Show More
| @@ -1,4 +1,4 b'' | |||
|
|
1 |
# Copyright (C) 2011-202 |
|
|
|
1 | # Copyright (C) 2011-2024 RhodeCode GmbH | |
|
|
2 | 2 | # |
|
|
3 | 3 | # This program is free software: you can redistribute it and/or modify |
|
|
4 | 4 | # it under the terms of the GNU Affero General Public License, version 3 |
| @@ -30,7 +30,6 b' import time' | |||
|
|
30 | 30 | import traceback |
|
|
31 | 31 | import string |
|
|
32 | 32 | |
|
|
33 | from zope.cachedescriptors.property import Lazy as LazyProperty | |
|
|
34 | 33 | |
|
|
35 | 34 | from rhodecode import events |
|
|
36 | 35 | from rhodecode.model import BaseModel |
| @@ -38,7 +37,7 b' from rhodecode.model.db import (_hash_ke' | |||
|
|
38 | 37 | Session, RepoGroup, UserRepoGroupToPerm, User, Permission, UserGroupRepoGroupToPerm, |
|
|
39 | 38 | UserGroup, Repository) |
|
|
40 | 39 | from rhodecode.model.permission import PermissionModel |
|
|
41 |
from rhodecode.model.settings import |
|
|
|
40 | from rhodecode.model.settings import SettingsModel | |
|
|
42 | 41 | from rhodecode.lib.caching_query import FromCache |
|
|
43 | 42 | from rhodecode.lib.utils2 import action_logger_generic |
|
|
44 | 43 | |
| @@ -350,46 +349,45 b' class RepoGroupModel(BaseModel):' | |||
|
|
350 | 349 | 'default_user_changed': None |
|
|
351 | 350 | } |
|
|
352 | 351 | |
|
|
353 | def _set_perm_user(obj, user, perm): | |
|
|
354 | if isinstance(obj, RepoGroup): | |
|
|
355 | self.grant_user_permission( | |
|
|
356 |
|
|
|
|
357 | elif isinstance(obj, Repository): | |
|
|
352 | def _set_perm_user(_obj: RepoGroup | Repository, _user_obj: User, _perm): | |
|
|
353 | ||
|
|
354 | if isinstance(_obj, RepoGroup): | |
|
|
355 | self.grant_user_permission(repo_group=_obj, user=_user_obj, perm=_perm) | |
|
|
356 | elif isinstance(_obj, Repository): | |
|
|
358 | 357 | # private repos will not allow to change the default |
|
|
359 | 358 | # permissions using recursive mode |
|
|
360 | if obj.private and user == User.DEFAULT_USER: | |
|
|
359 | if _obj.private and _user_obj.username == User.DEFAULT_USER: | |
|
|
360 | log.debug('Skipping private repo %s for user %s', _obj, _user_obj) | |
|
|
361 | 361 | return |
|
|
362 | 362 | |
|
|
363 |
# we set group permission |
|
|
|
364 | # permission | |
|
|
365 | perm = perm.replace('group.', 'repository.') | |
|
|
366 | RepoModel().grant_user_permission( | |
|
|
367 | repo=obj, user=user, perm=perm) | |
|
|
363 | # we set group permission, we have to switch to repo permission definition | |
|
|
364 | new_perm = _perm.replace('group.', 'repository.') | |
|
|
365 | RepoModel().grant_user_permission(repo=_obj, user=_user_obj, perm=new_perm) | |
|
|
366 | ||
|
|
367 | def _set_perm_group(_obj: RepoGroup | Repository, users_group: UserGroup, _perm): | |
|
|
368 | if isinstance(_obj, RepoGroup): | |
|
|
369 | self.grant_user_group_permission(repo_group=_obj, group_name=users_group, perm=_perm) | |
|
|
370 | elif isinstance(_obj, Repository): | |
|
|
371 | # we set group permission, we have to switch to repo permission definition | |
|
|
372 | new_perm = _perm.replace('group.', 'repository.') | |
|
|
373 | RepoModel().grant_user_group_permission(repo=_obj, group_name=users_group, perm=new_perm) | |
|
|
368 | 374 | |
|
|
369 | def _set_perm_group(obj, users_group, perm): | |
|
|
370 | if isinstance(obj, RepoGroup): | |
|
|
371 |
self. |
|
|
|
372 | repo_group=obj, group_name=users_group, perm=perm) | |
|
|
373 | elif isinstance(obj, Repository): | |
|
|
374 | # we set group permission but we have to switch to repo | |
|
|
375 | # permission | |
|
|
376 | perm = perm.replace('group.', 'repository.') | |
|
|
377 | RepoModel().grant_user_group_permission( | |
|
|
378 | repo=obj, group_name=users_group, perm=perm) | |
|
|
375 | def _revoke_perm_user(_obj: RepoGroup | Repository, _user_obj: User): | |
|
|
376 | if isinstance(_obj, RepoGroup): | |
|
|
377 | self.revoke_user_permission(repo_group=_obj, user=_user_obj) | |
|
|
378 | elif isinstance(_obj, Repository): | |
|
|
379 | # private repos will not allow to change the default | |
|
|
380 | # permissions using recursive mode, also there's no revocation fo default user, just update | |
|
|
381 | if _user_obj.username == User.DEFAULT_USER: | |
|
|
382 | log.debug('Skipping private repo %s for user %s', _obj, _user_obj) | |
|
|
383 | return | |
|
|
384 | RepoModel().revoke_user_permission(repo=_obj, user=_user_obj) | |
|
|
379 | 385 | |
|
|
380 |
def _revoke_perm_ |
|
|
|
381 | if isinstance(obj, RepoGroup): | |
|
|
382 |
self.revoke_user_permission(repo_group=obj, |
|
|
|
383 | elif isinstance(obj, Repository): | |
|
|
384 |
RepoModel().revoke_user_permission(repo=obj, |
|
|
|
385 | ||
|
|
386 | def _revoke_perm_group(obj, user_group): | |
|
|
387 | if isinstance(obj, RepoGroup): | |
|
|
388 | self.revoke_user_group_permission( | |
|
|
389 | repo_group=obj, group_name=user_group) | |
|
|
390 | elif isinstance(obj, Repository): | |
|
|
391 | RepoModel().revoke_user_group_permission( | |
|
|
392 | repo=obj, group_name=user_group) | |
|
|
386 | def _revoke_perm_group(_obj: RepoGroup | Repository, user_group: UserGroup): | |
|
|
387 | if isinstance(_obj, RepoGroup): | |
|
|
388 | self.revoke_user_group_permission(repo_group=_obj, group_name=user_group) | |
|
|
389 | elif isinstance(_obj, Repository): | |
|
|
390 | RepoModel().revoke_user_group_permission(repo=_obj, group_name=user_group) | |
|
|
393 | 391 | |
|
|
394 | 392 | # start updates |
|
|
395 | 393 | log.debug('Now updating permissions for %s in recursive mode:%s', |
| @@ -423,7 +421,8 b' class RepoGroupModel(BaseModel):' | |||
|
|
423 | 421 | for member_id, perm, member_type in perm_updates: |
|
|
424 | 422 | member_id = int(member_id) |
|
|
425 | 423 | if member_type == 'user': |
|
|
426 |
member_ |
|
|
|
424 | member_obj = User.get(member_id) | |
|
|
425 | member_name = member_obj.username | |
|
|
427 | 426 | if isinstance(obj, RepoGroup) and obj == repo_group and member_name == User.DEFAULT_USER: |
|
|
428 | 427 | # NOTE(dan): detect if we changed permissions for default user |
|
|
429 | 428 | perm_obj = self.sa.query(UserRepoGroupToPerm) \ |
| @@ -434,15 +433,16 b' class RepoGroupModel(BaseModel):' | |||
|
|
434 | 433 | changes['default_user_changed'] = True |
|
|
435 | 434 | |
|
|
436 | 435 | # this updates also current one if found |
|
|
437 |
_set_perm_user(obj, |
|
|
|
436 | _set_perm_user(obj, member_obj, perm) | |
|
|
438 | 437 | elif member_type == 'user_group': |
|
|
439 |
member_ |
|
|
|
440 | if not check_perms or has_group_perm(member_name, | |
|
|
441 | user=cur_user): | |
|
|
442 |
_set_perm_group(obj, |
|
|
|
438 | member_obj = UserGroup.get(member_id) | |
|
|
439 | member_name = member_obj.users_group_name | |
|
|
440 | if not check_perms or has_group_perm(member_name, user=cur_user): | |
|
|
441 | _set_perm_group(obj, member_obj, perm) | |
|
|
443 | 442 | else: |
|
|
444 |
raise ValueError( |
|
|
|
445 | "got {} instead".format(member_type)) | |
|
|
443 | raise ValueError( | |
|
|
444 | f"member_type must be 'user' or 'user_group' got {member_type} instead" | |
|
|
445 | ) | |
|
|
446 | 446 | |
|
|
447 | 447 | changes['updated'].append( |
|
|
448 | 448 | {'change_obj': change_obj, 'type': member_type, |
| @@ -452,17 +452,19 b' class RepoGroupModel(BaseModel):' | |||
|
|
452 | 452 | for member_id, perm, member_type in perm_additions: |
|
|
453 | 453 | member_id = int(member_id) |
|
|
454 | 454 | if member_type == 'user': |
|
|
455 |
member_ |
|
|
|
456 | _set_perm_user(obj, user=member_id, perm=perm) | |
|
|
455 | member_obj = User.get(member_id) | |
|
|
456 | member_name = member_obj.username | |
|
|
457 | _set_perm_user(obj, member_obj, perm) | |
|
|
457 | 458 | elif member_type == 'user_group': |
|
|
458 | 459 | # check if we have permissions to alter this usergroup |
|
|
459 |
member_ |
|
|
|
460 | if not check_perms or has_group_perm(member_name, | |
|
|
461 | user=cur_user): | |
|
|
462 |
_set_perm_group(obj, |
|
|
|
460 | member_obj = UserGroup.get(member_id) | |
|
|
461 | member_name = member_obj.users_group_name | |
|
|
462 | if not check_perms or has_group_perm(member_name, user=cur_user): | |
|
|
463 | _set_perm_group(obj, member_obj, perm) | |
|
|
463 | 464 | else: |
|
|
464 |
raise ValueError( |
|
|
|
465 | "got {} instead".format(member_type)) | |
|
|
465 | raise ValueError( | |
|
|
466 | f"member_type must be 'user' or 'user_group' got {member_type} instead" | |
|
|
467 | ) | |
|
|
466 | 468 | |
|
|
467 | 469 | changes['added'].append( |
|
|
468 | 470 | {'change_obj': change_obj, 'type': member_type, |
| @@ -472,18 +474,19 b' class RepoGroupModel(BaseModel):' | |||
|
|
472 | 474 | for member_id, perm, member_type in perm_deletions: |
|
|
473 | 475 | member_id = int(member_id) |
|
|
474 | 476 | if member_type == 'user': |
|
|
475 |
member_ |
|
|
|
476 | _revoke_perm_user(obj, user=member_id) | |
|
|
477 | member_obj = User.get(member_id) | |
|
|
478 | member_name = member_obj.username | |
|
|
479 | _revoke_perm_user(obj, member_obj) | |
|
|
477 | 480 | elif member_type == 'user_group': |
|
|
478 | 481 | # check if we have permissions to alter this usergroup |
|
|
479 |
member_ |
|
|
|
480 | if not check_perms or has_group_perm(member_name, | |
|
|
481 | user=cur_user): | |
|
|
482 |
_revoke_perm_group(obj, |
|
|
|
482 | member_obj = UserGroup.get(member_id) | |
|
|
483 | member_name = member_obj.users_group_name | |
|
|
484 | if not check_perms or has_group_perm(member_name, user=cur_user): | |
|
|
485 | _revoke_perm_group(obj, member_obj) | |
|
|
483 | 486 | else: |
|
|
484 |
raise ValueError( |
|
|
|
485 | "got {} instead".format(member_type)) | |
|
|
486 | ||
|
|
487 | raise ValueError( | |
|
|
488 | f"member_type must be 'user' or 'user_group' got {member_type} instead" | |
|
|
489 | ) | |
|
|
487 | 490 | changes['deleted'].append( |
|
|
488 | 491 | {'change_obj': change_obj, 'type': member_type, |
|
|
489 | 492 | 'id': member_id, 'name': member_name, 'new_perm': perm}) |
General Comments 0
You need to be logged in to leave comments.
Login now