auth: expose an option to calculate how we end up having super-admin permission....
marcink -
r2065:adc2d1ca default
@@ -296,16 +296,17 b' class CookieStoreWrapper(object):'
296
296
297
297
298 def _cached_perms_data(user_id, scope, user_is_admin,
298 def _cached_perms_data(user_id, scope, user_is_admin,
299 user_inherit_default_permissions, explicit, algo):
299 user_inherit_default_permissions, explicit, algo,
300 calculate_super_admin):
300
301
301 permissions = PermissionCalculator(
302 permissions = PermissionCalculator(
302 user_id, scope, user_is_admin, user_inherit_default_permissions,
303 user_id, scope, user_is_admin, user_inherit_default_permissions,
303 explicit, algo)
304 explicit, algo, calculate_super_admin)
304 return permissions.calculate()
305 return permissions.calculate()
305
306
306
307
307 class PermOrigin(object):
308 class PermOrigin(object):
308 ADMIN = 'superadmin'
309 SUPER_ADMIN = 'superadmin'
309
310
310 REPO_USER = 'user:%s'
311 REPO_USER = 'user:%s'
311 REPO_USERGROUP = 'usergroup:%s'
312 REPO_USERGROUP = 'usergroup:%s'
@@ -359,12 +360,15 b' class PermissionCalculator(object):'
359
360
360 def __init__(
361 def __init__(
361 self, user_id, scope, user_is_admin,
362 self, user_id, scope, user_is_admin,
362 user_inherit_default_permissions, explicit, algo):
363 user_inherit_default_permissions, explicit, algo,
364 calculate_super_admin=False):
365
363 self.user_id = user_id
366 self.user_id = user_id
364 self.user_is_admin = user_is_admin
367 self.user_is_admin = user_is_admin
365 self.inherit_default_permissions = user_inherit_default_permissions
368 self.inherit_default_permissions = user_inherit_default_permissions
366 self.explicit = explicit
369 self.explicit = explicit
367 self.algo = algo
370 self.algo = algo
371 self.calculate_super_admin = calculate_super_admin
368
372
369 scope = scope or {}
373 scope = scope or {}
370 self.scope_repo_id = scope.get('repo_id')
374 self.scope_repo_id = scope.get('repo_id')
@@ -387,7 +391,7 b' class PermissionCalculator(object):'
387 self.default_user_id, self.scope_user_group_id)
391 self.default_user_id, self.scope_user_group_id)
388
392
389 def calculate(self):
393 def calculate(self):
390 if self.user_is_admin:
394 if self.user_is_admin and not self.calculate_super_admin:
391 return self._admin_permissions()
395 return self._admin_permissions()
392
396
393 self._calculate_global_default_permissions()
397 self._calculate_global_default_permissions()
@@ -410,19 +414,19 b' class PermissionCalculator(object):'
410 for perm in self.default_repo_perms:
414 for perm in self.default_repo_perms:
411 r_k = perm.UserRepoToPerm.repository.repo_name
415 r_k = perm.UserRepoToPerm.repository.repo_name
412 p = 'repository.admin'
416 p = 'repository.admin'
413 self.permissions_repositories[r_k] = p, PermOrigin.ADMIN
417 self.permissions_repositories[r_k] = p, PermOrigin.SUPER_ADMIN
414
418
415 # repository groups
419 # repository groups
416 for perm in self.default_repo_groups_perms:
420 for perm in self.default_repo_groups_perms:
417 rg_k = perm.UserRepoGroupToPerm.group.group_name
421 rg_k = perm.UserRepoGroupToPerm.group.group_name
418 p = 'group.admin'
422 p = 'group.admin'
419 self.permissions_repository_groups[rg_k] = p, PermOrigin.ADMIN
423 self.permissions_repository_groups[rg_k] = p, PermOrigin.SUPER_ADMIN
420
424
421 # user groups
425 # user groups
422 for perm in self.default_user_group_perms:
426 for perm in self.default_user_group_perms:
423 u_k = perm.UserUserGroupToPerm.user_group.users_group_name
427 u_k = perm.UserUserGroupToPerm.user_group.users_group_name
424 p = 'usergroup.admin'
428 p = 'usergroup.admin'
425 self.permissions_user_groups[u_k] = p, PermOrigin.ADMIN
429 self.permissions_user_groups[u_k] = p, PermOrigin.SUPER_ADMIN
426
430
427 return self._permission_structure()
431 return self._permission_structure()
428
432
@@ -437,6 +441,10 b' class PermissionCalculator(object):'
437 for perm in default_global_perms:
441 for perm in default_global_perms:
438 self.permissions_global.add(perm.permission.permission_name)
442 self.permissions_global.add(perm.permission.permission_name)
439
443
444 if self.user_is_admin:
445 self.permissions_global.add('hg.admin')
446 self.permissions_global.add('hg.create.write_on_repogroup.true')
447
440 def _calculate_global_permissions(self):
448 def _calculate_global_permissions(self):
441 """
449 """
442 Set global system permissions with user permissions or permissions
450 Set global system permissions with user permissions or permissions
@@ -558,6 +566,11 b' class PermissionCalculator(object):'
558 o = PermOrigin.REPO_OWNER
566 o = PermOrigin.REPO_OWNER
559 self.permissions_repositories[r_k] = p, o
567 self.permissions_repositories[r_k] = p, o
560
568
569 if self.user_is_admin:
570 p = 'repository.admin'
571 o = PermOrigin.SUPER_ADMIN
572 self.permissions_repositories[r_k] = p, o
573
561 # defaults for repository groups taken from `default` user permission
574 # defaults for repository groups taken from `default` user permission
562 # on given group
575 # on given group
563 for perm in self.default_repo_groups_perms:
576 for perm in self.default_repo_groups_perms:
@@ -579,6 +592,11 b' class PermissionCalculator(object):'
579 o = PermOrigin.REPOGROUP_OWNER
592 o = PermOrigin.REPOGROUP_OWNER
580 self.permissions_repository_groups[rg_k] = p, o
593 self.permissions_repository_groups[rg_k] = p, o
581
594
595 if self.user_is_admin:
596 p = 'group.admin'
597 o = PermOrigin.SUPER_ADMIN
598 self.permissions_repository_groups[rg_k] = p, o
599
582 # defaults for user groups taken from `default` user permission
600 # defaults for user groups taken from `default` user permission
583 # on given user group
601 # on given user group
584 for perm in self.default_user_group_perms:
602 for perm in self.default_user_group_perms:
@@ -600,6 +618,11 b' class PermissionCalculator(object):'
600 o = PermOrigin.USERGROUP_OWNER
618 o = PermOrigin.USERGROUP_OWNER
601 self.permissions_user_groups[u_k] = p, o
619 self.permissions_user_groups[u_k] = p, o
602
620
621 if self.user_is_admin:
622 p = 'usergroup.admin'
623 o = PermOrigin.SUPER_ADMIN
624 self.permissions_user_groups[u_k] = p, o
625
603 def _calculate_repository_permissions(self):
626 def _calculate_repository_permissions(self):
604 """
627 """
605 Repository permissions for the current user.
628 Repository permissions for the current user.
@@ -634,6 +657,11 b' class PermissionCalculator(object):'
634 o = PermOrigin.REPO_OWNER
657 o = PermOrigin.REPO_OWNER
635 self.permissions_repositories[r_k] = p, o
658 self.permissions_repositories[r_k] = p, o
636
659
660 if self.user_is_admin:
661 p = 'repository.admin'
662 o = PermOrigin.SUPER_ADMIN
663 self.permissions_repositories[r_k] = p, o
664
637 # user explicit permissions for repositories, overrides any specified
665 # user explicit permissions for repositories, overrides any specified
638 # by the group permission
666 # by the group permission
639 user_repo_perms = Permission.get_default_repo_perms(
667 user_repo_perms = Permission.get_default_repo_perms(
@@ -656,6 +684,11 b' class PermissionCalculator(object):'
656 o = PermOrigin.REPO_OWNER
684 o = PermOrigin.REPO_OWNER
657 self.permissions_repositories[r_k] = p, o
685 self.permissions_repositories[r_k] = p, o
658
686
687 if self.user_is_admin:
688 p = 'repository.admin'
689 o = PermOrigin.SUPER_ADMIN
690 self.permissions_repositories[r_k] = p, o
691
659 def _calculate_repository_group_permissions(self):
692 def _calculate_repository_group_permissions(self):
660 """
693 """
661 Repository group permissions for the current user.
694 Repository group permissions for the current user.
@@ -688,6 +721,11 b' class PermissionCalculator(object):'
688 o = PermOrigin.REPOGROUP_OWNER
721 o = PermOrigin.REPOGROUP_OWNER
689 self.permissions_repository_groups[rg_k] = p, o
722 self.permissions_repository_groups[rg_k] = p, o
690
723
724 if self.user_is_admin:
725 p = 'group.admin'
726 o = PermOrigin.SUPER_ADMIN
727 self.permissions_repository_groups[rg_k] = p, o
728
691 # user explicit permissions for repository groups
729 # user explicit permissions for repository groups
692 user_repo_groups_perms = Permission.get_default_group_perms(
730 user_repo_groups_perms = Permission.get_default_group_perms(
693 self.user_id, self.scope_repo_group_id)
731 self.user_id, self.scope_repo_group_id)
@@ -710,6 +748,11 b' class PermissionCalculator(object):'
710 o = PermOrigin.REPOGROUP_OWNER
748 o = PermOrigin.REPOGROUP_OWNER
711 self.permissions_repository_groups[rg_k] = p, o
749 self.permissions_repository_groups[rg_k] = p, o
712
750
751 if self.user_is_admin:
752 p = 'group.admin'
753 o = PermOrigin.SUPER_ADMIN
754 self.permissions_repository_groups[rg_k] = p, o
755
713 def _calculate_user_group_permissions(self):
756 def _calculate_user_group_permissions(self):
714 """
757 """
715 User group permissions for the current user.
758 User group permissions for the current user.
@@ -740,6 +783,11 b' class PermissionCalculator(object):'
740 o = PermOrigin.USERGROUP_OWNER
783 o = PermOrigin.USERGROUP_OWNER
741 self.permissions_user_groups[ug_k] = p, o
784 self.permissions_user_groups[ug_k] = p, o
742
785
786 if self.user_is_admin:
787 p = 'usergroup.admin'
788 o = PermOrigin.SUPER_ADMIN
789 self.permissions_user_groups[ug_k] = p, o
790
743 # user explicit permission for user groups
791 # user explicit permission for user groups
744 user_user_groups_perms = Permission.get_default_user_group_perms(
792 user_user_groups_perms = Permission.get_default_user_group_perms(
745 self.user_id, self.scope_user_group_id)
793 self.user_id, self.scope_user_group_id)
@@ -762,6 +810,11 b' class PermissionCalculator(object):'
762 o = PermOrigin.USERGROUP_OWNER
810 o = PermOrigin.USERGROUP_OWNER
763 self.permissions_user_groups[ug_k] = p, o
811 self.permissions_user_groups[ug_k] = p, o
764
812
813 if self.user_is_admin:
814 p = 'usergroup.admin'
815 o = PermOrigin.SUPER_ADMIN
816 self.permissions_user_groups[ug_k] = p, o
817
765 def _choose_permission(self, new_perm, cur_perm):
818 def _choose_permission(self, new_perm, cur_perm):
766 new_perm_val = Permission.PERM_WEIGHTS[new_perm]
819 new_perm_val = Permission.PERM_WEIGHTS[new_perm]
767 cur_perm_val = Permission.PERM_WEIGHTS[cur_perm]
820 cur_perm_val = Permission.PERM_WEIGHTS[cur_perm]
@@ -874,6 +927,11 b' class AuthUser(object):'
874 def permissions(self):
927 def permissions(self):
875 return self.get_perms(user=self, cache=False)
928 return self.get_perms(user=self, cache=False)
876
929
930 @LazyProperty
931 def permissions_full_details(self):
932 return self.get_perms(
933 user=self, cache=False, calculate_super_admin=True)
934
877 def permissions_with_scope(self, scope):
935 def permissions_with_scope(self, scope):
878 """
936 """
879 Call the get_perms function with scoped data. The scope in that function
937 Call the get_perms function with scoped data. The scope in that function
@@ -957,7 +1015,7 b' class AuthUser(object):'
957 log.debug('AuthUser: propagated user is now %s', self)
1015 log.debug('AuthUser: propagated user is now %s', self)
958
1016
959 def get_perms(self, user, scope=None, explicit=True, algo='higherwin',
1017 def get_perms(self, user, scope=None, explicit=True, algo='higherwin',
960 cache=False):
1018 calculate_super_admin=False, cache=False):
961 """
1019 """
962 Fills user permission attribute with permissions taken from database
1020 Fills user permission attribute with permissions taken from database
963 works for permissions given for repositories, and for permissions that
1021 works for permissions given for repositories, and for permissions that
@@ -984,7 +1042,8 b' class AuthUser(object):'
984 'short_term', 'cache_desc',
1042 'short_term', 'cache_desc',
985 condition=cache, func=_cached_perms_data)
1043 condition=cache, func=_cached_perms_data)
986 result = compute(user_id, scope, user_is_admin,
1044 result = compute(user_id, scope, user_is_admin,
987 user_inherit_default_permissions, explicit, algo)
1045 user_inherit_default_permissions, explicit, algo,
1046 calculate_super_admin)
988
1047
989 result_repr = []
1048 result_repr = []
990 for k in result:
1049 for k in result:
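Review bot: In `get_perms` the new `calculate_super_admin=False` is inserted ahead of `cache=False`, so any caller outside these hunks that passes `cache` positionally would now switch on the extended super-admin calculation instead of caching, without an error. Appending it keeps existing call sites stable: `def get_perms(self, user, scope=None, explicit=True, algo='higherwin', cache=False, calculate_super_admin=False):`. Separately, the `if self.user_is_admin:` override is pasted after every assignment in the `_calculate_*` methods, so the extended view stays accurate only while each future assignment path repeats it; a small private helper that writes the admin permission with `PermOrigin.SUPER_ADMIN` would keep that in one place. The bodies of these methods continue outside the hunks, so whether every object reaches one of the overrides cannot be confirmed from this page.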
@@ -1,5 +1,5 b''
1 ## permissions overview
1 ## permissions overview
2 <div id="perms_container">
2 <div id="perms_container">
3 <%namespace name="p" file="/base/perms_summary.mako"/>
3 <%namespace name="p" file="/base/perms_summary.mako"/>
4 ${p.perms_summary(c.perm_user.permissions, actions=False)}
4 ${p.perms_summary(c.perm_user.permissions_full_details, actions=False)}
5 </div>
5 </div>
@@ -2,4 +2,4 b''
2
2
3 ## permissions overview
3 ## permissions overview
4 <%namespace name="p" file="/base/perms_summary.mako"/>
4 <%namespace name="p" file="/base/perms_summary.mako"/>
5 ${p.perms_summary(c.perm_user.permissions, show_all=True)}
5 ${p.perms_summary(c.perm_user.permissions_full_details, show_all=True)}
@@ -1,3 +1,3 b''
1 ## permissions overview
1 ## permissions overview
2 <%namespace name="p" file="/base/perms_summary.mako"/>
2 <%namespace name="p" file="/base/perms_summary.mako"/>
3 ${p.perms_summary(c.perm_user.permissions, show_all=True, side_link=h.route_path('edit_user_perms_summary_json', user_id=c.user.user_id))}
3 ${p.perms_summary(c.perm_user.permissions_full_details, show_all=True, side_link=h.route_path('edit_user_perms_summary_json', user_id=c.user.user_id))}
@@ -79,6 +79,14 b' def test_cached_perms_data_with_admin_us'
79 assert permissions['repositories'][repo_name] == 'repository.admin'
79 assert permissions['repositories'][repo_name] == 'repository.admin'
80
80
81
81
82 def test_cached_perms_data_with_admin_user_extended_calculation(user_regular, backend_random):
83 permissions = get_permissions(user_regular, user_is_admin=True,
84 calculate_super_admin=True)
85 repo_name = backend_random.repo.repo_name
86 assert 'hg.admin' in permissions['global']
87 assert permissions['repositories'][repo_name] == 'repository.admin'
88
89
82 def test_cached_perms_data_user_group_global_permissions(user_util):
90 def test_cached_perms_data_user_group_global_permissions(user_util):
83 user, user_group = user_util.create_user_with_group()
91 user, user_group = user_util.create_user_with_group()
84 user_group.inherit_default_permissions = False
92 user_group.inherit_default_permissions = False
@@ -559,6 +567,7 b' def get_permissions(user, **kwargs):'
559 'user_inherit_default_permissions': False,
567 'user_inherit_default_permissions': False,
560 'explicit': False,
568 'explicit': False,
561 'algo': 'higherwin',
569 'algo': 'higherwin',
570 'calculate_super_admin': False,
562 }
571 }
563 call_args.update(kwargs)
572 call_args.update(kwargs)
564 permissions = auth._cached_perms_data(**call_args)
573 permissions = auth._cached_perms_data(**call_args)
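Review bot: `test_cached_perms_data_with_admin_user_extended_calculation` asserts only `hg.admin` and one repository entry, while the commit adds the same super-admin override for repository groups and user groups, so those branches go unchecked. Since the extended path is meant to explain the same grant rather than change it, a parity assertion against the short path would pin that, for example `assert permissions['repositories'] == get_permissions(user_regular, user_is_admin=True)['repositories']`, repeated for the other object types. Whether the two structures compare equal as written depends on the return type of `calculate()`, which is not visible here.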