##// END OF EJS Templates
rhodecode-enterprise-ce
RSS
api: user-group api docs update
marcink -
r3864:d2ea15f3 default
parent child Browse files
Show More
Show file before | Show file after | Hide comments
@@ -1,895 +1,899 b''
1 1 # -*- coding: utf-8 -*-
2 2
3 3 # Copyright (C) 2011-2019 RhodeCode GmbH
4 4 #
5 5 # This program is free software: you can redistribute it and/or modify
6 6 # it under the terms of the GNU Affero General Public License, version 3
7 7 # (only), as published by the Free Software Foundation.
8 8 #
9 9 # This program is distributed in the hope that it will be useful,
10 10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 12 # GNU General Public License for more details.
13 13 #
14 14 # You should have received a copy of the GNU Affero General Public License
15 15 # along with this program. If not, see <http://www.gnu.org/licenses/>.
16 16 #
17 17 # This program is dual-licensed. If you wish to learn more about the
18 18 # RhodeCode Enterprise Edition, including its added features, Support services,
19 19 # and proprietary license terms, please see https://rhodecode.com/licenses/
20 20
21 21 import logging
22 22
23 23 from rhodecode.api import (
24 24 jsonrpc_method, JSONRPCError, JSONRPCForbidden, JSONRPCValidationError)
25 25 from rhodecode.api.utils import (
26 26 Optional, OAttr, store_update, has_superadmin_permission, get_origin,
27 27 get_user_or_error, get_user_group_or_error, get_perm_or_error)
28 28 from rhodecode.lib import audit_logger
29 29 from rhodecode.lib.auth import HasUserGroupPermissionAnyApi, HasPermissionAnyApi
30 30 from rhodecode.lib.exceptions import UserGroupAssignedException
31 31 from rhodecode.model.db import Session
32 32 from rhodecode.model.scm import UserGroupList
33 33 from rhodecode.model.user_group import UserGroupModel
34 34 from rhodecode.model import validation_schema
35 35 from rhodecode.model.validation_schema.schemas import user_group_schema
36 36
37 37 log = logging.getLogger(__name__)
38 38
39 39
40 40 @jsonrpc_method()
41 41 def get_user_group(request, apiuser, usergroupid):
42 42 """
43 43 Returns the data of an existing user group.
44 44
45 45 This command can only be run using an |authtoken| with admin rights to
46 46 the specified repository.
47 47
48 48 :param apiuser: This is filled automatically from the |authtoken|.
49 49 :type apiuser: AuthUser
50 50 :param usergroupid: Set the user group from which to return data.
51 51 :type usergroupid: str or int
52 52
53 53 Example error output:
54 54
55 55 .. code-block:: bash
56 56
57 57 {
58 58 "error": null,
59 59 "id": <id>,
60 60 "result": {
61 61 "active": true,
62 62 "group_description": "group description",
63 63 "group_name": "group name",
64 64 "permissions": [
65 65 {
66 66 "name": "owner-name",
67 67 "origin": "owner",
68 68 "permission": "usergroup.admin",
69 69 "type": "user"
70 70 },
71 71 {
72 72 {
73 73 "name": "user name",
74 74 "origin": "permission",
75 75 "permission": "usergroup.admin",
76 76 "type": "user"
77 77 },
78 78 {
79 79 "name": "user group name",
80 80 "origin": "permission",
81 81 "permission": "usergroup.write",
82 82 "type": "user_group"
83 83 }
84 84 ],
85 85 "permissions_summary": {
86 86 "repositories": {
87 87 "aa-root-level-repo-1": "repository.admin"
88 88 },
89 89 "repositories_groups": {}
90 90 },
91 91 "owner": "owner name",
92 92 "users": [],
93 93 "users_group_id": 2
94 94 }
95 95 }
96 96
97 97 """
98 98
99 99 user_group = get_user_group_or_error(usergroupid)
100 100 if not has_superadmin_permission(apiuser):
101 101 # check if we have at least read permission for this user group !
102 102 _perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin',)
103 103 if not HasUserGroupPermissionAnyApi(*_perms)(
104 104 user=apiuser, user_group_name=user_group.users_group_name):
105 105 raise JSONRPCError('user group `%s` does not exist' % (
106 106 usergroupid,))
107 107
108 108 permissions = []
109 109 for _user in user_group.permissions():
110 110 user_data = {
111 111 'name': _user.username,
112 112 'permission': _user.permission,
113 113 'origin': get_origin(_user),
114 114 'type': "user",
115 115 }
116 116 permissions.append(user_data)
117 117
118 118 for _user_group in user_group.permission_user_groups():
119 119 user_group_data = {
120 120 'name': _user_group.users_group_name,
121 121 'permission': _user_group.permission,
122 122 'origin': get_origin(_user_group),
123 123 'type': "user_group",
124 124 }
125 125 permissions.append(user_group_data)
126 126
127 127 data = user_group.get_api_data()
128 128 data["permissions"] = permissions
129 129 data["permissions_summary"] = UserGroupModel().get_perms_summary(
130 130 user_group.users_group_id)
131 131 return data
132 132
133 133
134 134 @jsonrpc_method()
135 135 def get_user_groups(request, apiuser):
136 136 """
137 137 Lists all the existing user groups within RhodeCode.
138 138
139 139 This command can only be run using an |authtoken| with admin rights to
140 140 the specified repository.
141 141
142 142 This command takes the following options:
143 143
144 144 :param apiuser: This is filled automatically from the |authtoken|.
145 145 :type apiuser: AuthUser
146 146
147 147 Example error output:
148 148
149 149 .. code-block:: bash
150 150
151 151 id : <id_given_in_input>
152 152 result : [<user_group_obj>,...]
153 153 error : null
154 154 """
155 155
156 156 include_secrets = has_superadmin_permission(apiuser)
157 157
158 158 result = []
159 159 _perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin',)
160 160 extras = {'user': apiuser}
161 161 for user_group in UserGroupList(UserGroupModel().get_all(),
162 162 perm_set=_perms, extra_kwargs=extras):
163 163 result.append(
164 164 user_group.get_api_data(include_secrets=include_secrets))
165 165 return result
166 166
167 167
168 168 @jsonrpc_method()
169 169 def create_user_group(
170 170 request, apiuser, group_name, description=Optional(''),
171 171 owner=Optional(OAttr('apiuser')), active=Optional(True),
172 172 sync=Optional(None)):
173 173 """
174 174 Creates a new user group.
175 175
176 176 This command can only be run using an |authtoken| with admin rights to
177 177 the specified repository.
178 178
179 179 This command takes the following options:
180 180
181 181 :param apiuser: This is filled automatically from the |authtoken|.
182 182 :type apiuser: AuthUser
183 183 :param group_name: Set the name of the new user group.
184 184 :type group_name: str
185 185 :param description: Give a description of the new user group.
186 186 :type description: str
187 187 :param owner: Set the owner of the new user group.
188 188 If not set, the owner is the |authtoken| user.
189 189 :type owner: Optional(str or int)
190 190 :param active: Set this group as active.
191 191 :type active: Optional(``True`` | ``False``)
192 192 :param sync: Set enabled or disabled the automatically sync from
193 external authentication types like ldap.
193 external authentication types like ldap. If User Group will be named like
194 one from e.g ldap and sync flag is enabled members will be synced automatically.
195 Sync type when enabled via API is set to `manual_api`
194 196 :type sync: Optional(``True`` | ``False``)
195 197
196 198 Example output:
197 199
198 200 .. code-block:: bash
199 201
200 202 id : <id_given_in_input>
201 203 result: {
202 204 "msg": "created new user group `<groupname>`",
203 205 "user_group": <user_group_object>
204 206 }
205 207 error: null
206 208
207 209 Example error output:
208 210
209 211 .. code-block:: bash
210 212
211 213 id : <id_given_in_input>
212 214 result : null
213 215 error : {
214 216 "user group `<group name>` already exist"
215 217 or
216 218 "failed to create group `<group name>`"
217 219 }
218 220
219 221 """
220 222
221 223 if not has_superadmin_permission(apiuser):
222 224 if not HasPermissionAnyApi('hg.usergroup.create.true')(user=apiuser):
223 225 raise JSONRPCForbidden()
224 226
225 227 if UserGroupModel().get_by_name(group_name):
226 228 raise JSONRPCError("user group `%s` already exist" % (group_name,))
227 229
228 230 if isinstance(owner, Optional):
229 231 owner = apiuser.user_id
230 232
231 233 owner = get_user_or_error(owner)
232 234 active = Optional.extract(active)
233 235 description = Optional.extract(description)
234 236 sync = Optional.extract(sync)
235 237
236 238 # set the sync option based on group_data
237 239 group_data = None
238 240 if sync:
239 241 group_data = {
240 242 'extern_type': 'manual_api',
241 243 'extern_type_set_by': apiuser.username
242 244 }
243 245
244 246 schema = user_group_schema.UserGroupSchema().bind(
245 247 # user caller
246 248 user=apiuser)
247 249 try:
248 250 schema_data = schema.deserialize(dict(
249 251 user_group_name=group_name,
250 252 user_group_description=description,
251 253 user_group_owner=owner.username,
252 254 user_group_active=active,
253 255 ))
254 256 except validation_schema.Invalid as err:
255 257 raise JSONRPCValidationError(colander_exc=err)
256 258
257 259 try:
258 260 user_group = UserGroupModel().create(
259 261 name=schema_data['user_group_name'],
260 262 description=schema_data['user_group_description'],
261 263 owner=owner,
262 264 active=schema_data['user_group_active'], group_data=group_data)
263 265 Session().flush()
264 266 creation_data = user_group.get_api_data()
265 267 audit_logger.store_api(
266 268 'user_group.create', action_data={'data': creation_data},
267 269 user=apiuser)
268 270 Session().commit()
269 271 return {
270 272 'msg': 'created new user group `%s`' % group_name,
271 273 'user_group': creation_data
272 274 }
273 275 except Exception:
274 276 log.exception("Error occurred during creation of user group")
275 277 raise JSONRPCError('failed to create group `%s`' % (group_name,))
276 278
277 279
278 280 @jsonrpc_method()
279 281 def update_user_group(request, apiuser, usergroupid, group_name=Optional(''),
280 282 description=Optional(''), owner=Optional(None),
281 283 active=Optional(True), sync=Optional(None)):
282 284 """
283 285 Updates the specified `user group` with the details provided.
284 286
285 287 This command can only be run using an |authtoken| with admin rights to
286 288 the specified repository.
287 289
288 290 :param apiuser: This is filled automatically from the |authtoken|.
289 291 :type apiuser: AuthUser
290 292 :param usergroupid: Set the id of the `user group` to update.
291 293 :type usergroupid: str or int
292 294 :param group_name: Set the new name the `user group`
293 295 :type group_name: str
294 296 :param description: Give a description for the `user group`
295 297 :type description: str
296 298 :param owner: Set the owner of the `user group`.
297 299 :type owner: Optional(str or int)
298 300 :param active: Set the group as active.
299 301 :type active: Optional(``True`` | ``False``)
300 302 :param sync: Set enabled or disabled the automatically sync from
301 external authentication types like ldap.
303 external authentication types like ldap. If User Group will be named like
304 one from e.g ldap and sync flag is enabled members will be synced automatically.
305 Sync type when enabled via API is set to `manual_api`
302 306 :type sync: Optional(``True`` | ``False``)
303 307
304 308 Example output:
305 309
306 310 .. code-block:: bash
307 311
308 312 id : <id_given_in_input>
309 313 result : {
310 314 "msg": 'updated user group ID:<user group id> <user group name>',
311 315 "user_group": <user_group_object>
312 316 }
313 317 error : null
314 318
315 319 Example error output:
316 320
317 321 .. code-block:: bash
318 322
319 323 id : <id_given_in_input>
320 324 result : null
321 325 error : {
322 326 "failed to update user group `<user group name>`"
323 327 }
324 328
325 329 """
326 330
327 331 user_group = get_user_group_or_error(usergroupid)
328 332 include_secrets = False
329 333 if not has_superadmin_permission(apiuser):
330 334 # check if we have admin permission for this user group !
331 335 _perms = ('usergroup.admin',)
332 336 if not HasUserGroupPermissionAnyApi(*_perms)(
333 337 user=apiuser, user_group_name=user_group.users_group_name):
334 338 raise JSONRPCError(
335 339 'user group `%s` does not exist' % (usergroupid,))
336 340 else:
337 341 include_secrets = True
338 342
339 343 if not isinstance(owner, Optional):
340 344 owner = get_user_or_error(owner)
341 345
342 346 old_data = user_group.get_api_data()
343 347 updates = {}
344 348 store_update(updates, group_name, 'users_group_name')
345 349 store_update(updates, description, 'user_group_description')
346 350 store_update(updates, owner, 'user')
347 351 store_update(updates, active, 'users_group_active')
348 352
349 353 sync = Optional.extract(sync)
350 354 group_data = None
351 355 if sync is True:
352 356 group_data = {
353 357 'extern_type': 'manual_api',
354 358 'extern_type_set_by': apiuser.username
355 359 }
356 360 if sync is False:
357 361 group_data = user_group.group_data
358 362 if group_data and "extern_type" in group_data:
359 363 del group_data["extern_type"]
360 364
361 365 try:
362 366 UserGroupModel().update(user_group, updates, group_data=group_data)
363 367 audit_logger.store_api(
364 368 'user_group.edit', action_data={'old_data': old_data},
365 369 user=apiuser)
366 370 Session().commit()
367 371 return {
368 372 'msg': 'updated user group ID:%s %s' % (
369 373 user_group.users_group_id, user_group.users_group_name),
370 374 'user_group': user_group.get_api_data(
371 375 include_secrets=include_secrets)
372 376 }
373 377 except Exception:
374 378 log.exception("Error occurred during update of user group")
375 379 raise JSONRPCError(
376 380 'failed to update user group `%s`' % (usergroupid,))
377 381
378 382
379 383 @jsonrpc_method()
380 384 def delete_user_group(request, apiuser, usergroupid):
381 385 """
382 386 Deletes the specified `user group`.
383 387
384 388 This command can only be run using an |authtoken| with admin rights to
385 389 the specified repository.
386 390
387 391 This command takes the following options:
388 392
389 393 :param apiuser: filled automatically from apikey
390 394 :type apiuser: AuthUser
391 395 :param usergroupid:
392 396 :type usergroupid: int
393 397
394 398 Example output:
395 399
396 400 .. code-block:: bash
397 401
398 402 id : <id_given_in_input>
399 403 result : {
400 404 "msg": "deleted user group ID:<user_group_id> <user_group_name>"
401 405 }
402 406 error : null
403 407
404 408 Example error output:
405 409
406 410 .. code-block:: bash
407 411
408 412 id : <id_given_in_input>
409 413 result : null
410 414 error : {
411 415 "failed to delete user group ID:<user_group_id> <user_group_name>"
412 416 or
413 417 "RepoGroup assigned to <repo_groups_list>"
414 418 }
415 419
416 420 """
417 421
418 422 user_group = get_user_group_or_error(usergroupid)
419 423 if not has_superadmin_permission(apiuser):
420 424 # check if we have admin permission for this user group !
421 425 _perms = ('usergroup.admin',)
422 426 if not HasUserGroupPermissionAnyApi(*_perms)(
423 427 user=apiuser, user_group_name=user_group.users_group_name):
424 428 raise JSONRPCError(
425 429 'user group `%s` does not exist' % (usergroupid,))
426 430
427 431 old_data = user_group.get_api_data()
428 432 try:
429 433 UserGroupModel().delete(user_group)
430 434 audit_logger.store_api(
431 435 'user_group.delete', action_data={'old_data': old_data},
432 436 user=apiuser)
433 437 Session().commit()
434 438 return {
435 439 'msg': 'deleted user group ID:%s %s' % (
436 440 user_group.users_group_id, user_group.users_group_name),
437 441 'user_group': None
438 442 }
439 443 except UserGroupAssignedException as e:
440 444 log.exception("UserGroupAssigned error")
441 445 raise JSONRPCError(str(e))
442 446 except Exception:
443 447 log.exception("Error occurred during deletion of user group")
444 448 raise JSONRPCError(
445 449 'failed to delete user group ID:%s %s' %(
446 450 user_group.users_group_id, user_group.users_group_name))
447 451
448 452
449 453 @jsonrpc_method()
450 454 def add_user_to_user_group(request, apiuser, usergroupid, userid):
451 455 """
452 456 Adds a user to a `user group`. If the user already exists in the group
453 457 this command will return false.
454 458
455 459 This command can only be run using an |authtoken| with admin rights to
456 460 the specified user group.
457 461
458 462 This command takes the following options:
459 463
460 464 :param apiuser: This is filled automatically from the |authtoken|.
461 465 :type apiuser: AuthUser
462 466 :param usergroupid: Set the name of the `user group` to which a
463 467 user will be added.
464 468 :type usergroupid: int
465 469 :param userid: Set the `user_id` of the user to add to the group.
466 470 :type userid: int
467 471
468 472 Example output:
469 473
470 474 .. code-block:: bash
471 475
472 476 id : <id_given_in_input>
473 477 result : {
474 478 "success": True|False # depends on if member is in group
475 479 "msg": "added member `<username>` to user group `<groupname>` |
476 480 User is already in that group"
477 481
478 482 }
479 483 error : null
480 484
481 485 Example error output:
482 486
483 487 .. code-block:: bash
484 488
485 489 id : <id_given_in_input>
486 490 result : null
487 491 error : {
488 492 "failed to add member to user group `<user_group_name>`"
489 493 }
490 494
491 495 """
492 496
493 497 user = get_user_or_error(userid)
494 498 user_group = get_user_group_or_error(usergroupid)
495 499 if not has_superadmin_permission(apiuser):
496 500 # check if we have admin permission for this user group !
497 501 _perms = ('usergroup.admin',)
498 502 if not HasUserGroupPermissionAnyApi(*_perms)(
499 503 user=apiuser, user_group_name=user_group.users_group_name):
500 504 raise JSONRPCError('user group `%s` does not exist' % (
501 505 usergroupid,))
502 506
503 507 old_values = user_group.get_api_data()
504 508 try:
505 509 ugm = UserGroupModel().add_user_to_group(user_group, user)
506 510 success = True if ugm is not True else False
507 511 msg = 'added member `%s` to user group `%s`' % (
508 512 user.username, user_group.users_group_name
509 513 )
510 514 msg = msg if success else 'User is already in that group'
511 515 if success:
512 516 user_data = user.get_api_data()
513 517 audit_logger.store_api(
514 518 'user_group.edit.member.add',
515 519 action_data={'user': user_data, 'old_data': old_values},
516 520 user=apiuser)
517 521
518 522 Session().commit()
519 523
520 524 return {
521 525 'success': success,
522 526 'msg': msg
523 527 }
524 528 except Exception:
525 529 log.exception("Error occurred during adding a member to user group")
526 530 raise JSONRPCError(
527 531 'failed to add member to user group `%s`' % (
528 532 user_group.users_group_name,
529 533 )
530 534 )
531 535
532 536
533 537 @jsonrpc_method()
534 538 def remove_user_from_user_group(request, apiuser, usergroupid, userid):
535 539 """
536 540 Removes a user from a user group.
537 541
538 542 * If the specified user is not in the group, this command will return
539 543 `false`.
540 544
541 545 This command can only be run using an |authtoken| with admin rights to
542 546 the specified user group.
543 547
544 548 :param apiuser: This is filled automatically from the |authtoken|.
545 549 :type apiuser: AuthUser
546 550 :param usergroupid: Sets the user group name.
547 551 :type usergroupid: str or int
548 552 :param userid: The user you wish to remove from |RCE|.
549 553 :type userid: str or int
550 554
551 555 Example output:
552 556
553 557 .. code-block:: bash
554 558
555 559 id : <id_given_in_input>
556 560 result: {
557 561 "success": True|False, # depends on if member is in group
558 562 "msg": "removed member <username> from user group <groupname> |
559 563 User wasn't in group"
560 564 }
561 565 error: null
562 566
563 567 """
564 568
565 569 user = get_user_or_error(userid)
566 570 user_group = get_user_group_or_error(usergroupid)
567 571 if not has_superadmin_permission(apiuser):
568 572 # check if we have admin permission for this user group !
569 573 _perms = ('usergroup.admin',)
570 574 if not HasUserGroupPermissionAnyApi(*_perms)(
571 575 user=apiuser, user_group_name=user_group.users_group_name):
572 576 raise JSONRPCError(
573 577 'user group `%s` does not exist' % (usergroupid,))
574 578
575 579 old_values = user_group.get_api_data()
576 580 try:
577 581 success = UserGroupModel().remove_user_from_group(user_group, user)
578 582 msg = 'removed member `%s` from user group `%s`' % (
579 583 user.username, user_group.users_group_name
580 584 )
581 585 msg = msg if success else "User wasn't in group"
582 586 if success:
583 587 user_data = user.get_api_data()
584 588 audit_logger.store_api(
585 589 'user_group.edit.member.delete',
586 590 action_data={'user': user_data, 'old_data': old_values},
587 591 user=apiuser)
588 592
589 593 Session().commit()
590 594 return {'success': success, 'msg': msg}
591 595 except Exception:
592 596 log.exception("Error occurred during removing an member from user group")
593 597 raise JSONRPCError(
594 598 'failed to remove member from user group `%s`' % (
595 599 user_group.users_group_name,
596 600 )
597 601 )
598 602
599 603
600 604 @jsonrpc_method()
601 605 def grant_user_permission_to_user_group(
602 606 request, apiuser, usergroupid, userid, perm):
603 607 """
604 608 Set permissions for a user in a user group.
605 609
606 610 :param apiuser: This is filled automatically from the |authtoken|.
607 611 :type apiuser: AuthUser
608 612 :param usergroupid: Set the user group to edit permissions on.
609 613 :type usergroupid: str or int
610 614 :param userid: Set the user from whom you wish to set permissions.
611 615 :type userid: str
612 616 :param perm: (usergroup.(none|read|write|admin))
613 617 :type perm: str
614 618
615 619 Example output:
616 620
617 621 .. code-block:: bash
618 622
619 623 id : <id_given_in_input>
620 624 result : {
621 625 "msg": "Granted perm: `<perm_name>` for user: `<username>` in user group: `<user_group_name>`",
622 626 "success": true
623 627 }
624 628 error : null
625 629 """
626 630
627 631 user_group = get_user_group_or_error(usergroupid)
628 632
629 633 if not has_superadmin_permission(apiuser):
630 634 # check if we have admin permission for this user group !
631 635 _perms = ('usergroup.admin',)
632 636 if not HasUserGroupPermissionAnyApi(*_perms)(
633 637 user=apiuser, user_group_name=user_group.users_group_name):
634 638 raise JSONRPCError(
635 639 'user group `%s` does not exist' % (usergroupid,))
636 640
637 641 user = get_user_or_error(userid)
638 642 perm = get_perm_or_error(perm, prefix='usergroup.')
639 643
640 644 try:
641 645 changes = UserGroupModel().grant_user_permission(
642 646 user_group=user_group, user=user, perm=perm)
643 647
644 648 action_data = {
645 649 'added': changes['added'],
646 650 'updated': changes['updated'],
647 651 'deleted': changes['deleted'],
648 652 }
649 653 audit_logger.store_api(
650 654 'user_group.edit.permissions', action_data=action_data,
651 655 user=apiuser)
652 656
653 657 Session().commit()
654 658 return {
655 659 'msg':
656 660 'Granted perm: `%s` for user: `%s` in user group: `%s`' % (
657 661 perm.permission_name, user.username,
658 662 user_group.users_group_name
659 663 ),
660 664 'success': True
661 665 }
662 666 except Exception:
663 667 log.exception("Error occurred during editing permissions "
664 668 "for user in user group")
665 669 raise JSONRPCError(
666 670 'failed to edit permission for user: '
667 671 '`%s` in user group: `%s`' % (
668 672 userid, user_group.users_group_name))
669 673
670 674
671 675 @jsonrpc_method()
672 676 def revoke_user_permission_from_user_group(
673 677 request, apiuser, usergroupid, userid):
674 678 """
675 679 Revoke a users permissions in a user group.
676 680
677 681 :param apiuser: This is filled automatically from the |authtoken|.
678 682 :type apiuser: AuthUser
679 683 :param usergroupid: Set the user group from which to revoke the user
680 684 permissions.
681 685 :type: usergroupid: str or int
682 686 :param userid: Set the userid of the user whose permissions will be
683 687 revoked.
684 688 :type userid: str
685 689
686 690 Example output:
687 691
688 692 .. code-block:: bash
689 693
690 694 id : <id_given_in_input>
691 695 result : {
692 696 "msg": "Revoked perm for user: `<username>` in user group: `<user_group_name>`",
693 697 "success": true
694 698 }
695 699 error : null
696 700 """
697 701
698 702 user_group = get_user_group_or_error(usergroupid)
699 703
700 704 if not has_superadmin_permission(apiuser):
701 705 # check if we have admin permission for this user group !
702 706 _perms = ('usergroup.admin',)
703 707 if not HasUserGroupPermissionAnyApi(*_perms)(
704 708 user=apiuser, user_group_name=user_group.users_group_name):
705 709 raise JSONRPCError(
706 710 'user group `%s` does not exist' % (usergroupid,))
707 711
708 712 user = get_user_or_error(userid)
709 713
710 714 try:
711 715 changes = UserGroupModel().revoke_user_permission(
712 716 user_group=user_group, user=user)
713 717 action_data = {
714 718 'added': changes['added'],
715 719 'updated': changes['updated'],
716 720 'deleted': changes['deleted'],
717 721 }
718 722 audit_logger.store_api(
719 723 'user_group.edit.permissions', action_data=action_data,
720 724 user=apiuser)
721 725
722 726 Session().commit()
723 727 return {
724 728 'msg': 'Revoked perm for user: `%s` in user group: `%s`' % (
725 729 user.username, user_group.users_group_name
726 730 ),
727 731 'success': True
728 732 }
729 733 except Exception:
730 734 log.exception("Error occurred during editing permissions "
731 735 "for user in user group")
732 736 raise JSONRPCError(
733 737 'failed to edit permission for user: `%s` in user group: `%s`'
734 738 % (userid, user_group.users_group_name))
735 739
736 740
737 741 @jsonrpc_method()
738 742 def grant_user_group_permission_to_user_group(
739 743 request, apiuser, usergroupid, sourceusergroupid, perm):
740 744 """
741 745 Give one user group permissions to another user group.
742 746
743 747 :param apiuser: This is filled automatically from the |authtoken|.
744 748 :type apiuser: AuthUser
745 749 :param usergroupid: Set the user group on which to edit permissions.
746 750 :type usergroupid: str or int
747 751 :param sourceusergroupid: Set the source user group to which
748 752 access/permissions will be granted.
749 753 :type sourceusergroupid: str or int
750 754 :param perm: (usergroup.(none|read|write|admin))
751 755 :type perm: str
752 756
753 757 Example output:
754 758
755 759 .. code-block:: bash
756 760
757 761 id : <id_given_in_input>
758 762 result : {
759 763 "msg": "Granted perm: `<perm_name>` for user group: `<source_user_group_name>` in user group: `<user_group_name>`",
760 764 "success": true
761 765 }
762 766 error : null
763 767 """
764 768
765 769 user_group = get_user_group_or_error(sourceusergroupid)
766 770 target_user_group = get_user_group_or_error(usergroupid)
767 771 perm = get_perm_or_error(perm, prefix='usergroup.')
768 772
769 773 if not has_superadmin_permission(apiuser):
770 774 # check if we have admin permission for this user group !
771 775 _perms = ('usergroup.admin',)
772 776 if not HasUserGroupPermissionAnyApi(*_perms)(
773 777 user=apiuser,
774 778 user_group_name=target_user_group.users_group_name):
775 779 raise JSONRPCError(
776 780 'to user group `%s` does not exist' % (usergroupid,))
777 781
778 782 # check if we have at least read permission for source user group !
779 783 _perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin',)
780 784 if not HasUserGroupPermissionAnyApi(*_perms)(
781 785 user=apiuser, user_group_name=user_group.users_group_name):
782 786 raise JSONRPCError(
783 787 'user group `%s` does not exist' % (sourceusergroupid,))
784 788
785 789 try:
786 790 changes = UserGroupModel().grant_user_group_permission(
787 791 target_user_group=target_user_group,
788 792 user_group=user_group, perm=perm)
789 793
790 794 action_data = {
791 795 'added': changes['added'],
792 796 'updated': changes['updated'],
793 797 'deleted': changes['deleted'],
794 798 }
795 799 audit_logger.store_api(
796 800 'user_group.edit.permissions', action_data=action_data,
797 801 user=apiuser)
798 802
799 803 Session().commit()
800 804 return {
801 805 'msg': 'Granted perm: `%s` for user group: `%s` '
802 806 'in user group: `%s`' % (
803 807 perm.permission_name, user_group.users_group_name,
804 808 target_user_group.users_group_name
805 809 ),
806 810 'success': True
807 811 }
808 812 except Exception:
809 813 log.exception("Error occurred during editing permissions "
810 814 "for user group in user group")
811 815 raise JSONRPCError(
812 816 'failed to edit permission for user group: `%s` in '
813 817 'user group: `%s`' % (
814 818 sourceusergroupid, target_user_group.users_group_name
815 819 )
816 820 )
817 821
818 822
819 823 @jsonrpc_method()
820 824 def revoke_user_group_permission_from_user_group(
821 825 request, apiuser, usergroupid, sourceusergroupid):
822 826 """
823 827 Revoke the permissions that one user group has to another.
824 828
825 829 :param apiuser: This is filled automatically from the |authtoken|.
826 830 :type apiuser: AuthUser
827 831 :param usergroupid: Set the user group on which to edit permissions.
828 832 :type usergroupid: str or int
829 833 :param sourceusergroupid: Set the user group from which permissions
830 834 are revoked.
831 835 :type sourceusergroupid: str or int
832 836
833 837 Example output:
834 838
835 839 .. code-block:: bash
836 840
837 841 id : <id_given_in_input>
838 842 result : {
839 843 "msg": "Revoked perm for user group: `<user_group_name>` in user group: `<target_user_group_name>`",
840 844 "success": true
841 845 }
842 846 error : null
843 847 """
844 848
845 849 user_group = get_user_group_or_error(sourceusergroupid)
846 850 target_user_group = get_user_group_or_error(usergroupid)
847 851
848 852 if not has_superadmin_permission(apiuser):
849 853 # check if we have admin permission for this user group !
850 854 _perms = ('usergroup.admin',)
851 855 if not HasUserGroupPermissionAnyApi(*_perms)(
852 856 user=apiuser,
853 857 user_group_name=target_user_group.users_group_name):
854 858 raise JSONRPCError(
855 859 'to user group `%s` does not exist' % (usergroupid,))
856 860
857 861 # check if we have at least read permission
858 862 # for the source user group !
859 863 _perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin',)
860 864 if not HasUserGroupPermissionAnyApi(*_perms)(
861 865 user=apiuser, user_group_name=user_group.users_group_name):
862 866 raise JSONRPCError(
863 867 'user group `%s` does not exist' % (sourceusergroupid,))
864 868
865 869 try:
866 870 changes = UserGroupModel().revoke_user_group_permission(
867 871 target_user_group=target_user_group, user_group=user_group)
868 872 action_data = {
869 873 'added': changes['added'],
870 874 'updated': changes['updated'],
871 875 'deleted': changes['deleted'],
872 876 }
873 877 audit_logger.store_api(
874 878 'user_group.edit.permissions', action_data=action_data,
875 879 user=apiuser)
876 880
877 881 Session().commit()
878 882
879 883 return {
880 884 'msg': 'Revoked perm for user group: '
881 885 '`%s` in user group: `%s`' % (
882 886 user_group.users_group_name,
883 887 target_user_group.users_group_name
884 888 ),
885 889 'success': True
886 890 }
887 891 except Exception:
888 892 log.exception("Error occurred during editing permissions "
889 893 "for user group in user group")
890 894 raise JSONRPCError(
891 895 'failed to edit permission for user group: '
892 896 '`%s` in user group: `%s`' % (
893 897 sourceusergroupid, target_user_group.users_group_name
894 898 )
895 899 )
General Comments 0
You need to be logged in to leave comments. Login now