auth: expose a option to calculate how we end up having super-admin permission....
marcink -
r2065:adc2d1ca default
@@ -296,16 +296,17 b' class CookieStoreWrapper(object):'
296 296
297 297
298 298 def _cached_perms_data(user_id, scope, user_is_admin,
299 user_inherit_default_permissions, explicit, algo):
299 user_inherit_default_permissions, explicit, algo,
300 calculate_super_admin):
300 301
301 302 permissions = PermissionCalculator(
302 303 user_id, scope, user_is_admin, user_inherit_default_permissions,
303 explicit, algo)
304 explicit, algo, calculate_super_admin)
304 305 return permissions.calculate()
305 306
306 307
307 308 class PermOrigin(object):
308 ADMIN = 'superadmin'
309 SUPER_ADMIN = 'superadmin'
309 310
310 311 REPO_USER = 'user:%s'
311 312 REPO_USERGROUP = 'usergroup:%s'
@@ -359,12 +360,15 b' class PermissionCalculator(object):'
359 360
360 361 def __init__(
361 362 self, user_id, scope, user_is_admin,
362 user_inherit_default_permissions, explicit, algo):
363 user_inherit_default_permissions, explicit, algo,
364 calculate_super_admin=False):
365
363 366 self.user_id = user_id
364 367 self.user_is_admin = user_is_admin
365 368 self.inherit_default_permissions = user_inherit_default_permissions
366 369 self.explicit = explicit
367 370 self.algo = algo
371 self.calculate_super_admin = calculate_super_admin
368 372
369 373 scope = scope or {}
370 374 self.scope_repo_id = scope.get('repo_id')
@@ -387,7 +391,7 b' class PermissionCalculator(object):'
387 391 self.default_user_id, self.scope_user_group_id)
388 392
389 393 def calculate(self):
390 if self.user_is_admin:
394 if self.user_is_admin and not self.calculate_super_admin:
391 395 return self._admin_permissions()
392 396
393 397 self._calculate_global_default_permissions()
@@ -410,19 +414,19 b' class PermissionCalculator(object):'
410 414 for perm in self.default_repo_perms:
411 415 r_k = perm.UserRepoToPerm.repository.repo_name
412 416 p = 'repository.admin'
413 self.permissions_repositories[r_k] = p, PermOrigin.ADMIN
417 self.permissions_repositories[r_k] = p, PermOrigin.SUPER_ADMIN
414 418
415 419 # repository groups
416 420 for perm in self.default_repo_groups_perms:
417 421 rg_k = perm.UserRepoGroupToPerm.group.group_name
418 422 p = 'group.admin'
419 self.permissions_repository_groups[rg_k] = p, PermOrigin.ADMIN
423 self.permissions_repository_groups[rg_k] = p, PermOrigin.SUPER_ADMIN
420 424
421 425 # user groups
422 426 for perm in self.default_user_group_perms:
423 427 u_k = perm.UserUserGroupToPerm.user_group.users_group_name
424 428 p = 'usergroup.admin'
425 self.permissions_user_groups[u_k] = p, PermOrigin.ADMIN
429 self.permissions_user_groups[u_k] = p, PermOrigin.SUPER_ADMIN
426 430
427 431 return self._permission_structure()
428 432
@@ -437,6 +441,10 b' class PermissionCalculator(object):'
437 441 for perm in default_global_perms:
438 442 self.permissions_global.add(perm.permission.permission_name)
439 443
444 if self.user_is_admin:
445 self.permissions_global.add('hg.admin')
446 self.permissions_global.add('hg.create.write_on_repogroup.true')
447
440 448 def _calculate_global_permissions(self):
441 449 """
442 450 Set global system permissions with user permissions or permissions
@@ -558,6 +566,11 b' class PermissionCalculator(object):'
558 566 o = PermOrigin.REPO_OWNER
559 567 self.permissions_repositories[r_k] = p, o
560 568
569 if self.user_is_admin:
570 p = 'repository.admin'
571 o = PermOrigin.SUPER_ADMIN
572 self.permissions_repositories[r_k] = p, o
573
561 574 # defaults for repository groups taken from `default` user permission
562 575 # on given group
563 576 for perm in self.default_repo_groups_perms:
@@ -579,6 +592,11 b' class PermissionCalculator(object):'
579 592 o = PermOrigin.REPOGROUP_OWNER
580 593 self.permissions_repository_groups[rg_k] = p, o
581 594
595 if self.user_is_admin:
596 p = 'group.admin'
597 o = PermOrigin.SUPER_ADMIN
598 self.permissions_repository_groups[rg_k] = p, o
599
582 600 # defaults for user groups taken from `default` user permission
583 601 # on given user group
584 602 for perm in self.default_user_group_perms:
@@ -600,6 +618,11 b' class PermissionCalculator(object):'
600 618 o = PermOrigin.USERGROUP_OWNER
601 619 self.permissions_user_groups[u_k] = p, o
602 620
621 if self.user_is_admin:
622 p = 'usergroup.admin'
623 o = PermOrigin.SUPER_ADMIN
624 self.permissions_user_groups[u_k] = p, o
625
603 626 def _calculate_repository_permissions(self):
604 627 """
605 628 Repository permissions for the current user.
@@ -634,6 +657,11 b' class PermissionCalculator(object):'
634 657 o = PermOrigin.REPO_OWNER
635 658 self.permissions_repositories[r_k] = p, o
636 659
660 if self.user_is_admin:
661 p = 'repository.admin'
662 o = PermOrigin.SUPER_ADMIN
663 self.permissions_repositories[r_k] = p, o
664
637 665 # user explicit permissions for repositories, overrides any specified
638 666 # by the group permission
639 667 user_repo_perms = Permission.get_default_repo_perms(
@@ -656,6 +684,11 b' class PermissionCalculator(object):'
656 684 o = PermOrigin.REPO_OWNER
657 685 self.permissions_repositories[r_k] = p, o
658 686
687 if self.user_is_admin:
688 p = 'repository.admin'
689 o = PermOrigin.SUPER_ADMIN
690 self.permissions_repositories[r_k] = p, o
691
659 692 def _calculate_repository_group_permissions(self):
660 693 """
661 694 Repository group permissions for the current user.
@@ -688,6 +721,11 b' class PermissionCalculator(object):'
688 721 o = PermOrigin.REPOGROUP_OWNER
689 722 self.permissions_repository_groups[rg_k] = p, o
690 723
724 if self.user_is_admin:
725 p = 'group.admin'
726 o = PermOrigin.SUPER_ADMIN
727 self.permissions_repository_groups[rg_k] = p, o
728
691 729 # user explicit permissions for repository groups
692 730 user_repo_groups_perms = Permission.get_default_group_perms(
693 731 self.user_id, self.scope_repo_group_id)
@@ -710,6 +748,11 b' class PermissionCalculator(object):'
710 748 o = PermOrigin.REPOGROUP_OWNER
711 749 self.permissions_repository_groups[rg_k] = p, o
712 750
751 if self.user_is_admin:
752 p = 'group.admin'
753 o = PermOrigin.SUPER_ADMIN
754 self.permissions_repository_groups[rg_k] = p, o
755
713 756 def _calculate_user_group_permissions(self):
714 757 """
715 758 User group permissions for the current user.
@@ -740,6 +783,11 b' class PermissionCalculator(object):'
740 783 o = PermOrigin.USERGROUP_OWNER
741 784 self.permissions_user_groups[ug_k] = p, o
742 785
786 if self.user_is_admin:
787 p = 'usergroup.admin'
788 o = PermOrigin.SUPER_ADMIN
789 self.permissions_user_groups[ug_k] = p, o
790
743 791 # user explicit permission for user groups
744 792 user_user_groups_perms = Permission.get_default_user_group_perms(
745 793 self.user_id, self.scope_user_group_id)
@@ -762,6 +810,11 b' class PermissionCalculator(object):'
762 810 o = PermOrigin.USERGROUP_OWNER
763 811 self.permissions_user_groups[ug_k] = p, o
764 812
813 if self.user_is_admin:
814 p = 'usergroup.admin'
815 o = PermOrigin.SUPER_ADMIN
816 self.permissions_user_groups[ug_k] = p, o
817
765 818 def _choose_permission(self, new_perm, cur_perm):
766 819 new_perm_val = Permission.PERM_WEIGHTS[new_perm]
767 820 cur_perm_val = Permission.PERM_WEIGHTS[cur_perm]
@@ -874,6 +927,11 b' class AuthUser(object):'
874 927 def permissions(self):
875 928 return self.get_perms(user=self, cache=False)
876 929
930 @LazyProperty
931 def permissions_full_details(self):
932 return self.get_perms(
933 user=self, cache=False, calculate_super_admin=True)
934
877 935 def permissions_with_scope(self, scope):
878 936 """
879 937 Call the get_perms function with scoped data. The scope in that function
@@ -957,7 +1015,7 b' class AuthUser(object):'
957 1015 log.debug('AuthUser: propagated user is now %s', self)
958 1016
959 1017 def get_perms(self, user, scope=None, explicit=True, algo='higherwin',
960 cache=False):
1018 calculate_super_admin=False, cache=False):
961 1019 """
962 1020 Fills user permission attribute with permissions taken from database
963 1021 works for permissions given for repositories, and for permissions that
@@ -984,7 +1042,8 b' class AuthUser(object):'
984 1042 'short_term', 'cache_desc',
985 1043 condition=cache, func=_cached_perms_data)
986 1044 result = compute(user_id, scope, user_is_admin,
987 user_inherit_default_permissions, explicit, algo)
1045 user_inherit_default_permissions, explicit, algo,
1046 calculate_super_admin)
988 1047
989 1048 result_repr = []
990 1049 for k in result:
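Review bot: In the `get_perms` hunk the new `calculate_super_admin=False` is inserted ahead of `cache=False`, so any caller that passes `cache` positionally as the fifth argument would now set `calculate_super_admin` instead and silently run uncached. The callers visible on this page use keywords, but the rest of the codebase is not shown. Appending the parameter keeps the old positional order: `def get_perms(self, user, scope=None, explicit=True, algo='higherwin', cache=False, calculate_super_admin=False):`. Separately, the `if self.user_is_admin:` override is pasted into nine places in `PermissionCalculator`, and the detailed view now comes from a different path than the `_admin_permissions()` short-circuit that `permissions` still uses. A small private helper that stamps `PermOrigin.SUPER_ADMIN` would make it harder for what the summary page shows and what is enforced to drift apart. The method bodies continue outside these hunks.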
@@ -1,5 +1,5 b''
1 1 ## permissions overview
2 2 <div id="perms_container">
3 3 <%namespace name="p" file="/base/perms_summary.mako"/>
4 ${p.perms_summary(c.perm_user.permissions, actions=False)}
4 ${p.perms_summary(c.perm_user.permissions_full_details, actions=False)}
5 5 </div>
@@ -2,4 +2,4 b''
2 2
3 3 ## permissions overview
4 4 <%namespace name="p" file="/base/perms_summary.mako"/>
5 ${p.perms_summary(c.perm_user.permissions, show_all=True)}
5 ${p.perms_summary(c.perm_user.permissions_full_details, show_all=True)}
@@ -1,3 +1,3 b''
1 1 ## permissions overview
2 2 <%namespace name="p" file="/base/perms_summary.mako"/>
3 ${p.perms_summary(c.perm_user.permissions, show_all=True, side_link=h.route_path('edit_user_perms_summary_json', user_id=c.user.user_id))}
3 ${p.perms_summary(c.perm_user.permissions_full_details, show_all=True, side_link=h.route_path('edit_user_perms_summary_json', user_id=c.user.user_id))}
@@ -79,6 +79,14 b' def test_cached_perms_data_with_admin_us'
79 79 assert permissions['repositories'][repo_name] == 'repository.admin'
80 80
81 81
82 def test_cached_perms_data_with_admin_user_extended_calculation(user_regular, backend_random):
83 permissions = get_permissions(user_regular, user_is_admin=True,
84 calculate_super_admin=True)
85 repo_name = backend_random.repo.repo_name
86 assert 'hg.admin' in permissions['global']
87 assert permissions['repositories'][repo_name] == 'repository.admin'
88
89
82 90 def test_cached_perms_data_user_group_global_permissions(user_util):
83 91 user, user_group = user_util.create_user_with_group()
84 92 user_group.inherit_default_permissions = False
@@ -559,6 +567,7 b' def get_permissions(user, **kwargs):'
559 567 'user_inherit_default_permissions': False,
560 568 'explicit': False,
561 569 'algo': 'higherwin',
570 'calculate_super_admin': False,
562 571 }
563 572 call_args.update(kwargs)
564 573 permissions = auth._cached_perms_data(**call_args)
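Review bot: The new test `test_cached_perms_data_with_admin_user_extended_calculation` checks only `hg.admin` and one repository, so nothing pins the extended calculation to the short-circuit result that is actually enforced for admins, and the repository-group and user-group overrides added in this commit are not exercised at all. A comparison against the default path would catch a loop that misses its override, for example `assert permissions['repositories'] == get_permissions(user_regular, user_is_admin=True)['repositories']`, repeated for the repository-group and user-group sections. This assumes the returned mappings compare by permission value, which is not visible on this page. A fixture that also creates a repository group and a user group would be needed for those sections to be non-empty.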