_by_username(form_result['perm_user_name'])
                     try:
                         # stage 1 set anonymous access
                         if perm_user.username == User.DEFAULT_USER:
                             perm_user.active = str2bool(form_result['anonymous'])
                             self.sa.add(perm_user)
                         # stage 2 reset defaults and set them from form data
                         self._set_new_user_perms(perm_user, form_result, preserve=[
                             'default_repo_perm',
                             'default_group_perm',
                             'default_user_group_perm',
                             'default_branch_perm',
                             'default_repo_group_create',
                             'default_user_group_create',
                             'default_repo_create_on_write',
                             'default_repo_create',
                             'default_fork_create',
                             'default_inherit_default_permissions',])
                         self.sa.commit()
                     except (DatabaseError,):
                         log.error(traceback.format_exc())
                         self.sa.rollback()
                         raise
                 def update_user_permissions(self, form_result):
                     if 'perm_user_id' in form_result:
                         perm_user = User.get(safe_int(form_result['perm_user_id']))
                     else:
                         # used mostly to do lookup for default user
                         perm_user = User.get_by_username(form_result['perm_user_name'])
                     try:
                         # stage 2 reset defaults and set them from form data
                         self._set_new_user_perms(perm_user, form_result, preserve=[
                             'default_repo_perm',
                             'default_group_perm',
                             'default_user_group_perm',
                             'default_branch_perm',
                             'default_register',
                             'default_password_reset',
                             'default_extern_activate'])
                         self.sa.commit()
                     except (DatabaseError,):
                         log.error(traceback.format_exc())
                         self.sa.rollback()
                         raise
                 def update_user_group_permissions(self, form_result):
                     if 'perm_user_group_id' in form_result:
                         perm_user_group = UserGroup.get(safe_int(form_result['perm_user_group_id']))
                     else:
                         # used mostly to do lookup for default user
                         perm_user_group = UserGroup.get_by_group_name(form_result['perm_user_group_name'])
                     try:
                         # stage 2 reset defaults and set them from form data
                         self._set_new_user_group_perms(perm_user_group, form_result, preserve=[
                             'default_repo_perm',
                             'default_group_perm',
                             'default_user_group_perm',
                             'default_branch_perm',
                             'default_register',
                             'default_password_reset',
                             'default_extern_activate'])
                         self.sa.commit()
                     except (DatabaseError,):
                         log.error(traceback.format_exc())
                         self.sa.rollback()
                         raise
                 def update_object_permissions(self, form_result):
                     if 'perm_user_id' in form_result:
                         perm_user = User.get(safe_int(form_result['perm_user_id']))
                     else:
                         # used mostly to do lookup for default user
                         perm_user = User.get_by_username(form_result['perm_user_name'])
                     try:
                         # stage 2 reset defaults and set them from form data
                         self._set_new_user_perms(perm_user, form_result, preserve=[
                             'default_repo_group_create',
                             'default_user_group_create',
                             'default_repo_create_on_write',
                             'default_repo_create',
                             'default_fork_create',
                             'default_inherit_default_permissions',
                             'default_branch_perm',
                             'default_register',
                             'default_password_reset',
                             'default_extern_activate'])
                         # overwrite default repo permissions
                         if form_result['overwrite_default_repo']:
                             _def_name = form_result['default_repo_perm'].split('repository.')[-1]
                             _def = Permission.get_by_key('repository.' + _def_name)
                             for r2p in self.sa.query(UserRepoToPerm)\
                                            .filter(UserRepoToPerm.user == perm_user)\
                                            .all():
                                 # don't reset PRIVATE repositories
                                 if not r2p.repository.private:
                                     r2p.permission = _def
                                     self.sa.add(r2p)
                         # overwrite default repo group permissions
                         if form_result['overwrite_default_group']:
                             _def_name = form_result['default_group_perm'].split('group.')[-1]
                             _def = Permission.get_by_key('group.' + _def_name)
                             for g2p in self.sa.query(UserRepoGroupToPerm)\
                                            .filter(UserRepoGroupToPerm.user == perm_user)\
                                            .all():
                                 g2p.permission = _def
                                 self.sa.add(g2p)
                         # overwrite default user group permissions
                         if form_result['overwrite_default_user_group']:
                             _def_name = form_result['default_user_group_perm'].split('usergroup.')[-1]
                             # user groups
                             _def = Permission.get_by_key('usergroup.' + _def_name)
                             for g2p in self.sa.query(UserUserGroupToPerm)\
                                            .filter(UserUserGroupToPerm.user == perm_user)\
                                            .all():
                                 g2p.permission = _def
                                 self.sa.add(g2p)
                         # COMMIT
                         self.sa.commit()
                     except (DatabaseError,):
                         log.exception('Failed to set default object permissions')
                         self.sa.rollback()
                         raise
                 def update_branch_permissions(self, form_result):
                     if 'perm_user_id' in form_result:
                         perm_user = User.get(safe_int(form_result['perm_user_id']))
                     else:
                         # used mostly to do lookup for default user
                         perm_user = User.get_by_username(form_result['perm_user_name'])
                     try:
                         # stage 2 reset defaults and set them from form data
                         self._set_new_user_perms(perm_user, form_result, preserve=[
                             'default_repo_perm',
                             'default_group_perm',
                             'default_user_group_perm',
                             'default_repo_group_create',
                             'default_user_group_create',
                             'default_repo_create_on_write',
                             'default_repo_create',
                             'default_fork_create',
                             'default_inherit_default_permissions',
                             'default_register',
                             'default_password_reset',
                             'default_extern_activate'])
                         # overwrite default branch permissions
                         if form_result['overwrite_default_branch']:
                             _def_name = \
                                 form_result['default_branch_perm'].split('branch.')[-1]
                             _def = Permission.get_by_key('branch.' + _def_name)
                             user_perms = UserToRepoBranchPermission.query()\
                                 .join(UserToRepoBranchPermission.user_repo_to_perm)\
                                 .filter(UserRepoToPerm.user == perm_user).all()
                             for g2p in user_perms:
                                 g2p.permission = _def
                                 self.sa.add(g2p)
                         # COMMIT
                         self.sa.commit()
                     except (DatabaseError,):
                         log.exception('Failed to set default branch permissions')
                         self.sa.rollback()
                         raise
                 def get_users_with_repo_write(self, db_repo):
                     write_plus = ['repository.write', 'repository.admin']
                     default_user_id = User.get_default_user_id()
                     user_write_permissions = collections.OrderedDict()
-                    # write+ and DEFAULT user for inheritance
+                    # write or higher and DEFAULT user for inheritance
                     for perm in db_repo.permissions():
                         if perm.permission in write_plus or perm.user_id == default_user_id:
                             user_write_permissions[perm.user_id] = perm
                     return user_write_permissions
                 def get_user_groups_with_repo_write(self, db_repo):
                     write_plus = ['repository.write', 'repository.admin']
                     user_group_write_permissions = collections.OrderedDict()
-                    # write+ and DEFAULT user for inheritance
+                    # write or higher and DEFAULT user for inheritance
                     for p in db_repo.permission_user_groups():
                         if p.permission in write_plus:
                             user_group_write_permissions[p.users_group_id] = p
                     return user_group_write_permissions
                 def trigger_permission_flush(self, affected_user_ids=None):
                     affected_user_ids or User.get_all_user_ids()
                     events.trigger(events.UserPermissionsChange(affected_user_ids))
                 def flush_user_permission_caches(self, changes, affected_user_ids=None):
                     affected_user_ids = affected_user_ids or []
                     for change in changes['added'] + changes['updated'] + changes['deleted']:
                         if change['type'] == 'user':
                             affected_user_ids.append(change['id'])
                         if change['type'] == 'user_group':
                             user_group = UserGroup.get(safe_int(change['id']))
                             if user_group:
                                 group_members_ids = [x.user_id for x in user_group.members]
                                 affected_user_ids.extend(group_members_ids)
                     self.trigger_permission_flush(affected_user_ids)
                     return affected_user_ids

rhodecode/templates/admin/repos/repo_edit_permissions.mako

0 +2 -2

             <%namespace name="base" file="/base/base.mako"/>
             <div class="panel panel-default">
                 <div class="panel-heading">
                     <h3 class="panel-title">${_('Repository Access Permissions')}</h3>
                 </div>
                 <div class="panel-body">
                     ${h.secure_form(h.route_path('edit_repo_perms', repo_name=c.repo_name), request=request)}
                     <table id="permissions_manage" class="rctable permissions">
                         <tr>
                             <th class="td-radio">${_('None')}</th>
                             <th class="td-radio">${_('Read')}</th>
                             <th class="td-radio">${_('Write')}</th>
                             <th class="td-radio">${_('Admin')}</th>
                             <th class="td-owner">${_('User/User Group')}</th>
                             <th class="td-action"></th>
                             <th class="td-action"></th>
                         </tr>
                         ## USERS
                         %for _user in c.rhodecode_db_repo.permissions():
                             %if getattr(_user, 'admin_row', None) or getattr(_user, 'owner_row', None):
                                 <tr class="perm_admin_row">
                                     <td class="td-radio">${h.radio('admin_perm_%s' % _user.user_id,'repository.none', disabled="disabled")}</td>
                                     <td class="td-radio">${h.radio('admin_perm_%s' % _user.user_id,'repository.read', disabled="disabled")}</td>
                                     <td class="td-radio">${h.radio('admin_perm_%s' % _user.user_id,'repository.write', disabled="disabled")}</td>
                                     <td class="td-radio">${h.radio('admin_perm_%s' % _user.user_id,'repository.admin', 'repository.admin', disabled="disabled")}</td>
                                     <td class="td-user">
                                         ${base.gravatar(_user.email, 16, user=_user, tooltip=True)}
                                         ${h.link_to_user(_user.username)}
                                         %if getattr(_user, 'admin_row', None):
                                             (${_('super-admin')})
                                         %endif
                                         %if getattr(_user, 'owner_row', None):
                                             (${_('owner')})
                                         %endif
                                     </td>
                                     <td></td>
                                     <td class="quick_repo_menu">
                                         % if c.rhodecode_user.is_admin:
                                             <i class="icon-more"></i>
                                             <div class="menu_items_container" style="display: none;">
                                             <ul class="menu_items">
                                               <li>
                                                  ${h.link_to('show permissions', h.route_path('edit_user_perms_summary', user_id=_user.user_id, _anchor='repositories-permissions'))}
                                               </li>
                                             </ul>
                                             </div>
                                         % endif
                                     </td>
                                 </tr>
                             %elif _user.username == h.DEFAULT_USER and c.rhodecode_db_repo.private:
                                 <tr>
                                     <td colspan="4">
                                         <span class="private_repo_msg">
                                         <strong title="${h.tooltip(_user.permission)}">${_('private repository')}</strong>
                                         </span>
                                     </td>
                                     <td class="private_repo_msg">
                                         ${base.gravatar(h.DEFAULT_USER_EMAIL, 16)}
                                         ${h.DEFAULT_USER} - ${_('only users/user groups explicitly added here will have access')}</td>
                                     <td class="td-action">
                                         <span class="noselect tooltip btn btn-link btn-default" onclick="setPrivateRepo(this, false); return false" title="${_('Private repositories are only visible to people explicitly added as collaborators. Default permissions wont apply')}">
                                         ${_('un-set private mode')}
                                         </span>
                                     </td>
                                     <td class="quick_repo_menu">
                                         % if c.rhodecode_user.is_admin:
                                             <i class="icon-more"></i>
                                             <div class="menu_items_container" style="display: none;">
                                             <ul class="menu_items">
                                               <li>
                                                  ${h.link_to('show permissions', h.route_path('admin_permissions_overview', _anchor='repositories-permissions'))}
                                               </li>
                                             </ul>
                                             </div>
                                         % endif
                                     </td>
                                 </tr>
                             %else:
                                 <% used_by_n_rules = len(getattr(_user, 'branch_rules', None) or []) %>
                                 <tr>
                                     <td class="td-radio">${h.radio('u_perm_%s' % _user.user_id,'repository.none', checked=_user.permission=='repository.none', disabled="disabled" if (used_by_n_rules and _user.username != h.DEFAULT_USER) else None)}</td>
                                     <td class="td-radio">${h.radio('u_perm_%s' % _user.user_id,'repository.read', checked=_user.permission=='repository.read', disabled="disabled" if (used_by_n_rules and _user.username != h.DEFAULT_USER) else None)}</td>
                                     <td class="td-radio">${h.radio('u_perm_%s' % _user.user_id,'repository.write', checked=_user.permission=='repository.write')}</td>
                                     <td class="td-radio">${h.radio('u_perm_%s' % _user.user_id,'repository.admin', checked=_user.permission=='repository.admin')}</td>
                                     <td class="td-user">
                                         ${base.gravatar(_user.email, 16, user=_user, tooltip=True)}
                                         <span class="user">
                                             % if _user.username == h.DEFAULT_USER:
                                                 ${h.DEFAULT_USER}
                                                 % if _user.active:
                                                     <span class="user-perm-help-text"> - ${_('permission for other logged in and anonymous users')}</span>
                                                 % else:
                                                     <span class="user-perm-help-text"> - ${_('permission for other logged in users')}</span>
                                                 % endif
                                             % else:
                                                 % if getattr(_user, 'duplicate_perm', None):
                                                     <span class="user-perm-duplicate">
                                                         ${h.link_to_user(_user.username)}
                                                         <span class="tooltip" title="${_('This entry is a duplicate, most probably left-over from previously set permission. This user has a higher permission set, so this entry is inactive. Please revoke this permission manually.')}">(${_('inactive duplicate')})
                                                         </span>
                                                     </span>
                                                 % else:
                                                     ${h.link_to_user(_user.username)}
                                                 % endif
                                                 %if getattr(_user, 'branch_rules', None):
                                                     % if used_by_n_rules == 1:
-                                                        (${_('used by {} branch rule, requires write+ permissions').format(used_by_n_rules)})
+                                                        (${_('used by {} branch rule, requires write or higher permissions').format(used_by_n_rules)})
                                                     % else:
-                                                        (${_('used by {} branch rules, requires write+ permissions').format(used_by_n_rules)})
+                                                        (${_('used by {} branch rules, requires write or higher permissions').format(used_by_n_rules)})
                                                     % endif
                                                 %endif
                                             % endif
                                         </span>
                                     </td>
                                     <td class="td-action">
                                       %if _user.username != h.DEFAULT_USER and getattr(_user, 'branch_rules', None) is None:
                                         <span class="btn btn-link btn-danger revoke_perm"
                                               member="${_user.user_id}" member_type="user">
                                         ${_('Remove')}
                                         </span>
                                       %elif _user.username == h.DEFAULT_USER:
                                         <span class="noselect tooltip btn btn-link btn-default" onclick="setPrivateRepo(this, true); return false" title="${_('Private repositories are only visible to people explicitly added as collaborators. Default permissions wont apply')}">
                                         ${_('set private mode')}
                                         </span>
                                       %endif
                                     </td>
                                     <td class="quick_repo_menu">
                                         % if c.rhodecode_user.is_admin:
                                             <i class="icon-more"></i>
                                             <div class="menu_items_container" style="display: none;">
                                             <ul class="menu_items">
                                               <li>
                                                  % if _user.username == h.DEFAULT_USER:
                                                     ${h.link_to('show permissions', h.route_path('admin_permissions_overview', _anchor='repositories-permissions'))}
                                                 % else:
                                                     ${h.link_to('show permissions', h.route_path('edit_user_perms_summary', user_id=_user.user_id, _anchor='repositories-permissions'))}
                                                 % endif
                                               </li>
                                             </ul>
                                             </div>
                                         % endif
                                     </td>
                                 </tr>
                             %endif
                         %endfor
                         ## USER GROUPS
                         %for _user_group in c.rhodecode_db_repo.permission_user_groups(with_members=True):
                             <tr>
                                 <td class="td-radio">${h.radio('g_perm_%s' % _user_group.users_group_id,'repository.none', checked=_user_group.permission=='repository.none')}</td>
                                 <td class="td-radio">${h.radio('g_perm_%s' % _user_group.users_group_id,'repository.read', checked=_user_group.permission=='repository.read')}</td>
                                 <td class="td-radio">${h.radio('g_perm_%s' % _user_group.users_group_id,'repository.write', checked=_user_group.permission=='repository.write')}</td>
                                 <td class="td-radio">${h.radio('g_perm_%s' % _user_group.users_group_id,'repository.admin', checked=_user_group.permission=='repository.admin')}</td>
                                 <td class="td-componentname">
                                     ${base.user_group_icon(_user_group, tooltip=True)}
                                     %if c.is_super_admin:
                                      <a href="${h.route_path('edit_user_group',user_group_id=_user_group.users_group_id)}">
                                          ${_user_group.users_group_name}
                                      </a>
                                     %else:
                                      ${h.link_to_group(_user_group.users_group_name)}
                                     %endif
                                     (${_('members')}: ${len(_user_group.members)})
                                 </td>
                                 <td class="td-action">
                                     <span class="btn btn-link btn-danger revoke_perm"
                                           member="${_user_group.users_group_id}" member_type="user_group">
                                     ${_('Remove')}
                                     </span>
                                 </td>
                                 <td class="quick_repo_menu">
                                     % if c.rhodecode_user.is_admin:
                                         <i class="icon-more"></i>
                                         <div class="menu_items_container" style="display: none;">
                                         <ul class="menu_items">
                                           <li>
                                              ${h.link_to('show permissions', h.route_path('edit_user_group_perms_summary', user_group_id=_user_group.users_group_id, _anchor='repositories-permissions'))}
                                           </li>
                                         </ul>
                                         </div>
                                     % endif
                                 </td>
                             </tr>
                         %endfor
                         <tr class="new_members" id="add_perm_input"></tr>
                         <tr>
                             <td></td>
                             <td></td>
                             <td></td>
                             <td></td>
                             <td></td>
                             <td>
                                 <span id="add_perm" class="link">
                                     ${_('Add user/user group')}
                                 </span>
                             </td>
                             <td></td>
                         </tr>
                     </table>
                     <div class="buttons">
                       ${h.submit('save',_('Save'),class_="btn btn-primary")}
                       ${h.reset('reset',_('Reset'),class_="btn btn-danger")}
                     </div>
                     ${h.end_form()}
                 </div>
             </div>
             <script type="text/javascript">
                 $('#add_perm').on('click', function(e){
                     addNewPermInput($(this), 'repository');
                 });
                 $('.revoke_perm').on('click', function(e){
                     markRevokePermInput($(this), 'repository');
                 });
                 quick_repo_menu();
                 var setPrivateRepo = function (elem, private) {
                     var $elem = $(elem)
                     if ($elem.hasClass('disabled')) {
                         return
                     }
                     $elem.addClass('disabled');
                     $elem.css({"opacity": 0.3})
                     var postData = {
                         'csrf_token': CSRF_TOKEN,
                         'private': private
                     };
                     var success = function(o) {
                         var defaultUrl = pyroutes.url('edit_repo_perms', {"repo_name": templateContext.repo_name});
                         window.location = o.redirect_url || defaultUrl;
                     };
                     ajaxPOST(
                         pyroutes.url('edit_repo_perms_set_private', {"repo_name": templateContext.repo_name}),
                         postData,
                         success);
                 }
             </script>

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages