rhodecode-enterprise-ce Commit - r1482:9278d852

auth-tokens: fixed tests

marcink -

r1482:9278d852 default

parent child

rhodecode/api/tests/conftest.py

0 +10 0

             # -*- coding: utf-8 -*-
             # Copyright (C) 2010-2017  RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import pytest
             from rhodecode.model.meta import Session
             from rhodecode.model.user import UserModel
+            from rhodecode.model.auth_token import AuthTokenModel
             from rhodecode.tests import TEST_USER_ADMIN_LOGIN
             @pytest.fixture(scope="class")
             def testuser_api(request, pylonsapp):
                 cls = request.cls
+                # ADMIN USER
                 cls.usr = UserModel().get_by_username(TEST_USER_ADMIN_LOGIN)
                 cls.apikey = cls.usr.api_key
+                # REGULAR USER
                 cls.test_user = UserModel().create_or_update(
                     username='test-api',
                     password='test',
                     email='test@api.rhodecode.org',
                     firstname='first',
                     lastname='last'
                 )
+                # create TOKEN for user, if he doesn't have one
+                if not cls.test_user.api_key:
+                    AuthTokenModel().create(
+                        user=cls.test_user, description='TEST_USER_TOKEN')
                 Session().commit()
                 cls.TEST_USER_LOGIN = cls.test_user.username
                 cls.apikey_regular = cls.test_user.api_key

rhodecode/api/tests/test_close_pull_request.py

0 +1 0

             # -*- coding: utf-8 -*-
             # Copyright (C) 2010-2017  RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import pytest
             from rhodecode.model.db import UserLog
             from rhodecode.model.pull_request import PullRequestModel
             from rhodecode.tests import TEST_USER_ADMIN_LOGIN
             from rhodecode.api.tests.utils import (
                 build_data, api_call, assert_error, assert_ok)
             @pytest.mark.usefixtures("testuser_api", "app")
             class TestClosePullRequest(object):
                 @pytest.mark.backends("git", "hg")
                 def test_api_close_pull_request(self, pr_util):
                     pull_request = pr_util.create_pull_request()
                     pull_request_id = pull_request.pull_request_id
                     author = pull_request.user_id
                     repo = pull_request.target_repo.repo_id
                     id_, params = build_data(
                         self.apikey, 'close_pull_request',
                         repoid=pull_request.target_repo.repo_name,
                         pullrequestid=pull_request.pull_request_id)
                     response = api_call(self.app, params)
                     expected = {
                         'pull_request_id': pull_request_id,
                         'closed': True,
                     }
                     assert_ok(id_, expected, response.body)
                     action = 'user_closed_pull_request:%d' % pull_request_id
                     journal = UserLog.query()\
                         .filter(UserLog.user_id == author)\
                         .filter(UserLog.repository_id == repo)\
                         .filter(UserLog.action == action)\
                         .all()
                     assert len(journal) == 1
                 @pytest.mark.backends("git", "hg")
                 def test_api_close_pull_request_already_closed_error(self, pr_util):
                     pull_request = pr_util.create_pull_request()
                     pull_request_id = pull_request.pull_request_id
                     pull_request_repo = pull_request.target_repo.repo_name
                     PullRequestModel().close_pull_request(
                         pull_request, pull_request.author)
                     id_, params = build_data(
                         self.apikey, 'close_pull_request',
                         repoid=pull_request_repo, pullrequestid=pull_request_id)
                     response = api_call(self.app, params)
                     expected = 'pull request `%s` is already closed' % pull_request_id
                     assert_error(id_, expected, given=response.body)
                 @pytest.mark.backends("git", "hg")
                 def test_api_close_pull_request_repo_error(self):
                     id_, params = build_data(
                         self.apikey, 'close_pull_request',
                         repoid=666, pullrequestid=1)
                     response = api_call(self.app, params)
                     expected = 'repository `666` does not exist'
                     assert_error(id_, expected, given=response.body)
                 @pytest.mark.backends("git", "hg")
                 def test_api_close_pull_request_non_admin_with_userid_error(self,
                                                                             pr_util):
                     pull_request = pr_util.create_pull_request()
                     id_, params = build_data(
                         self.apikey_regular, 'close_pull_request',
                         repoid=pull_request.target_repo.repo_name,
                         pullrequestid=pull_request.pull_request_id,
                         userid=TEST_USER_ADMIN_LOGIN)
                     response = api_call(self.app, params)
                     expected = 'userid is not the same as your user'
                     assert_error(id_, expected, given=response.body)
                 @pytest.mark.backends("git", "hg")
                 def test_api_close_pull_request_no_perms_to_close(
                         self, user_util, pr_util):
                     user = user_util.create_user()
                     pull_request = pr_util.create_pull_request()
                     id_, params = build_data(
                         user.api_key, 'close_pull_request',
                         repoid=pull_request.target_repo.repo_name,
                         pullrequestid=pull_request.pull_request_id,)
                     response = api_call(self.app, params)
                     expected = ('pull request `%s` close failed, '
                                 'no permission to close.') % pull_request.pull_request_id
                     response_json = response.json['error']
                     assert response_json == expected

rhodecode/api/tests/test_delete_repo.py

0 +2 -3

             # -*- coding: utf-8 -*-
             # Copyright (C) 2010-2017 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import mock
             import pytest
             from rhodecode.model.repo import RepoModel
             from rhodecode.api.tests.utils import (
                 build_data, api_call, assert_error, assert_ok, crash)
             @pytest.mark.usefixtures("testuser_api", "app")
             class TestApiDeleteRepo(object):
                 def test_api_delete_repo(self, backend):
                     repo = backend.create_repo()
                     id_, params = build_data(
                         self.apikey, 'delete_repo', repoid=repo.repo_name, )
                     response = api_call(self.app, params)
                     expected = {
                         'msg': 'Deleted repository `%s`' % (repo.repo_name,),
                         'success': True
                     }
                     assert_ok(id_, expected, given=response.body)
                 def test_api_delete_repo_by_non_admin(self, backend, user_regular):
                     repo = backend.create_repo(cur_user=user_regular.username)
                     id_, params = build_data(
                         user_regular.api_key, 'delete_repo', repoid=repo.repo_name, )
                     response = api_call(self.app, params)
                     expected = {
                         'msg': 'Deleted repository `%s`' % (repo.repo_name,),
                         'success': True
                     }
                     assert_ok(id_, expected, given=response.body)
-                def test_api_delete_repo_by_non_admin_no_permission(
+                def test_api_delete_repo_by_non_admin_no_permission(self, backend):
-                        self, backend, user_regular):
                     repo = backend.create_repo()
                     id_, params = build_data(
-                        user_regular.api_key, 'delete_repo', repoid=repo.repo_name, )
+                        self.apikey_regular, 'delete_repo', repoid=repo.repo_name, )
                     response = api_call(self.app, params)
                     expected = 'repository `%s` does not exist' % (repo.repo_name)
                     assert_error(id_, expected, given=response.body)
                 def test_api_delete_repo_exception_occurred(self, backend):
                     repo = backend.create_repo()
                     id_, params = build_data(
                         self.apikey, 'delete_repo', repoid=repo.repo_name, )
                     with mock.patch.object(RepoModel, 'delete', crash):
                         response = api_call(self.app, params)
                     expected = 'failed to delete repository `%s`' % (
                         repo.repo_name,)
                     assert_error(id_, expected, given=response.body)

rhodecode/api/views/user_api.py

0 0 -1

             # -*- coding: utf-8 -*-
             # Copyright (C) 2011-2017 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import logging
             from rhodecode.api import jsonrpc_method, JSONRPCError, JSONRPCForbidden
             from rhodecode.api.utils import (
                 Optional, OAttr, has_superadmin_permission, get_user_or_error, store_update)
             from rhodecode.lib.auth import AuthUser, PasswordGenerator
             from rhodecode.lib.exceptions import DefaultUserException
             from rhodecode.lib.utils2 import safe_int, str2bool
             from rhodecode.model.db import Session, User, Repository
             from rhodecode.model.user import UserModel
             log = logging.getLogger(__name__)
             @jsonrpc_method()
             def get_user(request, apiuser, userid=Optional(OAttr('apiuser'))):
                 """
                 Returns the information associated with a username or userid.
                 * If the ``userid`` is not set, this command returns the information
                   for the ``userid`` calling the method.
                 .. note::
                    Normal users may only run this command against their ``userid``. For
                    full privileges you must run this command using an |authtoken| with
                    admin rights.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param userid: Sets the userid for which data will be returned.
                 :type userid: Optional(str or int)
                 Example output:
                 .. code-block:: bash
                     {
                       "error": null,
                       "id": <id>,
                       "result": {
                         "active": true,
                         "admin": false,
-                        "api_key": "api-key",
                         "api_keys": [ list of keys ],
                         "email": "user@example.com",
                         "emails": [
                           "user@example.com"
                         ],
                         "extern_name": "rhodecode",
                         "extern_type": "rhodecode",
                         "firstname": "username",
                         "ip_addresses": [],
                         "language": null,
                         "last_login": "Timestamp",
                         "lastname": "surnae",
                         "permissions": {
                           "global": [
                             "hg.inherit_default_perms.true",
                             "usergroup.read",
                             "hg.repogroup.create.false",
                             "hg.create.none",
                             "hg.password_reset.enabled",
                             "hg.extern_activate.manual",
                             "hg.create.write_on_repogroup.false",
                             "hg.usergroup.create.false",
                             "group.none",
                             "repository.none",
                             "hg.register.none",
                             "hg.fork.repository"
                           ],
                           "repositories": { "username/example": "repository.write"},
                           "repositories_groups": { "user-group/repo": "group.none" },
                           "user_groups": { "user_group_name": "usergroup.read" }
                         },
                         "user_id": 32,
                         "username": "username"
                       }
                     }
                 """
                 if not has_superadmin_permission(apiuser):
                     # make sure normal user does not pass someone else userid,
                     # he is not allowed to do that
                     if not isinstance(userid, Optional) and userid != apiuser.user_id:
                         raise JSONRPCError('userid is not the same as your user')
                 userid = Optional.extract(userid, evaluate_locals=locals())
                 userid = getattr(userid, 'user_id', userid)
                 user = get_user_or_error(userid)
                 data = user.get_api_data(include_secrets=True)
                 data['permissions'] = AuthUser(user_id=user.user_id).permissions
                 return data
             @jsonrpc_method()
             def get_users(request, apiuser):
                 """
                 Lists all users in the |RCE| user database.
                 This command can only be run using an |authtoken| with admin rights to
                 the specified repository.
                 This command takes the following options:
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 Example output:
                 .. code-block:: bash
                     id : <id_given_in_input>
                         result: [<user_object>, ...]
                     error:  null
                 """
                 if not has_superadmin_permission(apiuser):
                     raise JSONRPCForbidden()
                 result = []
                 users_list = User.query().order_by(User.username) \
                     .filter(User.username != User.DEFAULT_USER) \
                     .all()
                 for user in users_list:
                     result.append(user.get_api_data(include_secrets=True))
                 return result
             @jsonrpc_method()
             def create_user(request, apiuser, username, email, password=Optional(''),
                             firstname=Optional(''), lastname=Optional(''),
                             active=Optional(True), admin=Optional(False),
                             extern_name=Optional('rhodecode'),
                             extern_type=Optional('rhodecode'),
                             force_password_change=Optional(False),
                             create_personal_repo_group=Optional(None)):
                 """
                 Creates a new user and returns the new user object.
                 This command can only be run using an |authtoken| with admin rights to
                 the specified repository.
                 This command takes the following options:
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param username: Set the new username.
                 :type username: str or int
                 :param email: Set the user email address.
                 :type email: str
                 :param password: Set the new user password.
                 :type password: Optional(str)
                 :param firstname: Set the new user firstname.
                 :type firstname: Optional(str)
                 :param lastname: Set the new user surname.
                 :type lastname: Optional(str)
                 :param active: Set the user as active.
                 :type active: Optional(``True`` | ``False``)
                 :param admin: Give the new user admin rights.
                 :type admin: Optional(``True`` | ``False``)
                 :param extern_name: Set the authentication plugin name.
                     Using LDAP this is filled with LDAP UID.
                 :type extern_name: Optional(str)
                 :param extern_type: Set the new user authentication plugin.
                 :type extern_type: Optional(str)
                 :param force_password_change: Force the new user to change password
                     on next login.
                 :type force_password_change: Optional(``True`` | ``False``)
                 :param create_personal_repo_group: Create personal repo group for this user
                 :type create_personal_repo_group: Optional(``True`` | ``False``)
                 Example output:
                 .. code-block:: bash
                     id : <id_given_in_input>
                     result: {
                               "msg" : "created new user `<username>`",
                               "user": <user_obj>
                             }
                     error:  null
                 Example error output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : null
                   error :  {
                     "user `<username>` already exist"
                     or
                     "email `<email>` already exist"
                     or
                     "failed to create user `<username>`"
                   }
                 """
                 if not has_superadmin_permission(apiuser):
                     raise JSONRPCForbidden()
                 if UserModel().get_by_username(username):
                     raise JSONRPCError("user `%s` already exist" % (username,))
                 if UserModel().get_by_email(email, case_insensitive=True):
                     raise JSONRPCError("email `%s` already exist" % (email,))
                 # generate random password if we actually given the
                 # extern_name and it's not rhodecode
                 if (not isinstance(extern_name, Optional) and
                             Optional.extract(extern_name) != 'rhodecode'):
                     # generate temporary password if user is external
                     password = PasswordGenerator().gen_password(length=16)
                 create_repo_group = Optional.extract(create_personal_repo_group)
                 if isinstance(create_repo_group, basestring):
                     create_repo_group = str2bool(create_repo_group)
                 try:
                     user = UserModel().create_or_update(
                         username=Optional.extract(username),
                         password=Optional.extract(password),
                         email=Optional.extract(email),
                         firstname=Optional.extract(firstname),
                         lastname=Optional.extract(lastname),
                         active=Optional.extract(active),
                         admin=Optional.extract(admin),
                         extern_type=Optional.extract(extern_type),
                         extern_name=Optional.extract(extern_name),
                         force_password_change=Optional.extract(force_password_change),
                         create_repo_group=create_repo_group
                     )
                     Session().commit()
                     return {
                         'msg': 'created new user `%s`' % username,
                         'user': user.get_api_data(include_secrets=True)
                     }
                 except Exception:
                     log.exception('Error occurred during creation of user')
                     raise JSONRPCError('failed to create user `%s`' % (username,))
             @jsonrpc_method()
             def update_user(request, apiuser, userid, username=Optional(None),
                             email=Optional(None), password=Optional(None),
                             firstname=Optional(None), lastname=Optional(None),
                             active=Optional(None), admin=Optional(None),
                             extern_type=Optional(None), extern_name=Optional(None), ):
                 """
                 Updates the details for the specified user, if that user exists.
                 This command can only be run using an |authtoken| with admin rights to
                 the specified repository.
                 This command takes the following options:
                 :param apiuser: This is filled automatically from |authtoken|.
                 :type apiuser: AuthUser
                 :param userid: Set the ``userid`` to update.
                 :type userid: str or int
                 :param username: Set the new username.
                 :type username: str or int
                 :param email: Set the new email.
                 :type email: str
                 :param password: Set the new password.
                 :type password: Optional(str)
                 :param firstname: Set the new first name.
                 :type firstname: Optional(str)
                 :param lastname: Set the new surname.
                 :type lastname: Optional(str)
                 :param active: Set the new user as active.
                 :type active: Optional(``True`` | ``False``)
                 :param admin: Give the user admin rights.
                 :type admin: Optional(``True`` | ``False``)
                 :param extern_name: Set the authentication plugin user name.
                     Using LDAP this is filled with LDAP UID.
                 :type extern_name: Optional(str)
                 :param extern_type: Set the authentication plugin type.
                 :type extern_type: Optional(str)
                 Example output:
                 .. code-block:: bash
                     id : <id_given_in_input>
                     result: {
                               "msg" : "updated user ID:<userid> <username>",
                               "user": <user_object>,
                             }
                     error:  null
                 Example error output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : null
                   error :  {
                     "failed to update user `<username>`"
                   }
                 """
                 if not has_superadmin_permission(apiuser):
                     raise JSONRPCForbidden()
                 user = get_user_or_error(userid)
                 # only non optional arguments will be stored in updates
                 updates = {}
                 try:
                     store_update(updates, username, 'username')
                     store_update(updates, password, 'password')
                     store_update(updates, email, 'email')
                     store_update(updates, firstname, 'name')
                     store_update(updates, lastname, 'lastname')
                     store_update(updates, active, 'active')
                     store_update(updates, admin, 'admin')
                     store_update(updates, extern_name, 'extern_name')
                     store_update(updates, extern_type, 'extern_type')
                     user = UserModel().update_user(user, **updates)
                     Session().commit()
                     return {
                         'msg': 'updated user ID:%s %s' % (user.user_id, user.username),
                         'user': user.get_api_data(include_secrets=True)
                     }
                 except DefaultUserException:
                     log.exception("Default user edit exception")
                     raise JSONRPCError('editing default user is forbidden')
                 except Exception:
                     log.exception("Error occurred during update of user")
                     raise JSONRPCError('failed to update user `%s`' % (userid,))
             @jsonrpc_method()
             def delete_user(request, apiuser, userid):
                 """
                 Deletes the specified user from the |RCE| user database.
                 This command can only be run using an |authtoken| with admin rights to
                 the specified repository.
                 .. important::
                    Ensure all open pull requests and open code review
                    requests to this user are close.
                    Also ensure all repositories, or repository groups owned by this
                    user are reassigned before deletion.
                 This command takes the following options:
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param userid: Set the user to delete.
                 :type userid: str or int
                 Example output:
                 .. code-block:: bash
                     id : <id_given_in_input>
                     result: {
                               "msg" : "deleted user ID:<userid> <username>",
                               "user": null
                             }
                     error:  null
                 Example error output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : null
                   error :  {
                     "failed to delete user ID:<userid> <username>"
                   }
                 """
                 if not has_superadmin_permission(apiuser):
                     raise JSONRPCForbidden()
                 user = get_user_or_error(userid)
                 try:
                     UserModel().delete(userid)
                     Session().commit()
                     return {
                         'msg': 'deleted user ID:%s %s' % (user.user_id, user.username),
                         'user': None
                     }
                 except Exception:
                     log.exception("Error occurred during deleting of user")
                     raise JSONRPCError(
                         'failed to delete user ID:%s %s' % (user.user_id, user.username))
             @jsonrpc_method()
             def get_user_locks(request, apiuser, userid=Optional(OAttr('apiuser'))):
                 """
                 Displays all repositories locked by the specified user.
                 * If this command is run by a non-admin user, it returns
                   a list of |repos| locked by that user.
                 This command takes the following options:
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param userid: Sets the userid whose list of locked |repos| will be
                     displayed.
                 :type userid: Optional(str or int)
                 Example output:
                 .. code-block:: bash
                     id : <id_given_in_input>
                     result : {
                         [repo_object, repo_object,...]
                     }
                     error :  null
                 """
                 include_secrets = False
                 if not has_superadmin_permission(apiuser):
                     # make sure normal user does not pass someone else userid,
                     # he is not allowed to do that
                     if not isinstance(userid, Optional) and userid != apiuser.user_id:
                         raise JSONRPCError('userid is not the same as your user')
                 else:
                     include_secrets = True
                 userid = Optional.extract(userid, evaluate_locals=locals())
                 userid = getattr(userid, 'user_id', userid)
                 user = get_user_or_error(userid)
                 ret = []
                 # show all locks
                 for r in Repository.getAll():
                     _user_id, _time, _reason = r.locked
                     if _user_id and _time:
                         _api_data = r.get_api_data(include_secrets=include_secrets)
                         # if we use user filter just show the locks for this user
                         if safe_int(_user_id) == user.user_id:
                             ret.append(_api_data)
                 return ret

rhodecode/lib/db_manage.py

0 +6 -4

             # -*- coding: utf-8 -*-
             # Copyright (C) 2010-2017 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             """
             Database creation, and setup module for RhodeCode Enterprise. Used for creation
             of database as well as for migration operations
             """
             import os
             import sys
             import time
             import uuid
             import logging
             import getpass
             from os.path import dirname as dn, join as jn
             from sqlalchemy.engine import create_engine
             from rhodecode import __dbversion__
             from rhodecode.model import init_model
             from rhodecode.model.user import UserModel
             from rhodecode.model.db import (
                 User, Permission, RhodeCodeUi, RhodeCodeSetting, UserToPerm,
                 DbMigrateVersion, RepoGroup, UserRepoGroupToPerm, CacheKey, Repository)
             from rhodecode.model.meta import Session, Base
             from rhodecode.model.permission import PermissionModel
             from rhodecode.model.repo import RepoModel
             from rhodecode.model.repo_group import RepoGroupModel
             from rhodecode.model.settings import SettingsModel
             log = logging.getLogger(__name__)
             def notify(msg):
                 """
                 Notification for migrations messages
                 """
                 ml = len(msg) + (4 * 2)
                 print('\n%s\n*** %s ***\n%s' % ('*' * ml, msg, '*' * ml)).upper()
             class DbManage(object):
                 def __init__(self, log_sql, dbconf, root, tests=False,
                              SESSION=None, cli_args={}):
                     self.dbname = dbconf.split('/')[-1]
                     self.tests = tests
                     self.root = root
                     self.dburi = dbconf
                     self.log_sql = log_sql
                     self.db_exists = False
                     self.cli_args = cli_args
                     self.init_db(SESSION=SESSION)
                     self.ask_ok = self.get_ask_ok_func(self.cli_args.get('force_ask'))
                 def get_ask_ok_func(self, param):
                     if param not in [None]:
                         # return a function lambda that has a default set to param
                         return lambda *args, **kwargs: param
                     else:
                         from rhodecode.lib.utils import ask_ok
                         return ask_ok
                 def init_db(self, SESSION=None):
                     if SESSION:
                         self.sa = SESSION
                     else:
                         # init new sessions
                         engine = create_engine(self.dburi, echo=self.log_sql)
                         init_model(engine)
                         self.sa = Session()
                 def create_tables(self, override=False):
                     """
                     Create a auth database
                     """
                     log.info("Existing database with the same name is going to be destroyed.")
                     log.info("Setup command will run DROP ALL command on that database.")
                     if self.tests:
                         destroy = True
                     else:
                         destroy = self.ask_ok('Are you sure that you want to destroy the old database? [y/n]')
                     if not destroy:
                         log.info('Nothing done.')
                         sys.exit(0)
                     if destroy:
                         Base.metadata.drop_all()
                     checkfirst = not override
                     Base.metadata.create_all(checkfirst=checkfirst)
                     log.info('Created tables for %s' % self.dbname)
                 def set_db_version(self):
                     ver = DbMigrateVersion()
                     ver.version = __dbversion__
                     ver.repository_id = 'rhodecode_db_migrations'
                     ver.repository_path = 'versions'
                     self.sa.add(ver)
                     log.info('db version set to: %s' % __dbversion__)
                 def run_pre_migration_tasks(self):
                     """
                     Run various tasks before actually doing migrations
                     """
                     # delete cache keys on each upgrade
                     total = CacheKey.query().count()
                     log.info("Deleting (%s) cache keys now...", total)
                     CacheKey.delete_all_cache()
                 def upgrade(self):
                     """
                     Upgrades given database schema to given revision following
                     all needed steps, to perform the upgrade
                     """
                     from rhodecode.lib.dbmigrate.migrate.versioning import api
                     from rhodecode.lib.dbmigrate.migrate.exceptions import \
                         DatabaseNotControlledError
                     if 'sqlite' in self.dburi:
                         print (
                            '********************** WARNING **********************\n'
                            'Make sure your version of sqlite is at least 3.7.X.  \n'
                            'Earlier versions are known to fail on some migrations\n'
                            '*****************************************************\n')
                     upgrade = self.ask_ok(
                         'You are about to perform a database upgrade. Make '
                         'sure you have backed up your database. '
                         'Continue ? [y/n]')
                     if not upgrade:
                         log.info('No upgrade performed')
                         sys.exit(0)
                     repository_path = jn(dn(dn(dn(os.path.realpath(__file__)))),
                                          'rhodecode/lib/dbmigrate')
                     db_uri = self.dburi
                     try:
                         curr_version = api.db_version(db_uri, repository_path)
                         msg = ('Found current database under version '
                                'control with version %s' % curr_version)
                     except (RuntimeError, DatabaseNotControlledError):
                         curr_version = 1
                         msg = ('Current database is not under version control. Setting '
                                'as version %s' % curr_version)
                         api.version_control(db_uri, repository_path, curr_version)
                     notify(msg)
                     self.run_pre_migration_tasks()
                     if curr_version == __dbversion__:
                         log.info('This database is already at the newest version')
                         sys.exit(0)
                     upgrade_steps = range(curr_version + 1, __dbversion__ + 1)
                     notify('attempting to upgrade database from '
                            'version %s to version %s' % (curr_version, __dbversion__))
                     # CALL THE PROPER ORDER OF STEPS TO PERFORM FULL UPGRADE
                     _step = None
                     for step in upgrade_steps:
                         notify('performing upgrade step %s' % step)
                         time.sleep(0.5)
                         api.upgrade(db_uri, repository_path, step)
                         self.sa.rollback()
                         notify('schema upgrade for step %s completed' % (step,))
                         _step = step
                     notify('upgrade to version %s successful' % _step)
                 def fix_repo_paths(self):
                     """
                     Fixes an old RhodeCode version path into new one without a '*'
                     """
                     paths = self.sa.query(RhodeCodeUi)\
                             .filter(RhodeCodeUi.ui_key == '/')\
                             .scalar()
                     paths.ui_value = paths.ui_value.replace('*', '')
                     try:
                         self.sa.add(paths)
                         self.sa.commit()
                     except Exception:
                         self.sa.rollback()
                         raise
                 def fix_default_user(self):
                     """
                     Fixes an old default user with some 'nicer' default values,
                     used mostly for anonymous access
                     """
                     def_user = self.sa.query(User)\
                             .filter(User.username == User.DEFAULT_USER)\
                             .one()
                     def_user.name = 'Anonymous'
                     def_user.lastname = 'User'
                     def_user.email = User.DEFAULT_USER_EMAIL
                     try:
                         self.sa.add(def_user)
                         self.sa.commit()
                     except Exception:
                         self.sa.rollback()
                         raise
                 def fix_settings(self):
                     """
                     Fixes rhodecode settings and adds ga_code key for google analytics
                     """
                     hgsettings3 = RhodeCodeSetting('ga_code', '')
                     try:
                         self.sa.add(hgsettings3)
                         self.sa.commit()
                     except Exception:
                         self.sa.rollback()
                         raise
                 def create_admin_and_prompt(self):
                     # defaults
                     defaults = self.cli_args
                     username = defaults.get('username')
                     password = defaults.get('password')
                     email = defaults.get('email')
                     if username is None:
                         username = raw_input('Specify admin username:')
                     if password is None:
                         password = self._get_admin_password()
                         if not password:
                             # second try
                             password = self._get_admin_password()
                             if not password:
                                 sys.exit()
                     if email is None:
                         email = raw_input('Specify admin email:')
                     api_key = self.cli_args.get('api_key')
                     self.create_user(username, password, email, True,
                                      strict_creation_check=False,
                                      api_key=api_key)
                 def _get_admin_password(self):
                     password = getpass.getpass('Specify admin password '
                                                '(min 6 chars):')
                     confirm = getpass.getpass('Confirm password:')
                     if password != confirm:
                         log.error('passwords mismatch')
                         return False
                     if len(password) < 6:
                         log.error('password is too short - use at least 6 characters')
                         return False
                     return password
                 def create_test_admin_and_users(self):
                     log.info('creating admin and regular test users')
                     from rhodecode.tests import TEST_USER_ADMIN_LOGIN, \
                         TEST_USER_ADMIN_PASS, TEST_USER_ADMIN_EMAIL, \
                         TEST_USER_REGULAR_LOGIN, TEST_USER_REGULAR_PASS, \
                         TEST_USER_REGULAR_EMAIL, TEST_USER_REGULAR2_LOGIN, \
                         TEST_USER_REGULAR2_PASS, TEST_USER_REGULAR2_EMAIL
                     self.create_user(TEST_USER_ADMIN_LOGIN, TEST_USER_ADMIN_PASS,
-                                     TEST_USER_ADMIN_EMAIL, True)
+                                     TEST_USER_ADMIN_EMAIL, True, api_key=True)
                     self.create_user(TEST_USER_REGULAR_LOGIN, TEST_USER_REGULAR_PASS,
-                                     TEST_USER_REGULAR_EMAIL, False)
+                                     TEST_USER_REGULAR_EMAIL, False, api_key=True)
                     self.create_user(TEST_USER_REGULAR2_LOGIN, TEST_USER_REGULAR2_PASS,
-                                     TEST_USER_REGULAR2_EMAIL, False)
+                                     TEST_USER_REGULAR2_EMAIL, False, api_key=True)
                 def create_ui_settings(self, repo_store_path):
                     """
                     Creates ui settings, fills out hooks
                     and disables dotencode
                     """
                     settings_model = SettingsModel(sa=self.sa)
                     # Build HOOKS
                     hooks = [
                         (RhodeCodeUi.HOOK_REPO_SIZE, 'python:vcsserver.hooks.repo_size'),
                         # HG
                         (RhodeCodeUi.HOOK_PRE_PULL, 'python:vcsserver.hooks.pre_pull'),
                         (RhodeCodeUi.HOOK_PULL, 'python:vcsserver.hooks.log_pull_action'),
                         (RhodeCodeUi.HOOK_PRE_PUSH, 'python:vcsserver.hooks.pre_push'),
                         (RhodeCodeUi.HOOK_PRETX_PUSH, 'python:vcsserver.hooks.pre_push'),
                         (RhodeCodeUi.HOOK_PUSH, 'python:vcsserver.hooks.log_push_action'),
                     ]
                     for key, value in hooks:
                         hook_obj = settings_model.get_ui_by_key(key)
                         hooks2 = hook_obj if hook_obj else RhodeCodeUi()
                         hooks2.ui_section = 'hooks'
                         hooks2.ui_key = key
                         hooks2.ui_value = value
                         self.sa.add(hooks2)
                     # enable largefiles
                     largefiles = RhodeCodeUi()
                     largefiles.ui_section = 'extensions'
                     largefiles.ui_key = 'largefiles'
                     largefiles.ui_value = ''
                     self.sa.add(largefiles)
                     # set default largefiles cache dir, defaults to
                     # /repo location/.cache/largefiles
                     largefiles = RhodeCodeUi()
                     largefiles.ui_section = 'largefiles'
                     largefiles.ui_key = 'usercache'
                     largefiles.ui_value = os.path.join(repo_store_path, '.cache',
                                                        'largefiles')
                     self.sa.add(largefiles)
                     # enable hgsubversion disabled by default
                     hgsubversion = RhodeCodeUi()
                     hgsubversion.ui_section = 'extensions'
                     hgsubversion.ui_key = 'hgsubversion'
                     hgsubversion.ui_value = ''
                     hgsubversion.ui_active = False
                     self.sa.add(hgsubversion)
                     # enable hggit disabled by default
                     hggit = RhodeCodeUi()
                     hggit.ui_section = 'extensions'
                     hggit.ui_key = 'hggit'
                     hggit.ui_value = ''
                     hggit.ui_active = False
                     self.sa.add(hggit)
                     # set svn branch defaults
                     branches = ["/branches/*", "/trunk"]
                     tags = ["/tags/*"]
                     for branch in branches:
                         settings_model.create_ui_section_value(
                             RhodeCodeUi.SVN_BRANCH_ID, branch)
                     for tag in tags:
                         settings_model.create_ui_section_value(RhodeCodeUi.SVN_TAG_ID, tag)
                 def create_auth_plugin_options(self, skip_existing=False):
                     """
                     Create default auth plugin settings, and make it active
                     :param skip_existing:
                     """
                     for k, v, t in [('auth_plugins', 'egg:rhodecode-enterprise-ce#rhodecode', 'list'),
                                     ('auth_rhodecode_enabled', 'True', 'bool')]:
                         if (skip_existing and
                                 SettingsModel().get_setting_by_name(k) is not None):
                             log.debug('Skipping option %s' % k)
                             continue
                         setting = RhodeCodeSetting(k, v, t)
                         self.sa.add(setting)
                 def create_default_options(self, skip_existing=False):
                     """Creates default settings"""
                     for k, v, t in [
                         ('default_repo_enable_locking',  False, 'bool'),
                         ('default_repo_enable_downloads', False, 'bool'),
                         ('default_repo_enable_statistics', False, 'bool'),
                         ('default_repo_private', False, 'bool'),
                         ('default_repo_type', 'hg', 'unicode')]:
                         if (skip_existing and
                                 SettingsModel().get_setting_by_name(k) is not None):
                             log.debug('Skipping option %s' % k)
                             continue
                         setting = RhodeCodeSetting(k, v, t)
                         self.sa.add(setting)
                 def fixup_groups(self):
                     def_usr = User.get_default_user()
                     for g in RepoGroup.query().all():
                         g.group_name = g.get_new_name(g.name)
                         self.sa.add(g)
                         # get default perm
                         default = UserRepoGroupToPerm.query()\
                             .filter(UserRepoGroupToPerm.group == g)\
                             .filter(UserRepoGroupToPerm.user == def_usr)\
                             .scalar()
                         if default is None:
                             log.debug('missing default permission for group %s adding' % g)
                             perm_obj = RepoGroupModel()._create_default_perms(g)
                             self.sa.add(perm_obj)
                 def reset_permissions(self, username):
                     """
                     Resets permissions to default state, useful when old systems had
                     bad permissions, we must clean them up
                     :param username:
                     """
                     default_user = User.get_by_username(username)
                     if not default_user:
                         return
                     u2p = UserToPerm.query()\
                         .filter(UserToPerm.user == default_user).all()
                     fixed = False
                     if len(u2p) != len(Permission.DEFAULT_USER_PERMISSIONS):
                         for p in u2p:
                             Session().delete(p)
                         fixed = True
                         self.populate_default_permissions()
                     return fixed
                 def update_repo_info(self):
                     RepoModel.update_repoinfo()
                 def config_prompt(self, test_repo_path='', retries=3):
                     defaults = self.cli_args
                     _path = defaults.get('repos_location')
                     if retries == 3:
                         log.info('Setting up repositories config')
                     if _path is not None:
                         path = _path
                     elif not self.tests and not test_repo_path:
                         path = raw_input(
                              'Enter a valid absolute path to store repositories. '
                              'All repositories in that path will be added automatically:'
                         )
                     else:
                         path = test_repo_path
                     path_ok = True
                     # check proper dir
                     if not os.path.isdir(path):
                         path_ok = False
                         log.error('Given path %s is not a valid directory' % (path,))
                     elif not os.path.isabs(path):
                         path_ok = False
                         log.error('Given path %s is not an absolute path' % (path,))
                     # check if path is at least readable.
                     if not os.access(path, os.R_OK):
                         path_ok = False
                         log.error('Given path %s is not readable' % (path,))
                     # check write access, warn user about non writeable paths
                     elif not os.access(path, os.W_OK) and path_ok:
                         log.warning('No write permission to given path %s' % (path,))
                         q = ('Given path %s is not writeable, do you want to '
                              'continue with read only mode ? [y/n]' % (path,))
                         if not self.ask_ok(q):
                             log.error('Canceled by user')
                             sys.exit(-1)
                     if retries == 0:
                         sys.exit('max retries reached')
                     if not path_ok:
                         retries -= 1
                         return self.config_prompt(test_repo_path, retries)
                     real_path = os.path.normpath(os.path.realpath(path))
                     if real_path != os.path.normpath(path):
                         q = ('Path looks like a symlink, RhodeCode Enterprise will store '
                              'given path as %s ? [y/n]') % (real_path,)
                         if not self.ask_ok(q):
                             log.error('Canceled by user')
                             sys.exit(-1)
                     return real_path
                 def create_settings(self, path):
                     self.create_ui_settings(path)
                     ui_config = [
                         ('web', 'push_ssl', 'false'),
                         ('web', 'allow_archive', 'gz zip bz2'),
                         ('web', 'allow_push', '*'),
                         ('web', 'baseurl', '/'),
                         ('paths', '/', path),
                         ('phases', 'publish', 'true')
                     ]
                     for section, key, value in ui_config:
                         ui_conf = RhodeCodeUi()
                         setattr(ui_conf, 'ui_section', section)
                         setattr(ui_conf, 'ui_key', key)
                         setattr(ui_conf, 'ui_value', value)
                         self.sa.add(ui_conf)
                     # rhodecode app settings
                     settings = [
                         ('realm', 'RhodeCode', 'unicode'),
                         ('title', '', 'unicode'),
                         ('pre_code', '', 'unicode'),
                         ('post_code', '', 'unicode'),
                         ('show_public_icon', True, 'bool'),
                         ('show_private_icon', True, 'bool'),
                         ('stylify_metatags', False, 'bool'),
                         ('dashboard_items', 100, 'int'),
                         ('admin_grid_items', 25, 'int'),
                         ('show_version', True, 'bool'),
                         ('use_gravatar', False, 'bool'),
                         ('gravatar_url', User.DEFAULT_GRAVATAR_URL, 'unicode'),
                         ('clone_uri_tmpl', Repository.DEFAULT_CLONE_URI, 'unicode'),
                         ('support_url', '', 'unicode'),
                         ('update_url', RhodeCodeSetting.DEFAULT_UPDATE_URL, 'unicode'),
                         ('show_revision_number', True, 'bool'),
                         ('show_sha_length', 12, 'int'),
                     ]
                     for key, val, type_ in settings:
                         sett = RhodeCodeSetting(key, val, type_)
                         self.sa.add(sett)
                     self.create_auth_plugin_options()
                     self.create_default_options()
                     log.info('created ui config')
                 def create_user(self, username, password, email='', admin=False,
                                 strict_creation_check=True, api_key=None):
                     log.info('creating user %s' % username)
                     user = UserModel().create_or_update(
                         username, password, email, firstname='RhodeCode', lastname='Admin',
                         active=True, admin=admin, extern_type="rhodecode",
                         strict_creation_check=strict_creation_check)
                     if api_key:
                         log.info('setting a provided api key for the user %s', username)
-                        user.api_key = api_key
+                        from rhodecode.model.auth_token import AuthTokenModel
+                        AuthTokenModel().create(
+                            user=user, description='BUILTIN TOKEN')
                 def create_default_user(self):
                     log.info('creating default user')
                     # create default user for handling default permissions.
                     user = UserModel().create_or_update(username=User.DEFAULT_USER,
                                                         password=str(uuid.uuid1())[:20],
                                                         email=User.DEFAULT_USER_EMAIL,
                                                         firstname='Anonymous',
                                                         lastname='User',
                                                         strict_creation_check=False)
                     # based on configuration options activate/deactive this user which
                     # controlls anonymous access
                     if self.cli_args.get('public_access') is False:
                         log.info('Public access disabled')
                         user.active = False
                         Session().add(user)
                         Session().commit()
                 def create_permissions(self):
                     """
                     Creates all permissions defined in the system
                     """
                     # module.(access|create|change|delete)_[name]
                     # module.(none|read|write|admin)
                     log.info('creating permissions')
                     PermissionModel(self.sa).create_permissions()
                 def populate_default_permissions(self):
                     """
                     Populate default permissions. It will create only the default
                     permissions that are missing, and not alter already defined ones
                     """
                     log.info('creating default user permissions')
                     PermissionModel(self.sa).create_default_user_permissions(user=User.DEFAULT_USER)

rhodecode/lib/hooks_base.py

0 +7 -2

             # -*- coding: utf-8 -*-
             # Copyright (C) 2013-2017 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             """
             Set of hooks run by RhodeCode Enterprise
             """
             import os
             import collections
             import logging
             import rhodecode
             from rhodecode import events
             from rhodecode.lib import helpers as h
             from rhodecode.lib.utils import action_logger
             from rhodecode.lib.utils2 import safe_str
             from rhodecode.lib.exceptions import HTTPLockedRC, UserCreationError
             from rhodecode.model.db import Repository, User
             log = logging.getLogger(__name__)
             HookResponse = collections.namedtuple('HookResponse', ('status', 'output'))
             def is_shadow_repo(extras):
                 """
                 Returns ``True`` if this is an action executed against a shadow repository.
                 """
                 return extras['is_shadow_repo']
             def _get_scm_size(alias, root_path):
                 if not alias.startswith('.'):
                     alias += '.'
                 size_scm, size_root = 0, 0
                 for path, unused_dirs, files in os.walk(safe_str(root_path)):
                     if path.find(alias) != -1:
                         for f in files:
                             try:
                                 size_scm += os.path.getsize(os.path.join(path, f))
                             except OSError:
                                 pass
                     else:
                         for f in files:
                             try:
                                 size_root += os.path.getsize(os.path.join(path, f))
                             except OSError:
                                 pass
                 size_scm_f = h.format_byte_size_binary(size_scm)
                 size_root_f = h.format_byte_size_binary(size_root)
                 size_total_f = h.format_byte_size_binary(size_root + size_scm)
                 return size_scm_f, size_root_f, size_total_f
             # actual hooks called by Mercurial internally, and GIT by our Python Hooks
             def repo_size(extras):
                 """Present size of repository after push."""
                 repo = Repository.get_by_repo_name(extras.repository)
                 vcs_part = safe_str(u'.%s' % repo.repo_type)
                 size_vcs, size_root, size_total = _get_scm_size(vcs_part,
                                                                 repo.repo_full_path)
                 msg = ('Repository `%s` size summary %s:%s repo:%s total:%s\n'
                        % (repo.repo_name, vcs_part, size_vcs, size_root, size_total))
                 return HookResponse(0, msg)
             def pre_push(extras):
                 """
                 Hook executed before pushing code.
                 It bans pushing when the repository is locked.
                 """
                 usr = User.get_by_username(extras.username)
                 output = ''
                 if extras.locked_by[0] and usr.user_id != int(extras.locked_by[0]):
                     locked_by = User.get(extras.locked_by[0]).username
                     reason = extras.locked_by[2]
                     # this exception is interpreted in git/hg middlewares and based
                     # on that proper return code is server to client
                     _http_ret = HTTPLockedRC(
                         _locked_by_explanation(extras.repository, locked_by, reason))
                     if str(_http_ret.code).startswith('2'):
                         # 2xx Codes don't raise exceptions
                         output = _http_ret.title
                     else:
                         raise _http_ret
                 # Propagate to external components. This is done after checking the
                 # lock, for consistent behavior.
                 if not is_shadow_repo(extras):
                     pre_push_extension(repo_store_path=Repository.base_path(), **extras)
                     events.trigger(events.RepoPrePushEvent(
                         repo_name=extras.repository, extras=extras))
                 return HookResponse(0, output)
             def pre_pull(extras):
                 """
                 Hook executed before pulling the code.
                 It bans pulling when the repository is locked.
                 """
                 output = ''
                 if extras.locked_by[0]:
                     locked_by = User.get(extras.locked_by[0]).username
                     reason = extras.locked_by[2]
                     # this exception is interpreted in git/hg middlewares and based
                     # on that proper return code is server to client
                     _http_ret = HTTPLockedRC(
                         _locked_by_explanation(extras.repository, locked_by, reason))
                     if str(_http_ret.code).startswith('2'):
                         # 2xx Codes don't raise exceptions
                         output = _http_ret.title
                     else:
                         raise _http_ret
                 # Propagate to external components. This is done after checking the
                 # lock, for consistent behavior.
                 if not is_shadow_repo(extras):
                     pre_pull_extension(**extras)
                     events.trigger(events.RepoPrePullEvent(
                         repo_name=extras.repository, extras=extras))
                 return HookResponse(0, output)
             def post_pull(extras):
                 """Hook executed after client pulls the code."""
                 user = User.get_by_username(extras.username)
                 action = 'pull'
                 action_logger(user, action, extras.repository, extras.ip, commit=True)
                 # Propagate to external components.
                 if not is_shadow_repo(extras):
                     post_pull_extension(**extras)
                     events.trigger(events.RepoPullEvent(
                         repo_name=extras.repository, extras=extras))
                 output = ''
                 # make lock is a tri state False, True, None. We only make lock on True
                 if extras.make_lock is True and not is_shadow_repo(extras):
                     Repository.lock(Repository.get_by_repo_name(extras.repository),
                                     user.user_id,
                                     lock_reason=Repository.LOCK_PULL)
                     msg = 'Made lock on repo `%s`' % (extras.repository,)
                     output += msg
                 if extras.locked_by[0]:
                     locked_by = User.get(extras.locked_by[0]).username
                     reason = extras.locked_by[2]
                     _http_ret = HTTPLockedRC(
                         _locked_by_explanation(extras.repository, locked_by, reason))
                     if str(_http_ret.code).startswith('2'):
                         # 2xx Codes don't raise exceptions
                         output += _http_ret.title
                 return HookResponse(0, output)
             def post_push(extras):
                 """Hook executed after user pushes to the repository."""
                 action_tmpl = extras.action + ':%s'
                 commit_ids = extras.commit_ids[:29000]
                 action = action_tmpl % ','.join(commit_ids)
                 action_logger(
                     extras.username, action, extras.repository, extras.ip, commit=True)
                 # Propagate to external components.
                 if not is_shadow_repo(extras):
                     post_push_extension(
                         repo_store_path=Repository.base_path(),
                         pushed_revs=commit_ids,
                         **extras)
                     events.trigger(events.RepoPushEvent(
                         repo_name=extras.repository,
                         pushed_commit_ids=commit_ids,
                         extras=extras))
                 output = ''
                 # make lock is a tri state False, True, None. We only release lock on False
                 if extras.make_lock is False and not is_shadow_repo(extras):
                     Repository.unlock(Repository.get_by_repo_name(extras.repository))
                     msg = 'Released lock on repo `%s`\n' % extras.repository
                     output += msg
                 if extras.locked_by[0]:
                     locked_by = User.get(extras.locked_by[0]).username
                     reason = extras.locked_by[2]
                     _http_ret = HTTPLockedRC(
                         _locked_by_explanation(extras.repository, locked_by, reason))
                     # TODO: johbo: if not?
                     if str(_http_ret.code).startswith('2'):
                         # 2xx Codes don't raise exceptions
                         output += _http_ret.title
                 output += 'RhodeCode: push completed\n'
                 return HookResponse(0, output)
             def _locked_by_explanation(repo_name, user_name, reason):
                 message = (
                     'Repository `%s` locked by user `%s`. Reason:`%s`'
                     % (repo_name, user_name, reason))
                 return message
             def check_allowed_create_user(user_dict, created_by, **kwargs):
                 # pre create hooks
                 if pre_create_user.is_active():
                     allowed, reason = pre_create_user(created_by=created_by, **user_dict)
                     if not allowed:
                         raise UserCreationError(reason)
             class ExtensionCallback(object):
                 """
                 Forwards a given call to rcextensions, sanitizes keyword arguments.
                 Does check if there is an extension active for that hook. If it is
                 there, it will forward all `kwargs_keys` keyword arguments to the
                 extension callback.
                 """
                 def __init__(self, hook_name, kwargs_keys):
                     self._hook_name = hook_name
                     self._kwargs_keys = set(kwargs_keys)
                 def __call__(self, *args, **kwargs):
                     log.debug('Calling extension callback for %s', self._hook_name)
                     kwargs_to_pass = dict((key, kwargs[key]) for key in self._kwargs_keys)
+                    # backward compat for removed api_key for old hooks. THis was it works
+                    # with older rcextensions that require api_key present
+                    if self._hook_name in ['CREATE_USER_HOOK', 'DELETE_USER_HOOK']:
+                        kwargs_to_pass['api_key'] = '_DEPRECATED_'
                     callback = self._get_callback()
                     if callback:
                         return callback(**kwargs_to_pass)
                     else:
                         log.debug('extensions callback not found skipping...')
                 def is_active(self):
                     return hasattr(rhodecode.EXTENSIONS, self._hook_name)
                 def _get_callback(self):
                     return getattr(rhodecode.EXTENSIONS, self._hook_name, None)
             pre_pull_extension = ExtensionCallback(
                 hook_name='PRE_PULL_HOOK',
                 kwargs_keys=(
                     'server_url', 'config', 'scm', 'username', 'ip', 'action',
                     'repository'))
             post_pull_extension = ExtensionCallback(
                 hook_name='PULL_HOOK',
                 kwargs_keys=(
                     'server_url', 'config', 'scm', 'username', 'ip', 'action',
                     'repository'))
             pre_push_extension = ExtensionCallback(
                 hook_name='PRE_PUSH_HOOK',
                 kwargs_keys=(
                     'server_url', 'config', 'scm', 'username', 'ip', 'action',
                     'repository', 'repo_store_path', 'commit_ids'))
             post_push_extension = ExtensionCallback(
                 hook_name='PUSH_HOOK',
                 kwargs_keys=(
                     'server_url', 'config', 'scm', 'username', 'ip', 'action',
                     'repository', 'repo_store_path', 'pushed_revs'))
             pre_create_user = ExtensionCallback(
                 hook_name='PRE_CREATE_USER_HOOK',
                 kwargs_keys=(
                     'username', 'password', 'email', 'firstname', 'lastname', 'active',
                     'admin', 'created_by'))
             log_create_pull_request = ExtensionCallback(
                 hook_name='CREATE_PULL_REQUEST',
                 kwargs_keys=(
                     'server_url', 'config', 'scm', 'username', 'ip', 'action',
                     'repository', 'pull_request_id', 'url', 'title', 'description',
                     'status', 'created_on', 'updated_on', 'commit_ids', 'review_status',
                     'mergeable', 'source', 'target', 'author', 'reviewers'))
             log_merge_pull_request = ExtensionCallback(
                 hook_name='MERGE_PULL_REQUEST',
                 kwargs_keys=(
                     'server_url', 'config', 'scm', 'username', 'ip', 'action',
                     'repository', 'pull_request_id', 'url', 'title', 'description',
                     'status', 'created_on', 'updated_on', 'commit_ids', 'review_status',
                     'mergeable', 'source', 'target', 'author', 'reviewers'))
             log_close_pull_request = ExtensionCallback(
                 hook_name='CLOSE_PULL_REQUEST',
                 kwargs_keys=(
                     'server_url', 'config', 'scm', 'username', 'ip', 'action',
                     'repository', 'pull_request_id', 'url', 'title', 'description',
                     'status', 'created_on', 'updated_on', 'commit_ids', 'review_status',
                     'mergeable', 'source', 'target', 'author', 'reviewers'))
             log_review_pull_request = ExtensionCallback(
                 hook_name='REVIEW_PULL_REQUEST',
                 kwargs_keys=(
                     'server_url', 'config', 'scm', 'username', 'ip', 'action',
                     'repository', 'pull_request_id', 'url', 'title', 'description',
                     'status', 'created_on', 'updated_on', 'commit_ids', 'review_status',
                     'mergeable', 'source', 'target', 'author', 'reviewers'))
             log_update_pull_request = ExtensionCallback(
                 hook_name='UPDATE_PULL_REQUEST',
                 kwargs_keys=(
                     'server_url', 'config', 'scm', 'username', 'ip', 'action',
                     'repository', 'pull_request_id', 'url', 'title', 'description',
                     'status', 'created_on', 'updated_on', 'commit_ids', 'review_status',
                     'mergeable', 'source', 'target', 'author', 'reviewers'))
             log_create_user = ExtensionCallback(
                 hook_name='CREATE_USER_HOOK',
                 kwargs_keys=(
                     'username', 'full_name_or_username', 'full_contact', 'user_id',
                     'name', 'firstname', 'short_contact', 'admin', 'lastname',
                     'ip_addresses', 'extern_type', 'extern_name',
-                    'email', 'api_key', 'api_keys', 'last_login',
+                    'email', 'api_keys', 'last_login',
                     'full_name', 'active', 'password', 'emails',
                     'inherit_default_permissions', 'created_by', 'created_on'))
             log_delete_user = ExtensionCallback(
                 hook_name='DELETE_USER_HOOK',
                 kwargs_keys=(
                     'username', 'full_name_or_username', 'full_contact', 'user_id',
                     'name', 'firstname', 'short_contact', 'admin', 'lastname',
                     'ip_addresses',
-                    'email', 'api_key', 'last_login',
+                    'email', 'last_login',
                     'full_name', 'active', 'password', 'emails',
                     'inherit_default_permissions', 'deleted_by'))
             log_create_repository = ExtensionCallback(
                 hook_name='CREATE_REPO_HOOK',
                 kwargs_keys=(
                     'repo_name', 'repo_type', 'description', 'private', 'created_on',
                     'enable_downloads', 'repo_id', 'user_id', 'enable_statistics',
                     'clone_uri', 'fork_id', 'group_id', 'created_by'))
             log_delete_repository = ExtensionCallback(
                 hook_name='DELETE_REPO_HOOK',
                 kwargs_keys=(
                     'repo_name', 'repo_type', 'description', 'private', 'created_on',
                     'enable_downloads', 'repo_id', 'user_id', 'enable_statistics',
                     'clone_uri', 'fork_id', 'group_id', 'deleted_by', 'deleted_on'))
             log_create_repository_group = ExtensionCallback(
                 hook_name='CREATE_REPO_GROUP_HOOK',
                 kwargs_keys=(
                     'group_name', 'group_parent_id', 'group_description',
                     'group_id', 'user_id', 'created_by', 'created_on',
                     'enable_locking'))

rhodecode/model/db.py

0 +6 0

             # -*- coding: utf-8 -*-
             # Copyright (C) 2010-2017 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             """
             Database Models for RhodeCode Enterprise
             """
             import re
             import os
             import time
             import hashlib
             import logging
             import datetime
             import warnings
             import ipaddress
             import functools
             import traceback
             import collections
             from sqlalchemy import *
             from sqlalchemy.ext.declarative import declared_attr
             from sqlalchemy.ext.hybrid import hybrid_property
             from sqlalchemy.orm import (
                 relationship, joinedload, class_mapper, validates, aliased)
             from sqlalchemy.sql.expression import true
             from beaker.cache import cache_region
             from webob.exc import HTTPNotFound
             from zope.cachedescriptors.property import Lazy as LazyProperty
             from pylons import url
             from pylons.i18n.translation import lazy_ugettext as _
             from rhodecode.lib.vcs import get_vcs_instance
             from rhodecode.lib.vcs.backends.base import EmptyCommit, Reference
             from rhodecode.lib.utils2 import (
                 str2bool, safe_str, get_commit_safe, safe_unicode, md5_safe,
                 time_to_datetime, aslist, Optional, safe_int, get_clone_url, AttributeDict,
                 glob2re, StrictAttributeDict, cleaned_uri)
             from rhodecode.lib.jsonalchemy import MutationObj, MutationList, JsonType
             from rhodecode.lib.ext_json import json
             from rhodecode.lib.caching_query import FromCache
             from rhodecode.lib.encrypt import AESCipher
             from rhodecode.model.meta import Base, Session
             URL_SEP = '/'
             log = logging.getLogger(__name__)
             # =============================================================================
             # BASE CLASSES
             # =============================================================================
             # this is propagated from .ini file rhodecode.encrypted_values.secret or
             # beaker.session.secret if first is not set.
             # and initialized at environment.py
             ENCRYPTION_KEY = None
             # used to sort permissions by types, '#' used here is not allowed to be in
             # usernames, and it's very early in sorted string.printable table.
             PERMISSION_TYPE_SORT = {
                 'admin': '####',
                 'write': '###',
                 'read':  '##',
                 'none':  '#',
             }
             def display_sort(obj):
                 """
                 Sort function used to sort permissions in .permissions() function of
                 Repository, RepoGroup, UserGroup. Also it put the default user in front
                 of all other resources
                 """
                 if obj.username == User.DEFAULT_USER:
                     return '#####'
                 prefix = PERMISSION_TYPE_SORT.get(obj.permission.split('.')[-1], '')
                 return prefix + obj.username
             def _hash_key(k):
                 return md5_safe(k)
             class EncryptedTextValue(TypeDecorator):
                 """
                 Special column for encrypted long text data, use like::
                     value = Column("encrypted_value", EncryptedValue(), nullable=False)
                 This column is intelligent so if value is in unencrypted form it return
                 unencrypted form, but on save it always encrypts
                 """
                 impl = Text
                 def process_bind_param(self, value, dialect):
                     if not value:
                         return value
                     if value.startswith('enc$aes$') or value.startswith('enc$aes_hmac$'):
                         # protect against double encrypting if someone manually starts
                         # doing
                         raise ValueError('value needs to be in unencrypted format, ie. '
                                          'not starting with enc$aes')
                     return 'enc$aes_hmac$%s' % AESCipher(
                         ENCRYPTION_KEY, hmac=True).encrypt(value)
                 def process_result_value(self, value, dialect):
                     import rhodecode
                     if not value:
                         return value
                     parts = value.split('$', 3)
                     if not len(parts) == 3:
                         # probably not encrypted values
                         return value
                     else:
                         if parts[0] != 'enc':
                             # parts ok but without our header ?
                             return value
                         enc_strict_mode = str2bool(rhodecode.CONFIG.get(
                             'rhodecode.encrypted_values.strict') or True)
                         # at that stage we know it's our encryption
                         if parts[1] == 'aes':
                             decrypted_data = AESCipher(ENCRYPTION_KEY).decrypt(parts[2])
                         elif parts[1] == 'aes_hmac':
                             decrypted_data = AESCipher(
                                 ENCRYPTION_KEY, hmac=True,
                                 strict_verification=enc_strict_mode).decrypt(parts[2])
                         else:
                             raise ValueError(
                                 'Encryption type part is wrong, must be `aes` '
                                 'or `aes_hmac`, got `%s` instead' % (parts[1]))
                         return decrypted_data
             class BaseModel(object):
                 """
                 Base Model for all classes
                 """
                 @classmethod
                 def _get_keys(cls):
                     """return column names for this model """
                     return class_mapper(cls).c.keys()
                 def get_dict(self):
                     """
                     return dict with keys and values corresponding
                     to this model data """
                     d = {}
                     for k in self._get_keys():
                         d[k] = getattr(self, k)
                     # also use __json__() if present to get additional fields
                     _json_attr = getattr(self, '__json__', None)
                     if _json_attr:
                         # update with attributes from __json__
                         if callable(_json_attr):
                             _json_attr = _json_attr()
                         for k, val in _json_attr.iteritems():
                             d[k] = val
                     return d
                 def get_appstruct(self):
                     """return list with keys and values tuples corresponding
                     to this model data """
                     l = []
                     for k in self._get_keys():
                         l.append((k, getattr(self, k),))
                     return l
                 def populate_obj(self, populate_dict):
                     """populate model with data from given populate_dict"""
                     for k in self._get_keys():
                         if k in populate_dict:
                             setattr(self, k, populate_dict[k])
                 @classmethod
                 def query(cls):
                     return Session().query(cls)
                 @classmethod
                 def get(cls, id_):
                     if id_:
                         return cls.query().get(id_)
                 @classmethod
                 def get_or_404(cls, id_):
                     try:
                         id_ = int(id_)
                     except (TypeError, ValueError):
                         raise HTTPNotFound
                     res = cls.query().get(id_)
                     if not res:
                         raise HTTPNotFound
                     return res
                 @classmethod
                 def getAll(cls):
                     # deprecated and left for backward compatibility
                     return cls.get_all()
                 @classmethod
                 def get_all(cls):
                     return cls.query().all()
                 @classmethod
                 def delete(cls, id_):
                     obj = cls.query().get(id_)
                     Session().delete(obj)
                 @classmethod
                 def identity_cache(cls, session, attr_name, value):
                     exist_in_session = []
                     for (item_cls, pkey), instance in session.identity_map.items():
                         if cls == item_cls and getattr(instance, attr_name) == value:
                             exist_in_session.append(instance)
                     if exist_in_session:
                         if len(exist_in_session) == 1:
                             return exist_in_session[0]
                         log.exception(
                             'multiple objects with attr %s and '
                             'value %s found with same name: %r',
                             attr_name, value, exist_in_session)
                 def __repr__(self):
                     if hasattr(self, '__unicode__'):
                         # python repr needs to return str
                         try:
                             return safe_str(self.__unicode__())
                         except UnicodeDecodeError:
                             pass
                     return '<DB:%s>' % (self.__class__.__name__)
             class RhodeCodeSetting(Base, BaseModel):
                 __tablename__ = 'rhodecode_settings'
                 __table_args__ = (
                     UniqueConstraint('app_settings_name'),
                     {'extend_existing': True, 'mysql_engine': 'InnoDB',
                      'mysql_charset': 'utf8', 'sqlite_autoincrement': True}
                 )
                 SETTINGS_TYPES = {
                     'str': safe_str,
                     'int': safe_int,
                     'unicode': safe_unicode,
                     'bool': str2bool,
                     'list': functools.partial(aslist, sep=',')
                 }
                 DEFAULT_UPDATE_URL = 'https://rhodecode.com/api/v1/info/versions'
                 GLOBAL_CONF_KEY = 'app_settings'
                 app_settings_id = Column("app_settings_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 app_settings_name = Column("app_settings_name", String(255), nullable=True, unique=None, default=None)
                 _app_settings_value = Column("app_settings_value", String(4096), nullable=True, unique=None, default=None)
                 _app_settings_type = Column("app_settings_type", String(255), nullable=True, unique=None, default=None)
                 def __init__(self, key='', val='', type='unicode'):
                     self.app_settings_name = key
                     self.app_settings_type = type
                     self.app_settings_value = val
                 @validates('_app_settings_value')
                 def validate_settings_value(self, key, val):
                     assert type(val) == unicode
                     return val
                 @hybrid_property
                 def app_settings_value(self):
                     v = self._app_settings_value
                     _type = self.app_settings_type
                     if _type:
                         _type = self.app_settings_type.split('.')[0]
                         # decode the encrypted value
                         if 'encrypted' in self.app_settings_type:
                             cipher = EncryptedTextValue()
                             v = safe_unicode(cipher.process_result_value(v, None))
                     converter = self.SETTINGS_TYPES.get(_type) or \
                         self.SETTINGS_TYPES['unicode']
                     return converter(v)
                 @app_settings_value.setter
                 def app_settings_value(self, val):
                     """
                     Setter that will always make sure we use unicode in app_settings_value
                     :param val:
                     """
                     val = safe_unicode(val)
                     # encode the encrypted value
                     if 'encrypted' in self.app_settings_type:
                         cipher = EncryptedTextValue()
                         val = safe_unicode(cipher.process_bind_param(val, None))
                     self._app_settings_value = val
                 @hybrid_property
                 def app_settings_type(self):
                     return self._app_settings_type
                 @app_settings_type.setter
                 def app_settings_type(self, val):
                     if val.split('.')[0] not in self.SETTINGS_TYPES:
                         raise Exception('type must be one of %s got %s'
                                         % (self.SETTINGS_TYPES.keys(), val))
                     self._app_settings_type = val
                 def __unicode__(self):
                     return u"<%s('%s:%s[%s]')>" % (
                         self.__class__.__name__,
                         self.app_settings_name, self.app_settings_value,
                         self.app_settings_type
                     )
             class RhodeCodeUi(Base, BaseModel):
                 __tablename__ = 'rhodecode_ui'
                 __table_args__ = (
                     UniqueConstraint('ui_key'),
                     {'extend_existing': True, 'mysql_engine': 'InnoDB',
                      'mysql_charset': 'utf8', 'sqlite_autoincrement': True}
                 )
                 HOOK_REPO_SIZE = 'changegroup.repo_size'
                 # HG
                 HOOK_PRE_PULL = 'preoutgoing.pre_pull'
                 HOOK_PULL = 'outgoing.pull_logger'
                 HOOK_PRE_PUSH = 'prechangegroup.pre_push'
                 HOOK_PRETX_PUSH = 'pretxnchangegroup.pre_push'
                 HOOK_PUSH = 'changegroup.push_logger'
                 # TODO: johbo: Unify way how hooks are configured for git and hg,
                 # git part is currently hardcoded.
                 # SVN PATTERNS
                 SVN_BRANCH_ID = 'vcs_svn_branch'
                 SVN_TAG_ID = 'vcs_svn_tag'
                 ui_id = Column(
                     "ui_id", Integer(), nullable=False, unique=True, default=None,
                     primary_key=True)
                 ui_section = Column(
                     "ui_section", String(255), nullable=True, unique=None, default=None)
                 ui_key = Column(
                     "ui_key", String(255), nullable=True, unique=None, default=None)
                 ui_value = Column(
                     "ui_value", String(255), nullable=True, unique=None, default=None)
                 ui_active = Column(
                     "ui_active", Boolean(), nullable=True, unique=None, default=True)
                 def __repr__(self):
                     return '<%s[%s]%s=>%s]>' % (self.__class__.__name__, self.ui_section,
                                                 self.ui_key, self.ui_value)
             class RepoRhodeCodeSetting(Base, BaseModel):
                 __tablename__ = 'repo_rhodecode_settings'
                 __table_args__ = (
                     UniqueConstraint(
                         'app_settings_name', 'repository_id',
                         name='uq_repo_rhodecode_setting_name_repo_id'),
                     {'extend_existing': True, 'mysql_engine': 'InnoDB',
                      'mysql_charset': 'utf8', 'sqlite_autoincrement': True}
                 )
                 repository_id = Column(
                     "repository_id", Integer(), ForeignKey('repositories.repo_id'),
                     nullable=False)
                 app_settings_id = Column(
                     "app_settings_id", Integer(), nullable=False, unique=True,
                     default=None, primary_key=True)
                 app_settings_name = Column(
                     "app_settings_name", String(255), nullable=True, unique=None,
                     default=None)
                 _app_settings_value = Column(
                     "app_settings_value", String(4096), nullable=True, unique=None,
                     default=None)
                 _app_settings_type = Column(
                     "app_settings_type", String(255), nullable=True, unique=None,
                     default=None)
                 repository = relationship('Repository')
                 def __init__(self, repository_id, key='', val='', type='unicode'):
                     self.repository_id = repository_id
                     self.app_settings_name = key
                     self.app_settings_type = type
                     self.app_settings_value = val
                 @validates('_app_settings_value')
                 def validate_settings_value(self, key, val):
                     assert type(val) == unicode
                     return val
                 @hybrid_property
                 def app_settings_value(self):
                     v = self._app_settings_value
                     type_ = self.app_settings_type
                     SETTINGS_TYPES = RhodeCodeSetting.SETTINGS_TYPES
                     converter = SETTINGS_TYPES.get(type_) or SETTINGS_TYPES['unicode']
                     return converter(v)
                 @app_settings_value.setter
                 def app_settings_value(self, val):
                     """
                     Setter that will always make sure we use unicode in app_settings_value
                     :param val:
                     """
                     self._app_settings_value = safe_unicode(val)
                 @hybrid_property
                 def app_settings_type(self):
                     return self._app_settings_type
                 @app_settings_type.setter
                 def app_settings_type(self, val):
                     SETTINGS_TYPES = RhodeCodeSetting.SETTINGS_TYPES
                     if val not in SETTINGS_TYPES:
                         raise Exception('type must be one of %s got %s'
                                         % (SETTINGS_TYPES.keys(), val))
                     self._app_settings_type = val
                 def __unicode__(self):
                     return u"<%s('%s:%s:%s[%s]')>" % (
                         self.__class__.__name__, self.repository.repo_name,
                         self.app_settings_name, self.app_settings_value,
                         self.app_settings_type
                     )
             class RepoRhodeCodeUi(Base, BaseModel):
                 __tablename__ = 'repo_rhodecode_ui'
                 __table_args__ = (
                     UniqueConstraint(
                         'repository_id', 'ui_section', 'ui_key',
                         name='uq_repo_rhodecode_ui_repository_id_section_key'),
                     {'extend_existing': True, 'mysql_engine': 'InnoDB',
                      'mysql_charset': 'utf8', 'sqlite_autoincrement': True}
                 )
                 repository_id = Column(
                     "repository_id", Integer(), ForeignKey('repositories.repo_id'),
                     nullable=False)
                 ui_id = Column(
                     "ui_id", Integer(), nullable=False, unique=True, default=None,
                     primary_key=True)
                 ui_section = Column(
                     "ui_section", String(255), nullable=True, unique=None, default=None)
                 ui_key = Column(
                     "ui_key", String(255), nullable=True, unique=None, default=None)
                 ui_value = Column(
                     "ui_value", String(255), nullable=True, unique=None, default=None)
                 ui_active = Column(
                     "ui_active", Boolean(), nullable=True, unique=None, default=True)
                 repository = relationship('Repository')
                 def __repr__(self):
                     return '<%s[%s:%s]%s=>%s]>' % (
                         self.__class__.__name__, self.repository.repo_name,
                         self.ui_section, self.ui_key, self.ui_value)
             class User(Base, BaseModel):
                 __tablename__ = 'users'
                 __table_args__ = (
                     UniqueConstraint('username'), UniqueConstraint('email'),
                     Index('u_username_idx', 'username'),
                     Index('u_email_idx', 'email'),
                     {'extend_existing': True, 'mysql_engine': 'InnoDB',
                      'mysql_charset': 'utf8', 'sqlite_autoincrement': True}
                 )
                 DEFAULT_USER = 'default'
                 DEFAULT_USER_EMAIL = 'anonymous@rhodecode.org'
                 DEFAULT_GRAVATAR_URL = 'https://secure.gravatar.com/avatar/{md5email}?d=identicon&s={size}'
                 user_id = Column("user_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 username = Column("username", String(255), nullable=True, unique=None, default=None)
                 password = Column("password", String(255), nullable=True, unique=None, default=None)
                 active = Column("active", Boolean(), nullable=True, unique=None, default=True)
                 admin = Column("admin", Boolean(), nullable=True, unique=None, default=False)
                 name = Column("firstname", String(255), nullable=True, unique=None, default=None)
                 lastname = Column("lastname", String(255), nullable=True, unique=None, default=None)
                 _email = Column("email", String(255), nullable=True, unique=None, default=None)
                 last_login = Column("last_login", DateTime(timezone=False), nullable=True, unique=None, default=None)
                 extern_type = Column("extern_type", String(255), nullable=True, unique=None, default=None)
                 extern_name = Column("extern_name", String(255), nullable=True, unique=None, default=None)
                 _api_key = Column("api_key", String(255), nullable=True, unique=None, default=None)
                 inherit_default_permissions = Column("inherit_default_permissions", Boolean(), nullable=False, unique=None, default=True)
                 created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 _user_data = Column("user_data", LargeBinary(), nullable=True)  # JSON data
                 user_log = relationship('UserLog')
                 user_perms = relationship('UserToPerm', primaryjoin="User.user_id==UserToPerm.user_id", cascade='all')
                 repositories = relationship('Repository')
                 repository_groups = relationship('RepoGroup')
                 user_groups = relationship('UserGroup')
                 user_followers = relationship('UserFollowing', primaryjoin='UserFollowing.follows_user_id==User.user_id', cascade='all')
                 followings = relationship('UserFollowing', primaryjoin='UserFollowing.user_id==User.user_id', cascade='all')
                 repo_to_perm = relationship('UserRepoToPerm', primaryjoin='UserRepoToPerm.user_id==User.user_id', cascade='all')
                 repo_group_to_perm = relationship('UserRepoGroupToPerm', primaryjoin='UserRepoGroupToPerm.user_id==User.user_id', cascade='all')
                 user_group_to_perm = relationship('UserUserGroupToPerm', primaryjoin='UserUserGroupToPerm.user_id==User.user_id', cascade='all')
                 group_member = relationship('UserGroupMember', cascade='all')
                 notifications = relationship('UserNotification', cascade='all')
                 # notifications assigned to this user
                 user_created_notifications = relationship('Notification', cascade='all')
                 # comments created by this user
                 user_comments = relationship('ChangesetComment', cascade='all')
                 # user profile extra info
                 user_emails = relationship('UserEmailMap', cascade='all')
                 user_ip_map = relationship('UserIpMap', cascade='all')
                 user_auth_tokens = relationship('UserApiKeys', cascade='all')
                 # gists
                 user_gists = relationship('Gist', cascade='all')
                 # user pull requests
                 user_pull_requests = relationship('PullRequest', cascade='all')
                 # external identities
                 extenal_identities = relationship(
                     'ExternalIdentity',
                     primaryjoin="User.user_id==ExternalIdentity.local_user_id",
                     cascade='all')
                 def __unicode__(self):
                     return u"<%s('id:%s:%s')>" % (self.__class__.__name__,
                                                   self.user_id, self.username)
                 @hybrid_property
                 def email(self):
                     return self._email
                 @email.setter
                 def email(self, val):
                     self._email = val.lower() if val else None
                 @hybrid_property
                 def api_key(self):
                     """
                     Fetch if exist an auth-token with role ALL connected to this user
                     """
                     user_auth_token = UserApiKeys.query()\
                         .filter(UserApiKeys.user_id == self.user_id)\
                         .filter(or_(UserApiKeys.expires == -1,
                                         UserApiKeys.expires >= time.time()))\
                         .filter(UserApiKeys.role == UserApiKeys.ROLE_ALL).first()
+                    if user_auth_token:
+                        user_auth_token = user_auth_token.api_key
                     return user_auth_token
                 @api_key.setter
                 def api_key(self, val):
                     # don't allow to set API key this is deprecated for now
                     self._api_key = None
                 @property
                 def firstname(self):
                     # alias for future
                     return self.name
                 @property
                 def emails(self):
                     other = UserEmailMap.query().filter(UserEmailMap.user==self).all()
                     return [self.email] + [x.email for x in other]
                 @property
                 def auth_tokens(self):
                     return [x.api_key for x in self.extra_auth_tokens]
                 @property
                 def extra_auth_tokens(self):
                     return UserApiKeys.query().filter(UserApiKeys.user == self).all()
                 @property
                 def feed_token(self):
                     return self.get_feed_token()
                 def get_feed_token(self):
                     feed_tokens = UserApiKeys.query()\
                         .filter(UserApiKeys.user == self)\
                         .filter(UserApiKeys.role == UserApiKeys.ROLE_FEED)\
                         .all()
                     if feed_tokens:
                         return feed_tokens[0].api_key
                     return 'NO_FEED_TOKEN_AVAILABLE'
                 @classmethod
                 def extra_valid_auth_tokens(cls, user, role=None):
                     tokens = UserApiKeys.query().filter(UserApiKeys.user == user)\
                             .filter(or_(UserApiKeys.expires == -1,
                                         UserApiKeys.expires >= time.time()))
                     if role:
                         tokens = tokens.filter(or_(UserApiKeys.role == role,
                                                    UserApiKeys.role == UserApiKeys.ROLE_ALL))
                     return tokens.all()
                 def authenticate_by_token(self, auth_token, roles=None):
                     from rhodecode.lib import auth
                     log.debug('Trying to authenticate user: %s via auth-token, '
                               'and roles: %s', self, roles)
                     if not auth_token:
                         return False
                     crypto_backend = auth.crypto_backend()
                     roles = (roles or []) + [UserApiKeys.ROLE_ALL]
                     tokens_q = UserApiKeys.query()\
                         .filter(UserApiKeys.user_id == self.user_id)\
                         .filter(or_(UserApiKeys.expires == -1,
                                     UserApiKeys.expires >= time.time()))
                     tokens_q = tokens_q.filter(UserApiKeys.role.in_(roles))
                     plain_tokens = []
                     hash_tokens = []
                     for token in tokens_q.all():
                         if token.api_key.startswith(crypto_backend.ENC_PREF):
                             hash_tokens.append(token.api_key)
                         else:
                             plain_tokens.append(token.api_key)
                     is_plain_match = auth_token in plain_tokens
                     if is_plain_match:
                         return True
                     for hashed in hash_tokens:
                         # marcink: this is expensive to calculate, but the most secure
                         match = crypto_backend.hash_check(auth_token, hashed)
                         if match:
                             return True
                     return False
                 @property
                 def ip_addresses(self):
                     ret = UserIpMap.query().filter(UserIpMap.user == self).all()
                     return [x.ip_addr for x in ret]
                 @property
                 def username_and_name(self):
                     return '%s (%s %s)' % (self.username, self.firstname, self.lastname)
                 @property
                 def username_or_name_or_email(self):
                     full_name = self.full_name if self.full_name is not ' ' else None
                     return self.username or full_name or self.email
                 @property
                 def full_name(self):
                     return '%s %s' % (self.firstname, self.lastname)
                 @property
                 def full_name_or_username(self):
                     return ('%s %s' % (self.firstname, self.lastname)
                             if (self.firstname and self.lastname) else self.username)
                 @property
                 def full_contact(self):
                     return '%s %s <%s>' % (self.firstname, self.lastname, self.email)
                 @property
                 def short_contact(self):
                     return '%s %s' % (self.firstname, self.lastname)
                 @property
                 def is_admin(self):
                     return self.admin
                 @property
                 def AuthUser(self):
                     """
                     Returns instance of AuthUser for this user
                     """
                     from rhodecode.lib.auth import AuthUser
                     return AuthUser(user_id=self.user_id, username=self.username)
                 @hybrid_property
                 def user_data(self):
                     if not self._user_data:
                         return {}
                     try:
                         return json.loads(self._user_data)
                     except TypeError:
                         return {}
                 @user_data.setter
                 def user_data(self, val):
                     if not isinstance(val, dict):
                         raise Exception('user_data must be dict, got %s' % type(val))
                     try:
                         self._user_data = json.dumps(val)
                     except Exception:
                         log.error(traceback.format_exc())
                 @classmethod
                 def get_by_username(cls, username, case_insensitive=False,
                                     cache=False, identity_cache=False):
                     session = Session()
                     if case_insensitive:
                         q = cls.query().filter(
                             func.lower(cls.username) == func.lower(username))
                     else:
                         q = cls.query().filter(cls.username == username)
                     if cache:
                         if identity_cache:
                             val = cls.identity_cache(session, 'username', username)
                             if val:
                                 return val
                         else:
                             q = q.options(
                                 FromCache("sql_cache_short",
                                           "get_user_by_name_%s" % _hash_key(username)))
                     return q.scalar()
                 @classmethod
                 def get_by_auth_token(cls, auth_token, cache=False):
                     q = UserApiKeys.query()\
                         .filter(UserApiKeys.api_key == auth_token)\
                         .filter(or_(UserApiKeys.expires == -1,
                                     UserApiKeys.expires >= time.time()))
                     if cache:
                         q = q.options(FromCache("sql_cache_short",
                                                 "get_auth_token_%s" % auth_token))
                     match = q.first()
                     if match:
                         return match.user
                 @classmethod
                 def get_by_email(cls, email, case_insensitive=False, cache=False):
                     if case_insensitive:
                         q = cls.query().filter(func.lower(cls.email) == func.lower(email))
                     else:
                         q = cls.query().filter(cls.email == email)
                     if cache:
                         q = q.options(FromCache("sql_cache_short",
                                                 "get_email_key_%s" % _hash_key(email)))
                     ret = q.scalar()
                     if ret is None:
                         q = UserEmailMap.query()
                         # try fetching in alternate email map
                         if case_insensitive:
                             q = q.filter(func.lower(UserEmailMap.email) == func.lower(email))
                         else:
                             q = q.filter(UserEmailMap.email == email)
                         q = q.options(joinedload(UserEmailMap.user))
                         if cache:
                             q = q.options(FromCache("sql_cache_short",
                                                     "get_email_map_key_%s" % email))
                         ret = getattr(q.scalar(), 'user', None)
                     return ret
                 @classmethod
                 def get_from_cs_author(cls, author):
                     """
                     Tries to get User objects out of commit author string
                     :param author:
                     """
                     from rhodecode.lib.helpers import email, author_name
                     # Valid email in the attribute passed, see if they're in the system
                     _email = email(author)
                     if _email:
                         user = cls.get_by_email(_email, case_insensitive=True)
                         if user:
                             return user
                     # Maybe we can match by username?
                     _author = author_name(author)
                     user = cls.get_by_username(_author, case_insensitive=True)
                     if user:
                         return user
                 def update_userdata(self, **kwargs):
                     usr = self
                     old = usr.user_data
                     old.update(**kwargs)
                     usr.user_data = old
                     Session().add(usr)
                     log.debug('updated userdata with ', kwargs)
                 def update_lastlogin(self):
                     """Update user lastlogin"""
                     self.last_login = datetime.datetime.now()
                     Session().add(self)
                     log.debug('updated user %s lastlogin', self.username)
                 def update_lastactivity(self):
                     """Update user lastactivity"""
                     usr = self
                     old = usr.user_data
                     old.update({'last_activity': time.time()})
                     usr.user_data = old
                     Session().add(usr)
                     log.debug('updated user %s lastactivity', usr.username)
                 def update_password(self, new_password):
                     from rhodecode.lib.auth import get_crypt_password
                     self.password = get_crypt_password(new_password)
                     Session().add(self)
                 @classmethod
                 def get_first_super_admin(cls):
                     user = User.query().filter(User.admin == true()).first()
                     if user is None:
                         raise Exception('FATAL: Missing administrative account!')
                     return user
                 @classmethod
                 def get_all_super_admins(cls):
                     """
                     Returns all admin accounts sorted by username
                     """
                     return User.query().filter(User.admin == true())\
                         .order_by(User.username.asc()).all()
                 @classmethod
                 def get_default_user(cls, cache=False):
                     user = User.get_by_username(User.DEFAULT_USER, cache=cache)
                     if user is None:
                         raise Exception('FATAL: Missing default account!')
                     return user
                 def _get_default_perms(self, user, suffix=''):
                     from rhodecode.model.permission import PermissionModel
                     return PermissionModel().get_default_perms(user.user_perms, suffix)
                 def get_default_perms(self, suffix=''):
                     return self._get_default_perms(self, suffix)
                 def get_api_data(self, include_secrets=False, details='full'):
                     """
                     Common function for generating user related data for API
                     :param include_secrets: By default secrets in the API data will be replaced
                        by a placeholder value to prevent exposing this data by accident. In case
                        this data shall be exposed, set this flag to ``True``.
                     :param details: details can be 'basic|full' basic gives only a subset of
                        the available user information that includes user_id, name and emails.
                     """
                     user = self
                     user_data = self.user_data
                     data = {
                         'user_id': user.user_id,
                         'username': user.username,
                         'firstname': user.name,
                         'lastname': user.lastname,
                         'email': user.email,
                         'emails': user.emails,
                     }
                     if details == 'basic':
                         return data
                     api_key_length = 40
                     api_key_replacement = '*' * api_key_length
                     extras = {
                         'api_keys': [api_key_replacement],
                         'active': user.active,
                         'admin': user.admin,
                         'extern_type': user.extern_type,
                         'extern_name': user.extern_name,
                         'last_login': user.last_login,
                         'ip_addresses': user.ip_addresses,
                         'language': user_data.get('language')
                     }
                     data.update(extras)
                     if include_secrets:
                         data['api_keys'] = user.auth_tokens
                     return data
                 def __json__(self):
                     data = {
                         'full_name': self.full_name,
                         'full_name_or_username': self.full_name_or_username,
                         'short_contact': self.short_contact,
                         'full_contact': self.full_contact,
                     }
                     data.update(self.get_api_data())
                     return data
             class UserApiKeys(Base, BaseModel):
                 __tablename__ = 'user_api_keys'
                 __table_args__ = (
                     Index('uak_api_key_idx', 'api_key'),
                     Index('uak_api_key_expires_idx', 'api_key', 'expires'),
                     UniqueConstraint('api_key'),
                     {'extend_existing': True, 'mysql_engine': 'InnoDB',
                      'mysql_charset': 'utf8', 'sqlite_autoincrement': True}
                 )
                 __mapper_args__ = {}
                 # ApiKey role
                 ROLE_ALL = 'token_role_all'
                 ROLE_HTTP = 'token_role_http'
                 ROLE_VCS = 'token_role_vcs'
                 ROLE_API = 'token_role_api'
                 ROLE_FEED = 'token_role_feed'
                 ROLE_PASSWORD_RESET = 'token_password_reset'
                 ROLES = [ROLE_ALL, ROLE_HTTP, ROLE_VCS, ROLE_API, ROLE_FEED]
                 user_api_key_id = Column("user_api_key_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=True, unique=None, default=None)
                 api_key = Column("api_key", String(255), nullable=False, unique=True)
                 description = Column('description', UnicodeText().with_variant(UnicodeText(1024), 'mysql'))
                 expires = Column('expires', Float(53), nullable=False)
                 role = Column('role', String(255), nullable=True)
                 created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 # scope columns
                 repo_id = Column(
                     'repo_id', Integer(), ForeignKey('repositories.repo_id'),
                     nullable=True, unique=None, default=None)
                 repo = relationship('Repository', lazy='joined')
                 repo_group_id = Column(
                     'repo_group_id', Integer(), ForeignKey('groups.group_id'),
                     nullable=True, unique=None, default=None)
                 repo_group = relationship('RepoGroup', lazy='joined')
                 user = relationship('User', lazy='joined')
+                def __unicode__(self):
+                    return u"<%s('%s')>" % (self.__class__.__name__, self.role)
                 @classmethod
                 def _get_role_name(cls, role):
                     return {
                         cls.ROLE_ALL: _('all'),
                         cls.ROLE_HTTP: _('http/web interface'),
                         cls.ROLE_VCS: _('vcs (git/hg/svn protocol)'),
                         cls.ROLE_API: _('api calls'),
                         cls.ROLE_FEED: _('feed access'),
                     }.get(role, role)
                 @property
                 def expired(self):
                     if self.expires == -1:
                         return False
                     return time.time() > self.expires
                 @property
                 def role_humanized(self):
                     return self._get_role_name(self.role)
                 def _get_scope(self):
                     if self.repo:
                         return repr(self.repo)
                     if self.repo_group:
                         return repr(self.repo_group) + ' (recursive)'
                     return 'global'
                 @property
                 def scope_humanized(self):
                     return self._get_scope()
             class UserEmailMap(Base, BaseModel):
                 __tablename__ = 'user_email_map'
                 __table_args__ = (
                     Index('uem_email_idx', 'email'),
                     UniqueConstraint('email'),
                     {'extend_existing': True, 'mysql_engine': 'InnoDB',
                      'mysql_charset': 'utf8', 'sqlite_autoincrement': True}
                 )
                 __mapper_args__ = {}
                 email_id = Column("email_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=True, unique=None, default=None)
                 _email = Column("email", String(255), nullable=True, unique=False, default=None)
                 user = relationship('User', lazy='joined')
                 @validates('_email')
                 def validate_email(self, key, email):
                     # check if this email is not main one
                     main_email = Session().query(User).filter(User.email == email).scalar()
                     if main_email is not None:
                         raise AttributeError('email %s is present is user table' % email)
                     return email
                 @hybrid_property
                 def email(self):
                     return self._email
                 @email.setter
                 def email(self, val):
                     self._email = val.lower() if val else None
             class UserIpMap(Base, BaseModel):
                 __tablename__ = 'user_ip_map'
                 __table_args__ = (
                     UniqueConstraint('user_id', 'ip_addr'),
                     {'extend_existing': True, 'mysql_engine': 'InnoDB',
                      'mysql_charset': 'utf8', 'sqlite_autoincrement': True}
                 )
                 __mapper_args__ = {}
                 ip_id = Column("ip_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=True, unique=None, default=None)
                 ip_addr = Column("ip_addr", String(255), nullable=True, unique=False, default=None)
                 active = Column("active", Boolean(), nullable=True, unique=None, default=True)
                 description = Column("description", String(10000), nullable=True, unique=None, default=None)
                 user = relationship('User', lazy='joined')
                 @classmethod
                 def _get_ip_range(cls, ip_addr):
                     net = ipaddress.ip_network(ip_addr, strict=False)
                     return [str(net.network_address), str(net.broadcast_address)]
                 def __json__(self):
                     return {
                       'ip_addr': self.ip_addr,
                       'ip_range': self._get_ip_range(self.ip_addr),
                     }
                 def __unicode__(self):
                     return u"<%s('user_id:%s=>%s')>" % (self.__class__.__name__,
                                                         self.user_id, self.ip_addr)
             class UserLog(Base, BaseModel):
                 __tablename__ = 'user_logs'
                 __table_args__ = (
                     {'extend_existing': True, 'mysql_engine': 'InnoDB',
                      'mysql_charset': 'utf8', 'sqlite_autoincrement': True},
                 )
                 user_log_id = Column("user_log_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=True, unique=None, default=None)
                 username = Column("username", String(255), nullable=True, unique=None, default=None)
                 repository_id = Column("repository_id", Integer(), ForeignKey('repositories.repo_id'), nullable=True)
                 repository_name = Column("repository_name", String(255), nullable=True, unique=None, default=None)
                 user_ip = Column("user_ip", String(255), nullable=True, unique=None, default=None)
                 action = Column("action", Text().with_variant(Text(1200000), 'mysql'), nullable=True, unique=None, default=None)
                 action_date = Column("action_date", DateTime(timezone=False), nullable=True, unique=None, default=None)
                 def __unicode__(self):
                     return u"<%s('id:%s:%s')>" % (self.__class__.__name__,
                                                   self.repository_name,
                                                   self.action)
                 @property
                 def action_as_day(self):
                     return datetime.date(*self.action_date.timetuple()[:3])
                 user = relationship('User')
                 repository = relationship('Repository', cascade='')
             class UserGroup(Base, BaseModel):
                 __tablename__ = 'users_groups'
                 __table_args__ = (
                     {'extend_existing': True, 'mysql_engine': 'InnoDB',
                      'mysql_charset': 'utf8', 'sqlite_autoincrement': True},
                 )
                 users_group_id = Column("users_group_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 users_group_name = Column("users_group_name", String(255), nullable=False, unique=True, default=None)
                 user_group_description = Column("user_group_description", String(10000), nullable=True, unique=None, default=None)
                 users_group_active = Column("users_group_active", Boolean(), nullable=True, unique=None, default=None)
                 inherit_default_permissions = Column("users_group_inherit_default_permissions", Boolean(), nullable=False, unique=None, default=True)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=False, default=None)
                 created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 _group_data = Column("group_data", LargeBinary(), nullable=True)  # JSON data
                 members = relationship('UserGroupMember', cascade="all, delete, delete-orphan", lazy="joined")
                 users_group_to_perm = relationship('UserGroupToPerm', cascade='all')
                 users_group_repo_to_perm = relationship('UserGroupRepoToPerm', cascade='all')
                 users_group_repo_group_to_perm = relationship('UserGroupRepoGroupToPerm', cascade='all')
                 user_user_group_to_perm = relationship('UserUserGroupToPerm', cascade='all')
                 user_group_user_group_to_perm = relationship('UserGroupUserGroupToPerm ', primaryjoin="UserGroupUserGroupToPerm.target_user_group_id==UserGroup.users_group_id", cascade='all')
                 user = relationship('User')
                 @hybrid_property
                 def group_data(self):
                     if not self._group_data:
                         return {}
                     try:
                         return json.loads(self._group_data)
                     except TypeError:
                         return {}
                 @group_data.setter
                 def group_data(self, val):
                     try:
                         self._group_data = json.dumps(val)
                     except Exception:
                         log.error(traceback.format_exc())
                 def __unicode__(self):
                     return u"<%s('id:%s:%s')>" % (self.__class__.__name__,
                                                   self.users_group_id,
                                                   self.users_group_name)
                 @classmethod
                 def get_by_group_name(cls, group_name, cache=False,
                                       case_insensitive=False):
                     if case_insensitive:
                         q = cls.query().filter(func.lower(cls.users_group_name) ==
                                                func.lower(group_name))
                     else:
                         q = cls.query().filter(cls.users_group_name == group_name)
                     if cache:
                         q = q.options(FromCache(
                                         "sql_cache_short",
                                         "get_group_%s" % _hash_key(group_name)))
                     return q.scalar()
                 @classmethod
                 def get(cls, user_group_id, cache=False):
                     user_group = cls.query()
                     if cache:
                         user_group = user_group.options(FromCache("sql_cache_short",
                                                 "get_users_group_%s" % user_group_id))
                     return user_group.get(user_group_id)
                 def permissions(self, with_admins=True, with_owner=True):
                     q = UserUserGroupToPerm.query().filter(UserUserGroupToPerm.user_group == self)
                     q = q.options(joinedload(UserUserGroupToPerm.user_group),
                                   joinedload(UserUserGroupToPerm.user),
                                   joinedload(UserUserGroupToPerm.permission),)
                     # get owners and admins and permissions. We do a trick of re-writing
                     # objects from sqlalchemy to named-tuples due to sqlalchemy session
                     # has a global reference and changing one object propagates to all
                     # others. This means if admin is also an owner admin_row that change
                     # would propagate to both objects
                     perm_rows = []
                     for _usr in q.all():
                         usr = AttributeDict(_usr.user.get_dict())
                         usr.permission = _usr.permission.permission_name
                         perm_rows.append(usr)
                     # filter the perm rows by 'default' first and then sort them by
                     # admin,write,read,none permissions sorted again alphabetically in
                     # each group
                     perm_rows = sorted(perm_rows, key=display_sort)
                     _admin_perm = 'usergroup.admin'
                     owner_row = []
                     if with_owner:
                         usr = AttributeDict(self.user.get_dict())
                         usr.owner_row = True
                         usr.permission = _admin_perm
                         owner_row.append(usr)
                     super_admin_rows = []
                     if with_admins:
                         for usr in User.get_all_super_admins():
                             # if this admin is also owner, don't double the record
                             if usr.user_id == owner_row[0].user_id:
                                 owner_row[0].admin_row = True
                             else:
                                 usr = AttributeDict(usr.get_dict())
                                 usr.admin_row = True
                                 usr.permission = _admin_perm
                                 super_admin_rows.append(usr)
                     return super_admin_rows + owner_row + perm_rows
                 def permission_user_groups(self):
                     q = UserGroupUserGroupToPerm.query().filter(UserGroupUserGroupToPerm.target_user_group == self)
                     q = q.options(joinedload(UserGroupUserGroupToPerm.user_group),
                                   joinedload(UserGroupUserGroupToPerm.target_user_group),
                                   joinedload(UserGroupUserGroupToPerm.permission),)
                     perm_rows = []
                     for _user_group in q.all():
                         usr = AttributeDict(_user_group.user_group.get_dict())
                         usr.permission = _user_group.permission.permission_name
                         perm_rows.append(usr)
                     return perm_rows
                 def _get_default_perms(self, user_group, suffix=''):
                     from rhodecode.model.permission import PermissionModel
                     return PermissionModel().get_default_perms(user_group.users_group_to_perm, suffix)
                 def get_default_perms(self, suffix=''):
                     return self._get_default_perms(self, suffix)
                 def get_api_data(self, with_group_members=True, include_secrets=False):
                     """
                     :param include_secrets: See :meth:`User.get_api_data`, this parameter is
                        basically forwarded.
                     """
                     user_group = self
                     data = {
                         'users_group_id': user_group.users_group_id,
                         'group_name': user_group.users_group_name,
                         'group_description': user_group.user_group_description,
                         'active': user_group.users_group_active,
                         'owner': user_group.user.username,
                     }
                     if with_group_members:
                         users = []
                         for user in user_group.members:
                             user = user.user
                             users.append(user.get_api_data(include_secrets=include_secrets))
                         data['users'] = users
                     return data
             class UserGroupMember(Base, BaseModel):
                 __tablename__ = 'users_groups_members'
                 __table_args__ = (
                     {'extend_existing': True, 'mysql_engine': 'InnoDB',
                      'mysql_charset': 'utf8', 'sqlite_autoincrement': True},
                 )
                 users_group_member_id = Column("users_group_member_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 users_group_id = Column("users_group_id", Integer(), ForeignKey('users_groups.users_group_id'), nullable=False, unique=None, default=None)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=None, default=None)
                 user = relationship('User', lazy='joined')
                 users_group = relationship('UserGroup')
                 def __init__(self, gr_id='', u_id=''):
                     self.users_group_id = gr_id
                     self.user_id = u_id
             class RepositoryField(Base, BaseModel):
                 __tablename__ = 'repositories_fields'
                 __table_args__ = (
                     UniqueConstraint('repository_id', 'field_key'),  # no-multi field
                     {'extend_existing': True, 'mysql_engine': 'InnoDB',
                      'mysql_charset': 'utf8', 'sqlite_autoincrement': True},
                 )
                 PREFIX = 'ex_'  # prefix used in form to not conflict with already existing fields
                 repo_field_id = Column("repo_field_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 repository_id = Column("repository_id", Integer(), ForeignKey('repositories.repo_id'), nullable=False, unique=None, default=None)
                 field_key = Column("field_key", String(250))
                 field_label = Column("field_label", String(1024), nullable=False)
                 field_value = Column("field_value", String(10000), nullable=False)
                 field_desc = Column("field_desc", String(1024), nullable=False)
                 field_type = Column("field_type", String(255), nullable=False, unique=None)
                 created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 repository = relationship('Repository')
                 @property
                 def field_key_prefixed(self):
                     return 'ex_%s' % self.field_key
                 @classmethod
                 def un_prefix_key(cls, key):
                     if key.startswith(cls.PREFIX):
                         return key[len(cls.PREFIX):]
                     return key
                 @classmethod
                 def get_by_key_name(cls, key, repo):
                     row = cls.query()\
                             .filter(cls.repository == repo)\
                             .filter(cls.field_key == key).scalar()
                     return row
             class Repository(Base, BaseModel):
                 __tablename__ = 'repositories'
                 __table_args__ = (
                     Index('r_repo_name_idx', 'repo_name', mysql_length=255),
                     {'extend_existing': True, 'mysql_engine': 'InnoDB',
                      'mysql_charset': 'utf8', 'sqlite_autoincrement': True},
                 )
                 DEFAULT_CLONE_URI = '{scheme}://{user}@{netloc}/{repo}'
                 DEFAULT_CLONE_URI_ID = '{scheme}://{user}@{netloc}/_{repoid}'
                 STATE_CREATED = 'repo_state_created'
                 STATE_PENDING = 'repo_state_pending'
                 STATE_ERROR = 'repo_state_error'
                 LOCK_AUTOMATIC = 'lock_auto'
                 LOCK_API = 'lock_api'
                 LOCK_WEB = 'lock_web'
                 LOCK_PULL = 'lock_pull'
                 NAME_SEP = URL_SEP
                 repo_id = Column(
                     "repo_id", Integer(), nullable=False, unique=True, default=None,
                     primary_key=True)
                 _repo_name = Column(
                     "repo_name", Text(), nullable=False, default=None)
                 _repo_name_hash = Column(
                     "repo_name_hash", String(255), nullable=False, unique=True)
                 repo_state = Column("repo_state", String(255), nullable=True)
                 clone_uri = Column(
                     "clone_uri", EncryptedTextValue(), nullable=True, unique=False,
                     default=None)
                 repo_type = Column(
                     "repo_type", String(255), nullable=False, unique=False, default=None)
                 user_id = Column(
                     "user_id", Integer(), ForeignKey('users.user_id'), nullable=False,
                     unique=False, default=None)
                 private = Column(
                     "private", Boolean(), nullable=True, unique=None, default=None)
                 enable_statistics = Column(
                     "statistics", Boolean(), nullable=True, unique=None, default=True)
                 enable_downloads = Column(
                     "downloads", Boolean(), nullable=True, unique=None, default=True)
                 description = Column(
                     "description", String(10000), nullable=True, unique=None, default=None)
                 created_on = Column(
                     'created_on', DateTime(timezone=False), nullable=True, unique=None,
                     default=datetime.datetime.now)
                 updated_on = Column(
                     'updated_on', DateTime(timezone=False), nullable=True, unique=None,
                     default=datetime.datetime.now)
                 _landing_revision = Column(
                     "landing_revision", String(255), nullable=False, unique=False,
                     default=None)
                 enable_locking = Column(
                     "enable_locking", Boolean(), nullable=False, unique=None,
                     default=False)
                 _locked = Column(
                     "locked", String(255), nullable=True, unique=False, default=None)
                 _changeset_cache = Column(
                     "changeset_cache", LargeBinary(), nullable=True)  # JSON data
                 fork_id = Column(
                     "fork_id", Integer(), ForeignKey('repositories.repo_id'),
                     nullable=True, unique=False, default=None)
                 group_id = Column(
                     "group_id", Integer(), ForeignKey('groups.group_id'), nullable=True,
                     unique=False, default=None)
                 user = relationship('User', lazy='joined')
                 fork = relationship('Repository', remote_side=repo_id, lazy='joined')
                 group = relationship('RepoGroup', lazy='joined')
                 repo_to_perm = relationship(
                     'UserRepoToPerm', cascade='all',
                     order_by='UserRepoToPerm.repo_to_perm_id')
                 users_group_to_perm = relationship('UserGroupRepoToPerm', cascade='all')
                 stats = relationship('Statistics', cascade='all', uselist=False)
                 followers = relationship(
                     'UserFollowing',
                     primaryjoin='UserFollowing.follows_repo_id==Repository.repo_id',
                     cascade='all')
                 extra_fields = relationship(
                     'RepositoryField', cascade="all, delete, delete-orphan")
                 logs = relationship('UserLog')
                 comments = relationship(
                     'ChangesetComment', cascade="all, delete, delete-orphan")
                 pull_requests_source = relationship(
                     'PullRequest',
                     primaryjoin='PullRequest.source_repo_id==Repository.repo_id',
                     cascade="all, delete, delete-orphan")
                 pull_requests_target = relationship(
                     'PullRequest',
                     primaryjoin='PullRequest.target_repo_id==Repository.repo_id',
                     cascade="all, delete, delete-orphan")
                 ui = relationship('RepoRhodeCodeUi', cascade="all")
                 settings = relationship('RepoRhodeCodeSetting', cascade="all")
                 integrations = relationship('Integration',
                                             cascade="all, delete, delete-orphan")
                 def __unicode__(self):
                     return u"<%s('%s:%s')>" % (self.__class__.__name__, self.repo_id,
                                                safe_unicode(self.repo_name))
                 @hybrid_property
                 def landing_rev(self):
                     # always should return [rev_type, rev]
                     if self._landing_revision:
                         _rev_info = self._landing_revision.split(':')
                         if len(_rev_info) < 2:
                             _rev_info.insert(0, 'rev')
                         return [_rev_info[0], _rev_info[1]]
                     return [None, None]
                 @landing_rev.setter
                 def landing_rev(self, val):
                     if ':' not in val:
                         raise ValueError('value must be delimited with `:` and consist '
                                          'of <rev_type>:<rev>, got %s instead' % val)
                     self._landing_revision = val
                 @hybrid_property
                 def locked(self):
                     if self._locked:
                         user_id, timelocked, reason = self._locked.split(':')
                         lock_values = int(user_id), timelocked, reason
                     else:
                         lock_values = [None, None, None]
                     return lock_values
                 @locked.setter
                 def locked(self, val):
                     if val and isinstance(val, (list, tuple)):
                         self._locked = ':'.join(map(str, val))
                     else:
                         self._locked = None
                 @hybrid_property
                 def changeset_cache(self):
                     from rhodecode.lib.vcs.backends.base import EmptyCommit
                     dummy = EmptyCommit().__json__()
                     if not self._changeset_cache:
                         return dummy
                     try:
                         return json.loads(self._changeset_cache)
                     except TypeError:
                         return dummy
                     except Exception:
                         log.error(traceback.format_exc())
                         return dummy
                 @changeset_cache.setter
                 def changeset_cache(self, val):
                     try:
                         self._changeset_cache = json.dumps(val)
                     except Exception:
                         log.error(traceback.format_exc())
                 @hybrid_property
                 def repo_name(self):
                     return self._repo_name
                 @repo_name.setter
                 def repo_name(self, value):
                     self._repo_name = value
                     self._repo_name_hash = hashlib.sha1(safe_str(value)).hexdigest()
                 @classmethod
                 def normalize_repo_name(cls, repo_name):
                     """
                     Normalizes os specific repo_name to the format internally stored inside
                     database using URL_SEP
                     :param cls:
                     :param repo_name:
                     """
                     return cls.NAME_SEP.join(repo_name.split(os.sep))
                 @classmethod
                 def get_by_repo_name(cls, repo_name, cache=False, identity_cache=False):
                     session = Session()
                     q = session.query(cls).filter(cls.repo_name == repo_name)
                     if cache:
                         if identity_cache:
                             val = cls.identity_cache(session, 'repo_name', repo_name)
                             if val:
                                 return val
                         else:
                             q = q.options(
                                 FromCache("sql_cache_short",
                                           "get_repo_by_name_%s" % _hash_key(repo_name)))
                     return q.scalar()
                 @classmethod
                 def get_by_full_path(cls, repo_full_path):
                     repo_name = repo_full_path.split(cls.base_path(), 1)[-1]
                     repo_name = cls.normalize_repo_name(repo_name)
                     return cls.get_by_repo_name(repo_name.strip(URL_SEP))
                 @classmethod
                 def get_repo_forks(cls, repo_id):
                     return cls.query().filter(Repository.fork_id == repo_id)
                 @classmethod
                 def base_path(cls):
                     """
                     Returns base path when all repos are stored
                     :param cls:
                     """
                     q = Session().query(RhodeCodeUi)\
                         .filter(RhodeCodeUi.ui_key == cls.NAME_SEP)
                     q = q.options(FromCache("sql_cache_short", "repository_repo_path"))
                     return q.one().ui_value
                 @classmethod
                 def is_valid(cls, repo_name):
                     """
                     returns True if given repo name is a valid filesystem repository
                     :param cls:
                     :param repo_name:
                     """
                     from rhodecode.lib.utils import is_valid_repo
                     return is_valid_repo(repo_name, cls.base_path())
                 @classmethod
                 def get_all_repos(cls, user_id=Optional(None), group_id=Optional(None),
                                   case_insensitive=True):
                     q = Repository.query()
                     if not isinstance(user_id, Optional):
                         q = q.filter(Repository.user_id == user_id)
                     if not isinstance(group_id, Optional):
                         q = q.filter(Repository.group_id == group_id)
                     if case_insensitive:
                         q = q.order_by(func.lower(Repository.repo_name))
                     else:
                         q = q.order_by(Repository.repo_name)
                     return q.all()
                 @property
                 def forks(self):
                     """
                     Return forks of this repo
                     """
                     return Repository.get_repo_forks(self.repo_id)
                 @property
                 def parent(self):
                     """
                     Returns fork parent
                     """
                     return self.fork
                 @property
                 def just_name(self):
                     return self.repo_name.split(self.NAME_SEP)[-1]
                 @property
                 def groups_with_parents(self):
                     groups = []
                     if self.group is None:
                         return groups
                     cur_gr = self.group
                     groups.insert(0, cur_gr)
                     while 1:
                         gr = getattr(cur_gr, 'parent_group', None)
                         cur_gr = cur_gr.parent_group
                         if gr is None:
                             break
                         groups.insert(0, gr)
                     return groups
                 @property
                 def groups_and_repo(self):
                     return self.groups_with_parents, self
                 @LazyProperty
                 def repo_path(self):
                     """
                     Returns base full path for that repository means where it actually
                     exists on a filesystem
                     """
                     q = Session().query(RhodeCodeUi).filter(
                         RhodeCodeUi.ui_key == self.NAME_SEP)
                     q = q.options(FromCache("sql_cache_short", "repository_repo_path"))
                     return q.one().ui_value
                 @property
                 def repo_full_path(self):
                     p = [self.repo_path]
                     # we need to split the name by / since this is how we store the
                     # names in the database, but that eventually needs to be converted
                     # into a valid system path
                     p += self.repo_name.split(self.NAME_SEP)
                     return os.path.join(*map(safe_unicode, p))
                 @property
                 def cache_keys(self):
                     """
                     Returns associated cache keys for that repo
                     """
                     return CacheKey.query()\
                         .filter(CacheKey.cache_args == self.repo_name)\
                         .order_by(CacheKey.cache_key)\
                         .all()
                 def get_new_name(self, repo_name):
                     """
                     returns new full repository name based on assigned group and new new
                     :param group_name:
                     """
                     path_prefix = self.group.full_path_splitted if self.group else []
                     return self.NAME_SEP.join(path_prefix + [repo_name])
                 @property
                 def _config(self):
                     """
                     Returns db based config object.
                     """
                     from rhodecode.lib.utils import make_db_config
                     return make_db_config(clear_session=False, repo=self)
                 def permissions(self, with_admins=True, with_owner=True):
                     q = UserRepoToPerm.query().filter(UserRepoToPerm.repository == self)
                     q = q.options(joinedload(UserRepoToPerm.repository),
                                   joinedload(UserRepoToPerm.user),
                                   joinedload(UserRepoToPerm.permission),)
                     # get owners and admins and permissions. We do a trick of re-writing
                     # objects from sqlalchemy to named-tuples due to sqlalchemy session
                     # has a global reference and changing one object propagates to all
                     # others. This means if admin is also an owner admin_row that change
                     # would propagate to both objects
                     perm_rows = []
                     for _usr in q.all():
                         usr = AttributeDict(_usr.user.get_dict())
                         usr.permission = _usr.permission.permission_name
                         perm_rows.append(usr)
                     # filter the perm rows by 'default' first and then sort them by
                     # admin,write,read,none permissions sorted again alphabetically in
                     # each group
                     perm_rows = sorted(perm_rows, key=display_sort)
                     _admin_perm = 'repository.admin'
                     owner_row = []
                     if with_owner:
                         usr = AttributeDict(self.user.get_dict())
                         usr.owner_row = True
                         usr.permission = _admin_perm
                         owner_row.append(usr)
                     super_admin_rows = []
                     if with_admins:
                         for usr in User.get_all_super_admins():
                             # if this admin is also owner, don't double the record
                             if usr.user_id == owner_row[0].user_id:
                                 owner_row[0].admin_row = True
                             else:
                                 usr = AttributeDict(usr.get_dict())
                                 usr.admin_row = True
                                 usr.permission = _admin_perm
                                 super_admin_rows.append(usr)
                     return super_admin_rows + owner_row + perm_rows
                 def permission_user_groups(self):
                     q = UserGroupRepoToPerm.query().filter(
                         UserGroupRepoToPerm.repository == self)
                     q = q.options(joinedload(UserGroupRepoToPerm.repository),
                                   joinedload(UserGroupRepoToPerm.users_group),
                                   joinedload(UserGroupRepoToPerm.permission),)
                     perm_rows = []
                     for _user_group in q.all():
                         usr = AttributeDict(_user_group.users_group.get_dict())
                         usr.permission = _user_group.permission.permission_name
                         perm_rows.append(usr)
                     return perm_rows
                 def get_api_data(self, include_secrets=False):
                     """
                     Common function for generating repo api data
                     :param include_secrets: See :meth:`User.get_api_data`.
                     """
                     # TODO: mikhail: Here there is an anti-pattern, we probably need to
                     # move this methods on models level.
                     from rhodecode.model.settings import SettingsModel
                     repo = self
                     _user_id, _time, _reason = self.locked
                     data = {
                         'repo_id': repo.repo_id,
                         'repo_name': repo.repo_name,
                         'repo_type': repo.repo_type,
                         'clone_uri': repo.clone_uri or '',
                         'url': url('summary_home', repo_name=self.repo_name, qualified=True),
                         'private': repo.private,
                         'created_on': repo.created_on,
                         'description': repo.description,
                         'landing_rev': repo.landing_rev,
                         'owner': repo.user.username,
                         'fork_of': repo.fork.repo_name if repo.fork else None,
                         'enable_statistics': repo.enable_statistics,
                         'enable_locking': repo.enable_locking,
                         'enable_downloads': repo.enable_downloads,
                         'last_changeset': repo.changeset_cache,
                         'locked_by': User.get(_user_id).get_api_data(
                             include_secrets=include_secrets) if _user_id else None,
                         'locked_date': time_to_datetime(_time) if _time else None,
                         'lock_reason': _reason if _reason else None,
                     }
                     # TODO: mikhail: should be per-repo settings here
                     rc_config = SettingsModel().get_all_settings()
                     repository_fields = str2bool(
                         rc_config.get('rhodecode_repository_fields'))
                     if repository_fields:
                         for f in self.extra_fields:
                             data[f.field_key_prefixed] = f.field_value
                     return data
                 @classmethod
                 def lock(cls, repo, user_id, lock_time=None, lock_reason=None):
                     if not lock_time:
                         lock_time = time.time()
                     if not lock_reason:
                         lock_reason = cls.LOCK_AUTOMATIC
                     repo.locked = [user_id, lock_time, lock_reason]
                     Session().add(repo)
                     Session().commit()
                 @classmethod
                 def unlock(cls, repo):
                     repo.locked = None
                     Session().add(repo)
                     Session().commit()
                 @classmethod
                 def getlock(cls, repo):
                     return repo.locked
                 def is_user_lock(self, user_id):
                     if self.lock[0]:
                         lock_user_id = safe_int(self.lock[0])
                         user_id = safe_int(user_id)
                         # both are ints, and they are equal
                         return all([lock_user_id, user_id]) and lock_user_id == user_id
                     return False
                 def get_locking_state(self, action, user_id, only_when_enabled=True):
                     """
                     Checks locking on this repository, if locking is enabled and lock is
                     present returns a tuple of make_lock, locked, locked_by.
                     make_lock can have 3 states None (do nothing) True, make lock
                     False release lock, This value is later propagated to hooks, which
                     do the locking. Think about this as signals passed to hooks what to do.
                     """
                     # TODO: johbo: This is part of the business logic and should be moved
                     # into the RepositoryModel.
                     if action not in ('push', 'pull'):
                         raise ValueError("Invalid action value: %s" % repr(action))
                     # defines if locked error should be thrown to user
                     currently_locked = False
                     # defines if new lock should be made, tri-state
                     make_lock = None
                     repo = self
                     user = User.get(user_id)
                     lock_info = repo.locked
                     if repo and (repo.enable_locking or not only_when_enabled):
                         if action == 'push':
                             # check if it's already locked !, if it is compare users
                             locked_by_user_id = lock_info[0]
                             if user.user_id == locked_by_user_id:
                                 log.debug(
                                     'Got `push` action from user %s, now unlocking', user)
                                 # unlock if we have push from user who locked
                                 make_lock = False
                             else:
                                 # we're not the same user who locked, ban with
                                 # code defined in settings (default is 423 HTTP Locked) !
                                 log.debug('Repo %s is currently locked by %s', repo, user)
                                 currently_locked = True
                         elif action == 'pull':
                             # [0] user [1] date
                             if lock_info[0] and lock_info[1]:
                                 log.debug('Repo %s is currently locked by %s', repo, user)
                                 currently_locked = True
                             else:
                                 log.debug('Setting lock on repo %s by %s', repo, user)
                                 make_lock = True
                     else:
                         log.debug('Repository %s do not have locking enabled', repo)
                     log.debug('FINAL locking values make_lock:%s,locked:%s,locked_by:%s',
                               make_lock, currently_locked, lock_info)
                     from rhodecode.lib.auth import HasRepoPermissionAny
                     perm_check = HasRepoPermissionAny('repository.write', 'repository.admin')
                     if make_lock and not perm_check(repo_name=repo.repo_name, user=user):
                         # if we don't have at least write permission we cannot make a lock
                         log.debug('lock state reset back to FALSE due to lack '
                                   'of at least read permission')
                         make_lock = False
                     return make_lock, currently_locked, lock_info
                 @property
                 def last_db_change(self):
                     return self.updated_on
                 @property
                 def clone_uri_hidden(self):
                     clone_uri = self.clone_uri
                     if clone_uri:
                         import urlobject
                         url_obj = urlobject.URLObject(cleaned_uri(clone_uri))
                         if url_obj.password:
                             clone_uri = url_obj.with_password('*****')
                     return clone_uri
                 def clone_url(self, **override):
                     qualified_home_url = url('home', qualified=True)
                     uri_tmpl = None
                     if 'with_id' in override:
                         uri_tmpl = self.DEFAULT_CLONE_URI_ID
                         del override['with_id']
                     if 'uri_tmpl' in override:
                         uri_tmpl = override['uri_tmpl']
                         del override['uri_tmpl']
                     # we didn't override our tmpl from **overrides
                     if not uri_tmpl:
                         uri_tmpl = self.DEFAULT_CLONE_URI
                         try:
                             from pylons import tmpl_context as c
                             uri_tmpl = c.clone_uri_tmpl
                         except Exception:
                             # in any case if we call this outside of request context,
                             # ie, not having tmpl_context set up
                             pass
                     return get_clone_url(uri_tmpl=uri_tmpl,
                                          qualifed_home_url=qualified_home_url,
                                          repo_name=self.repo_name,
                                          repo_id=self.repo_id, **override)
                 def set_state(self, state):
                     self.repo_state = state
                     Session().add(self)
                 #==========================================================================
                 # SCM PROPERTIES
                 #==========================================================================
                 def get_commit(self, commit_id=None, commit_idx=None, pre_load=None):
                     return get_commit_safe(
                         self.scm_instance(), commit_id, commit_idx, pre_load=pre_load)
                 def get_changeset(self, rev=None, pre_load=None):
                     warnings.warn("Use get_commit", DeprecationWarning)
                     commit_id = None
                     commit_idx = None
                     if isinstance(rev, basestring):
                         commit_id = rev
                     else:
                         commit_idx = rev
                     return self.get_commit(commit_id=commit_id, commit_idx=commit_idx,
                                            pre_load=pre_load)
                 def get_landing_commit(self):
                     """
                     Returns landing commit, or if that doesn't exist returns the tip
                     """
                     _rev_type, _rev = self.landing_rev
                     commit = self.get_commit(_rev)
                     if isinstance(commit, EmptyCommit):
                         return self.get_commit()
                     return commit
                 def update_commit_cache(self, cs_cache=None, config=None):
                     """
                     Update cache of last changeset for repository, keys should be::
                         short_id
                         raw_id
                         revision
                         parents
                         message
                         date
                         author
                     :param cs_cache:
                     """
                     from rhodecode.lib.vcs.backends.base import BaseChangeset
                     if cs_cache is None:
                         # use no-cache version here
                         scm_repo = self.scm_instance(cache=False, config=config)
                         if scm_repo:
                             cs_cache = scm_repo.get_commit(
                                 pre_load=["author", "date", "message", "parents"])
                         else:
                             cs_cache = EmptyCommit()
                     if isinstance(cs_cache, BaseChangeset):
                         cs_cache = cs_cache.__json__()
                     def is_outdated(new_cs_cache):
                         if (new_cs_cache['raw_id'] != self.changeset_cache['raw_id'] or
                             new_cs_cache['revision'] != self.changeset_cache['revision']):
                             return True
                         return False
                     # check if we have maybe already latest cached revision
                     if is_outdated(cs_cache) or not self.changeset_cache:
                         _default = datetime.datetime.fromtimestamp(0)
                         last_change = cs_cache.get('date') or _default
                         log.debug('updated repo %s with new cs cache %s',
                                   self.repo_name, cs_cache)
                         self.updated_on = last_change
                         self.changeset_cache = cs_cache
                         Session().add(self)
                         Session().commit()
                     else:
                         log.debug('Skipping update_commit_cache for repo:`%s` '
                                   'commit already with latest changes', self.repo_name)
                 @property
                 def tip(self):
                     return self.get_commit('tip')
                 @property
                 def author(self):
                     return self.tip.author
                 @property
                 def last_change(self):
                     return self.scm_instance().last_change
                 def get_comments(self, revisions=None):
                     """
                     Returns comments for this repository grouped by revisions
                     :param revisions: filter query by revisions only
                     """
                     cmts = ChangesetComment.query()\
                         .filter(ChangesetComment.repo == self)
                     if revisions:
                         cmts = cmts.filter(ChangesetComment.revision.in_(revisions))
                     grouped = collections.defaultdict(list)
                     for cmt in cmts.all():
                         grouped[cmt.revision].append(cmt)
                     return grouped
                 def statuses(self, revisions=None):
                     """
                     Returns statuses for this repository
                     :param revisions: list of revisions to get statuses for
                     """
                     statuses = ChangesetStatus.query()\
                         .filter(ChangesetStatus.repo == self)\
                         .filter(ChangesetStatus.version == 0)
                     if revisions:
                         # Try doing the filtering in chunks to avoid hitting limits
                         size = 500
                         status_results = []
                         for chunk in xrange(0, len(revisions), size):
                             status_results += statuses.filter(
                                 ChangesetStatus.revision.in_(
                                     revisions[chunk: chunk+size])
                             ).all()
                     else:
                         status_results = statuses.all()
                     grouped = {}
                     # maybe we have open new pullrequest without a status?
                     stat = ChangesetStatus.STATUS_UNDER_REVIEW
                     status_lbl = ChangesetStatus.get_status_lbl(stat)
                     for pr in PullRequest.query().filter(PullRequest.source_repo == self).all():
                         for rev in pr.revisions:
                             pr_id = pr.pull_request_id
                             pr_repo = pr.target_repo.repo_name
                             grouped[rev] = [stat, status_lbl, pr_id, pr_repo]
                     for stat in status_results:
                         pr_id = pr_repo = None
                         if stat.pull_request:
                             pr_id = stat.pull_request.pull_request_id
                             pr_repo = stat.pull_request.target_repo.repo_name
                         grouped[stat.revision] = [str(stat.status), stat.status_lbl,
                                                   pr_id, pr_repo]
                     return grouped
                 # ==========================================================================
                 # SCM CACHE INSTANCE
                 # ==========================================================================
                 def scm_instance(self, **kwargs):
                     import rhodecode
                     # Passing a config will not hit the cache currently only used
                     # for repo2dbmapper
                     config = kwargs.pop('config', None)
                     cache = kwargs.pop('cache', None)
                     full_cache = str2bool(rhodecode.CONFIG.get('vcs_full_cache'))
                     # if cache is NOT defined use default global, else we have a full
                     # control over cache behaviour
                     if cache is None and full_cache and not config:
                         return self._get_instance_cached()
                     return self._get_instance(cache=bool(cache), config=config)
                 def _get_instance_cached(self):
                     @cache_region('long_term')
                     def _get_repo(cache_key):
                         return self._get_instance()
                     invalidator_context = CacheKey.repo_context_cache(
                         _get_repo, self.repo_name, None, thread_scoped=True)
                     with invalidator_context as context:
                         context.invalidate()
                         repo = context.compute()
                     return repo
                 def _get_instance(self, cache=True, config=None):
                     config = config or self._config
                     custom_wire = {
                         'cache': cache  # controls the vcs.remote cache
                     }
                     repo = get_vcs_instance(
                         repo_path=safe_str(self.repo_full_path),
                         config=config,
                         with_wire=custom_wire,
                         create=False,
                         _vcs_alias=self.repo_type)
                     return repo
                 def __json__(self):
                     return {'landing_rev': self.landing_rev}
                 def get_dict(self):
                     # Since we transformed `repo_name` to a hybrid property, we need to
                     # keep compatibility with the code which uses `repo_name` field.
                     result = super(Repository, self).get_dict()
                     result['repo_name'] = result.pop('_repo_name', None)
                     return result
             class RepoGroup(Base, BaseModel):
                 __tablename__ = 'groups'
                 __table_args__ = (
                     UniqueConstraint('group_name', 'group_parent_id'),
                     CheckConstraint('group_id != group_parent_id'),
                     {'extend_existing': True, 'mysql_engine': 'InnoDB',
                      'mysql_charset': 'utf8', 'sqlite_autoincrement': True},
                 )
                 __mapper_args__ = {'order_by': 'group_name'}
                 CHOICES_SEPARATOR = '/'  # used to generate select2 choices for nested groups
                 group_id = Column("group_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 group_name = Column("group_name", String(255), nullable=False, unique=True, default=None)
                 group_parent_id = Column("group_parent_id", Integer(), ForeignKey('groups.group_id'), nullable=True, unique=None, default=None)
                 group_description = Column("group_description", String(10000), nullable=True, unique=None, default=None)
                 enable_locking = Column("enable_locking", Boolean(), nullable=False, unique=None, default=False)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=False, default=None)
                 created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 personal = Column('personal', Boolean(), nullable=True, unique=None, default=None)
                 repo_group_to_perm = relationship('UserRepoGroupToPerm', cascade='all', order_by='UserRepoGroupToPerm.group_to_perm_id')
                 users_group_to_perm = relationship('UserGroupRepoGroupToPerm', cascade='all')
                 parent_group = relationship('RepoGroup', remote_side=group_id)
                 user = relationship('User')
                 integrations = relationship('Integration',
                                             cascade="all, delete, delete-orphan")
                 def __init__(self, group_name='', parent_group=None):
                     self.group_name = group_name
                     self.parent_group = parent_group
                 def __unicode__(self):
                     return u"<%s('id:%s:%s')>" % (self.__class__.__name__, self.group_id,
                                                   self.group_name)
                 @classmethod
                 def _generate_choice(cls, repo_group):
                     from webhelpers.html import literal as _literal
                     _name = lambda k: _literal(cls.CHOICES_SEPARATOR.join(k))
                     return repo_group.group_id, _name(repo_group.full_path_splitted)
                 @classmethod
                 def groups_choices(cls, groups=None, show_empty_group=True):
                     if not groups:
                         groups = cls.query().all()
                     repo_groups = []
                     if show_empty_group:
                         repo_groups = [('-1', u'-- %s --' % _('No parent'))]
                     repo_groups.extend([cls._generate_choice(x) for x in groups])
                     repo_groups = sorted(
                         repo_groups, key=lambda t: t[1].split(cls.CHOICES_SEPARATOR)[0])
                     return repo_groups
                 @classmethod
                 def url_sep(cls):
                     return URL_SEP
                 @classmethod
                 def get_by_group_name(cls, group_name, cache=False, case_insensitive=False):
                     if case_insensitive:
                         gr = cls.query().filter(func.lower(cls.group_name)
                                                 == func.lower(group_name))
                     else:
                         gr = cls.query().filter(cls.group_name == group_name)
                     if cache:
                         gr = gr.options(FromCache(
                                         "sql_cache_short",
                                         "get_group_%s" % _hash_key(group_name)))
                     return gr.scalar()
                 @classmethod
                 def get_user_personal_repo_group(cls, user_id):
                     user = User.get(user_id)
                     return cls.query()\
                         .filter(cls.personal == true())\
                         .filter(cls.user == user).scalar()
                 @classmethod
                 def get_all_repo_groups(cls, user_id=Optional(None), group_id=Optional(None),
                                         case_insensitive=True):
                     q = RepoGroup.query()
                     if not isinstance(user_id, Optional):
                         q = q.filter(RepoGroup.user_id == user_id)
                     if not isinstance(group_id, Optional):
                         q = q.filter(RepoGroup.group_parent_id == group_id)
                     if case_insensitive:
                         q = q.order_by(func.lower(RepoGroup.group_name))
                     else:
                         q = q.order_by(RepoGroup.group_name)
                     return q.all()
                 @property
                 def parents(self):
                     parents_recursion_limit = 10
                     groups = []
                     if self.parent_group is None:
                         return groups
                     cur_gr = self.parent_group
                     groups.insert(0, cur_gr)
                     cnt = 0
                     while 1:
                         cnt += 1
                         gr = getattr(cur_gr, 'parent_group', None)
                         cur_gr = cur_gr.parent_group
                         if gr is None:
                             break
                         if cnt == parents_recursion_limit:
                             # this will prevent accidental infinit loops
                             log.error(('more than %s parents found for group %s, stopping '
                                        'recursive parent fetching' % (parents_recursion_limit, self)))
                             break
                         groups.insert(0, gr)
                     return groups
                 @property
                 def children(self):
                     return RepoGroup.query().filter(RepoGroup.parent_group == self)
                 @property
                 def name(self):
                     return self.group_name.split(RepoGroup.url_sep())[-1]
                 @property
                 def full_path(self):
                     return self.group_name
                 @property
                 def full_path_splitted(self):
                     return self.group_name.split(RepoGroup.url_sep())
                 @property
                 def repositories(self):
                     return Repository.query()\
                             .filter(Repository.group == self)\
                             .order_by(Repository.repo_name)
                 @property
                 def repositories_recursive_count(self):
                     cnt = self.repositories.count()
                     def children_count(group):
                         cnt = 0
                         for child in group.children:
                             cnt += child.repositories.count()
                             cnt += children_count(child)
                         return cnt
                     return cnt + children_count(self)
                 def _recursive_objects(self, include_repos=True):
                     all_ = []
                     def _get_members(root_gr):
                         if include_repos:
                             for r in root_gr.repositories:
                                 all_.append(r)
                         childs = root_gr.children.all()
                         if childs:
                             for gr in childs:
                                 all_.append(gr)
                                 _get_members(gr)
                     _get_members(self)
                     return [self] + all_
                 def recursive_groups_and_repos(self):
                     """
                     Recursive return all groups, with repositories in those groups
                     """
                     return self._recursive_objects()
                 def recursive_groups(self):
                     """
                     Returns all children groups for this group including children of children
                     """
                     return self._recursive_objects(include_repos=False)
                 def get_new_name(self, group_name):
                     """
                     returns new full group name based on parent and new name
                     :param group_name:
                     """
                     path_prefix = (self.parent_group.full_path_splitted if
                                    self.parent_group else [])
                     return RepoGroup.url_sep().join(path_prefix + [group_name])
                 def permissions(self, with_admins=True, with_owner=True):
                     q = UserRepoGroupToPerm.query().filter(UserRepoGroupToPerm.group == self)
                     q = q.options(joinedload(UserRepoGroupToPerm.group),
                                   joinedload(UserRepoGroupToPerm.user),
                                   joinedload(UserRepoGroupToPerm.permission),)
                     # get owners and admins and permissions. We do a trick of re-writing
                     # objects from sqlalchemy to named-tuples due to sqlalchemy session
                     # has a global reference and changing one object propagates to all
                     # others. This means if admin is also an owner admin_row that change
                     # would propagate to both objects
                     perm_rows = []
                     for _usr in q.all():
                         usr = AttributeDict(_usr.user.get_dict())
                         usr.permission = _usr.permission.permission_name
                         perm_rows.append(usr)
                     # filter the perm rows by 'default' first and then sort them by
                     # admin,write,read,none permissions sorted again alphabetically in
                     # each group
                     perm_rows = sorted(perm_rows, key=display_sort)
                     _admin_perm = 'group.admin'
                     owner_row = []
                     if with_owner:
                         usr = AttributeDict(self.user.get_dict())
                         usr.owner_row = True
                         usr.permission = _admin_perm
                         owner_row.append(usr)
                     super_admin_rows = []
                     if with_admins:
                         for usr in User.get_all_super_admins():
                             # if this admin is also owner, don't double the record
                             if usr.user_id == owner_row[0].user_id:
                                 owner_row[0].admin_row = True
                             else:
                                 usr = AttributeDict(usr.get_dict())
                                 usr.admin_row = True
                                 usr.permission = _admin_perm
                                 super_admin_rows.append(usr)
                     return super_admin_rows + owner_row + perm_rows
                 def permission_user_groups(self):
                     q = UserGroupRepoGroupToPerm.query().filter(UserGroupRepoGroupToPerm.group == self)
                     q = q.options(joinedload(UserGroupRepoGroupToPerm.group),
                                   joinedload(UserGroupRepoGroupToPerm.users_group),
                                   joinedload(UserGroupRepoGroupToPerm.permission),)
                     perm_rows = []
                     for _user_group in q.all():
                         usr = AttributeDict(_user_group.users_group.get_dict())
                         usr.permission = _user_group.permission.permission_name
                         perm_rows.append(usr)
                     return perm_rows
                 def get_api_data(self):
                     """
                     Common function for generating api data
                     """
                     group = self
                     data = {
                         'group_id': group.group_id,
                         'group_name': group.group_name,
                         'group_description': group.group_description,
                         'parent_group': group.parent_group.group_name if group.parent_group else None,
                         'repositories': [x.repo_name for x in group.repositories],
                         'owner': group.user.username,
                     }
                     return data
             class Permission(Base, BaseModel):
                 __tablename__ = 'permissions'
                 __table_args__ = (
                     Index('p_perm_name_idx', 'permission_name'),
                     {'extend_existing': True, 'mysql_engine': 'InnoDB',
                      'mysql_charset': 'utf8', 'sqlite_autoincrement': True},
                 )
                 PERMS = [
                     ('hg.admin', _('RhodeCode Super Administrator')),
                     ('repository.none', _('Repository no access')),
                     ('repository.read', _('Repository read access')),
                     ('repository.write', _('Repository write access')),
                     ('repository.admin', _('Repository admin access')),
                     ('group.none', _('Repository group no access')),
                     ('group.read', _('Repository group read access')),
                     ('group.write', _('Repository group write access')),
                     ('group.admin', _('Repository group admin access')),
                     ('usergroup.none', _('User group no access')),
                     ('usergroup.read', _('User group read access')),
                     ('usergroup.write', _('User group write access')),
                     ('usergroup.admin', _('User group admin access')),
                     ('hg.repogroup.create.false', _('Repository Group creation disabled')),
                     ('hg.repogroup.create.true', _('Repository Group creation enabled')),
                     ('hg.usergroup.create.false', _('User Group creation disabled')),
                     ('hg.usergroup.create.true', _('User Group creation enabled')),
                     ('hg.create.none', _('Repository creation disabled')),
                     ('hg.create.repository', _('Repository creation enabled')),
                     ('hg.create.write_on_repogroup.true', _('Repository creation enabled with write permission to a repository group')),
                     ('hg.create.write_on_repogroup.false', _('Repository creation disabled with write permission to a repository group')),
                     ('hg.fork.none', _('Repository forking disabled')),
                     ('hg.fork.repository', _('Repository forking enabled')),
                     ('hg.register.none', _('Registration disabled')),
                     ('hg.register.manual_activate', _('User Registration with manual account activation')),
                     ('hg.register.auto_activate', _('User Registration with automatic account activation')),
                     ('hg.password_reset.enabled', _('Password reset enabled')),
                     ('hg.password_reset.hidden', _('Password reset hidden')),
                     ('hg.password_reset.disabled', _('Password reset disabled')),
                     ('hg.extern_activate.manual', _('Manual activation of external account')),
                     ('hg.extern_activate.auto', _('Automatic activation of external account')),
                     ('hg.inherit_default_perms.false', _('Inherit object permissions from default user disabled')),
                     ('hg.inherit_default_perms.true', _('Inherit object permissions from default user enabled')),
                 ]
                 # definition of system default permissions for DEFAULT user
                 DEFAULT_USER_PERMISSIONS = [
                     'repository.read',
                     'group.read',
                     'usergroup.read',
                     'hg.create.repository',
                     'hg.repogroup.create.false',
                     'hg.usergroup.create.false',
                     'hg.create.write_on_repogroup.true',
                     'hg.fork.repository',
                     'hg.register.manual_activate',
                     'hg.password_reset.enabled',
                     'hg.extern_activate.auto',
                     'hg.inherit_default_perms.true',
                 ]
                 # defines which permissions are more important higher the more important
                 # Weight defines which permissions are more important.
                 # The higher number the more important.
                 PERM_WEIGHTS = {
                     'repository.none': 0,
                     'repository.read': 1,
                     'repository.write': 3,
                     'repository.admin': 4,
                     'group.none': 0,
                     'group.read': 1,
                     'group.write': 3,
                     'group.admin': 4,
                     'usergroup.none': 0,
                     'usergroup.read': 1,
                     'usergroup.write': 3,
                     'usergroup.admin': 4,
                     'hg.repogroup.create.false': 0,
                     'hg.repogroup.create.true': 1,
                     'hg.usergroup.create.false': 0,
                     'hg.usergroup.create.true': 1,
                     'hg.fork.none': 0,
                     'hg.fork.repository': 1,
                     'hg.create.none': 0,
                     'hg.create.repository': 1
                 }
                 permission_id = Column("permission_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 permission_name = Column("permission_name", String(255), nullable=True, unique=None, default=None)
                 permission_longname = Column("permission_longname", String(255), nullable=True, unique=None, default=None)
                 def __unicode__(self):
                     return u"<%s('%s:%s')>" % (
                         self.__class__.__name__, self.permission_id, self.permission_name
                     )
                 @classmethod
                 def get_by_key(cls, key):
                     return cls.query().filter(cls.permission_name == key).scalar()
                 @classmethod
                 def get_default_repo_perms(cls, user_id, repo_id=None):
                     q = Session().query(UserRepoToPerm, Repository, Permission)\
                         .join((Permission, UserRepoToPerm.permission_id == Permission.permission_id))\
                         .join((Repository, UserRepoToPerm.repository_id == Repository.repo_id))\
                         .filter(UserRepoToPerm.user_id == user_id)
                     if repo_id:
                         q = q.filter(UserRepoToPerm.repository_id == repo_id)
                     return q.all()
                 @classmethod
                 def get_default_repo_perms_from_user_group(cls, user_id, repo_id=None):
                     q = Session().query(UserGroupRepoToPerm, Repository, Permission)\
                         .join(
                             Permission,
                             UserGroupRepoToPerm.permission_id == Permission.permission_id)\
                         .join(
                             Repository,
                             UserGroupRepoToPerm.repository_id == Repository.repo_id)\
                         .join(
                             UserGroup,
                             UserGroupRepoToPerm.users_group_id ==
                             UserGroup.users_group_id)\
                         .join(
                             UserGroupMember,
                             UserGroupRepoToPerm.users_group_id ==
                             UserGroupMember.users_group_id)\
                         .filter(
                             UserGroupMember.user_id == user_id,
                             UserGroup.users_group_active == true())
                     if repo_id:
                         q = q.filter(UserGroupRepoToPerm.repository_id == repo_id)
                     return q.all()
                 @classmethod
                 def get_default_group_perms(cls, user_id, repo_group_id=None):
                     q = Session().query(UserRepoGroupToPerm, RepoGroup, Permission)\
                         .join((Permission, UserRepoGroupToPerm.permission_id == Permission.permission_id))\
                         .join((RepoGroup, UserRepoGroupToPerm.group_id == RepoGroup.group_id))\
                         .filter(UserRepoGroupToPerm.user_id == user_id)
                     if repo_group_id:
                         q = q.filter(UserRepoGroupToPerm.group_id == repo_group_id)
                     return q.all()
                 @classmethod
                 def get_default_group_perms_from_user_group(
                         cls, user_id, repo_group_id=None):
                     q = Session().query(UserGroupRepoGroupToPerm, RepoGroup, Permission)\
                         .join(
                             Permission,
                             UserGroupRepoGroupToPerm.permission_id ==
                             Permission.permission_id)\
                         .join(
                             RepoGroup,
                             UserGroupRepoGroupToPerm.group_id == RepoGroup.group_id)\
                         .join(
                             UserGroup,
                             UserGroupRepoGroupToPerm.users_group_id ==
                             UserGroup.users_group_id)\
                         .join(
                             UserGroupMember,
                             UserGroupRepoGroupToPerm.users_group_id ==
                             UserGroupMember.users_group_id)\
                         .filter(
                             UserGroupMember.user_id == user_id,
                             UserGroup.users_group_active == true())
                     if repo_group_id:
                         q = q.filter(UserGroupRepoGroupToPerm.group_id == repo_group_id)
                     return q.all()
                 @classmethod
                 def get_default_user_group_perms(cls, user_id, user_group_id=None):
                     q = Session().query(UserUserGroupToPerm, UserGroup, Permission)\
                         .join((Permission, UserUserGroupToPerm.permission_id == Permission.permission_id))\
                         .join((UserGroup, UserUserGroupToPerm.user_group_id == UserGroup.users_group_id))\
                         .filter(UserUserGroupToPerm.user_id == user_id)
                     if user_group_id:
                         q = q.filter(UserUserGroupToPerm.user_group_id == user_group_id)
                     return q.all()
                 @classmethod
                 def get_default_user_group_perms_from_user_group(
                         cls, user_id, user_group_id=None):
                     TargetUserGroup = aliased(UserGroup, name='target_user_group')
                     q = Session().query(UserGroupUserGroupToPerm, UserGroup, Permission)\
                         .join(
                             Permission,
                             UserGroupUserGroupToPerm.permission_id ==
                             Permission.permission_id)\
                         .join(
                             TargetUserGroup,
                             UserGroupUserGroupToPerm.target_user_group_id ==
                             TargetUserGroup.users_group_id)\
                         .join(
                             UserGroup,
                             UserGroupUserGroupToPerm.user_group_id ==
                             UserGroup.users_group_id)\
                         .join(
                             UserGroupMember,
                             UserGroupUserGroupToPerm.user_group_id ==
                             UserGroupMember.users_group_id)\
                         .filter(
                             UserGroupMember.user_id == user_id,
                             UserGroup.users_group_active == true())
                     if user_group_id:
                         q = q.filter(
                             UserGroupUserGroupToPerm.user_group_id == user_group_id)
                     return q.all()
             class UserRepoToPerm(Base, BaseModel):
                 __tablename__ = 'repo_to_perm'
                 __table_args__ = (
                     UniqueConstraint('user_id', 'repository_id', 'permission_id'),
                     {'extend_existing': True, 'mysql_engine': 'InnoDB',
                      'mysql_charset': 'utf8', 'sqlite_autoincrement': True}
                 )
                 repo_to_perm_id = Column("repo_to_perm_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=None, default=None)
                 permission_id = Column("permission_id", Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)
                 repository_id = Column("repository_id", Integer(), ForeignKey('repositories.repo_id'), nullable=False, unique=None, default=None)
                 user = relationship('User')
                 repository = relationship('Repository')
                 permission = relationship('Permission')
                 @classmethod
                 def create(cls, user, repository, permission):
                     n = cls()
                     n.user = user
                     n.repository = repository
                     n.permission = permission
                     Session().add(n)
                     return n
                 def __unicode__(self):
                     return u'<%s => %s >' % (self.user, self.repository)
             class UserUserGroupToPerm(Base, BaseModel):
                 __tablename__ = 'user_user_group_to_perm'
                 __table_args__ = (
                     UniqueConstraint('user_id', 'user_group_id', 'permission_id'),
                     {'extend_existing': True, 'mysql_engine': 'InnoDB',
                      'mysql_charset': 'utf8', 'sqlite_autoincrement': True}
                 )
                 user_user_group_to_perm_id = Column("user_user_group_to_perm_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=None, default=None)
                 permission_id = Column("permission_id", Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)
                 user_group_id = Column("user_group_id", Integer(), ForeignKey('users_groups.users_group_id'), nullable=False, unique=None, default=None)
                 user = relationship('User')
                 user_group = relationship('UserGroup')
                 permission = relationship('Permission')
                 @classmethod
                 def create(cls, user, user_group, permission):
                     n = cls()
                     n.user = user
                     n.user_group = user_group
                     n.permission = permission
                     Session().add(n)
                     return n
                 def __unicode__(self):
                     return u'<%s => %s >' % (self.user, self.user_group)
             class UserToPerm(Base, BaseModel):
                 __tablename__ = 'user_to_perm'
                 __table_args__ = (
                     UniqueConstraint('user_id', 'permission_id'),
                     {'extend_existing': True, 'mysql_engine': 'InnoDB',
                      'mysql_charset': 'utf8', 'sqlite_autoincrement': True}
                 )
                 user_to_perm_id = Column("user_to_perm_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=None, default=None)
                 permission_id = Column("permission_id", Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)
                 user = relationship('User')
                 permission = relationship('Permission', lazy='joined')
                 def __unicode__(self):
                     return u'<%s => %s >' % (self.user, self.permission)
             class UserGroupRepoToPerm(Base, BaseModel):
                 __tablename__ = 'users_group_repo_to_perm'
                 __table_args__ = (
                     UniqueConstraint('repository_id', 'users_group_id', 'permission_id'),
                     {'extend_existing': True, 'mysql_engine': 'InnoDB',
                      'mysql_charset': 'utf8', 'sqlite_autoincrement': True}
                 )
                 users_group_to_perm_id = Column("users_group_to_perm_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 users_group_id = Column("users_group_id", Integer(), ForeignKey('users_groups.users_group_id'), nullable=False, unique=None, default=None)
                 permission_id = Column("permission_id", Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)
                 repository_id = Column("repository_id", Integer(), ForeignKey('repositories.repo_id'), nullable=False, unique=None, default=None)
                 users_group = relationship('UserGroup')
                 permission = relationship('Permission')
                 repository = relationship('Repository')
                 @classmethod
                 def create(cls, users_group, repository, permission):
                     n = cls()
                     n.users_group = users_group
                     n.repository = repository
                     n.permission = permission
                     Session().add(n)
                     return n
                 def __unicode__(self):
                     return u'<UserGroupRepoToPerm:%s => %s >' % (self.users_group, self.repository)
             class UserGroupUserGroupToPerm(Base, BaseModel):
                 __tablename__ = 'user_group_user_group_to_perm'
                 __table_args__ = (
                     UniqueConstraint('target_user_group_id', 'user_group_id', 'permission_id'),
                     CheckConstraint('target_user_group_id != user_group_id'),
                     {'extend_existing': True, 'mysql_engine': 'InnoDB',
                      'mysql_charset': 'utf8', 'sqlite_autoincrement': True}
                 )
                 user_group_user_group_to_perm_id = Column("user_group_user_group_to_perm_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 target_user_group_id = Column("target_user_group_id", Integer(), ForeignKey('users_groups.users_group_id'), nullable=False, unique=None, default=None)
                 permission_id = Column("permission_id", Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)
                 user_group_id = Column("user_group_id", Integer(), ForeignKey('users_groups.users_group_id'), nullable=False, unique=None, default=None)
                 target_user_group = relationship('UserGroup', primaryjoin='UserGroupUserGroupToPerm.target_user_group_id==UserGroup.users_group_id')
                 user_group = relationship('UserGroup', primaryjoin='UserGroupUserGroupToPerm.user_group_id==UserGroup.users_group_id')
                 permission = relationship('Permission')
                 @classmethod
                 def create(cls, target_user_group, user_group, permission):
                     n = cls()
                     n.target_user_group = target_user_group
                     n.user_group = user_group
                     n.permission = permission
                     Session().add(n)
                     return n
                 def __unicode__(self):
                     return u'<UserGroupUserGroup:%s => %s >' % (self.target_user_group, self.user_group)
             class UserGroupToPerm(Base, BaseModel):
                 __tablename__ = 'users_group_to_perm'
                 __table_args__ = (
                     UniqueConstraint('users_group_id', 'permission_id',),
                     {'extend_existing': True, 'mysql_engine': 'InnoDB',
                      'mysql_charset': 'utf8', 'sqlite_autoincrement': True}
                 )
                 users_group_to_perm_id = Column("users_group_to_perm_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 users_group_id = Column("users_group_id", Integer(), ForeignKey('users_groups.users_group_id'), nullable=False, unique=None, default=None)
                 permission_id = Column("permission_id", Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)
                 users_group = relationship('UserGroup')
                 permission = relationship('Permission')
             class UserRepoGroupToPerm(Base, BaseModel):
                 __tablename__ = 'user_repo_group_to_perm'
                 __table_args__ = (
                     UniqueConstraint('user_id', 'group_id', 'permission_id'),
                     {'extend_existing': True, 'mysql_engine': 'InnoDB',
                      'mysql_charset': 'utf8', 'sqlite_autoincrement': True}
                 )
                 group_to_perm_id = Column("group_to_perm_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=None, default=None)
                 group_id = Column("group_id", Integer(), ForeignKey('groups.group_id'), nullable=False, unique=None, default=None)
                 permission_id = Column("permission_id", Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)
                 user = relationship('User')
                 group = relationship('RepoGroup')
                 permission = relationship('Permission')
                 @classmethod
                 def create(cls, user, repository_group, permission):
                     n = cls()
                     n.user = user
                     n.group = repository_group
                     n.permission = permission
                     Session().add(n)
                     return n
             class UserGroupRepoGroupToPerm(Base, BaseModel):
                 __tablename__ = 'users_group_repo_group_to_perm'
                 __table_args__ = (
                     UniqueConstraint('users_group_id', 'group_id'),
                     {'extend_existing': True, 'mysql_engine': 'InnoDB',
                      'mysql_charset': 'utf8', 'sqlite_autoincrement': True}
                 )
                 users_group_repo_group_to_perm_id = Column("users_group_repo_group_to_perm_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 users_group_id = Column("users_group_id", Integer(), ForeignKey('users_groups.users_group_id'), nullable=False, unique=None, default=None)
                 group_id = Column("group_id", Integer(), ForeignKey('groups.group_id'), nullable=False, unique=None, default=None)
                 permission_id = Column("permission_id", Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)
                 users_group = relationship('UserGroup')
                 permission = relationship('Permission')
                 group = relationship('RepoGroup')
                 @classmethod
                 def create(cls, user_group, repository_group, permission):
                     n = cls()
                     n.users_group = user_group
                     n.group = repository_group
                     n.permission = permission
                     Session().add(n)
                     return n
                 def __unicode__(self):
                     return u'<UserGroupRepoGroupToPerm:%s => %s >' % (self.users_group, self.group)
             class Statistics(Base, BaseModel):
                 __tablename__ = 'statistics'
                 __table_args__ = (
                      UniqueConstraint('repository_id'),
                      {'extend_existing': True, 'mysql_engine': 'InnoDB',
                       'mysql_charset': 'utf8', 'sqlite_autoincrement': True}
                 )
                 stat_id = Column("stat_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 repository_id = Column("repository_id", Integer(), ForeignKey('repositories.repo_id'), nullable=False, unique=True, default=None)
                 stat_on_revision = Column("stat_on_revision", Integer(), nullable=False)
                 commit_activity = Column("commit_activity", LargeBinary(1000000), nullable=False)#JSON data
                 commit_activity_combined = Column("commit_activity_combined", LargeBinary(), nullable=False)#JSON data
                 languages = Column("languages", LargeBinary(1000000), nullable=False)#JSON data
                 repository = relationship('Repository', single_parent=True)
             class UserFollowing(Base, BaseModel):
                 __tablename__ = 'user_followings'
                 __table_args__ = (
                     UniqueConstraint('user_id', 'follows_repository_id'),
                     UniqueConstraint('user_id', 'follows_user_id'),
                     {'extend_existing': True, 'mysql_engine': 'InnoDB',
                      'mysql_charset': 'utf8', 'sqlite_autoincrement': True}
                 )
                 user_following_id = Column("user_following_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=None, default=None)
                 follows_repo_id = Column("follows_repository_id", Integer(), ForeignKey('repositories.repo_id'), nullable=True, unique=None, default=None)
                 follows_user_id = Column("follows_user_id", Integer(), ForeignKey('users.user_id'), nullable=True, unique=None, default=None)
                 follows_from = Column('follows_from', DateTime(timezone=False), nullable=True, unique=None, default=datetime.datetime.now)
                 user = relationship('User', primaryjoin='User.user_id==UserFollowing.user_id')
                 follows_user = relationship('User', primaryjoin='User.user_id==UserFollowing.follows_user_id')
                 follows_repository = relationship('Repository', order_by='Repository.repo_name')
                 @classmethod
                 def get_repo_followers(cls, repo_id):
                     return cls.query().filter(cls.follows_repo_id == repo_id)
             class CacheKey(Base, BaseModel):
                 __tablename__ = 'cache_invalidation'
                 __table_args__ = (
                     UniqueConstraint('cache_key'),
                     Index('key_idx', 'cache_key'),
                     {'extend_existing': True, 'mysql_engine': 'InnoDB',
                      'mysql_charset': 'utf8', 'sqlite_autoincrement': True},
                 )
                 CACHE_TYPE_ATOM = 'ATOM'
                 CACHE_TYPE_RSS = 'RSS'
                 CACHE_TYPE_README = 'README'
                 cache_id = Column("cache_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
                 cache_key = Column("cache_key", String(255), nullable=True, unique=None, default=None)
                 cache_args = Column("cache_args", String(255), nullable=True, unique=None, default=None)
                 cache_active = Column("cache_active", Boolean(), nullable=True, unique=None, default=False)
                 def __init__(self, cache_key, cache_args=''):
                     self.cache_key = cache_key
                     self.cache_args = cache_args
                     self.cache_active = False
                 def __unicode__(self):
                     return u"<%s('%s:%s[%s]')>" % (
                         self.__class__.__name__,
                         self.cache_id, self.cache_key, self.cache_active)
                 def _cache_key_partition(self):
                     prefix, repo_name, suffix = self.cache_key.partition(self.cache_args)
                     return prefix, repo_name, suffix
                 def get_prefix(self):
                     """
                     Try to extract prefix from existing cache key. The key could consist
                     of prefix, repo_name, suffix
                     """
                     # this returns prefix, repo_name, suffix
                     return self._cache_key_partition()[0]
                 def get_suffix(self):
                     """
                     get suffix that might have been used in _get_cache_key to
                     generate self.cache_key. Only used for informational purposes
                     in repo_edit.mako.
                     """
                     # prefix, repo_name, suffix
                     return self._cache_key_partition()[2]
                 @classmethod
                 def delete_all_cache(cls):
                     """
                     Delete all cache keys from database.
                     Should only be run when all instances are down and all entries
                     thus stale.
                     """
                     cls.query().delete()
                     Session().commit()
                 @classmethod
                 def get_cache_key(cls, repo_name, cache_type):
                     """
                     Generate a cache key for this process of RhodeCode instance.
                     Prefix most likely will be process id or maybe explicitly set
                     instance_id from .ini file.
                     """
                     import rhodecode
                     prefix = safe_unicode(rhodecode.CONFIG.get('instance_id') or '')
                     repo_as_unicode = safe_unicode(repo_name)
                     key = u'{}_{}'.format(repo_as_unicode, cache_type) \
                         if cache_type else repo_as_unicode
                     return u'{}{}'.format(prefix, key)
                 @classmethod
                 def set_invalidate(cls, repo_name, delete=False):
                     """
                     Mark all caches of a repo as invalid in the database.
                     """
                     try:
                         qry = Session().query(cls).filter(cls.cache_args == repo_name)
                         if delete:
                             log.debug('cache objects deleted for repo %s',
                                       safe_str(repo_name))
                             qry.delete()
                         else:
                             log.debug('cache objects marked as invalid for repo %s',
                                       safe_str(repo_name))
                             qry.update({"cache_active": False})
                         Session().commit()
                     except Exception:
                         log.exception(
                             'Cache key invalidation failed for repository %s',
                             safe_str(repo_name))
                         Session().rollback()
                 @classmethod
                 def get_active_cache(cls, cache_key):
                     inv_obj = cls.query().filter(cls.cache_key == cache_key).scalar()
                     if inv_obj:
                         return inv_obj
                     return None
                 @classmethod
                 def repo_context_cache(cls, compute_func, repo_name, cache_type,
                                        thread_scoped=False):
                     """
                     @cache_region('long_term')
                     def _heavy_calculation(cache_key):
                         return 'result'
                     cache_context = CacheKey.repo_context_cache(
                         _heavy_calculation, repo_name, cache_type)
                     with cache_context as context:
                         context.invalidate()
                         computed = context.compute()
                     assert computed == 'result'
                     """
                     from rhodecode.lib import caches
                     return caches.InvalidationContext(
                         compute_func, repo_name, cache_type, thread_scoped=thread_scoped)
             class ChangesetComment(Base, BaseModel):
                 __tablename__ = 'changeset_comments'
                 __table_args__ = (
                     Index('cc_revision_idx', 'revision'),
                     {'extend_existing': True, 'mysql_engine': 'InnoDB',
                      'mysql_charset': 'utf8', 'sqlite_autoincrement': True},
                 )
                 COMMENT_OUTDATED = u'comment_outdated'
                 COMMENT_TYPE_NOTE = u'note'
                 COMMENT_TYPE_TODO = u'todo'
                 COMMENT_TYPES = [COMMENT_TYPE_NOTE, COMMENT_TYPE_TODO]
                 comment_id = Column('comment_id', Integer(), nullable=False, primary_key=True)
                 repo_id = Column('repo_id', Integer(), ForeignKey('repositories.repo_id'), nullable=False)
                 revision = Column('revision', String(40), nullable=True)
                 pull_request_id = Column("pull_request_id", Integer(), ForeignKey('pull_requests.pull_request_id'), nullable=True)
                 pull_request_version_id = Column("pull_request_version_id", Integer(), ForeignKey('pull_request_versions.pull_request_version_id'), nullable=True)
                 line_no = Column('line_no', Unicode(10), nullable=True)
                 hl_lines = Column('hl_lines', Unicode(512), nullable=True)
                 f_path = Column('f_path', Unicode(1000), nullable=True)
                 user_id = Column('user_id', Integer(), ForeignKey('users.user_id'), nullable=False)
                 text = Column('text', UnicodeText().with_variant(UnicodeText(25000), 'mysql'), nullable=False)
                 created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 modified_at = Column('modified_at', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 renderer = Column('renderer', Unicode(64), nullable=True)
                 display_state = Column('display_state',  Unicode(128), nullable=True)
                 comment_type = Column('comment_type',  Unicode(128), nullable=True, default=COMMENT_TYPE_NOTE)
                 resolved_comment_id = Column('resolved_comment_id', Integer(), ForeignKey('changeset_comments.comment_id'), nullable=True)
                 resolved_comment = relationship('ChangesetComment', remote_side=comment_id, backref='resolved_by')
                 author = relationship('User', lazy='joined')
                 repo = relationship('Repository')
                 status_change = relationship('ChangesetStatus', cascade="all, delete, delete-orphan", lazy='joined')
                 pull_request = relationship('PullRequest', lazy='joined')
                 pull_request_version = relationship('PullRequestVersion')
                 @classmethod
                 def get_users(cls, revision=None, pull_request_id=None):
                     """
                     Returns user associated with this ChangesetComment. ie those
                     who actually commented
                     :param cls:
                     :param revision:
                     """
                     q = Session().query(User)\
                             .join(ChangesetComment.author)
                     if revision:
                         q = q.filter(cls.revision == revision)
                     elif pull_request_id:
                         q = q.filter(cls.pull_request_id == pull_request_id)
                     return q.all()
                 @classmethod
                 def get_index_from_version(cls, pr_version, versions):
                     num_versions = [x.pull_request_version_id for x in versions]
                     try:
                         return num_versions.index(pr_version) +1
                     except (IndexError, ValueError):
                         return
                 @property
                 def outdated(self):
                     return self.display_state == self.COMMENT_OUTDATED
                 def outdated_at_version(self, version):
                     """
                     Checks if comment is outdated for given pull request version
                     """
                     return self.outdated and self.pull_request_version_id != version
                 def older_than_version(self, version):
                     """
                     Checks if comment is made from previous version than given
                     """
                     if version is None:
                         return self.pull_request_version_id is not None
                     return self.pull_request_version_id < version
                 @property
                 def resolved(self):
                     return self.resolved_by[0] if self.resolved_by else None
                 @property
                 def is_todo(self):
                     return self.comment_type == self.COMMENT_TYPE_TODO
                 def get_index_version(self, versions):
                     return self.get_index_from_version(
                         self.pull_request_version_id, versions)
                 def render(self, mentions=False):
                     from rhodecode.lib import helpers as h
                     return h.render(self.text, renderer=self.renderer, mentions=mentions)
                 def __repr__(self):
                     if self.comment_id:
                         return '<DB:Comment #%s>' % self.comment_id
                     else:
                         return '<DB:Comment at %#x>' % id(self)
             class ChangesetStatus(Base, BaseModel):
                 __tablename__ = 'changeset_statuses'
                 __table_args__ = (
                     Index('cs_revision_idx', 'revision'),
                     Index('cs_version_idx', 'version'),
                     UniqueConstraint('repo_id', 'revision', 'version'),
                     {'extend_existing': True, 'mysql_engine': 'InnoDB',
                      'mysql_charset': 'utf8', 'sqlite_autoincrement': True}
                 )
                 STATUS_NOT_REVIEWED = DEFAULT = 'not_reviewed'
                 STATUS_APPROVED = 'approved'
                 STATUS_REJECTED = 'rejected'
                 STATUS_UNDER_REVIEW = 'under_review'
                 STATUSES = [
                     (STATUS_NOT_REVIEWED, _("Not Reviewed")),  # (no icon) and default
                     (STATUS_APPROVED, _("Approved")),
                     (STATUS_REJECTED, _("Rejected")),
                     (STATUS_UNDER_REVIEW, _("Under Review")),
                 ]
                 changeset_status_id = Column('changeset_status_id', Integer(), nullable=False, primary_key=True)
                 repo_id = Column('repo_id', Integer(), ForeignKey('repositories.repo_id'), nullable=False)
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=None)
                 revision = Column('revision', String(40), nullable=False)
                 status = Column('status', String(128), nullable=False, default=DEFAULT)
                 changeset_comment_id = Column('changeset_comment_id', Integer(), ForeignKey('changeset_comments.comment_id'))
                 modified_at = Column('modified_at', DateTime(), nullable=False, default=datetime.datetime.now)
                 version = Column('version', Integer(), nullable=False, default=0)
                 pull_request_id = Column("pull_request_id", Integer(), ForeignKey('pull_requests.pull_request_id'), nullable=True)
                 author = relationship('User', lazy='joined')
                 repo = relationship('Repository')
                 comment = relationship('ChangesetComment', lazy='joined')
                 pull_request = relationship('PullRequest', lazy='joined')
                 def __unicode__(self):
                     return u"<%s('%s[v%s]:%s')>" % (
                         self.__class__.__name__,
                         self.status, self.version, self.author
                     )
                 @classmethod
                 def get_status_lbl(cls, value):
                     return dict(cls.STATUSES).get(value)
                 @property
                 def status_lbl(self):
                     return ChangesetStatus.get_status_lbl(self.status)
             class _PullRequestBase(BaseModel):
                 """
                 Common attributes of pull request and version entries.
                 """
                 # .status values
                 STATUS_NEW = u'new'
                 STATUS_OPEN = u'open'
                 STATUS_CLOSED = u'closed'
                 title = Column('title', Unicode(255), nullable=True)
                 description = Column(
                     'description', UnicodeText().with_variant(UnicodeText(10240), 'mysql'),
                     nullable=True)
                 # new/open/closed status of pull request (not approve/reject/etc)
                 status = Column('status', Unicode(255), nullable=False, default=STATUS_NEW)
                 created_on = Column(
                     'created_on', DateTime(timezone=False), nullable=False,
                     default=datetime.datetime.now)
                 updated_on = Column(
                     'updated_on', DateTime(timezone=False), nullable=False,
                     default=datetime.datetime.now)
                 @declared_attr
                 def user_id(cls):
                     return Column(
                         "user_id", Integer(), ForeignKey('users.user_id'), nullable=False,
                         unique=None)
                 # 500 revisions max
                 _revisions = Column(
                     'revisions', UnicodeText().with_variant(UnicodeText(20500), 'mysql'))
                 @declared_attr
                 def source_repo_id(cls):
                     # TODO: dan: rename column to source_repo_id
                     return Column(
                         'org_repo_id', Integer(), ForeignKey('repositories.repo_id'),
                         nullable=False)
                 source_ref = Column('org_ref', Unicode(255), nullable=False)
                 @declared_attr
                 def target_repo_id(cls):
                     # TODO: dan: rename column to target_repo_id
                     return Column(
                         'other_repo_id', Integer(), ForeignKey('repositories.repo_id'),
                         nullable=False)
                 target_ref = Column('other_ref', Unicode(255), nullable=False)
                 _shadow_merge_ref = Column('shadow_merge_ref', Unicode(255), nullable=True)
                 # TODO: dan: rename column to last_merge_source_rev
                 _last_merge_source_rev = Column(
                     'last_merge_org_rev', String(40), nullable=True)
                 # TODO: dan: rename column to last_merge_target_rev
                 _last_merge_target_rev = Column(
                     'last_merge_other_rev', String(40), nullable=True)
                 _last_merge_status = Column('merge_status', Integer(), nullable=True)
                 merge_rev = Column('merge_rev', String(40), nullable=True)
                 @hybrid_property
                 def revisions(self):
                     return self._revisions.split(':') if self._revisions else []
                 @revisions.setter
                 def revisions(self, val):
                     self._revisions = ':'.join(val)
                 @declared_attr
                 def author(cls):
                     return relationship('User', lazy='joined')
                 @declared_attr
                 def source_repo(cls):
                     return relationship(
                         'Repository',
                         primaryjoin='%s.source_repo_id==Repository.repo_id' % cls.__name__)
                 @property
                 def source_ref_parts(self):
                     return self.unicode_to_reference(self.source_ref)
                 @declared_attr
                 def target_repo(cls):
                     return relationship(
                         'Repository',
                         primaryjoin='%s.target_repo_id==Repository.repo_id' % cls.__name__)
                 @property
                 def target_ref_parts(self):
                     return self.unicode_to_reference(self.target_ref)
                 @property
                 def shadow_merge_ref(self):
                     return self.unicode_to_reference(self._shadow_merge_ref)
                 @shadow_merge_ref.setter
                 def shadow_merge_ref(self, ref):
                     self._shadow_merge_ref = self.reference_to_unicode(ref)
                 def unicode_to_reference(self, raw):
                     """
                     Convert a unicode (or string) to a reference object.
                     If unicode evaluates to False it returns None.
                     """
                     if raw:
                         refs = raw.split(':')
                         return Reference(*refs)
                     else:
                         return None
                 def reference_to_unicode(self, ref):
                     """
                     Convert a reference object to unicode.
                     If reference is None it returns None.
                     """
                     if ref:
                         return u':'.join(ref)
                     else:
                         return None
                 def get_api_data(self):
                     from rhodecode.model.pull_request import PullRequestModel
                     pull_request = self
                     merge_status = PullRequestModel().merge_status(pull_request)
                     pull_request_url = url(
                         'pullrequest_show', repo_name=self.target_repo.repo_name,
                         pull_request_id=self.pull_request_id, qualified=True)
                     merge_data = {
                         'clone_url': PullRequestModel().get_shadow_clone_url(pull_request),
                         'reference': (
                             pull_request.shadow_merge_ref._asdict()
                             if pull_request.shadow_merge_ref else None),
                     }
                     data = {
                         'pull_request_id': pull_request.pull_request_id,
                         'url': pull_request_url,
                         'title': pull_request.title,
                         'description': pull_request.description,
                         'status': pull_request.status,
                         'created_on': pull_request.created_on,
                         'updated_on': pull_request.updated_on,
                         'commit_ids': pull_request.revisions,
                         'review_status': pull_request.calculated_review_status(),
                         'mergeable': {
                             'status': merge_status[0],
                             'message': unicode(merge_status[1]),
                         },
                         'source': {
                             'clone_url': pull_request.source_repo.clone_url(),
                             'repository': pull_request.source_repo.repo_name,
                             'reference': {
                                 'name': pull_request.source_ref_parts.name,
                                 'type': pull_request.source_ref_parts.type,
                                 'commit_id': pull_request.source_ref_parts.commit_id,
                             },
                         },
                         'target': {
                             'clone_url': pull_request.target_repo.clone_url(),
                             'repository': pull_request.target_repo.repo_name,
                             'reference': {
                                 'name': pull_request.target_ref_parts.name,
                                 'type': pull_request.target_ref_parts.type,
                                 'commit_id': pull_request.target_ref_parts.commit_id,
                             },
                         },
                         'merge': merge_data,
                         'author': pull_request.author.get_api_data(include_secrets=False,
                                                                    details='basic'),
                         'reviewers': [
                             {
                                 'user': reviewer.get_api_data(include_secrets=False,
                                                               details='basic'),
                                 'reasons': reasons,
                                 'review_status': st[0][1].status if st else 'not_reviewed',
                             }
                             for reviewer, reasons, st in pull_request.reviewers_statuses()
                         ]
                     }
                     return data
             class PullRequest(Base, _PullRequestBase):
                 __tablename__ = 'pull_requests'
                 __table_args__ = (
                     {'extend_existing': True, 'mysql_engine': 'InnoDB',
                      'mysql_charset': 'utf8', 'sqlite_autoincrement': True},
                 )
                 pull_request_id = Column(
                     'pull_request_id', Integer(), nullable=False, primary_key=True)
                 def __repr__(self):
                     if self.pull_request_id:
                         return '<DB:PullRequest #%s>' % self.pull_request_id
                     else:
                         return '<DB:PullRequest at %#x>' % id(self)
                 reviewers = relationship('PullRequestReviewers',
                                          cascade="all, delete, delete-orphan")
                 statuses = relationship('ChangesetStatus')
                 comments = relationship('ChangesetComment',
                                         cascade="all, delete, delete-orphan")
                 versions = relationship('PullRequestVersion',
                                         cascade="all, delete, delete-orphan",
                                         lazy='dynamic')
                 @classmethod
                 def get_pr_display_object(cls, pull_request_obj, org_pull_request_obj,
                                           internal_methods=None):
                     class PullRequestDisplay(object):
                         """
                         Special object wrapper for showing PullRequest data via Versions
                         It mimics PR object as close as possible. This is read only object
                         just for display
                         """
                         def __init__(self, attrs, internal=None):
                             self.attrs = attrs
                             # internal have priority over the given ones via attrs
                             self.internal = internal or ['versions']
                         def __getattr__(self, item):
                             if item in self.internal:
                                 return getattr(self, item)
                             try:
                                 return self.attrs[item]
                             except KeyError:
                                 raise AttributeError(
                                     '%s object has no attribute %s' % (self, item))
                         def __repr__(self):
                             return '<DB:PullRequestDisplay #%s>' % self.attrs.get('pull_request_id')
                         def versions(self):
                             return pull_request_obj.versions.order_by(
                                 PullRequestVersion.pull_request_version_id).all()
                         def is_closed(self):
                             return pull_request_obj.is_closed()
                         @property
                         def pull_request_version_id(self):
                             return getattr(pull_request_obj, 'pull_request_version_id', None)
                     attrs = StrictAttributeDict(pull_request_obj.get_api_data())
                     attrs.author = StrictAttributeDict(
                         pull_request_obj.author.get_api_data())
                     if pull_request_obj.target_repo:
                         attrs.target_repo = StrictAttributeDict(
                             pull_request_obj.target_repo.get_api_data())
                         attrs.target_repo.clone_url = pull_request_obj.target_repo.clone_url
                     if pull_request_obj.source_repo:
                         attrs.source_repo = StrictAttributeDict(
                             pull_request_obj.source_repo.get_api_data())
                         attrs.source_repo.clone_url = pull_request_obj.source_repo.clone_url
                     attrs.source_ref_parts = pull_request_obj.source_ref_parts
                     attrs.target_ref_parts = pull_request_obj.target_ref_parts
                     attrs.revisions = pull_request_obj.revisions
                     attrs.shadow_merge_ref = org_pull_request_obj.shadow_merge_ref
                     return PullRequestDisplay(attrs, internal=internal_methods)
                 def is_closed(self):
                     return self.status == self.STATUS_CLOSED
                 def __json__(self):
                     return {
                         'revisions': self.revisions,
                     }
                 def calculated_review_status(self):
                     from rhodecode.model.changeset_status import ChangesetStatusModel
                     return ChangesetStatusModel().calculated_review_status(self)
                 def reviewers_statuses(self):
                     from rhodecode.model.changeset_status import ChangesetStatusModel
                     return ChangesetStatusModel().reviewers_statuses(self)
                 @property
                 def workspace_id(self):
                     from rhodecode.model.pull_request import PullRequestModel
                     return PullRequestModel()._workspace_id(self)
                 def get_shadow_repo(self):
                     workspace_id = self.workspace_id
                     vcs_obj = self.target_repo.scm_instance()
                     shadow_repository_path = vcs_obj._get_shadow_repository_path(
                         workspace_id)
                     return vcs_obj._get_shadow_instance(shadow_repository_path)
             class PullRequestVersion(Base, _PullRequestBase):
                 __tablename__ = 'pull_request_versions'
                 __table_args__ = (
                     {'extend_existing': True, 'mysql_engine': 'InnoDB',
                      'mysql_charset': 'utf8', 'sqlite_autoincrement': True},
                 )
                 pull_request_version_id = Column(
                     'pull_request_version_id', Integer(), nullable=False, primary_key=True)
                 pull_request_id = Column(
                     'pull_request_id', Integer(),
                     ForeignKey('pull_requests.pull_request_id'), nullable=False)
                 pull_request = relationship('PullRequest')
                 def __repr__(self):
                     if self.pull_request_version_id:
                         return '<DB:PullRequestVersion #%s>' % self.pull_request_version_id
                     else:
                         return '<DB:PullRequestVersion at %#x>' % id(self)
                 @property
                 def reviewers(self):
                     return self.pull_request.reviewers
                 @property
                 def versions(self):
                     return self.pull_request.versions
                 def is_closed(self):
                     # calculate from original
                     return self.pull_request.status == self.STATUS_CLOSED
                 def calculated_review_status(self):
                     return self.pull_request.calculated_review_status()
                 def reviewers_statuses(self):
                     return self.pull_request.reviewers_statuses()
             class PullRequestReviewers(Base, BaseModel):
                 __tablename__ = 'pull_request_reviewers'
                 __table_args__ = (
                     {'extend_existing': True, 'mysql_engine': 'InnoDB',
                      'mysql_charset': 'utf8', 'sqlite_autoincrement': True},
                 )
                 def __init__(self, user=None, pull_request=None, reasons=None):
                     self.user = user
                     self.pull_request = pull_request
                     self.reasons = reasons or []
                 @hybrid_property
                 def reasons(self):
                     if not self._reasons:
                         return []
                     return self._reasons
                 @reasons.setter
                 def reasons(self, val):
                     val = val or []
                     if any(not isinstance(x, basestring) for x in val):
                         raise Exception('invalid reasons type, must be list of strings')
                     self._reasons = val
                 pull_requests_reviewers_id = Column(
                     'pull_requests_reviewers_id', Integer(), nullable=False,
                     primary_key=True)
                 pull_request_id = Column(
                     "pull_request_id", Integer(),
                     ForeignKey('pull_requests.pull_request_id'), nullable=False)
                 user_id = Column(
                     "user_id", Integer(), ForeignKey('users.user_id'), nullable=True)
                 _reasons = Column(
                     'reason', MutationList.as_mutable(
                         JsonType('list', dialect_map=dict(mysql=UnicodeText(16384)))))
                 user = relationship('User')
                 pull_request = relationship('PullRequest')
             class Notification(Base, BaseModel):
                 __tablename__ = 'notifications'
                 __table_args__ = (
                     Index('notification_type_idx', 'type'),
                     {'extend_existing': True, 'mysql_engine': 'InnoDB',
                      'mysql_charset': 'utf8', 'sqlite_autoincrement': True},
                 )
                 TYPE_CHANGESET_COMMENT = u'cs_comment'
                 TYPE_MESSAGE = u'message'
                 TYPE_MENTION = u'mention'
                 TYPE_REGISTRATION = u'registration'
                 TYPE_PULL_REQUEST = u'pull_request'
                 TYPE_PULL_REQUEST_COMMENT = u'pull_request_comment'
                 notification_id = Column('notification_id', Integer(), nullable=False, primary_key=True)
                 subject = Column('subject', Unicode(512), nullable=True)
                 body = Column('body', UnicodeText().with_variant(UnicodeText(50000), 'mysql'), nullable=True)
                 created_by = Column("created_by", Integer(), ForeignKey('users.user_id'), nullable=True)
                 created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 type_ = Column('type', Unicode(255))
                 created_by_user = relationship('User')
                 notifications_to_users = relationship('UserNotification', lazy='joined',
                                                       cascade="all, delete, delete-orphan")
                 @property
                 def recipients(self):
                     return [x.user for x in UserNotification.query()\
                             .filter(UserNotification.notification == self)\
                             .order_by(UserNotification.user_id.asc()).all()]
                 @classmethod
                 def create(cls, created_by, subject, body, recipients, type_=None):
                     if type_ is None:
                         type_ = Notification.TYPE_MESSAGE
                     notification = cls()
                     notification.created_by_user = created_by
                     notification.subject = subject
                     notification.body = body
                     notification.type_ = type_
                     notification.created_on = datetime.datetime.now()
                     for u in recipients:
                         assoc = UserNotification()
                         assoc.notification = notification
                         # if created_by is inside recipients mark his notification
                         # as read
                         if u.user_id == created_by.user_id:
                             assoc.read = True
                         u.notifications.append(assoc)
                     Session().add(notification)
                     return notification
                 @property
                 def description(self):
                     from rhodecode.model.notification import NotificationModel
                     return NotificationModel().make_description(self)
             class UserNotification(Base, BaseModel):
                 __tablename__ = 'user_to_notification'
                 __table_args__ = (
                     UniqueConstraint('user_id', 'notification_id'),
                     {'extend_existing': True, 'mysql_engine': 'InnoDB',
                      'mysql_charset': 'utf8', 'sqlite_autoincrement': True}
                 )
                 user_id = Column('user_id', Integer(), ForeignKey('users.user_id'), primary_key=True)
                 notification_id = Column("notification_id", Integer(), ForeignKey('notifications.notification_id'), primary_key=True)
                 read = Column('read', Boolean, default=False)
                 sent_on = Column('sent_on', DateTime(timezone=False), nullable=True, unique=None)
                 user = relationship('User', lazy="joined")
                 notification = relationship('Notification', lazy="joined",
                                             order_by=lambda: Notification.created_on.desc(),)
                 def mark_as_read(self):
                     self.read = True
                     Session().add(self)
             class Gist(Base, BaseModel):
                 __tablename__ = 'gists'
                 __table_args__ = (
                     Index('g_gist_access_id_idx', 'gist_access_id'),
                     Index('g_created_on_idx', 'created_on'),
                     {'extend_existing': True, 'mysql_engine': 'InnoDB',
                      'mysql_charset': 'utf8', 'sqlite_autoincrement': True}
                 )
                 GIST_PUBLIC = u'public'
                 GIST_PRIVATE = u'private'
                 DEFAULT_FILENAME = u'gistfile1.txt'
                 ACL_LEVEL_PUBLIC = u'acl_public'
                 ACL_LEVEL_PRIVATE = u'acl_private'
                 gist_id = Column('gist_id', Integer(), primary_key=True)
                 gist_access_id = Column('gist_access_id', Unicode(250))
                 gist_description = Column('gist_description', UnicodeText().with_variant(UnicodeText(1024), 'mysql'))
                 gist_owner = Column('user_id', Integer(), ForeignKey('users.user_id'), nullable=True)
                 gist_expires = Column('gist_expires', Float(53), nullable=False)
                 gist_type = Column('gist_type', Unicode(128), nullable=False)
                 created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 modified_at = Column('modified_at', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
                 acl_level = Column('acl_level', Unicode(128), nullable=True)
                 owner = relationship('User')
                 def __repr__(self):
                     return '<Gist:[%s]%s>' % (self.gist_type, self.gist_access_id)
                 @classmethod
                 def get_or_404(cls, id_):
                     res = cls.query().filter(cls.gist_access_id == id_).scalar()
                     if not res:
                         raise HTTPNotFound
                     return res
                 @classmethod
                 def get_by_access_id(cls, gist_access_id):
                     return cls.query().filter(cls.gist_access_id == gist_access_id).scalar()
                 def gist_url(self):
                     import rhodecode
                     alias_url = rhodecode.CONFIG.get('gist_alias_url')
                     if alias_url:
                         return alias_url.replace('{gistid}', self.gist_access_id)
                     return url('gist', gist_id=self.gist_access_id, qualified=True)
                 @classmethod
                 def base_path(cls):
                     """
                     Returns base path when all gists are stored
                     :param cls:
                     """
                     from rhodecode.model.gist import GIST_STORE_LOC
                     q = Session().query(RhodeCodeUi)\
                         .filter(RhodeCodeUi.ui_key == URL_SEP)
                     q = q.options(FromCache("sql_cache_short", "repository_repo_path"))
                     return os.path.join(q.one().ui_value, GIST_STORE_LOC)
                 def get_api_data(self):
                     """
                     Common function for generating gist related data for API
                     """
                     gist = self
                     data = {
                         'gist_id': gist.gist_id,
                         'type': gist.gist_type,
                         'access_id': gist.gist_access_id,
                         'description': gist.gist_description,
                         'url': gist.gist_url(),
                         'expires': gist.gist_expires,
                         'created_on': gist.created_on,
                         'modified_at': gist.modified_at,
                         'content': None,
                         'acl_level': gist.acl_level,
                     }
                     return data
                 def __json__(self):
                     data = dict(
                     )
                     data.update(self.get_api_data())
                     return data
                 # SCM functions
                 def scm_instance(self, **kwargs):
                     full_repo_path = os.path.join(self.base_path(), self.gist_access_id)
                     return get_vcs_instance(
                         repo_path=safe_str(full_repo_path), create=False)
             class ExternalIdentity(Base, BaseModel):
                 __tablename__ = 'external_identities'
                 __table_args__ = (
                     Index('local_user_id_idx', 'local_user_id'),
                     Index('external_id_idx', 'external_id'),
                     {'extend_existing': True, 'mysql_engine': 'InnoDB',
                      'mysql_charset': 'utf8'})
                 external_id = Column('external_id', Unicode(255), default=u'',
                                      primary_key=True)
                 external_username = Column('external_username', Unicode(1024), default=u'')
                 local_user_id = Column('local_user_id', Integer(),
                                        ForeignKey('users.user_id'), primary_key=True)
                 provider_name = Column('provider_name', Unicode(255), default=u'',
                                        primary_key=True)
                 access_token = Column('access_token', String(1024), default=u'')
                 alt_token = Column('alt_token', String(1024), default=u'')
                 token_secret = Column('token_secret', String(1024), default=u'')
                 @classmethod
                 def by_external_id_and_provider(cls, external_id, provider_name,
                                                 local_user_id=None):
                     """
                     Returns ExternalIdentity instance based on search params
                     :param external_id:
                     :param provider_name:
                     :return: ExternalIdentity
                     """
                     query = cls.query()
                     query = query.filter(cls.external_id == external_id)
                     query = query.filter(cls.provider_name == provider_name)
                     if local_user_id:
                         query = query.filter(cls.local_user_id == local_user_id)
                     return query.first()
                 @classmethod
                 def user_by_external_id_and_provider(cls, external_id, provider_name):
                     """
                     Returns User instance based on search params
                     :param external_id:
                     :param provider_name:
                     :return: User
                     """
                     query = User.query()
                     query = query.filter(cls.external_id == external_id)
                     query = query.filter(cls.provider_name == provider_name)
                     query = query.filter(User.user_id == cls.local_user_id)
                     return query.first()
                 @classmethod
                 def by_local_user_id(cls, local_user_id):
                     """
                     Returns all tokens for user
                     :param local_user_id:
                     :return: ExternalIdentity
                     """
                     query = cls.query()
                     query = query.filter(cls.local_user_id == local_user_id)
                     return query
             class Integration(Base, BaseModel):
                 __tablename__ = 'integrations'
                 __table_args__ = (
                     {'extend_existing': True, 'mysql_engine': 'InnoDB',
                      'mysql_charset': 'utf8', 'sqlite_autoincrement': True}
                 )
                 integration_id = Column('integration_id', Integer(), primary_key=True)
                 integration_type = Column('integration_type', String(255))
                 enabled = Column('enabled', Boolean(), nullable=False)
                 name = Column('name', String(255), nullable=False)
                 child_repos_only = Column('child_repos_only', Boolean(), nullable=False,
                     default=False)
                 settings = Column(
                     'settings_json', MutationObj.as_mutable(
                         JsonType(dialect_map=dict(mysql=UnicodeText(16384)))))
                 repo_id = Column(
                     'repo_id', Integer(), ForeignKey('repositories.repo_id'),
                     nullable=True, unique=None, default=None)
                 repo = relationship('Repository', lazy='joined')
                 repo_group_id = Column(
                     'repo_group_id', Integer(), ForeignKey('groups.group_id'),
                     nullable=True, unique=None, default=None)
                 repo_group = relationship('RepoGroup', lazy='joined')
                 @property
                 def scope(self):
                     if self.repo:
                         return repr(self.repo)
                     if self.repo_group:
                         if self.child_repos_only:
                             return repr(self.repo_group) + ' (child repos only)'
                         else:
                             return repr(self.repo_group) + ' (recursive)'
                     if self.child_repos_only:
                         return 'root_repos'
                     return 'global'
                 def __repr__(self):
                     return '<Integration(%r, %r)>' % (self.integration_type, self.scope)
             class RepoReviewRuleUser(Base, BaseModel):
                 __tablename__ = 'repo_review_rules_users'
                 __table_args__ = (
                     {'extend_existing': True, 'mysql_engine': 'InnoDB',
                      'mysql_charset': 'utf8', 'sqlite_autoincrement': True,}
                 )
                 repo_review_rule_user_id = Column(
                     'repo_review_rule_user_id', Integer(), primary_key=True)
                 repo_review_rule_id = Column("repo_review_rule_id",
                     Integer(), ForeignKey('repo_review_rules.repo_review_rule_id'))
                 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'),
                     nullable=False)
                 user = relationship('User')
             class RepoReviewRuleUserGroup(Base, BaseModel):
                 __tablename__ = 'repo_review_rules_users_groups'
                 __table_args__ = (
                     {'extend_existing': True, 'mysql_engine': 'InnoDB',
                      'mysql_charset': 'utf8', 'sqlite_autoincrement': True,}
                 )
                 repo_review_rule_users_group_id = Column(
                     'repo_review_rule_users_group_id', Integer(), primary_key=True)
                 repo_review_rule_id = Column("repo_review_rule_id",
                     Integer(), ForeignKey('repo_review_rules.repo_review_rule_id'))
                 users_group_id = Column("users_group_id", Integer(),
                     ForeignKey('users_groups.users_group_id'), nullable=False)
                 users_group = relationship('UserGroup')
             class RepoReviewRule(Base, BaseModel):
                 __tablename__ = 'repo_review_rules'
                 __table_args__ = (
                     {'extend_existing': True, 'mysql_engine': 'InnoDB',
                      'mysql_charset': 'utf8', 'sqlite_autoincrement': True,}
                 )
                 repo_review_rule_id = Column(
                     'repo_review_rule_id', Integer(), primary_key=True)
                 repo_id = Column(
                     "repo_id", Integer(), ForeignKey('repositories.repo_id'))
                 repo = relationship('Repository', backref='review_rules')
                 _branch_pattern = Column("branch_pattern", UnicodeText().with_variant(UnicodeText(255), 'mysql'),
                     default=u'*') # glob
                 _file_pattern = Column("file_pattern", UnicodeText().with_variant(UnicodeText(255), 'mysql'),
                     default=u'*') # glob
                 use_authors_for_review = Column("use_authors_for_review", Boolean(),
                     nullable=False, default=False)
                 rule_users = relationship('RepoReviewRuleUser')
                 rule_user_groups = relationship('RepoReviewRuleUserGroup')
                 @hybrid_property
                 def branch_pattern(self):
                     return self._branch_pattern or '*'
                 def _validate_glob(self, value):
                     re.compile('^' + glob2re(value) + '$')
                 @branch_pattern.setter
                 def branch_pattern(self, value):
                     self._validate_glob(value)
                     self._branch_pattern = value or '*'
                 @hybrid_property
                 def file_pattern(self):
                     return self._file_pattern or '*'
                 @file_pattern.setter
                 def file_pattern(self, value):
                     self._validate_glob(value)
                     self._file_pattern = value or '*'
                 def matches(self, branch, files_changed):
                     """
                     Check if this review rule matches a branch/files in a pull request
                     :param branch: branch name for the commit
                     :param files_changed: list of file paths changed in the pull request
                     """
                     branch = branch or ''
                     files_changed = files_changed or []
                     branch_matches = True
                     if branch:
                         branch_regex = re.compile('^' + glob2re(self.branch_pattern) + '$')
                         branch_matches = bool(branch_regex.search(branch))
                     files_matches = True
                     if self.file_pattern != '*':
                         files_matches = False
                         file_regex = re.compile(glob2re(self.file_pattern))
                         for filename in files_changed:
                             if file_regex.search(filename):
                                 files_matches = True
                                 break
                     return branch_matches and files_matches
                 @property
                 def review_users(self):
                     """ Returns the users which this rule applies to """
                     users = set()
                     users |= set([
                         rule_user.user for rule_user in self.rule_users
                         if rule_user.user.active])
                     users |= set(
                         member.user
                         for rule_user_group in self.rule_user_groups
                         for member in rule_user_group.users_group.members
                         if member.user.active
                     )
                     return users
                 def __repr__(self):
                     return '<RepoReviewerRule(id=%r, repo=%r)>' % (
                         self.repo_review_rule_id, self.repo)
             class DbMigrateVersion(Base, BaseModel):
                 __tablename__ = 'db_migrate_version'
                 __table_args__ = (
                     {'extend_existing': True, 'mysql_engine': 'InnoDB',
                      'mysql_charset': 'utf8', 'sqlite_autoincrement': True},
                 )
                 repository_id = Column('repository_id', String(250), primary_key=True)
                 repository_path = Column('repository_path', Text)
                 version = Column('version', Integer)
             class DbSession(Base, BaseModel):
                 __tablename__ = 'db_session'
                 __table_args__ = (
                     {'extend_existing': True, 'mysql_engine': 'InnoDB',
                      'mysql_charset': 'utf8', 'sqlite_autoincrement': True},
                 )
                 def __repr__(self):
                     return '<DB:DbSession({})>'.format(self.id)
                 id = Column('id', Integer())
                 namespace = Column('namespace', String(255), primary_key=True)
                 accessed = Column('accessed', DateTime, nullable=False)
                 created = Column('created', DateTime, nullable=False)
                 data = Column('data', PickleType, nullable=False)

rhodecode/tests/fixture.py

0 +6 0

             # -*- coding: utf-8 -*-
             # Copyright (C) 2010-2017 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             """
             Helpers for fixture generation
             """
             import os
             import time
             import tempfile
             import shutil
             import configobj
             from rhodecode.tests import *
             from rhodecode.model.db import Repository, User, RepoGroup, UserGroup, Gist
             from rhodecode.model.meta import Session
             from rhodecode.model.repo import RepoModel
             from rhodecode.model.user import UserModel
             from rhodecode.model.repo_group import RepoGroupModel
             from rhodecode.model.user_group import UserGroupModel
             from rhodecode.model.gist import GistModel
+            from rhodecode.model.auth_token import AuthTokenModel
             dn = os.path.dirname
             FIXTURES = os.path.join(dn(dn(os.path.abspath(__file__))), 'tests', 'fixtures')
             def error_function(*args, **kwargs):
                 raise Exception('Total Crash !')
             class TestINI(object):
                 """
                 Allows to create a new test.ini file as a copy of existing one with edited
                 data. Example usage::
                     with TestINI('test.ini', [{'section':{'key':val'}]) as new_test_ini_path:
                         print 'paster server %s' % new_test_ini
                 """
                 def __init__(self, ini_file_path, ini_params, new_file_prefix='DEFAULT',
                              destroy=True, dir=None):
                     self.ini_file_path = ini_file_path
                     self.ini_params = ini_params
                     self.new_path = None
                     self.new_path_prefix = new_file_prefix
                     self._destroy = destroy
                     self._dir = dir
                 def __enter__(self):
                     return self.create()
                 def __exit__(self, exc_type, exc_val, exc_tb):
                     self.destroy()
                 def create(self):
                     config = configobj.ConfigObj(
                         self.ini_file_path, file_error=True, write_empty_values=True)
                     for data in self.ini_params:
                         section, ini_params = data.items()[0]
                         for key, val in ini_params.items():
                             config[section][key] = val
                     with tempfile.NamedTemporaryFile(
                             prefix=self.new_path_prefix, suffix='.ini', dir=self._dir,
                             delete=False) as new_ini_file:
                         config.write(new_ini_file)
                         self.new_path = new_ini_file.name
                     return self.new_path
                 def destroy(self):
                     if self._destroy:
                         os.remove(self.new_path)
             class Fixture(object):
                 def anon_access(self, status):
                     """
                     Context process for disabling anonymous access. use like:
                     fixture = Fixture()
                     with fixture.anon_access(False):
                         #tests
                     after this block anon access will be set to `not status`
                     """
                     class context(object):
                         def __enter__(self):
                             anon = User.get_default_user()
                             anon.active = status
                             Session().add(anon)
                             Session().commit()
                             time.sleep(1.5)  # must sleep for cache (1s to expire)
                         def __exit__(self, exc_type, exc_val, exc_tb):
                             anon = User.get_default_user()
                             anon.active = not status
                             Session().add(anon)
                             Session().commit()
                     return context()
                 def _get_repo_create_params(self, **custom):
                     defs = {
                         'repo_name': None,
                         'repo_type': 'hg',
                         'clone_uri': '',
                         'repo_group': '-1',
                         'repo_description': 'DESC',
                         'repo_private': False,
                         'repo_landing_rev': 'rev:tip',
                         'repo_copy_permissions': False,
                         'repo_state': Repository.STATE_CREATED,
                     }
                     defs.update(custom)
                     if 'repo_name_full' not in custom:
                         defs.update({'repo_name_full': defs['repo_name']})
                     # fix the repo name if passed as repo_name_full
                     if defs['repo_name']:
                         defs['repo_name'] = defs['repo_name'].split('/')[-1]
                     return defs
                 def _get_group_create_params(self, **custom):
                     defs = {
                         'group_name': None,
                         'group_description': 'DESC',
                         'perm_updates': [],
                         'perm_additions': [],
                         'perm_deletions': [],
                         'group_parent_id': -1,
                         'enable_locking': False,
                         'recursive': False,
                     }
                     defs.update(custom)
                     return defs
                 def _get_user_create_params(self, name, **custom):
                     defs = {
                         'username': name,
                         'password': 'qweqwe',
                         'email': '%s+test@rhodecode.org' % name,
                         'firstname': 'TestUser',
                         'lastname': 'Test',
                         'active': True,
                         'admin': False,
                         'extern_type': 'rhodecode',
                         'extern_name': None,
                     }
                     defs.update(custom)
                     return defs
                 def _get_user_group_create_params(self, name, **custom):
                     defs = {
                         'users_group_name': name,
                         'user_group_description': 'DESC',
                         'users_group_active': True,
                         'user_group_data': {},
                     }
                     defs.update(custom)
                     return defs
                 def create_repo(self, name, **kwargs):
                     repo_group = kwargs.get('repo_group')
                     if isinstance(repo_group, RepoGroup):
                         kwargs['repo_group'] = repo_group.group_id
                         name = name.split(Repository.NAME_SEP)[-1]
                         name = Repository.NAME_SEP.join((repo_group.group_name, name))
                     if 'skip_if_exists' in kwargs:
                         del kwargs['skip_if_exists']
                         r = Repository.get_by_repo_name(name)
                         if r:
                             return r
                     form_data = self._get_repo_create_params(repo_name=name, **kwargs)
                     cur_user = kwargs.get('cur_user', TEST_USER_ADMIN_LOGIN)
                     RepoModel().create(form_data, cur_user)
                     Session().commit()
                     repo = Repository.get_by_repo_name(name)
                     assert repo
                     return repo
                 def create_fork(self, repo_to_fork, fork_name, **kwargs):
                     repo_to_fork = Repository.get_by_repo_name(repo_to_fork)
                     form_data = self._get_repo_create_params(repo_name=fork_name,
                                                         fork_parent_id=repo_to_fork.repo_id,
                                                         repo_type=repo_to_fork.repo_type,
                                                         **kwargs)
                     #TODO: fix it !!
                     form_data['description'] = form_data['repo_description']
                     form_data['private'] = form_data['repo_private']
                     form_data['landing_rev'] = form_data['repo_landing_rev']
                     owner = kwargs.get('cur_user', TEST_USER_ADMIN_LOGIN)
                     RepoModel().create_fork(form_data, cur_user=owner)
                     Session().commit()
                     r = Repository.get_by_repo_name(fork_name)
                     assert r
                     return r
                 def destroy_repo(self, repo_name, **kwargs):
                     RepoModel().delete(repo_name, **kwargs)
                     Session().commit()
                 def destroy_repo_on_filesystem(self, repo_name):
                     rm_path = os.path.join(RepoModel().repos_path, repo_name)
                     if os.path.isdir(rm_path):
                         shutil.rmtree(rm_path)
                 def create_repo_group(self, name, **kwargs):
                     if 'skip_if_exists' in kwargs:
                         del kwargs['skip_if_exists']
                         gr = RepoGroup.get_by_group_name(group_name=name)
                         if gr:
                             return gr
                     form_data = self._get_group_create_params(group_name=name, **kwargs)
                     owner = kwargs.get('cur_user', TEST_USER_ADMIN_LOGIN)
                     gr = RepoGroupModel().create(
                         group_name=form_data['group_name'],
                         group_description=form_data['group_name'],
                         owner=owner)
                     Session().commit()
                     gr = RepoGroup.get_by_group_name(gr.group_name)
                     return gr
                 def destroy_repo_group(self, repogroupid):
                     RepoGroupModel().delete(repogroupid)
                     Session().commit()
                 def create_user(self, name, **kwargs):
                     if 'skip_if_exists' in kwargs:
                         del kwargs['skip_if_exists']
                         user = User.get_by_username(name)
                         if user:
                             return user
                     form_data = self._get_user_create_params(name, **kwargs)
                     user = UserModel().create(form_data)
+                    # create token for user
+                    AuthTokenModel().create(
+                            user=user, description='TEST_USER_TOKEN')
                     Session().commit()
                     user = User.get_by_username(user.username)
                     return user
                 def destroy_user(self, userid):
                     UserModel().delete(userid)
                     Session().commit()
                 def destroy_users(self, userid_iter):
                     for user_id in userid_iter:
                         if User.get_by_username(user_id):
                             UserModel().delete(user_id)
                             Session().commit()
                 def create_user_group(self, name, **kwargs):
                     if 'skip_if_exists' in kwargs:
                         del kwargs['skip_if_exists']
                         gr = UserGroup.get_by_group_name(group_name=name)
                         if gr:
                             return gr
                     form_data = self._get_user_group_create_params(name, **kwargs)
                     owner = kwargs.get('cur_user', TEST_USER_ADMIN_LOGIN)
                     user_group = UserGroupModel().create(
                         name=form_data['users_group_name'],
                         description=form_data['user_group_description'],
                         owner=owner, active=form_data['users_group_active'],
                         group_data=form_data['user_group_data'])
                     Session().commit()
                     user_group = UserGroup.get_by_group_name(user_group.users_group_name)
                     return user_group
                 def destroy_user_group(self, usergroupid):
                     UserGroupModel().delete(user_group=usergroupid, force=True)
                     Session().commit()
                 def create_gist(self, **kwargs):
                     form_data = {
                         'description': 'new-gist',
                         'owner': TEST_USER_ADMIN_LOGIN,
                         'gist_type': GistModel.cls.GIST_PUBLIC,
                         'lifetime': -1,
                         'acl_level': Gist.ACL_LEVEL_PUBLIC,
                         'gist_mapping': {'filename1.txt': {'content': 'hello world'},}
                     }
                     form_data.update(kwargs)
                     gist = GistModel().create(
                         description=form_data['description'], owner=form_data['owner'],
                         gist_mapping=form_data['gist_mapping'], gist_type=form_data['gist_type'],
                         lifetime=form_data['lifetime'], gist_acl_level=form_data['acl_level']
                     )
                     Session().commit()
                     return gist
                 def destroy_gists(self, gistid=None):
                     for g in GistModel.cls.get_all():
                         if gistid:
                             if gistid == g.gist_access_id:
                                 GistModel().delete(g)
                         else:
                             GistModel().delete(g)
                     Session().commit()
                 def load_resource(self, resource_name, strip=False):
                     with open(os.path.join(FIXTURES, resource_name)) as f:
                         source = f.read()
                         if strip:
                             source = source.strip()
                     return source

rhodecode/tests/functional/test_admin_my_account.py

0 +15 -16

             # -*- coding: utf-8 -*-
             # Copyright (C) 2010-2017 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import pytest
             from rhodecode.lib import helpers as h
             from rhodecode.lib.auth import check_password
             from rhodecode.model.db import User, UserFollowing, Repository, UserApiKeys
             from rhodecode.model.meta import Session
             from rhodecode.tests import (
                 TestController, url, TEST_USER_ADMIN_LOGIN, TEST_USER_REGULAR_EMAIL,
                 assert_session_flash)
             from rhodecode.tests.fixture import Fixture
             from rhodecode.tests.utils import AssertResponse
             fixture = Fixture()
             class TestMyAccountController(TestController):
                 test_user_1 = 'testme'
                 test_user_1_password = '0jd83nHNS/d23n'
                 destroy_users = set()
                 @classmethod
                 def teardown_class(cls):
                     fixture.destroy_users(cls.destroy_users)
                 def test_my_account(self):
                     self.log_user()
                     response = self.app.get(url('my_account'))
                     response.mustcontain('test_admin')
                     response.mustcontain('href="/_admin/my_account/edit"')
                 def test_logout_form_contains_csrf(self, autologin_user, csrf_token):
                     response = self.app.get(url('my_account'))
                     assert_response = AssertResponse(response)
                     element = assert_response.get_element('.logout #csrf_token')
                     assert element.value == csrf_token
                 def test_my_account_edit(self):
                     self.log_user()
                     response = self.app.get(url('my_account_edit'))
                     response.mustcontain('value="test_admin')
                 def test_my_account_my_repos(self):
                     self.log_user()
                     response = self.app.get(url('my_account_repos'))
                     repos = Repository.query().filter(
                         Repository.user == User.get_by_username(
                             TEST_USER_ADMIN_LOGIN)).all()
                     for repo in repos:
                         response.mustcontain('"name_raw": "%s"' % repo.repo_name)
                 def test_my_account_my_watched(self):
                     self.log_user()
                     response = self.app.get(url('my_account_watched'))
                     repos = UserFollowing.query().filter(
                         UserFollowing.user == User.get_by_username(
                             TEST_USER_ADMIN_LOGIN)).all()
                     for repo in repos:
                         response.mustcontain(
                             '"name_raw": "%s"' % repo.follows_repository.repo_name)
                 @pytest.mark.backends("git", "hg")
                 def test_my_account_my_pullrequests(self, pr_util):
                     self.log_user()
                     response = self.app.get(url('my_account_pullrequests'))
                     response.mustcontain('There are currently no open pull '
                                          'requests requiring your participation.')
                     pr = pr_util.create_pull_request(title='TestMyAccountPR')
                     response = self.app.get(url('my_account_pullrequests'))
                     response.mustcontain('"name_raw": %s' % pr.pull_request_id)
                     response.mustcontain('TestMyAccountPR')
                 def test_my_account_my_emails(self):
                     self.log_user()
                     response = self.app.get(url('my_account_emails'))
                     response.mustcontain('No additional emails specified')
                 def test_my_account_my_emails_add_existing_email(self):
                     self.log_user()
                     response = self.app.get(url('my_account_emails'))
                     response.mustcontain('No additional emails specified')
                     response = self.app.post(url('my_account_emails'),
                                              {'new_email': TEST_USER_REGULAR_EMAIL,
                                               'csrf_token': self.csrf_token})
                     assert_session_flash(response, 'This e-mail address is already taken')
                 def test_my_account_my_emails_add_mising_email_in_form(self):
                     self.log_user()
                     response = self.app.get(url('my_account_emails'))
                     response.mustcontain('No additional emails specified')
                     response = self.app.post(url('my_account_emails'),
                                              {'csrf_token': self.csrf_token})
                     assert_session_flash(response, 'Please enter an email address')
                 def test_my_account_my_emails_add_remove(self):
                     self.log_user()
                     response = self.app.get(url('my_account_emails'))
                     response.mustcontain('No additional emails specified')
                     response = self.app.post(url('my_account_emails'),
                                              {'new_email': 'foo@barz.com',
                                               'csrf_token': self.csrf_token})
                     response = self.app.get(url('my_account_emails'))
                     from rhodecode.model.db import UserEmailMap
                     email_id = UserEmailMap.query().filter(
                         UserEmailMap.user == User.get_by_username(
                             TEST_USER_ADMIN_LOGIN)).filter(
                                 UserEmailMap.email == 'foo@barz.com').one().email_id
                     response.mustcontain('foo@barz.com')
                     response.mustcontain('<input id="del_email_id" name="del_email_id" '
                                          'type="hidden" value="%s" />' % email_id)
                     response = self.app.post(
                         url('my_account_emails'), {
                             'del_email_id': email_id, '_method': 'delete',
                             'csrf_token': self.csrf_token})
                     assert_session_flash(response, 'Removed email address from user account')
                     response = self.app.get(url('my_account_emails'))
                     response.mustcontain('No additional emails specified')
                 @pytest.mark.parametrize(
                     "name, attrs", [
                         ('firstname', {'firstname': 'new_username'}),
                         ('lastname', {'lastname': 'new_username'}),
                         ('admin', {'admin': True}),
                         ('admin', {'admin': False}),
                         ('extern_type', {'extern_type': 'ldap'}),
                         ('extern_type', {'extern_type': None}),
                         # ('extern_name', {'extern_name': 'test'}),
                         # ('extern_name', {'extern_name': None}),
                         ('active', {'active': False}),
                         ('active', {'active': True}),
                         ('email', {'email': 'some@email.com'}),
                     ])
                 def test_my_account_update(self, name, attrs):
                     usr = fixture.create_user(self.test_user_1,
                                               password=self.test_user_1_password,
                                               email='testme@rhodecode.org',
                                               extern_type='rhodecode',
                                               extern_name=self.test_user_1,
                                               skip_if_exists=True)
                     self.destroy_users.add(self.test_user_1)
                     params = usr.get_api_data()  # current user data
                     user_id = usr.user_id
                     self.log_user(
                         username=self.test_user_1, password=self.test_user_1_password)
                     params.update({'password_confirmation': ''})
                     params.update({'new_password': ''})
                     params.update({'extern_type': 'rhodecode'})
                     params.update({'extern_name': self.test_user_1})
                     params.update({'csrf_token': self.csrf_token})
                     params.update(attrs)
                     # my account page cannot set language param yet, only for admins
                     del params['language']
                     response = self.app.post(url('my_account'), params)
                     assert_session_flash(
                         response, 'Your account was updated successfully')
                     del params['csrf_token']
                     updated_user = User.get_by_username(self.test_user_1)
                     updated_params = updated_user.get_api_data()
                     updated_params.update({'password_confirmation': ''})
                     updated_params.update({'new_password': ''})
                     params['last_login'] = updated_params['last_login']
                     # my account page cannot set language param yet, only for admins
                     # but we get this info from API anyway
                     params['language'] = updated_params['language']
                     if name == 'email':
                         params['emails'] = [attrs['email']]
                     if name == 'extern_type':
                         # cannot update this via form, expected value is original one
                         params['extern_type'] = "rhodecode"
                     if name == 'extern_name':
                         # cannot update this via form, expected value is original one
                         params['extern_name'] = str(user_id)
                     if name == 'active':
                         # my account cannot deactivate account
                         params['active'] = True
                     if name == 'admin':
                         # my account cannot make you an admin !
                         params['admin'] = False
                     assert params == updated_params
                 def test_my_account_update_err_email_exists(self):
                     self.log_user()
                     new_email = 'test_regular@mail.com'  # already exisitn email
                     response = self.app.post(url('my_account'),
                                              params={
                                                  'username': 'test_admin',
                                                  'new_password': 'test12',
                                                  'password_confirmation': 'test122',
                                                  'firstname': 'NewName',
                                                  'lastname': 'NewLastname',
                                                  'email': new_email,
                                                  'csrf_token': self.csrf_token,
                         })
                     response.mustcontain('This e-mail address is already taken')
                 def test_my_account_update_err(self):
                     self.log_user('test_regular2', 'test12')
                     new_email = 'newmail.pl'
                     response = self.app.post(url('my_account'),
                                              params={
                                                  'username': 'test_admin',
                                                  'new_password': 'test12',
                                                  'password_confirmation': 'test122',
                                                  'firstname': 'NewName',
                                                  'lastname': 'NewLastname',
                                                  'email': new_email,
                                                  'csrf_token': self.csrf_token,
                         })
                     response.mustcontain('An email address must contain a single @')
                     from rhodecode.model import validators
                     msg = validators.ValidUsername(
                         edit=False, old_data={})._messages['username_exists']
                     msg = h.html_escape(msg % {'username': 'test_admin'})
                     response.mustcontain(u"%s" % msg)
                 def test_my_account_auth_tokens(self):
                     usr = self.log_user('test_regular2', 'test12')
                     user = User.get(usr['user_id'])
                     response = self.app.get(url('my_account_auth_tokens'))
-                    response.mustcontain(user.api_key)
+                    for token in user.auth_tokens:
-                    response.mustcontain('expires: never')
+                        response.mustcontain(token)
+                        response.mustcontain('never')
                 @pytest.mark.parametrize("desc, lifetime", [
                     ('forever', -1),
                     ('5mins', 60*5),
                     ('30days', 60*60*24*30),
                 ])
-                def test_my_account_add_auth_tokens(self, desc, lifetime):
+                def test_my_account_add_auth_tokens(self, desc, lifetime, user_util):
-                    usr = self.log_user('test_regular2', 'test12')
+                    user = user_util.create_user(password='qweqwe')
-                    user = User.get(usr['user_id'])
+                    user_id = user.user_id
+                    self.log_user(user.username, 'qweqwe')
                     response = self.app.post(url('my_account_auth_tokens'),
                                              {'description': desc, 'lifetime': lifetime,
                                               'csrf_token': self.csrf_token})
                     assert_session_flash(response, 'Auth token successfully created')
-                    try:
                     response = response.follow()
-                        user = User.get(usr['user_id'])
+                    user = User.get(user_id)
                     for auth_token in user.auth_tokens:
                         response.mustcontain(auth_token)
-                    finally:
-                        for auth_token in UserApiKeys.query().all():
-                            Session().delete(auth_token)
-                            Session().commit()
                 def test_my_account_remove_auth_token(self, user_util):
-                    user = user_util.create_user(password=self.test_user_1_password)
+                    user = user_util.create_user(password='qweqwe')
                     user_id = user.user_id
-                    self.log_user(user.username, self.test_user_1_password)
+                    self.log_user(user.username, 'qweqwe')
                     user = User.get(user_id)
                     keys = user.extra_auth_tokens
-                    assert 1 == len(keys)
+                    assert 2 == len(keys)
                     response = self.app.post(url('my_account_auth_tokens'),
                                              {'description': 'desc', 'lifetime': -1,
                                               'csrf_token': self.csrf_token})
                     assert_session_flash(response, 'Auth token successfully created')
                     response.follow()
                     user = User.get(user_id)
                     keys = user.extra_auth_tokens
-                    assert 2 == len(keys)
+                    assert 3 == len(keys)
                     response = self.app.post(
                         url('my_account_auth_tokens'),
                         {'_method': 'delete', 'del_auth_token': keys[0].api_key,
                             'csrf_token': self.csrf_token})
                     assert_session_flash(response, 'Auth token successfully deleted')
                     user = User.get(user_id)
                     keys = user.extra_auth_tokens
-                    assert 1 == len(keys)
+                    assert 2 == len(keys)
                 def test_valid_change_password(self, user_util):
                     new_password = 'my_new_valid_password'
                     user = user_util.create_user(password=self.test_user_1_password)
                     session = self.log_user(user.username, self.test_user_1_password)
                     form_data = [
                         ('current_password', self.test_user_1_password),
                         ('__start__', 'new_password:mapping'),
                         ('new_password', new_password),
                         ('new_password-confirm', new_password),
                         ('__end__', 'new_password:mapping'),
                         ('csrf_token', self.csrf_token),
                     ]
                     response = self.app.post(url('my_account_password'), form_data).follow()
                     assert 'Successfully updated password' in response
                     # check_password depends on user being in session
                     Session().add(user)
                     try:
                         assert check_password(new_password, user.password)
                     finally:
                         Session().expunge(user)
                 @pytest.mark.parametrize('current_pw,new_pw,confirm_pw', [
                     ('', 'abcdef123', 'abcdef123'),
                     ('wrong_pw', 'abcdef123', 'abcdef123'),
                     (test_user_1_password, test_user_1_password, test_user_1_password),
                     (test_user_1_password, '', ''),
                     (test_user_1_password, 'abcdef123', ''),
                     (test_user_1_password, '', 'abcdef123'),
                     (test_user_1_password, 'not_the', 'same_pw'),
                     (test_user_1_password, 'short', 'short'),
                 ])
                 def test_invalid_change_password(self, current_pw, new_pw, confirm_pw,
                                                  user_util):
                     user = user_util.create_user(password=self.test_user_1_password)
                     session = self.log_user(user.username, self.test_user_1_password)
                     old_password_hash = session['password']
                     form_data = [
                         ('current_password', current_pw),
                         ('__start__', 'new_password:mapping'),
                         ('new_password', new_pw),
                         ('new_password-confirm', confirm_pw),
                         ('__end__', 'new_password:mapping'),
                         ('csrf_token', self.csrf_token),
                     ]
                     response = self.app.post(url('my_account_password'), form_data)
                     assert 'Error occurred' in response
                 def test_password_is_updated_in_session_on_password_change(self, user_util):
                     old_password = 'abcdef123'
                     new_password = 'abcdef124'
                     user = user_util.create_user(password=old_password)
                     session = self.log_user(user.username, old_password)
                     old_password_hash = session['password']
                     form_data = [
                         ('current_password', old_password),
                         ('__start__', 'new_password:mapping'),
                         ('new_password', new_password),
                         ('new_password-confirm', new_password),
                         ('__end__', 'new_password:mapping'),
                         ('csrf_token', self.csrf_token),
                     ]
                     self.app.post(url('my_account_password'), form_data)
                     response = self.app.get(url('home'))
                     new_password_hash = response.session['rhodecode_user']['password']
                     assert old_password_hash != new_password_hash

rhodecode/tests/functional/test_admin_users.py

0 +10 -14

             # -*- coding: utf-8 -*-
             # Copyright (C) 2010-2017 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import pytest
             from sqlalchemy.orm.exc import NoResultFound
             from rhodecode.lib.auth import check_password
             from rhodecode.lib import helpers as h
             from rhodecode.model import validators
             from rhodecode.model.db import User, UserIpMap, UserApiKeys
             from rhodecode.model.meta import Session
             from rhodecode.model.user import UserModel
             from rhodecode.tests import (
                 TestController, url, link_to, TEST_USER_ADMIN_LOGIN,
                 TEST_USER_REGULAR_LOGIN, assert_session_flash)
             from rhodecode.tests.fixture import Fixture
             from rhodecode.tests.utils import AssertResponse
             fixture = Fixture()
             class TestAdminUsersController(TestController):
                 test_user_1 = 'testme'
                 destroy_users = set()
                 @classmethod
                 def teardown_method(cls, method):
                     fixture.destroy_users(cls.destroy_users)
                 def test_index(self):
                     self.log_user()
                     self.app.get(url('users'))
                 def test_create(self):
                     self.log_user()
                     username = 'newtestuser'
                     password = 'test12'
                     password_confirmation = password
                     name = 'name'
                     lastname = 'lastname'
                     email = 'mail@mail.com'
                     response = self.app.get(url('new_user'))
                     response = self.app.post(url('users'), params={
                         'username': username,
                         'password': password,
                         'password_confirmation': password_confirmation,
                         'firstname': name,
                         'active': True,
                         'lastname': lastname,
                         'extern_name': 'rhodecode',
                         'extern_type': 'rhodecode',
                         'email': email,
                         'csrf_token': self.csrf_token,
                     })
                     user_link = link_to(
                         username,
                         url('edit_user', user_id=User.get_by_username(username).user_id))
                     assert_session_flash(response, 'Created user %s' % (user_link,))
                     self.destroy_users.add(username)
                     new_user = User.query().filter(User.username == username).one()
                     assert new_user.username == username
                     assert check_password(password, new_user.password)
                     assert new_user.name == name
                     assert new_user.lastname == lastname
                     assert new_user.email == email
                     response.follow()
                     response = response.follow()
                     response.mustcontain(username)
                 def test_create_err(self):
                     self.log_user()
                     username = 'new_user'
                     password = ''
                     name = 'name'
                     lastname = 'lastname'
                     email = 'errmail.com'
                     response = self.app.get(url('new_user'))
                     response = self.app.post(url('users'), params={
                         'username': username,
                         'password': password,
                         'name': name,
                         'active': False,
                         'lastname': lastname,
                         'email': email,
                         'csrf_token': self.csrf_token,
                     })
                     msg = validators.ValidUsername(
                         False, {})._messages['system_invalid_username']
                     msg = h.html_escape(msg % {'username': 'new_user'})
                     response.mustcontain('<span class="error-message">%s</span>' % msg)
                     response.mustcontain(
                         '<span class="error-message">Please enter a value</span>')
                     response.mustcontain(
                         '<span class="error-message">An email address must contain a'
                         ' single @</span>')
                     def get_user():
                         Session().query(User).filter(User.username == username).one()
                     with pytest.raises(NoResultFound):
                         get_user()
                 def test_new(self):
                     self.log_user()
                     self.app.get(url('new_user'))
                 @pytest.mark.parametrize("name, attrs", [
                     ('firstname', {'firstname': 'new_username'}),
                     ('lastname', {'lastname': 'new_username'}),
                     ('admin', {'admin': True}),
                     ('admin', {'admin': False}),
                     ('extern_type', {'extern_type': 'ldap'}),
                     ('extern_type', {'extern_type': None}),
                     ('extern_name', {'extern_name': 'test'}),
                     ('extern_name', {'extern_name': None}),
                     ('active', {'active': False}),
                     ('active', {'active': True}),
                     ('email', {'email': 'some@email.com'}),
                     ('language', {'language': 'de'}),
                     ('language', {'language': 'en'}),
                     # ('new_password', {'new_password': 'foobar123',
                     #                   'password_confirmation': 'foobar123'})
                     ])
                 def test_update(self, name, attrs):
                     self.log_user()
                     usr = fixture.create_user(self.test_user_1, password='qweqwe',
                                               email='testme@rhodecode.org',
                                               extern_type='rhodecode',
                                               extern_name=self.test_user_1,
                                               skip_if_exists=True)
                     Session().commit()
                     self.destroy_users.add(self.test_user_1)
                     params = usr.get_api_data()
                     cur_lang = params['language'] or 'en'
                     params.update({
                         'password_confirmation': '',
                         'new_password': '',
                         'language': cur_lang,
                         '_method': 'put',
                         'csrf_token': self.csrf_token,
                     })
                     params.update({'new_password': ''})
                     params.update(attrs)
                     if name == 'email':
                         params['emails'] = [attrs['email']]
                     elif name == 'extern_type':
                         # cannot update this via form, expected value is original one
                         params['extern_type'] = "rhodecode"
                     elif name == 'extern_name':
                         # cannot update this via form, expected value is original one
                         params['extern_name'] = self.test_user_1
                         # special case since this user is not
                         # logged in yet his data is not filled
                         # so we use creation data
                     response = self.app.post(url('user', user_id=usr.user_id), params)
                     assert response.status_int == 302
                     assert_session_flash(response, 'User updated successfully')
                     updated_user = User.get_by_username(self.test_user_1)
                     updated_params = updated_user.get_api_data()
                     updated_params.update({'password_confirmation': ''})
                     updated_params.update({'new_password': ''})
                     del params['_method']
                     del params['csrf_token']
                     assert params == updated_params
                 def test_update_and_migrate_password(
                         self, autologin_user, real_crypto_backend):
                     from rhodecode.lib import auth
                     # create new user, with sha256 password
                     temp_user = 'test_admin_sha256'
                     user = fixture.create_user(temp_user)
                     user.password = auth._RhodeCodeCryptoSha256().hash_create(
                         b'test123')
                     Session().add(user)
                     Session().commit()
                     self.destroy_users.add('test_admin_sha256')
                     params = user.get_api_data()
                     params.update({
                         'password_confirmation': 'qweqwe123',
                         'new_password': 'qweqwe123',
                         'language': 'en',
                         '_method': 'put',
                         'csrf_token': autologin_user.csrf_token,
                     })
                     response = self.app.post(url('user', user_id=user.user_id), params)
                     assert response.status_int == 302
                     assert_session_flash(response, 'User updated successfully')
                     # new password should be bcrypted, after log-in and transfer
                     user = User.get_by_username(temp_user)
                     assert user.password.startswith('$')
                     updated_user = User.get_by_username(temp_user)
                     updated_params = updated_user.get_api_data()
                     updated_params.update({'password_confirmation': 'qweqwe123'})
                     updated_params.update({'new_password': 'qweqwe123'})
                     del params['_method']
                     del params['csrf_token']
                     assert params == updated_params
                 def test_delete(self):
                     self.log_user()
                     username = 'newtestuserdeleteme'
                     fixture.create_user(name=username)
                     new_user = Session().query(User)\
                         .filter(User.username == username).one()
                     response = self.app.post(url('user', user_id=new_user.user_id),
                                              params={'_method': 'delete',
                                                      'csrf_token': self.csrf_token})
                     assert_session_flash(response, 'Successfully deleted user')
                 def test_delete_owner_of_repository(self):
                     self.log_user()
                     username = 'newtestuserdeleteme_repo_owner'
                     obj_name = 'test_repo'
                     usr = fixture.create_user(name=username)
                     self.destroy_users.add(username)
                     fixture.create_repo(obj_name, cur_user=usr.username)
                     new_user = Session().query(User)\
                         .filter(User.username == username).one()
                     response = self.app.post(url('user', user_id=new_user.user_id),
                                              params={'_method': 'delete',
                                                      'csrf_token': self.csrf_token})
                     msg = 'user "%s" still owns 1 repositories and cannot be removed. ' \
                           'Switch owners or remove those repositories:%s' % (username,
                                                                              obj_name)
                     assert_session_flash(response, msg)
                     fixture.destroy_repo(obj_name)
                 def test_delete_owner_of_repository_detaching(self):
                     self.log_user()
                     username = 'newtestuserdeleteme_repo_owner_detach'
                     obj_name = 'test_repo'
                     usr = fixture.create_user(name=username)
                     self.destroy_users.add(username)
                     fixture.create_repo(obj_name, cur_user=usr.username)
                     new_user = Session().query(User)\
                         .filter(User.username == username).one()
                     response = self.app.post(url('user', user_id=new_user.user_id),
                                              params={'_method': 'delete',
                                                      'user_repos': 'detach',
                                                      'csrf_token': self.csrf_token})
                     msg = 'Detached 1 repositories'
                     assert_session_flash(response, msg)
                     fixture.destroy_repo(obj_name)
                 def test_delete_owner_of_repository_deleting(self):
                     self.log_user()
                     username = 'newtestuserdeleteme_repo_owner_delete'
                     obj_name = 'test_repo'
                     usr = fixture.create_user(name=username)
                     self.destroy_users.add(username)
                     fixture.create_repo(obj_name, cur_user=usr.username)
                     new_user = Session().query(User)\
                         .filter(User.username == username).one()
                     response = self.app.post(url('user', user_id=new_user.user_id),
                                              params={'_method': 'delete',
                                                      'user_repos': 'delete',
                                                      'csrf_token': self.csrf_token})
                     msg = 'Deleted 1 repositories'
                     assert_session_flash(response, msg)
                 def test_delete_owner_of_repository_group(self):
                     self.log_user()
                     username = 'newtestuserdeleteme_repo_group_owner'
                     obj_name = 'test_group'
                     usr = fixture.create_user(name=username)
                     self.destroy_users.add(username)
                     fixture.create_repo_group(obj_name, cur_user=usr.username)
                     new_user = Session().query(User)\
                         .filter(User.username == username).one()
                     response = self.app.post(url('user', user_id=new_user.user_id),
                                              params={'_method': 'delete',
                                                      'csrf_token': self.csrf_token})
                     msg = 'user "%s" still owns 1 repository groups and cannot be removed. ' \
                           'Switch owners or remove those repository groups:%s' % (username,
                                                                                   obj_name)
                     assert_session_flash(response, msg)
                     fixture.destroy_repo_group(obj_name)
                 def test_delete_owner_of_repository_group_detaching(self):
                     self.log_user()
                     username = 'newtestuserdeleteme_repo_group_owner_detach'
                     obj_name = 'test_group'
                     usr = fixture.create_user(name=username)
                     self.destroy_users.add(username)
                     fixture.create_repo_group(obj_name, cur_user=usr.username)
                     new_user = Session().query(User)\
                         .filter(User.username == username).one()
                     response = self.app.post(url('user', user_id=new_user.user_id),
                                              params={'_method': 'delete',
                                                      'user_repo_groups': 'delete',
                                                      'csrf_token': self.csrf_token})
                     msg = 'Deleted 1 repository groups'
                     assert_session_flash(response, msg)
                 def test_delete_owner_of_repository_group_deleting(self):
                     self.log_user()
                     username = 'newtestuserdeleteme_repo_group_owner_delete'
                     obj_name = 'test_group'
                     usr = fixture.create_user(name=username)
                     self.destroy_users.add(username)
                     fixture.create_repo_group(obj_name, cur_user=usr.username)
                     new_user = Session().query(User)\
                         .filter(User.username == username).one()
                     response = self.app.post(url('user', user_id=new_user.user_id),
                                              params={'_method': 'delete',
                                                      'user_repo_groups': 'detach',
                                                      'csrf_token': self.csrf_token})
                     msg = 'Detached 1 repository groups'
                     assert_session_flash(response, msg)
                     fixture.destroy_repo_group(obj_name)
                 def test_delete_owner_of_user_group(self):
                     self.log_user()
                     username = 'newtestuserdeleteme_user_group_owner'
                     obj_name = 'test_user_group'
                     usr = fixture.create_user(name=username)
                     self.destroy_users.add(username)
                     fixture.create_user_group(obj_name, cur_user=usr.username)
                     new_user = Session().query(User)\
                         .filter(User.username == username).one()
                     response = self.app.post(url('user', user_id=new_user.user_id),
                                              params={'_method': 'delete',
                                                      'csrf_token': self.csrf_token})
                     msg = 'user "%s" still owns 1 user groups and cannot be removed. ' \
                           'Switch owners or remove those user groups:%s' % (username,
                                                                             obj_name)
                     assert_session_flash(response, msg)
                     fixture.destroy_user_group(obj_name)
                 def test_delete_owner_of_user_group_detaching(self):
                     self.log_user()
                     username = 'newtestuserdeleteme_user_group_owner_detaching'
                     obj_name = 'test_user_group'
                     usr = fixture.create_user(name=username)
                     self.destroy_users.add(username)
                     fixture.create_user_group(obj_name, cur_user=usr.username)
                     new_user = Session().query(User)\
                         .filter(User.username == username).one()
                     try:
                         response = self.app.post(url('user', user_id=new_user.user_id),
                                                  params={'_method': 'delete',
                                                          'user_user_groups': 'detach',
                                                          'csrf_token': self.csrf_token})
                         msg = 'Detached 1 user groups'
                         assert_session_flash(response, msg)
                     finally:
                         fixture.destroy_user_group(obj_name)
                 def test_delete_owner_of_user_group_deleting(self):
                     self.log_user()
                     username = 'newtestuserdeleteme_user_group_owner_deleting'
                     obj_name = 'test_user_group'
                     usr = fixture.create_user(name=username)
                     self.destroy_users.add(username)
                     fixture.create_user_group(obj_name, cur_user=usr.username)
                     new_user = Session().query(User)\
                         .filter(User.username == username).one()
                     response = self.app.post(url('user', user_id=new_user.user_id),
                                              params={'_method': 'delete',
                                                      'user_user_groups': 'delete',
                                                      'csrf_token': self.csrf_token})
                     msg = 'Deleted 1 user groups'
                     assert_session_flash(response, msg)
                 def test_show(self):
                     self.app.get(url('user', user_id=1))
                 def test_edit(self):
                     self.log_user()
                     user = User.get_by_username(TEST_USER_ADMIN_LOGIN)
                     self.app.get(url('edit_user', user_id=user.user_id))
                 @pytest.mark.parametrize(
                     'repo_create, repo_create_write, user_group_create, repo_group_create,'
                     'fork_create, inherit_default_permissions, expect_error,'
                     'expect_form_error', [
                         ('hg.create.none', 'hg.create.write_on_repogroup.false',
                          'hg.usergroup.create.false', 'hg.repogroup.create.false',
                          'hg.fork.none', 'hg.inherit_default_perms.false', False, False),
                         ('hg.create.repository', 'hg.create.write_on_repogroup.false',
                          'hg.usergroup.create.false', 'hg.repogroup.create.false',
                          'hg.fork.none', 'hg.inherit_default_perms.false', False, False),
                         ('hg.create.repository', 'hg.create.write_on_repogroup.true',
                          'hg.usergroup.create.true', 'hg.repogroup.create.true',
                          'hg.fork.repository', 'hg.inherit_default_perms.false', False,
                          False),
                         ('hg.create.XXX', 'hg.create.write_on_repogroup.true',
                          'hg.usergroup.create.true', 'hg.repogroup.create.true',
                          'hg.fork.repository', 'hg.inherit_default_perms.false', False,
                          True),
                         ('', '', '', '', '', '', True, False),
                     ])
                 def test_global_perms_on_user(
                         self, repo_create, repo_create_write, user_group_create,
                         repo_group_create, fork_create, expect_error, expect_form_error,
                         inherit_default_permissions):
                     self.log_user()
                     user = fixture.create_user('dummy')
                     uid = user.user_id
                     # ENABLE REPO CREATE ON A GROUP
                     perm_params = {
                         'inherit_default_permissions': False,
                         'default_repo_create': repo_create,
                         'default_repo_create_on_write': repo_create_write,
                         'default_user_group_create': user_group_create,
                         'default_repo_group_create': repo_group_create,
                         'default_fork_create': fork_create,
                         'default_inherit_default_permissions': inherit_default_permissions,
                         '_method': 'put',
                         'csrf_token': self.csrf_token,
                     }
                     response = self.app.post(
                         url('edit_user_global_perms', user_id=uid),
                         params=perm_params)
                     if expect_form_error:
                         assert response.status_int == 200
                         response.mustcontain('Value must be one of')
                     else:
                         if expect_error:
                             msg = 'An error occurred during permissions saving'
                         else:
                             msg = 'User global permissions updated successfully'
                             ug = User.get(uid)
                             del perm_params['_method']
                             del perm_params['inherit_default_permissions']
                             del perm_params['csrf_token']
                             assert perm_params == ug.get_default_perms()
                         assert_session_flash(response, msg)
                     fixture.destroy_user(uid)
                 def test_global_permissions_initial_values(self, user_util):
                     self.log_user()
                     user = user_util.create_user()
                     uid = user.user_id
                     response = self.app.get(url('edit_user_global_perms', user_id=uid))
                     default_user = User.get_default_user()
                     default_permissions = default_user.get_default_perms()
                     assert_response = AssertResponse(response)
                     expected_permissions = (
                         'default_repo_create', 'default_repo_create_on_write',
                         'default_fork_create', 'default_repo_group_create',
                         'default_user_group_create', 'default_inherit_default_permissions')
                     for permission in expected_permissions:
                         css_selector = '[name={}][checked=checked]'.format(permission)
                         element = assert_response.get_element(css_selector)
                         assert element.value == default_permissions[permission]
                 def test_ips(self):
                     self.log_user()
                     user = User.get_by_username(TEST_USER_REGULAR_LOGIN)
                     response = self.app.get(url('edit_user_ips', user_id=user.user_id))
                     response.mustcontain('All IP addresses are allowed')
                 @pytest.mark.parametrize("test_name, ip, ip_range, failure", [
                     ('127/24', '127.0.0.1/24', '127.0.0.0 - 127.0.0.255', False),
                     ('10/32', '10.0.0.10/32', '10.0.0.10 - 10.0.0.10', False),
                     ('0/16', '0.0.0.0/16', '0.0.0.0 - 0.0.255.255', False),
                     ('0/8', '0.0.0.0/8', '0.0.0.0 - 0.255.255.255', False),
                     ('127_bad_mask', '127.0.0.1/99', '127.0.0.1 - 127.0.0.1', True),
                     ('127_bad_ip', 'foobar', 'foobar', True),
                 ])
                 def test_add_ip(self, test_name, ip, ip_range, failure):
                     self.log_user()
                     user = User.get_by_username(TEST_USER_REGULAR_LOGIN)
                     user_id = user.user_id
                     response = self.app.post(url('edit_user_ips', user_id=user_id),
                                              params={'new_ip': ip, '_method': 'put',
                                                      'csrf_token': self.csrf_token})
                     if failure:
                         assert_session_flash(
                             response, 'Please enter a valid IPv4 or IpV6 address')
                         response = self.app.get(url('edit_user_ips', user_id=user_id))
                         response.mustcontain(no=[ip])
                         response.mustcontain(no=[ip_range])
                     else:
                         response = self.app.get(url('edit_user_ips', user_id=user_id))
                         response.mustcontain(ip)
                         response.mustcontain(ip_range)
                     # cleanup
                     for del_ip in UserIpMap.query().filter(
                             UserIpMap.user_id == user_id).all():
                         Session().delete(del_ip)
                         Session().commit()
                 def test_delete_ip(self):
                     self.log_user()
                     user = User.get_by_username(TEST_USER_REGULAR_LOGIN)
                     user_id = user.user_id
                     ip = '127.0.0.1/32'
                     ip_range = '127.0.0.1 - 127.0.0.1'
                     new_ip = UserModel().add_extra_ip(user_id, ip)
                     Session().commit()
                     new_ip_id = new_ip.ip_id
                     response = self.app.get(url('edit_user_ips', user_id=user_id))
                     response.mustcontain(ip)
                     response.mustcontain(ip_range)
                     self.app.post(url('edit_user_ips', user_id=user_id),
                                   params={'_method': 'delete', 'del_ip_id': new_ip_id,
                                           'csrf_token': self.csrf_token})
                     response = self.app.get(url('edit_user_ips', user_id=user_id))
                     response.mustcontain('All IP addresses are allowed')
                     response.mustcontain(no=[ip])
                     response.mustcontain(no=[ip_range])
                 def test_auth_tokens(self):
                     self.log_user()
                     user = User.get_by_username(TEST_USER_REGULAR_LOGIN)
                     response = self.app.get(
                         url('edit_user_auth_tokens', user_id=user.user_id))
-                    response.mustcontain(user.api_key)
+                    for token in user.auth_tokens:
-                    response.mustcontain('expires: never')
+                        response.mustcontain(token)
+                        response.mustcontain('never')
                 @pytest.mark.parametrize("desc, lifetime", [
                     ('forever', -1),
                     ('5mins', 60*5),
                     ('30days', 60*60*24*30),
                 ])
-                def test_add_auth_token(self, desc, lifetime):
+                def test_add_auth_token(self, desc, lifetime, user_util):
                     self.log_user()
-                    user = User.get_by_username(TEST_USER_REGULAR_LOGIN)
+                    user = user_util.create_user()
                     user_id = user.user_id
                     response = self.app.post(
                         url('edit_user_auth_tokens', user_id=user_id),
                         {'_method': 'put', 'description': desc, 'lifetime': lifetime,
                          'csrf_token': self.csrf_token})
                     assert_session_flash(response, 'Auth token successfully created')
-                    try:
                     response = response.follow()
                     user = User.get(user_id)
                     for auth_token in user.auth_tokens:
                         response.mustcontain(auth_token)
-                    finally:
-                        for api_key in UserApiKeys.query().filter(
-                                UserApiKeys.user_id == user_id).all():
-                            Session().delete(api_key)
-                            Session().commit()
-                def test_remove_auth_token(self):
+                def test_remove_auth_token(self, user_util):
                     self.log_user()
-                    user = User.get_by_username(TEST_USER_REGULAR_LOGIN)
+                    user = user_util.create_user()
                     user_id = user.user_id
                     response = self.app.post(
                         url('edit_user_auth_tokens', user_id=user_id),
                         {'_method': 'put', 'description': 'desc', 'lifetime': -1,
                          'csrf_token': self.csrf_token})
                     assert_session_flash(response, 'Auth token successfully created')
                     response = response.follow()
                     # now delete our key
                     keys = UserApiKeys.query().filter(UserApiKeys.user_id == user_id).all()
-                    assert 1 == len(keys)
+                    assert 3 == len(keys)
                     response = self.app.post(
                         url('edit_user_auth_tokens', user_id=user_id),
                         {'_method': 'delete', 'del_auth_token': keys[0].api_key,
                          'csrf_token': self.csrf_token})
                     assert_session_flash(response, 'Auth token successfully deleted')
                     keys = UserApiKeys.query().filter(UserApiKeys.user_id == user_id).all()
-                    assert 0 == len(keys)
+                    assert 2 == len(keys)

rhodecode/tests/functional/test_login.py

0 +2 -1

             # -*- coding: utf-8 -*-
             # Copyright (C) 2010-2017 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import urlparse
             import mock
             import pytest
             from rhodecode.config.routing import ADMIN_PREFIX
             from rhodecode.tests import (
                 assert_session_flash, url, HG_REPO, TEST_USER_ADMIN_LOGIN)
             from rhodecode.tests.fixture import Fixture
             from rhodecode.tests.utils import AssertResponse, get_session_from_response
             from rhodecode.lib.auth import check_password
             from rhodecode.model.auth_token import AuthTokenModel
             from rhodecode.model import validators
             from rhodecode.model.db import User, Notification, UserApiKeys
             from rhodecode.model.meta import Session
             fixture = Fixture()
             # Hardcode URLs because we don't have a request object to use
             # pyramids URL generation methods.
             index_url = '/'
             login_url = ADMIN_PREFIX + '/login'
             logut_url = ADMIN_PREFIX + '/logout'
             register_url = ADMIN_PREFIX + '/register'
             pwd_reset_url = ADMIN_PREFIX + '/password_reset'
             pwd_reset_confirm_url = ADMIN_PREFIX + '/password_reset_confirmation'
             @pytest.mark.usefixtures('app')
             class TestLoginController(object):
                 destroy_users = set()
                 @classmethod
                 def teardown_class(cls):
                     fixture.destroy_users(cls.destroy_users)
                 def teardown_method(self, method):
                     for n in Notification.query().all():
                         Session().delete(n)
                     Session().commit()
                     assert Notification.query().all() == []
                 def test_index(self):
                     response = self.app.get(login_url)
                     assert response.status == '200 OK'
                     # Test response...
                 def test_login_admin_ok(self):
                     response = self.app.post(login_url,
                                              {'username': 'test_admin',
                                               'password': 'test12'})
                     assert response.status == '302 Found'
                     session = get_session_from_response(response)
                     username = session['rhodecode_user'].get('username')
                     assert username == 'test_admin'
                     response = response.follow()
                     response.mustcontain('/%s' % HG_REPO)
                 def test_login_regular_ok(self):
                     response = self.app.post(login_url,
                                              {'username': 'test_regular',
                                               'password': 'test12'})
                     assert response.status == '302 Found'
                     session = get_session_from_response(response)
                     username = session['rhodecode_user'].get('username')
                     assert username == 'test_regular'
                     response = response.follow()
                     response.mustcontain('/%s' % HG_REPO)
                 def test_login_ok_came_from(self):
                     test_came_from = '/_admin/users?branch=stable'
                     _url = '{}?came_from={}'.format(login_url, test_came_from)
                     response = self.app.post(
                         _url, {'username': 'test_admin', 'password': 'test12'})
                     assert response.status == '302 Found'
                     assert 'branch=stable' in response.location
                     response = response.follow()
                     assert response.status == '200 OK'
                     response.mustcontain('Users administration')
                 def test_redirect_to_login_with_get_args(self):
                     with fixture.anon_access(False):
                         kwargs = {'branch': 'stable'}
                         response = self.app.get(
                             url('summary_home', repo_name=HG_REPO, **kwargs))
                         assert response.status == '302 Found'
                         response_query = urlparse.parse_qsl(response.location)
                         assert 'branch=stable' in response_query[0][1]
                 def test_login_form_with_get_args(self):
                     _url = '{}?came_from=/_admin/users,branch=stable'.format(login_url)
                     response = self.app.get(_url)
                     assert 'branch%3Dstable' in response.form.action
                 @pytest.mark.parametrize("url_came_from", [
                     'data:text/html,<script>window.alert("xss")</script>',
                     'mailto:test@rhodecode.org',
                     'file:///etc/passwd',
                     'ftp://some.ftp.server',
                     'http://other.domain',
                     '/\r\nX-Forwarded-Host: http://example.org',
                 ])
                 def test_login_bad_came_froms(self, url_came_from):
                     _url = '{}?came_from={}'.format(login_url, url_came_from)
                     response = self.app.post(
                         _url,
                         {'username': 'test_admin', 'password': 'test12'})
                     assert response.status == '302 Found'
                     response = response.follow()
                     assert response.status == '200 OK'
                     assert response.request.path == '/'
                 def test_login_short_password(self):
                     response = self.app.post(login_url,
                                              {'username': 'test_admin',
                                               'password': 'as'})
                     assert response.status == '200 OK'
                     response.mustcontain('Enter 3 characters or more')
                 def test_login_wrong_non_ascii_password(self, user_regular):
                     response = self.app.post(
                         login_url,
                         {'username': user_regular.username,
                          'password': u'invalid-non-asci\xe4'.encode('utf8')})
                     response.mustcontain('invalid user name')
                     response.mustcontain('invalid password')
                 def test_login_with_non_ascii_password(self, user_util):
                     password = u'valid-non-ascii\xe4'
                     user = user_util.create_user(password=password)
                     response = self.app.post(
                         login_url,
                         {'username': user.username,
                          'password': password.encode('utf-8')})
                     assert response.status_code == 302
                 def test_login_wrong_username_password(self):
                     response = self.app.post(login_url,
                                              {'username': 'error',
                                               'password': 'test12'})
                     response.mustcontain('invalid user name')
                     response.mustcontain('invalid password')
                 def test_login_admin_ok_password_migration(self, real_crypto_backend):
                     from rhodecode.lib import auth
                     # create new user, with sha256 password
                     temp_user = 'test_admin_sha256'
                     user = fixture.create_user(temp_user)
                     user.password = auth._RhodeCodeCryptoSha256().hash_create(
                         b'test123')
                     Session().add(user)
                     Session().commit()
                     self.destroy_users.add(temp_user)
                     response = self.app.post(login_url,
                                              {'username': temp_user,
                                               'password': 'test123'})
                     assert response.status == '302 Found'
                     session = get_session_from_response(response)
                     username = session['rhodecode_user'].get('username')
                     assert username == temp_user
                     response = response.follow()
                     response.mustcontain('/%s' % HG_REPO)
                     # new password should be bcrypted, after log-in and transfer
                     user = User.get_by_username(temp_user)
                     assert user.password.startswith('$')
                 # REGISTRATIONS
                 def test_register(self):
                     response = self.app.get(register_url)
                     response.mustcontain('Create an Account')
                 def test_register_err_same_username(self):
                     uname = 'test_admin'
                     response = self.app.post(
                         register_url,
                         {
                             'username': uname,
                             'password': 'test12',
                             'password_confirmation': 'test12',
                             'email': 'goodmail@domain.com',
                             'firstname': 'test',
                             'lastname': 'test'
                         }
                     )
                     assertr = AssertResponse(response)
                     msg = validators.ValidUsername()._messages['username_exists']
                     msg = msg % {'username': uname}
                     assertr.element_contains('#username+.error-message', msg)
                 def test_register_err_same_email(self):
                     response = self.app.post(
                         register_url,
                         {
                             'username': 'test_admin_0',
                             'password': 'test12',
                             'password_confirmation': 'test12',
                             'email': 'test_admin@mail.com',
                             'firstname': 'test',
                             'lastname': 'test'
                         }
                     )
                     assertr = AssertResponse(response)
                     msg = validators.UniqSystemEmail()()._messages['email_taken']
                     assertr.element_contains('#email+.error-message', msg)
                 def test_register_err_same_email_case_sensitive(self):
                     response = self.app.post(
                         register_url,
                         {
                             'username': 'test_admin_1',
                             'password': 'test12',
                             'password_confirmation': 'test12',
                             'email': 'TesT_Admin@mail.COM',
                             'firstname': 'test',
                             'lastname': 'test'
                         }
                     )
                     assertr = AssertResponse(response)
                     msg = validators.UniqSystemEmail()()._messages['email_taken']
                     assertr.element_contains('#email+.error-message', msg)
                 def test_register_err_wrong_data(self):
                     response = self.app.post(
                         register_url,
                         {
                             'username': 'xs',
                             'password': 'test',
                             'password_confirmation': 'test',
                             'email': 'goodmailm',
                             'firstname': 'test',
                             'lastname': 'test'
                         }
                     )
                     assert response.status == '200 OK'
                     response.mustcontain('An email address must contain a single @')
                     response.mustcontain('Enter a value 6 characters long or more')
                 def test_register_err_username(self):
                     response = self.app.post(
                         register_url,
                         {
                             'username': 'error user',
                             'password': 'test12',
                             'password_confirmation': 'test12',
                             'email': 'goodmailm',
                             'firstname': 'test',
                             'lastname': 'test'
                         }
                     )
                     response.mustcontain('An email address must contain a single @')
                     response.mustcontain(
                         'Username may only contain '
                         'alphanumeric characters underscores, '
                         'periods or dashes and must begin with '
                         'alphanumeric character')
                 def test_register_err_case_sensitive(self):
                     usr = 'Test_Admin'
                     response = self.app.post(
                         register_url,
                         {
                             'username': usr,
                             'password': 'test12',
                             'password_confirmation': 'test12',
                             'email': 'goodmailm',
                             'firstname': 'test',
                             'lastname': 'test'
                         }
                     )
                     assertr = AssertResponse(response)
                     msg = validators.ValidUsername()._messages['username_exists']
                     msg = msg % {'username': usr}
                     assertr.element_contains('#username+.error-message', msg)
                 def test_register_special_chars(self):
                     response = self.app.post(
                         register_url,
                         {
                             'username': 'xxxaxn',
                             'password': 'ąćźżąśśśś',
                             'password_confirmation': 'ąćźżąśśśś',
                             'email': 'goodmailm@test.plx',
                             'firstname': 'test',
                             'lastname': 'test'
                         }
                     )
                     msg = validators.ValidPassword()._messages['invalid_password']
                     response.mustcontain(msg)
                 def test_register_password_mismatch(self):
                     response = self.app.post(
                         register_url,
                         {
                             'username': 'xs',
                             'password': '123qwe',
                             'password_confirmation': 'qwe123',
                             'email': 'goodmailm@test.plxa',
                             'firstname': 'test',
                             'lastname': 'test'
                         }
                     )
                     msg = validators.ValidPasswordsMatch()._messages['password_mismatch']
                     response.mustcontain(msg)
                 def test_register_ok(self):
                     username = 'test_regular4'
                     password = 'qweqwe'
                     email = 'marcin@test.com'
                     name = 'testname'
                     lastname = 'testlastname'
                     response = self.app.post(
                         register_url,
                         {
                             'username': username,
                             'password': password,
                             'password_confirmation': password,
                             'email': email,
                             'firstname': name,
                             'lastname': lastname,
                             'admin': True
                         }
                     )  # This should be overriden
                     assert response.status == '302 Found'
                     assert_session_flash(
                         response, 'You have successfully registered with RhodeCode')
                     ret = Session().query(User).filter(
                         User.username == 'test_regular4').one()
                     assert ret.username == username
                     assert check_password(password, ret.password)
                     assert ret.email == email
                     assert ret.name == name
                     assert ret.lastname == lastname
-                    assert ret.api_key is not None
+                    assert ret.auth_tokens is not None
                     assert not ret.admin
                 def test_forgot_password_wrong_mail(self):
                     bad_email = 'marcin@wrongmail.org'
                     response = self.app.post(
                         pwd_reset_url, {'email': bad_email, }
                     )
                     assert_session_flash(response,
                         'If such email exists, a password reset link was sent to it.')
                 def test_forgot_password(self, user_util):
                     response = self.app.get(pwd_reset_url)
                     assert response.status == '200 OK'
                     user = user_util.create_user()
                     user_id = user.user_id
                     email = user.email
                     response = self.app.post(pwd_reset_url, {'email': email, })
                     assert_session_flash(response,
                         'If such email exists, a password reset link was sent to it.')
                     # BAD KEY
                     confirm_url = '{}?key={}'.format(pwd_reset_confirm_url, 'badkey')
                     response = self.app.get(confirm_url)
                     assert response.status == '302 Found'
                     assert response.location.endswith(pwd_reset_url)
                     assert_session_flash(response, 'Given reset token is invalid')
                     response.follow()  # cleanup flash
                     # GOOD KEY
                     key = UserApiKeys.query()\
                         .filter(UserApiKeys.user_id == user_id)\
                         .filter(UserApiKeys.role == UserApiKeys.ROLE_PASSWORD_RESET)\
                         .first()
                     assert key
                     confirm_url = '{}?key={}'.format(pwd_reset_confirm_url, key.api_key)
                     response = self.app.get(confirm_url)
                     assert response.status == '302 Found'
                     assert response.location.endswith(login_url)
                     assert_session_flash(
                         response,
                         'Your password reset was successful, '
                         'a new password has been sent to your email')
                     response.follow()
                 def _get_api_whitelist(self, values=None):
                     config = {'api_access_controllers_whitelist': values or []}
                     return config
                 @pytest.mark.parametrize("test_name, auth_token", [
                     ('none', None),
                     ('empty_string', ''),
                     ('fake_number', '123456'),
                     ('proper_auth_token', None)
                 ])
                 def test_access_not_whitelisted_page_via_auth_token(
                         self, test_name, auth_token, user_admin):
                     whitelist = self._get_api_whitelist([])
                     with mock.patch.dict('rhodecode.CONFIG', whitelist):
                         assert [] == whitelist['api_access_controllers_whitelist']
                         if test_name == 'proper_auth_token':
                             # use builtin if api_key is None
                             auth_token = user_admin.api_key
                         with fixture.anon_access(False):
                             self.app.get(url(controller='changeset',
                                              action='changeset_raw',
                                              repo_name=HG_REPO, revision='tip',
                                              api_key=auth_token),
                                          status=302)
                 @pytest.mark.parametrize("test_name, auth_token, code", [
                     ('none', None, 302),
                     ('empty_string', '', 302),
                     ('fake_number', '123456', 302),
                     ('proper_auth_token', None, 200)
                 ])
                 def test_access_whitelisted_page_via_auth_token(
                         self, test_name, auth_token, code, user_admin):
                     whitelist_entry = ['ChangesetController:changeset_raw']
                     whitelist = self._get_api_whitelist(whitelist_entry)
                     with mock.patch.dict('rhodecode.CONFIG', whitelist):
                         assert whitelist_entry == whitelist['api_access_controllers_whitelist']
                         if test_name == 'proper_auth_token':
                             auth_token = user_admin.api_key
+                            assert auth_token
                         with fixture.anon_access(False):
                             self.app.get(url(controller='changeset',
                                              action='changeset_raw',
                                              repo_name=HG_REPO, revision='tip',
                                              api_key=auth_token),
                                          status=code)
                 def test_access_page_via_extra_auth_token(self):
                     whitelist = self._get_api_whitelist(
                         ['ChangesetController:changeset_raw'])
                     with mock.patch.dict('rhodecode.CONFIG', whitelist):
                         assert ['ChangesetController:changeset_raw'] == \
                             whitelist['api_access_controllers_whitelist']
                         new_auth_token = AuthTokenModel().create(
                             TEST_USER_ADMIN_LOGIN, 'test')
                         Session().commit()
                         with fixture.anon_access(False):
                             self.app.get(url(controller='changeset',
                                              action='changeset_raw',
                                              repo_name=HG_REPO, revision='tip',
                                              api_key=new_auth_token.api_key),
                                          status=200)
                 def test_access_page_via_expired_auth_token(self):
                     whitelist = self._get_api_whitelist(
                         ['ChangesetController:changeset_raw'])
                     with mock.patch.dict('rhodecode.CONFIG', whitelist):
                         assert ['ChangesetController:changeset_raw'] == \
                             whitelist['api_access_controllers_whitelist']
                         new_auth_token = AuthTokenModel().create(
                             TEST_USER_ADMIN_LOGIN, 'test')
                         Session().commit()
                         # patch the api key and make it expired
                         new_auth_token.expires = 0
                         Session().add(new_auth_token)
                         Session().commit()
                         with fixture.anon_access(False):
                             self.app.get(url(controller='changeset',
                                              action='changeset_raw',
                                              repo_name=HG_REPO, revision='tip',
                                              api_key=new_auth_token.api_key),
                                          status=302)

rhodecode/tests/lib/test_db_manage.py

0 +12 -6

             # -*- coding: utf-8 -*-
             # Copyright (C) 2010-2017 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import mock
             import pytest
             from rhodecode.lib.db_manage import DbManage
             from rhodecode.model import db
             @pytest.fixture
             def db_manage(pylonsapp):
                 db_manage = DbManage(
                     log_sql=True, dbconf='fake', root='fake', tests=False,
                     cli_args={}, SESSION=db.Session())
                 return db_manage
             @pytest.fixture(autouse=True)
             def session_rollback(pylonsapp, request):
                 """
                 Rollback the database session after the test run.
                 Intended usage is for tests wich mess with the database but don't
                 commit. In this case a rollback after the test run will leave the database
                 in a clean state.
                 This is still a workaround until we find a way to isolate the tests better
                 from each other.
                 """
                 @request.addfinalizer
                 def cleanup():
                     db.Session().rollback()
             def test_create_admin_and_prompt_uses_getpass(db_manage):
                 db_manage.cli_args = {
                     'username': 'test',
                     'email': 'test@example.com'}
                 with mock.patch('getpass.getpass', return_value='password') as getpass:
                     db_manage.create_admin_and_prompt()
                 assert getpass.called
             def test_create_admin_and_prompt_sets_the_api_key(db_manage):
                 db_manage.cli_args = {
                     'username': 'test',
                     'password': 'testpassword',
                     'email': 'test@example.com',
                     'api_key': 'testkey'}
                 with mock.patch.object(db_manage, 'create_user') as create_user:
                     db_manage.create_admin_and_prompt()
                 assert create_user.call_args[1]['api_key'] == 'testkey'
-            def test_create_user_sets_the_api_key(db_manage):
+            @pytest.mark.parametrize('add_keys', [True, False])
+            def test_create_user_sets_the_api_key(db_manage, add_keys):
+                username = 'test_add_keys_{}'.format(add_keys)
                 db_manage.create_user(
-                    'test', 'testpassword', 'test@example.com',
+                    username, 'testpassword', 'test@example.com',
-                    api_key='testkey')
+                    api_key=add_keys)
-                user = db.User.get_by_username('test')
+                user = db.User.get_by_username(username)
-                assert user.api_key == 'testkey'
+                if add_keys:
+                    assert 2 == len(user.auth_tokens)
+                else:
+                    # only feed token
+                    assert 1 == len(user.auth_tokens)
             def test_create_user_without_api_key(db_manage):
                 db_manage.create_user('test', 'testpassword', 'test@example.com')
                 user = db.User.get_by_username('test')
-                assert user.api_key
+                assert user.api_key is None

rhodecode/tests/models/test_users.py

0 0 -3

             # -*- coding: utf-8 -*-
             # Copyright (C) 2010-2017 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import pytest
             from sqlalchemy.sql.expression import true
             from rhodecode.model.db import User, UserGroup, UserGroupMember, UserEmailMap,\
                 Permission, UserIpMap
             from rhodecode.model.meta import Session
             from rhodecode.model.user import UserModel
             from rhodecode.model.user_group import UserGroupModel
             from rhodecode.model.repo import RepoModel
             from rhodecode.model.repo_group import RepoGroupModel
             from rhodecode.tests.fixture import Fixture
             fixture = Fixture()
             @pytest.fixture
             def test_user(request, pylonsapp):
                 usr = UserModel().create_or_update(
                     username=u'test_user',
                     password=u'qweqwe',
                     email=u'main_email@rhodecode.org',
                     firstname=u'u1', lastname=u'u1')
                 Session().commit()
                 assert User.get_by_username(u'test_user') == usr
                 @request.addfinalizer
                 def cleanup():
                     if UserModel().get_user(usr.user_id) is None:
                         return
                     perm = Permission.query().all()
                     for p in perm:
                         UserModel().revoke_perm(usr, p)
                     UserModel().delete(usr.user_id)
                     Session().commit()
                 return usr
             def test_create_and_remove(test_user):
                 usr = test_user
                 # make user group
                 user_group = fixture.create_user_group('some_example_group')
                 Session().commit()
                 UserGroupModel().add_user_to_group(user_group, usr)
                 Session().commit()
                 assert UserGroup.get(user_group.users_group_id) == user_group
                 assert UserGroupMember.query().count() == 1
                 UserModel().delete(usr.user_id)
                 Session().commit()
                 assert UserGroupMember.query().all() == []
             def test_additonal_email_as_main(test_user):
                 with pytest.raises(AttributeError):
                     m = UserEmailMap()
                     m.email = test_user.email
                     m.user = test_user
                     Session().add(m)
                     Session().commit()
             def test_extra_email_map(test_user):
                 m = UserEmailMap()
                 m.email = u'main_email2@rhodecode.org'
                 m.user = test_user
                 Session().add(m)
                 Session().commit()
                 u = User.get_by_email(email='main_email@rhodecode.org')
                 assert test_user.user_id == u.user_id
                 assert test_user.username == u.username
                 u = User.get_by_email(email='main_email2@rhodecode.org')
                 assert test_user.user_id == u.user_id
                 assert test_user.username == u.username
                 u = User.get_by_email(email='main_email3@rhodecode.org')
                 assert u is None
             def test_get_api_data_replaces_secret_data_by_default(test_user):
                 api_data = test_user.get_api_data()
                 api_key_length = 40
                 expected_replacement = '*' * api_key_length
-                assert api_data['api_key'] == expected_replacement
                 for key in api_data['api_keys']:
                     assert key == expected_replacement
             def test_get_api_data_includes_secret_data_if_activated(test_user):
                 api_data = test_user.get_api_data(include_secrets=True)
-                assert api_data['api_key'] == test_user.api_key
                 assert api_data['api_keys'] == test_user.auth_tokens
             def test_add_perm(test_user):
                 perm = Permission.query().all()[0]
                 UserModel().grant_perm(test_user, perm)
                 Session().commit()
                 assert UserModel().has_perm(test_user, perm)
             def test_has_perm(test_user):
                 perm = Permission.query().all()
                 for p in perm:
                     assert not UserModel().has_perm(test_user, p)
             def test_revoke_perm(test_user):
                 perm = Permission.query().all()[0]
                 UserModel().grant_perm(test_user, perm)
                 Session().commit()
                 assert UserModel().has_perm(test_user, perm)
                 # revoke
                 UserModel().revoke_perm(test_user, perm)
                 Session().commit()
                 assert not UserModel().has_perm(test_user, perm)
             @pytest.mark.parametrize("ip_range, expected, expect_errors", [
                 ('', [], False),
                 ('127.0.0.1', ['127.0.0.1'], False),
                 ('127.0.0.1,127.0.0.2', ['127.0.0.1', '127.0.0.2'], False),
                 ('127.0.0.1 ,  127.0.0.2', ['127.0.0.1', '127.0.0.2'], False),
                 (
                     '127.0.0.1,172.172.172.0,127.0.0.2',
                     ['127.0.0.1', '172.172.172.0', '127.0.0.2'], False),
                 (
                     '127.0.0.1-127.0.0.5',
                     ['127.0.0.1', '127.0.0.2', '127.0.0.3', '127.0.0.4', '127.0.0.5'],
                     False),
                 (
                     '127.0.0.1 - 127.0.0.5',
                     ['127.0.0.1', '127.0.0.2', '127.0.0.3', '127.0.0.4', '127.0.0.5'],
                     False
                 ),
                 ('-', [], True),
                 ('127.0.0.1-32', [], True),
                 (
                     '127.0.0.1,127.0.0.1,127.0.0.1,127.0.0.1-127.0.0.2,127.0.0.2',
                     ['127.0.0.1', '127.0.0.2'], False),
                 (
                     '127.0.0.1-127.0.0.2,127.0.0.4-127.0.0.6,',
                     ['127.0.0.1', '127.0.0.2', '127.0.0.4', '127.0.0.5', '127.0.0.6'],
                     False
                 ),
                 (
                     '127.0.0.1-127.0.0.2,127.0.0.1-127.0.0.6,',
                     ['127.0.0.1', '127.0.0.2', '127.0.0.3', '127.0.0.4', '127.0.0.5',
                      '127.0.0.6'],
                     False
                 ),
             ])
             def test_ip_range_generator(ip_range, expected, expect_errors):
                 func = UserModel().parse_ip_range
                 if expect_errors:
                     pytest.raises(Exception, func, ip_range)
                 else:
                     parsed_list = func(ip_range)
                     assert parsed_list == expected
             def test_user_delete_cascades_ip_whitelist(test_user):
                 sample_ip = '1.1.1.1'
                 uid_map = UserIpMap(user_id=test_user.user_id, ip_addr=sample_ip)
                 Session().add(uid_map)
                 Session().delete(test_user)
                 try:
                     Session().flush()
                 finally:
                     Session().rollback()
             def test_account_for_deactivation_generation(test_user):
                 accounts = UserModel().get_accounts_in_creation_order(
                     current_user=test_user)
                 # current user should be #1 in the list
                 assert accounts[0] == test_user.user_id
                 active_users = User.query().filter(User.active == true()).count()
                 assert active_users == len(accounts)
             def test_user_delete_cascades_permissions_on_repo(backend, test_user):
                 test_repo = backend.create_repo()
                 RepoModel().grant_user_permission(
                     test_repo, test_user, 'repository.write')
                 Session().commit()
                 assert test_user.repo_to_perm
                 UserModel().delete(test_user)
                 Session().commit()
             def test_user_delete_cascades_permissions_on_repo_group(
                     test_repo_group, test_user):
                 RepoGroupModel().grant_user_permission(
                     test_repo_group, test_user, 'group.write')
                 Session().commit()
                 assert test_user.repo_group_to_perm
                 Session().delete(test_user)
                 Session().commit()
             def test_user_delete_cascades_permissions_on_user_group(
                     test_user_group, test_user):
                 UserGroupModel().grant_user_permission(
                     test_user_group, test_user, 'usergroup.write')
                 Session().commit()
                 assert test_user.user_group_to_perm
                 Session().delete(test_user)
                 Session().commit()

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages