##// END OF EJS Templates
permissions: fixed problem with permissions changes from permission page
marcink -
r4334:b3a3408e default
parent child Browse files
Show More
@@ -1,135 +1,140 b''
1 1 # -*- coding: utf-8 -*-
2 2
3 3 # Copyright (C) 2011-2020 RhodeCode GmbH
4 4 #
5 5 # This program is free software: you can redistribute it and/or modify
6 6 # it under the terms of the GNU Affero General Public License, version 3
7 7 # (only), as published by the Free Software Foundation.
8 8 #
9 9 # This program is distributed in the hope that it will be useful,
10 10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 12 # GNU General Public License for more details.
13 13 #
14 14 # You should have received a copy of the GNU Affero General Public License
15 15 # along with this program. If not, see <http://www.gnu.org/licenses/>.
16 16 #
17 17 # This program is dual-licensed. If you wish to learn more about the
18 18 # RhodeCode Enterprise Edition, including its added features, Support services,
19 19 # and proprietary license terms, please see https://rhodecode.com/licenses/
20 20
21 21 import logging
22 22
23 23 from pyramid.httpexceptions import HTTPFound
24 24 from pyramid.view import view_config
25 25
26 26 from rhodecode.apps._base import RepoAppView
27 27 from rhodecode.lib import helpers as h
28 28 from rhodecode.lib import audit_logger
29 29 from rhodecode.lib.auth import (
30 30 LoginRequired, HasRepoPermissionAnyDecorator, CSRFRequired)
31 31 from rhodecode.lib.utils2 import str2bool
32 32 from rhodecode.model.db import User
33 33 from rhodecode.model.forms import RepoPermsForm
34 34 from rhodecode.model.meta import Session
35 35 from rhodecode.model.permission import PermissionModel
36 36 from rhodecode.model.repo import RepoModel
37 37
38 38 log = logging.getLogger(__name__)
39 39
40 40
41 41 class RepoSettingsPermissionsView(RepoAppView):
42 42
43 43 def load_default_context(self):
44 44 c = self._get_local_tmpl_context()
45 45 return c
46 46
47 47 @LoginRequired()
48 48 @HasRepoPermissionAnyDecorator('repository.admin')
49 49 @view_config(
50 50 route_name='edit_repo_perms', request_method='GET',
51 51 renderer='rhodecode:templates/admin/repos/repo_edit.mako')
52 52 def edit_permissions(self):
53 53 _ = self.request.translate
54 54 c = self.load_default_context()
55 55 c.active = 'permissions'
56 56 if self.request.GET.get('branch_permissions'):
57 57 h.flash(_('Explicitly add user or user group with write+ '
58 58 'permission to modify their branch permissions.'),
59 59 category='notice')
60 60 return self._get_template_context(c)
61 61
62 62 @LoginRequired()
63 63 @HasRepoPermissionAnyDecorator('repository.admin')
64 64 @CSRFRequired()
65 65 @view_config(
66 66 route_name='edit_repo_perms', request_method='POST',
67 67 renderer='rhodecode:templates/admin/repos/repo_edit.mako')
68 68 def edit_permissions_update(self):
69 69 _ = self.request.translate
70 70 c = self.load_default_context()
71 71 c.active = 'permissions'
72 72 data = self.request.POST
73 73 # store private flag outside of HTML to verify if we can modify
74 74 # default user permissions, prevents submission of FAKE post data
75 75 # into the form for private repos
76 76 data['repo_private'] = self.db_repo.private
77 77 form = RepoPermsForm(self.request.translate)().to_python(data)
78 78 changes = RepoModel().update_permissions(
79 79 self.db_repo_name, form['perm_additions'], form['perm_updates'],
80 80 form['perm_deletions'])
81 81
82 82 action_data = {
83 83 'added': changes['added'],
84 84 'updated': changes['updated'],
85 85 'deleted': changes['deleted'],
86 86 }
87 87 audit_logger.store_web(
88 88 'repo.edit.permissions', action_data=action_data,
89 89 user=self._rhodecode_user, repo=self.db_repo)
90 90
91 91 Session().commit()
92 92 h.flash(_('Repository access permissions updated'), category='success')
93 93
94 94 affected_user_ids = None
95 95 if changes.get('default_user_changed', False):
96 96 # if we change the default user, we need to flush everyone permissions
97 97 affected_user_ids = User.get_all_user_ids()
98 98 PermissionModel().flush_user_permission_caches(
99 99 changes, affected_user_ids=affected_user_ids)
100 100
101 101 raise HTTPFound(
102 102 h.route_path('edit_repo_perms', repo_name=self.db_repo_name))
103 103
104 104 @LoginRequired()
105 105 @HasRepoPermissionAnyDecorator('repository.admin')
106 106 @CSRFRequired()
107 107 @view_config(
108 108 route_name='edit_repo_perms_set_private', request_method='POST',
109 109 renderer='json_ext')
110 110 def edit_permissions_set_private_repo(self):
111 111 _ = self.request.translate
112 112 self.load_default_context()
113 113
114 114 private_flag = str2bool(self.request.POST.get('private'))
115 115
116 116 try:
117 RepoModel().update(
118 self.db_repo, **{'repo_private': private_flag, 'repo_name': self.db_repo_name})
117 repo = RepoModel().get(self.db_repo.repo_id)
118 repo.private = private_flag
119 Session().add(repo)
120 RepoModel().grant_user_permission(
121 repo=self.db_repo, user=User.DEFAULT_USER, perm='repository.none'
122 )
123
119 124 Session().commit()
120 125
121 126 h.flash(_('Repository `{}` private mode set successfully').format(self.db_repo_name),
122 127 category='success')
128 # NOTE(dan): we change repo private mode we need to notify all USERS
129 affected_user_ids = User.get_all_user_ids()
130 PermissionModel().trigger_permission_flush(affected_user_ids)
131
123 132 except Exception:
124 133 log.exception("Exception during update of repository")
125 134 h.flash(_('Error occurred during update of repository {}').format(
126 135 self.db_repo_name), category='error')
127 136
128 # NOTE(dan): we change repo private mode we need to notify all USERS
129 affected_user_ids = User.get_all_user_ids()
130 PermissionModel().trigger_permission_flush(affected_user_ids)
131
132 137 return {
133 138 'redirect_url': h.route_path('edit_repo_perms', repo_name=self.db_repo_name),
134 139 'private': private_flag
135 140 }
@@ -1,232 +1,239 b''
1 1 <%namespace name="base" file="/base/base.mako"/>
2 2
3 3 <div class="panel panel-default">
4 4 <div class="panel-heading">
5 5 <h3 class="panel-title">${_('Repository Access Permissions')}</h3>
6 6 </div>
7 7 <div class="panel-body">
8 8 ${h.secure_form(h.route_path('edit_repo_perms', repo_name=c.repo_name), request=request)}
9 9 <table id="permissions_manage" class="rctable permissions">
10 10 <tr>
11 11 <th class="td-radio">${_('None')}</th>
12 12 <th class="td-radio">${_('Read')}</th>
13 13 <th class="td-radio">${_('Write')}</th>
14 14 <th class="td-radio">${_('Admin')}</th>
15 15 <th class="td-owner">${_('User/User Group')}</th>
16 16 <th class="td-action"></th>
17 17 <th class="td-action"></th>
18 18 </tr>
19 19 ## USERS
20 20 %for _user in c.rhodecode_db_repo.permissions():
21 21 %if getattr(_user, 'admin_row', None) or getattr(_user, 'owner_row', None):
22 22 <tr class="perm_admin_row">
23 23 <td class="td-radio">${h.radio('admin_perm_%s' % _user.user_id,'repository.none', disabled="disabled")}</td>
24 24 <td class="td-radio">${h.radio('admin_perm_%s' % _user.user_id,'repository.read', disabled="disabled")}</td>
25 25 <td class="td-radio">${h.radio('admin_perm_%s' % _user.user_id,'repository.write', disabled="disabled")}</td>
26 26 <td class="td-radio">${h.radio('admin_perm_%s' % _user.user_id,'repository.admin', 'repository.admin', disabled="disabled")}</td>
27 27 <td class="td-user">
28 28 ${base.gravatar(_user.email, 16, user=_user, tooltip=True)}
29 29 ${h.link_to_user(_user.username)}
30 30 %if getattr(_user, 'admin_row', None):
31 31 (${_('super-admin')})
32 32 %endif
33 33 %if getattr(_user, 'owner_row', None):
34 34 (${_('owner')})
35 35 %endif
36 36 </td>
37 37 <td></td>
38 38 <td class="quick_repo_menu">
39 39 % if c.rhodecode_user.is_admin:
40 40 <i class="icon-more"></i>
41 41 <div class="menu_items_container" style="display: none;">
42 42 <ul class="menu_items">
43 43 <li>
44 44 ${h.link_to('show permissions', h.route_path('edit_user_perms_summary', user_id=_user.user_id, _anchor='repositories-permissions'))}
45 45 </li>
46 46 </ul>
47 47 </div>
48 48 % endif
49 49 </td>
50 50 </tr>
51 51 %elif _user.username == h.DEFAULT_USER and c.rhodecode_db_repo.private:
52 52 <tr>
53 53 <td colspan="4">
54 54 <span class="private_repo_msg">
55 55 <strong title="${h.tooltip(_user.permission)}">${_('private repository')}</strong>
56 56 </span>
57 57 </td>
58 58 <td class="private_repo_msg">
59 59 ${base.gravatar(h.DEFAULT_USER_EMAIL, 16)}
60 60 ${h.DEFAULT_USER} - ${_('only users/user groups explicitly added here will have access')}</td>
61 61 <td class="td-action">
62 <span class="tooltip btn btn-link btn-default" onclick="setPrivateRepo(false); return false" title="${_('Private repositories are only visible to people explicitly added as collaborators. Default permissions wont apply')}">
62 <span class="noselect tooltip btn btn-link btn-default" onclick="setPrivateRepo(this, false); return false" title="${_('Private repositories are only visible to people explicitly added as collaborators. Default permissions wont apply')}">
63 63 ${_('un-set private mode')}
64 64 </span>
65 65 </td>
66 66 <td class="quick_repo_menu">
67 67 % if c.rhodecode_user.is_admin:
68 68 <i class="icon-more"></i>
69 69 <div class="menu_items_container" style="display: none;">
70 70 <ul class="menu_items">
71 71 <li>
72 72 ${h.link_to('show permissions', h.route_path('admin_permissions_overview', _anchor='repositories-permissions'))}
73 73 </li>
74 74 </ul>
75 75 </div>
76 76 % endif
77 77 </td>
78 78 </tr>
79 79 %else:
80 80 <% used_by_n_rules = len(getattr(_user, 'branch_rules', None) or []) %>
81 81 <tr>
82 82 <td class="td-radio">${h.radio('u_perm_%s' % _user.user_id,'repository.none', checked=_user.permission=='repository.none', disabled="disabled" if (used_by_n_rules and _user.username != h.DEFAULT_USER) else None)}</td>
83 83 <td class="td-radio">${h.radio('u_perm_%s' % _user.user_id,'repository.read', checked=_user.permission=='repository.read', disabled="disabled" if (used_by_n_rules and _user.username != h.DEFAULT_USER) else None)}</td>
84 84 <td class="td-radio">${h.radio('u_perm_%s' % _user.user_id,'repository.write', checked=_user.permission=='repository.write')}</td>
85 85 <td class="td-radio">${h.radio('u_perm_%s' % _user.user_id,'repository.admin', checked=_user.permission=='repository.admin')}</td>
86 86 <td class="td-user">
87 87 ${base.gravatar(_user.email, 16, user=_user, tooltip=True)}
88 88 <span class="user">
89 89 % if _user.username == h.DEFAULT_USER:
90 90 ${h.DEFAULT_USER}
91 91 % if _user.active:
92 92 <span class="user-perm-help-text"> - ${_('permission for other logged in and anonymous users')}</span>
93 93 % else:
94 94 <span class="user-perm-help-text"> - ${_('permission for other logged in users')}</span>
95 95 % endif
96 96 % else:
97 97 ${h.link_to_user(_user.username)}
98 98 %if getattr(_user, 'duplicate_perm', None):
99 99 (${_('inactive duplicate')})
100 100 %endif
101 101 %if getattr(_user, 'branch_rules', None):
102 102 % if used_by_n_rules == 1:
103 103 (${_('used by {} branch rule, requires write+ permissions').format(used_by_n_rules)})
104 104 % else:
105 105 (${_('used by {} branch rules, requires write+ permissions').format(used_by_n_rules)})
106 106 % endif
107 107 %endif
108 108 % endif
109 109 </span>
110 110 </td>
111 111 <td class="td-action">
112 112 %if _user.username != h.DEFAULT_USER and getattr(_user, 'branch_rules', None) is None:
113 113 <span class="btn btn-link btn-danger revoke_perm"
114 114 member="${_user.user_id}" member_type="user">
115 115 ${_('Remove')}
116 116 </span>
117 117 %elif _user.username == h.DEFAULT_USER:
118 <span class="tooltip btn btn-link btn-default" onclick="setPrivateRepo(true); return false" title="${_('Private repositories are only visible to people explicitly added as collaborators. Default permissions wont apply')}">
118 <span class="noselect tooltip btn btn-link btn-default" onclick="setPrivateRepo(this, true); return false" title="${_('Private repositories are only visible to people explicitly added as collaborators. Default permissions wont apply')}">
119 119 ${_('set private mode')}
120 120 </span>
121 121 %endif
122 122 </td>
123 123 <td class="quick_repo_menu">
124 124 % if c.rhodecode_user.is_admin:
125 125 <i class="icon-more"></i>
126 126 <div class="menu_items_container" style="display: none;">
127 127 <ul class="menu_items">
128 128 <li>
129 129 % if _user.username == h.DEFAULT_USER:
130 130 ${h.link_to('show permissions', h.route_path('admin_permissions_overview', _anchor='repositories-permissions'))}
131 131 % else:
132 132 ${h.link_to('show permissions', h.route_path('edit_user_perms_summary', user_id=_user.user_id, _anchor='repositories-permissions'))}
133 133 % endif
134 134 </li>
135 135 </ul>
136 136 </div>
137 137 % endif
138 138 </td>
139 139 </tr>
140 140 %endif
141 141 %endfor
142 142
143 143 ## USER GROUPS
144 144 %for _user_group in c.rhodecode_db_repo.permission_user_groups(with_members=True):
145 145 <tr>
146 146 <td class="td-radio">${h.radio('g_perm_%s' % _user_group.users_group_id,'repository.none', checked=_user_group.permission=='repository.none')}</td>
147 147 <td class="td-radio">${h.radio('g_perm_%s' % _user_group.users_group_id,'repository.read', checked=_user_group.permission=='repository.read')}</td>
148 148 <td class="td-radio">${h.radio('g_perm_%s' % _user_group.users_group_id,'repository.write', checked=_user_group.permission=='repository.write')}</td>
149 149 <td class="td-radio">${h.radio('g_perm_%s' % _user_group.users_group_id,'repository.admin', checked=_user_group.permission=='repository.admin')}</td>
150 150 <td class="td-componentname">
151 151 ${base.user_group_icon(_user_group, tooltip=True)}
152 152 %if c.is_super_admin:
153 153 <a href="${h.route_path('edit_user_group',user_group_id=_user_group.users_group_id)}">
154 154 ${_user_group.users_group_name}
155 155 </a>
156 156 %else:
157 157 ${h.link_to_group(_user_group.users_group_name)}
158 158 %endif
159 159 (${_('members')}: ${len(_user_group.members)})
160 160 </td>
161 161 <td class="td-action">
162 162 <span class="btn btn-link btn-danger revoke_perm"
163 163 member="${_user_group.users_group_id}" member_type="user_group">
164 164 ${_('Remove')}
165 165 </span>
166 166 </td>
167 167 <td class="quick_repo_menu">
168 168 % if c.rhodecode_user.is_admin:
169 169 <i class="icon-more"></i>
170 170 <div class="menu_items_container" style="display: none;">
171 171 <ul class="menu_items">
172 172 <li>
173 173 ${h.link_to('show permissions', h.route_path('edit_user_group_perms_summary', user_group_id=_user_group.users_group_id, _anchor='repositories-permissions'))}
174 174 </li>
175 175 </ul>
176 176 </div>
177 177 % endif
178 178 </td>
179 179 </tr>
180 180 %endfor
181 181 <tr class="new_members" id="add_perm_input"></tr>
182 182
183 183 <tr>
184 184 <td></td>
185 185 <td></td>
186 186 <td></td>
187 187 <td></td>
188 188 <td></td>
189 189 <td>
190 190 <span id="add_perm" class="link">
191 191 ${_('Add user/user group')}
192 192 </span>
193 193 </td>
194 194 <td></td>
195 195 </tr>
196 196
197 197 </table>
198 198
199 199 <div class="buttons">
200 200 ${h.submit('save',_('Save'),class_="btn btn-primary")}
201 201 ${h.reset('reset',_('Reset'),class_="btn btn-danger")}
202 202 </div>
203 203 ${h.end_form()}
204 204 </div>
205 205 </div>
206 206
207 207 <script type="text/javascript">
208 208 $('#add_perm').on('click', function(e){
209 209 addNewPermInput($(this), 'repository');
210 210 });
211 211 $('.revoke_perm').on('click', function(e){
212 212 markRevokePermInput($(this), 'repository');
213 213 });
214 214 quick_repo_menu();
215 215
216 var setPrivateRepo = function (private) {
216 var setPrivateRepo = function (elem, private) {
217 var $elem = $(elem)
218 if ($elem.hasClass('disabled')) {
219 return
220 }
221 $elem.addClass('disabled');
222 $elem.css({"opacity": 0.3})
223
217 224 var postData = {
218 225 'csrf_token': CSRF_TOKEN,
219 226 'private': private
220 227 };
221 228
222 229 var success = function(o) {
223 230 var defaultUrl = pyroutes.url('edit_repo_perms', {"repo_name": templateContext.repo_name});
224 231 window.location = o.redirect_url || defaultUrl;
225 232 };
226 233
227 234 ajaxPOST(
228 235 pyroutes.url('edit_repo_perms_set_private', {"repo_name": templateContext.repo_name}),
229 236 postData,
230 237 success);
231 238 }
232 239 </script>
General Comments 0
You need to be logged in to leave comments. Login now