rhodecode-enterprise-ce Commit - r1154:e3bdce95

repo-group-schemas: refactor repository group schemas....

marcink -

r1154:e3bdce95 default

parent child

rhodecode/tests/models/schemas/test_repo_group_schema.py

0 created 644 +116 0

@@ -0,0 +1,116 b''
	1	# -- coding: utf-8 --
	2
	3	# Copyright (C) 2016-2016 RhodeCode GmbH
	4	#
	5	# This program is free software: you can redistribute it and/or modify
	6	# it under the terms of the GNU Affero General Public License, version 3
	7	# (only), as published by the Free Software Foundation.
	8	#
	9	# This program is distributed in the hope that it will be useful,
	10	# but WITHOUT ANY WARRANTY; without even the implied warranty of
	11	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	12	# GNU General Public License for more details.
	13	#
	14	# You should have received a copy of the GNU Affero General Public License
	15	# along with this program. If not, see <http://www.gnu.org/licenses/>.
	16	#
	17	# This program is dual-licensed. If you wish to learn more about the
	18	# RhodeCode Enterprise Edition, including its added features, Support services,
	19	# and proprietary license terms, please see https://rhodecode.com/licenses/
	20
	21	import colander
	22	import pytest
	23
	24	from rhodecode.model.validation_schema import types
	25	from rhodecode.model.validation_schema.schemas import repo_group_schema
	26
	27
	28	class TestRepoGroupSchema(object):
	29
	30	@pytest.mark.parametrize('given, expected', [
	31	('my repo', 'my-repo'),
	32	(' hello world mike ', 'hello-world-mike'),
	33
	34	('//group1/group2//', 'group1/group2'),
	35	('//group1///group2//', 'group1/group2'),
	36	('///group1/group2///group3', 'group1/group2/group3'),
	37	('word g1/group2///group3', 'word-g1/group2/group3'),
	38
	39	('grou p1/gro;,,##up2//.../group3', 'grou-p1/group2/group3'),
	40
	41	('group,,,/,,,/1/2/3', 'group/1/2/3'),
	42	('grou[]p1/gro;up2///gro up3', 'group1/group2/gro-up3'),
	43	(u'grou[]p1/gro;up2///gro up3/ąć', u'group1/group2/gro-up3/ąć'),
	44	])
	45	def test_deserialize_repo_name(self, app, user_admin, given, expected):
	46	schema = repo_group_schema.RepoGroupSchema().bind()
	47	assert schema.get('repo_group_name').deserialize(given) == expected
	48
	49	def test_deserialize(self, app, user_admin):
	50	schema = repo_group_schema.RepoGroupSchema().bind(
	51	user=user_admin
	52	)
	53
	54	schema_data = schema.deserialize(dict(
	55	repo_group_name='dupa',
	56	repo_group_owner=user_admin.username
	57	))
	58
	59	assert schema_data['repo_group_name'] == 'dupa'
	60	assert schema_data['repo_group'] == {
	61	'repo_group_id': None,
	62	'repo_group_name': types.RootLocation,
	63	'repo_group_name_without_group': 'dupa'}
	64
	65	@pytest.mark.parametrize('given, err_key, expected_exc', [
	66	('xxx/dupa', 'repo_group', 'Parent repository group `xxx` does not exist'),
	67	('', 'repo_group_name', 'Name must start with a letter or number. Got ``'),
	68	])
	69	def test_deserialize_with_bad_group_name(
	70	self, app, user_admin, given, err_key, expected_exc):
	71	schema = repo_group_schema.RepoGroupSchema().bind(
	72	repo_type_options=['hg'],
	73	user=user_admin
	74	)
	75
	76	with pytest.raises(colander.Invalid) as excinfo:
	77	schema.deserialize(dict(
	78	repo_group_name=given,
	79	repo_group_owner=user_admin.username
	80	))
	81
	82	assert excinfo.value.asdict()[err_key] == expected_exc
	83
	84	def test_deserialize_with_group_name(self, app, user_admin, test_repo_group):
	85	schema = repo_group_schema.RepoGroupSchema().bind(
	86	user=user_admin
	87	)
	88
	89	full_name = test_repo_group.group_name + '/dupa'
	90	schema_data = schema.deserialize(dict(
	91	repo_group_name=full_name,
	92	repo_group_owner=user_admin.username
	93	))
	94
	95	assert schema_data['repo_group_name'] == full_name
	96	assert schema_data['repo_group'] == {
	97	'repo_group_id': test_repo_group.group_id,
	98	'repo_group_name': test_repo_group.group_name,
	99	'repo_group_name_without_group': 'dupa'}
	100
	101	def test_deserialize_with_group_name_regular_user_no_perms(
	102	self, app, user_regular, test_repo_group):
	103	schema = repo_group_schema.RepoGroupSchema().bind(
	104	user=user_regular
	105	)
	106
	107	full_name = test_repo_group.group_name + '/dupa'
	108	with pytest.raises(colander.Invalid) as excinfo:
	109	schema.deserialize(dict(
	110	repo_group_name=full_name,
	111	repo_group_owner=user_regular.username
	112	))
	113
	114	expected = 'Parent repository group `{}` does not exist'.format(
	115	test_repo_group.group_name)
	116	assert excinfo.value.asdict()['repo_group'] == expected

rhodecode/api/tests/test_create_repo_group.py

0 +145 -55

             # -*- coding: utf-8 -*-
             # Copyright (C) 2010-2016  RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import mock
             import pytest
             from rhodecode.model.meta import Session
             from rhodecode.model.repo_group import RepoGroupModel
             from rhodecode.model.user import UserModel
             from rhodecode.tests import TEST_USER_ADMIN_LOGIN
             from rhodecode.api.tests.utils import (
                 build_data, api_call, assert_ok, assert_error, crash)
             from rhodecode.tests.fixture import Fixture
             fixture = Fixture()
             @pytest.mark.usefixtures("testuser_api", "app")
             class TestCreateRepoGroup(object):
                 def test_api_create_repo_group(self):
                     repo_group_name = 'api-repo-group'
                     repo_group = RepoGroupModel.cls.get_by_group_name(repo_group_name)
                     assert repo_group is None
                     id_, params = build_data(
                         self.apikey, 'create_repo_group',
                         group_name=repo_group_name,
                         owner=TEST_USER_ADMIN_LOGIN,)
                     response = api_call(self.app, params)
                     repo_group = RepoGroupModel.cls.get_by_group_name(repo_group_name)
                     assert repo_group is not None
                     ret = {
                         'msg': 'Created new repo group `%s`' % (repo_group_name,),
                         'repo_group': repo_group.get_api_data()
                     }
                     expected = ret
-                    assert_ok(id_, expected, given=response.body)
+                    try:
-                    fixture.destroy_repo_group(repo_group_name)
+                        assert_ok(id_, expected, given=response.body)
+                    finally:
-                def test_api_create_repo_group_regular_user(self):
+                        fixture.destroy_repo_group(repo_group_name)
-                    repo_group_name = 'api-repo-group'
-                    usr = UserModel().get_by_username(self.TEST_USER_LOGIN)
-                    usr.inherit_default_permissions = False
-                    Session().add(usr)
-                    UserModel().grant_perm(
-                        self.TEST_USER_LOGIN, 'hg.repogroup.create.true')
-                    Session().commit()
-                    repo_group = RepoGroupModel.cls.get_by_group_name(repo_group_name)
-                    assert repo_group is None
-                    id_, params = build_data(
-                        self.apikey_regular, 'create_repo_group',
-                        group_name=repo_group_name,
-                        owner=TEST_USER_ADMIN_LOGIN,)
-                    response = api_call(self.app, params)
-                    repo_group = RepoGroupModel.cls.get_by_group_name(repo_group_name)
-                    assert repo_group is not None
-                    ret = {
-                        'msg': 'Created new repo group `%s`' % (repo_group_name,),
-                        'repo_group': repo_group.get_api_data()
-                    expected = ret
-                    assert_ok(id_, expected, given=response.body)
-                    fixture.destroy_repo_group(repo_group_name)
-                    UserModel().revoke_perm(
-                        self.TEST_USER_LOGIN, 'hg.repogroup.create.true')
-                    usr = UserModel().get_by_username(self.TEST_USER_LOGIN)
-                    usr.inherit_default_permissions = True
-                    Session().add(usr)
-                    Session().commit()
-                def test_api_create_repo_group_regular_user_no_permission(self):
-                    repo_group_name = 'api-repo-group'
-                    id_, params = build_data(
-                        self.apikey_regular, 'create_repo_group',
-                        group_name=repo_group_name,
-                        owner=TEST_USER_ADMIN_LOGIN,)
-                    response = api_call(self.app, params)
-                    expected = "Access was denied to this resource."
-                    assert_error(id_, expected, given=response.body)
                 def test_api_create_repo_group_in_another_group(self):
                     repo_group_name = 'api-repo-group'
                     repo_group = RepoGroupModel.cls.get_by_group_name(repo_group_name)
                     assert repo_group is None
                     # create the parent
                     fixture.create_repo_group(repo_group_name)
                     full_repo_group_name = repo_group_name+'/'+repo_group_name
                     id_, params = build_data(
                         self.apikey, 'create_repo_group',
                         group_name=full_repo_group_name,
                         owner=TEST_USER_ADMIN_LOGIN,
                         copy_permissions=True)
                     response = api_call(self.app, params)
                     repo_group = RepoGroupModel.cls.get_by_group_name(full_repo_group_name)
                     assert repo_group is not None
                     ret = {
                         'msg': 'Created new repo group `%s`' % (full_repo_group_name,),
                         'repo_group': repo_group.get_api_data()
                     }
                     expected = ret
-                    assert_ok(id_, expected, given=response.body)
+                    try:
-                    fixture.destroy_repo_group(full_repo_group_name)
+                        assert_ok(id_, expected, given=response.body)
-                    fixture.destroy_repo_group(repo_group_name)
+                    finally:
+                        fixture.destroy_repo_group(full_repo_group_name)
+                        fixture.destroy_repo_group(repo_group_name)
                 def test_api_create_repo_group_in_another_group_not_existing(self):
                     repo_group_name = 'api-repo-group-no'
                     repo_group = RepoGroupModel.cls.get_by_group_name(repo_group_name)
                     assert repo_group is None
                     full_repo_group_name = repo_group_name+'/'+repo_group_name
                     id_, params = build_data(
                         self.apikey, 'create_repo_group',
                         group_name=full_repo_group_name,
                         owner=TEST_USER_ADMIN_LOGIN,
                         copy_permissions=True)
                     response = api_call(self.app, params)
-                    expected = 'repository group `%s` does not exist' % (repo_group_name,)
+                    expected = {
+                        'repo_group':
+                            'Parent repository group `{}` does not exist'.format(
+                                repo_group_name)}
                     assert_error(id_, expected, given=response.body)
                 def test_api_create_repo_group_that_exists(self):
                     repo_group_name = 'api-repo-group'
                     repo_group = RepoGroupModel.cls.get_by_group_name(repo_group_name)
                     assert repo_group is None
                     fixture.create_repo_group(repo_group_name)
                     id_, params = build_data(
                         self.apikey, 'create_repo_group',
                         group_name=repo_group_name,
                         owner=TEST_USER_ADMIN_LOGIN,)
                     response = api_call(self.app, params)
-                    expected = 'repo group `%s` already exist' % (repo_group_name,)
+                    expected = {
+                        'unique_repo_group_name':
+                            'Repository group with name `{}` already exists'.format(
+                                repo_group_name)}
+                    try:
+                        assert_error(id_, expected, given=response.body)
+                    finally:
+                        fixture.destroy_repo_group(repo_group_name)
+                def test_api_create_repo_group_regular_user_wit_root_location_perms(
+                        self, user_util):
+                    regular_user = user_util.create_user()
+                    regular_user_api_key = regular_user.api_key
+                    repo_group_name = 'api-repo-group-by-regular-user'
+                    usr = UserModel().get_by_username(regular_user.username)
+                    usr.inherit_default_permissions = False
+                    Session().add(usr)
+                    UserModel().grant_perm(
+                        regular_user.username, 'hg.repogroup.create.true')
+                    Session().commit()
+                    repo_group = RepoGroupModel.cls.get_by_group_name(repo_group_name)
+                    assert repo_group is None
+                    id_, params = build_data(
+                        regular_user_api_key, 'create_repo_group',
+                        group_name=repo_group_name)
+                    response = api_call(self.app, params)
+                    repo_group = RepoGroupModel.cls.get_by_group_name(repo_group_name)
+                    assert repo_group is not None
+                    expected = {
+                        'msg': 'Created new repo group `%s`' % (repo_group_name,),
+                        'repo_group': repo_group.get_api_data()
+                    }
+                    try:
+                        assert_ok(id_, expected, given=response.body)
+                    finally:
+                        fixture.destroy_repo_group(repo_group_name)
+                def test_api_create_repo_group_regular_user_with_admin_perms_to_parent(
+                        self, user_util):
+                    repo_group_name = 'api-repo-group-parent'
+                    repo_group = RepoGroupModel.cls.get_by_group_name(repo_group_name)
+                    assert repo_group is None
+                    # create the parent
+                    fixture.create_repo_group(repo_group_name)
+                    # user perms
+                    regular_user = user_util.create_user()
+                    regular_user_api_key = regular_user.api_key
+                    usr = UserModel().get_by_username(regular_user.username)
+                    usr.inherit_default_permissions = False
+                    Session().add(usr)
+                    RepoGroupModel().grant_user_permission(
+                        repo_group_name, regular_user.username, 'group.admin')
+                    Session().commit()
+                    full_repo_group_name = repo_group_name + '/' + repo_group_name
+                    id_, params = build_data(
+                        regular_user_api_key, 'create_repo_group',
+                        group_name=full_repo_group_name)
+                    response = api_call(self.app, params)
+                    repo_group = RepoGroupModel.cls.get_by_group_name(full_repo_group_name)
+                    assert repo_group is not None
+                    expected = {
+                        'msg': 'Created new repo group `{}`'.format(full_repo_group_name),
+                        'repo_group': repo_group.get_api_data()
+                    }
+                    try:
+                        assert_ok(id_, expected, given=response.body)
+                    finally:
+                        fixture.destroy_repo_group(full_repo_group_name)
+                        fixture.destroy_repo_group(repo_group_name)
+                def test_api_create_repo_group_regular_user_no_permission_to_create_to_root_level(self):
+                    repo_group_name = 'api-repo-group'
+                    id_, params = build_data(
+                        self.apikey_regular, 'create_repo_group',
+                        group_name=repo_group_name)
+                    response = api_call(self.app, params)
+                    expected = {
+                        'repo_group':
+                            u'You do not have the permission to store '
+                            u'repository groups in the root location.'}
                     assert_error(id_, expected, given=response.body)
-                    fixture.destroy_repo_group(repo_group_name)
+                def test_api_create_repo_group_regular_user_no_parent_group_perms(self):
+                    repo_group_name = 'api-repo-group-regular-user'
+                    repo_group = RepoGroupModel.cls.get_by_group_name(repo_group_name)
+                    assert repo_group is None
+                    # create the parent
+                    fixture.create_repo_group(repo_group_name)
+                    full_repo_group_name = repo_group_name+'/'+repo_group_name
+                    id_, params = build_data(
+                        self.apikey_regular, 'create_repo_group',
+                        group_name=full_repo_group_name)
+                    response = api_call(self.app, params)
+                    expected = {
+                        'repo_group':
+                            'Parent repository group `{}` does not exist'.format(
+                                repo_group_name)}
+                    try:
+                        assert_error(id_, expected, given=response.body)
+                    finally:
+                        fixture.destroy_repo_group(repo_group_name)
+                def test_api_create_repo_group_regular_user_no_permission_to_specify_owner(
+                        self):
+                    repo_group_name = 'api-repo-group'
+                    id_, params = build_data(
+                        self.apikey_regular, 'create_repo_group',
+                        group_name=repo_group_name,
+                        owner=TEST_USER_ADMIN_LOGIN,)
+                    response = api_call(self.app, params)
+                    expected = "Only RhodeCode super-admin can specify `owner` param"
+                    assert_error(id_, expected, given=response.body)
                 @mock.patch.object(RepoGroupModel, 'create', crash)
                 def test_api_create_repo_group_exception_occurred(self):
                     repo_group_name = 'api-repo-group'
                     repo_group = RepoGroupModel.cls.get_by_group_name(repo_group_name)
                     assert repo_group is None
                     id_, params = build_data(
                         self.apikey, 'create_repo_group',
                         group_name=repo_group_name,
                         owner=TEST_USER_ADMIN_LOGIN,)
                     response = api_call(self.app, params)
                     expected = 'failed to create repo group `%s`' % (repo_group_name,)
                     assert_error(id_, expected, given=response.body)
                 def test_create_group_with_extra_slashes_in_name(self, user_util):
                     existing_repo_group = user_util.create_repo_group()
                     dirty_group_name = '//{}//group2//'.format(
                         existing_repo_group.group_name)
                     cleaned_group_name = '{}/group2'.format(
                         existing_repo_group.group_name)
                     id_, params = build_data(
                         self.apikey, 'create_repo_group',
                         group_name=dirty_group_name,
                         owner=TEST_USER_ADMIN_LOGIN,)
                     response = api_call(self.app, params)
                     repo_group = RepoGroupModel.cls.get_by_group_name(cleaned_group_name)
                     expected = {
                         'msg': 'Created new repo group `%s`' % (cleaned_group_name,),
                         'repo_group': repo_group.get_api_data()
                     }
                     assert_ok(id_, expected, given=response.body)
                     fixture.destroy_repo_group(cleaned_group_name)

rhodecode/api/tests/test_update_repo_group.py

0 +56 -13

             # -*- coding: utf-8 -*-
             # Copyright (C) 2010-2016  RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import os
             import pytest
             from rhodecode.model.repo_group import RepoGroupModel
             from rhodecode.model.user import UserModel
             from rhodecode.api.tests.utils import (
                 build_data, api_call, assert_error, assert_ok)
             @pytest.mark.usefixtures("testuser_api", "app")
             class TestApiUpdateRepoGroup(object):
                 def test_update_group_name(self, user_util):
                     new_group_name = 'new-group'
                     initial_name = self._update(user_util, group_name=new_group_name)
                     assert RepoGroupModel()._get_repo_group(initial_name) is None
-                    assert RepoGroupModel()._get_repo_group(new_group_name) is not None
+                    new_group = RepoGroupModel()._get_repo_group(new_group_name)
+                    assert new_group is not None
+                    assert new_group.full_path == new_group_name
-                def test_update_parent(self, user_util):
+                def test_update_group_name_change_parent(self, user_util):
                     parent_group = user_util.create_repo_group()
-                    initial_name = self._update(user_util, parent=parent_group.name)
+                    parent_group_name = parent_group.name
-                    expected_group_name = '{}/{}'.format(parent_group.name, initial_name)
+                    expected_group_name = '{}/{}'.format(parent_group_name, 'new-group')
+                    initial_name = self._update(user_util, group_name=expected_group_name)
                     repo_group = RepoGroupModel()._get_repo_group(expected_group_name)
                     assert repo_group is not None
                     assert repo_group.group_name == expected_group_name
-                    assert repo_group.name == initial_name
+                    assert repo_group.full_path == expected_group_name
                     assert RepoGroupModel()._get_repo_group(initial_name) is None
                     new_path = os.path.join(
                         RepoGroupModel().repos_path, *repo_group.full_path_splitted)
                     assert os.path.exists(new_path)
                 def test_update_enable_locking(self, user_util):
                     initial_name = self._update(user_util, enable_locking=True)
                     repo_group = RepoGroupModel()._get_repo_group(initial_name)
                     assert repo_group.enable_locking is True
                 def test_update_description(self, user_util):
                     description = 'New description'
                     initial_name = self._update(user_util, description=description)
                     repo_group = RepoGroupModel()._get_repo_group(initial_name)
                     assert repo_group.group_description == description
                 def test_update_owner(self, user_util):
                     owner = self.TEST_USER_LOGIN
                     initial_name = self._update(user_util, owner=owner)
                     repo_group = RepoGroupModel()._get_repo_group(initial_name)
                     assert repo_group.user.username == owner
-                def test_api_update_repo_group_by_regular_user_no_permission(
+                def test_update_group_name_conflict_with_existing(self, user_util):
-                        self, backend):
+                    group_1 = user_util.create_repo_group()
-                    repo = backend.create_repo()
+                    group_2 = user_util.create_repo_group()
-                    repo_name = repo.repo_name
+                    repo_group_name_1 = group_1.group_name
+                    repo_group_name_2 = group_2.group_name
                     id_, params = build_data(
-                        self.apikey_regular, 'update_repo_group', repogroupid=repo_name)
+                        self.apikey, 'update_repo_group', repogroupid=repo_group_name_1,
+                        group_name=repo_group_name_2)
+                    response = api_call(self.app, params)
+                    expected = {
+                        'unique_repo_group_name':
+                            'Repository group with name `{}` already exists'.format(
+                                repo_group_name_2)}
+                    assert_error(id_, expected, given=response.body)
+                def test_api_update_repo_group_by_regular_user_no_permission(self, user_util):
+                    temp_user = user_util.create_user()
+                    temp_user_api_key = temp_user.api_key
+                    parent_group = user_util.create_repo_group()
+                    repo_group_name = parent_group.group_name
+                    id_, params = build_data(
+                        temp_user_api_key, 'update_repo_group', repogroupid=repo_group_name)
                     response = api_call(self.app, params)
-                    expected = 'repository group `%s` does not exist' % (repo_name,)
+                    expected = 'repository group `%s` does not exist' % (repo_group_name,)
+                    assert_error(id_, expected, given=response.body)
+                def test_api_update_repo_group_regular_user_no_root_write_permissions(
+                        self, user_util):
+                    temp_user = user_util.create_user()
+                    temp_user_api_key = temp_user.api_key
+                    parent_group = user_util.create_repo_group(owner=temp_user.username)
+                    repo_group_name = parent_group.group_name
+                    id_, params = build_data(
+                        temp_user_api_key, 'update_repo_group', repogroupid=repo_group_name,
+                        group_name='at-root-level')
+                    response = api_call(self.app, params)
+                    expected = {
+                        'repo_group': 'You do not have the permission to store '
+                                      'repository groups in the root location.'}
                     assert_error(id_, expected, given=response.body)
                 def _update(self, user_util, **kwargs):
                     repo_group = user_util.create_repo_group()
                     initial_name = repo_group.name
                     user = UserModel().get_by_username(self.TEST_USER_LOGIN)
                     user_util.grant_user_permission_to_repo_group(
                         repo_group, user, 'group.admin')
                     id_, params = build_data(
                         self.apikey, 'update_repo_group', repogroupid=initial_name,
                         **kwargs)
                     response = api_call(self.app, params)
-                    ret = {
+                    repo_group = RepoGroupModel.cls.get(repo_group.group_id)
+                    expected = {
                         'msg': 'updated repository group ID:{} {}'.format(
                             repo_group.group_id, repo_group.group_name),
                         'repo_group': {
                             'repositories': [],
                             'group_name': repo_group.group_name,
                             'group_description': repo_group.group_description,
                             'owner': repo_group.user.username,
                             'group_id': repo_group.group_id,
                             'parent_group': (
                                 repo_group.parent_group.name
                                 if repo_group.parent_group else None)
                         }
                     }
-                    assert_ok(id_, ret, given=response.body)
+                    assert_ok(id_, expected, given=response.body)
                     return initial_name

rhodecode/api/views/repo_group_api.py

0 +105 -102

             # -*- coding: utf-8 -*-
             # Copyright (C) 2011-2016  RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import logging
-            import colander
+            from rhodecode.api import JSONRPCValidationError
+            from rhodecode.api import jsonrpc_method, JSONRPCError
-            from rhodecode.api import jsonrpc_method, JSONRPCError, JSONRPCForbidden
             from rhodecode.api.utils import (
                 has_superadmin_permission, Optional, OAttr, get_user_or_error,
-                store_update, get_repo_group_or_error,
+                get_repo_group_or_error, get_perm_or_error, get_user_group_or_error,
-                get_perm_or_error, get_user_group_or_error, get_origin)
+                get_origin, validate_repo_group_permissions, validate_set_owner_permissions)
             from rhodecode.lib.auth import (
-                HasPermissionAnyApi, HasRepoGroupPermissionAnyApi,
+                HasRepoGroupPermissionAnyApi, HasUserGroupPermissionAnyApi)
-                HasUserGroupPermissionAnyApi)
+            from rhodecode.model.db import Session
-            from rhodecode.model.db import Session, RepoGroup
             from rhodecode.model.repo_group import RepoGroupModel
             from rhodecode.model.scm import RepoGroupList
+            from rhodecode.model import validation_schema
             from rhodecode.model.validation_schema.schemas import repo_group_schema
             log = logging.getLogger(__name__)
             @jsonrpc_method()
             def get_repo_group(request, apiuser, repogroupid):
                 """
                 Return the specified |repo| group, along with permissions,
                 and repositories inside the group
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repogroupid: Specify the name of ID of the repository group.
                 :type repogroupid: str or int
                 Example output:
                 .. code-block:: bash
                     {
                       "error": null,
                       "id": repo-group-id,
                       "result": {
                         "group_description": "repo group description",
                         "group_id": 14,
                         "group_name": "group name",
                         "members": [
                           {
                             "name": "super-admin-username",
                             "origin": "super-admin",
                             "permission": "group.admin",
                             "type": "user"
                           },
                           {
                             "name": "owner-name",
                             "origin": "owner",
                             "permission": "group.admin",
                             "type": "user"
                           },
                           {
                             "name": "user-group-name",
                             "origin": "permission",
                             "permission": "group.write",
                             "type": "user_group"
                           }
                         ],
                         "owner": "owner-name",
                         "parent_group": null,
                         "repositories": [ repo-list ]
                       }
                     }
                 """
                 repo_group = get_repo_group_or_error(repogroupid)
                 if not has_superadmin_permission(apiuser):
                     # check if we have at least read permission for this repo group !
                     _perms = ('group.admin', 'group.write', 'group.read',)
                     if not HasRepoGroupPermissionAnyApi(*_perms)(
                             user=apiuser, group_name=repo_group.group_name):
                         raise JSONRPCError(
                             'repository group `%s` does not exist' % (repogroupid,))
                 permissions = []
                 for _user in repo_group.permissions():
                     user_data = {
                         'name': _user.username,
                         'permission': _user.permission,
                         'origin': get_origin(_user),
                         'type': "user",
                     }
                     permissions.append(user_data)
                 for _user_group in repo_group.permission_user_groups():
                     user_group_data = {
                         'name': _user_group.users_group_name,
                         'permission': _user_group.permission,
                         'origin': get_origin(_user_group),
                         'type': "user_group",
                     }
                     permissions.append(user_group_data)
                 data = repo_group.get_api_data()
                 data["members"] = permissions  # TODO: this should be named permissions
                 return data
             @jsonrpc_method()
             def get_repo_groups(request, apiuser):
                 """
                 Returns all repository groups.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 """
                 result = []
                 _perms = ('group.read', 'group.write', 'group.admin',)
                 extras = {'user': apiuser}
                 for repo_group in RepoGroupList(RepoGroupModel().get_all(),
                                                 perm_set=_perms, extra_kwargs=extras):
                     result.append(repo_group.get_api_data())
                 return result
             @jsonrpc_method()
-            def create_repo_group(request, apiuser, group_name, description=Optional(''),
+            def create_repo_group(
-                                  owner=Optional(OAttr('apiuser')),
+                    request, apiuser, group_name,
-                                  copy_permissions=Optional(False)):
+                    owner=Optional(OAttr('apiuser')),
+                    description=Optional(''),
+                    copy_permissions=Optional(False)):
                 """
                 Creates a repository group.
-                * If the repository group name contains "/", all the required repository
+                * If the repository group name contains "/", repository group will be
-                  groups will be created.
+                  created inside a repository group or nested repository groups
-                  For example "foo/bar/baz" will create |repo| groups "foo" and "bar"
+                  For example "foo/bar/group1" will create repository group called "group1"
-                  (with "foo" as parent). It will also create the "baz" repository
+                  inside group "foo/bar". You have to have permissions to access and
-                  with "bar" as |repo| group.
+                  write to the last repository group ("bar" in this example)
-                This command can only be run using an |authtoken| with admin
+                This command can only be run using an |authtoken| with at least
-                permissions.
+                permissions to create repository groups, or admin permissions to
+                parent repository groups.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param group_name: Set the repository group name.
                 :type group_name: str
                 :param description: Set the |repo| group description.
                 :type description: str
                 :param owner: Set the |repo| group owner.
                 :type owner: str
                 :param copy_permissions:
                 :type copy_permissions:
                 Example output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : {
                       "msg": "Created new repo group `<repo_group_name>`"
                       "repo_group": <repogroup_object>
                   }
                   error :  null
                 Example error output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : null
                   error :  {
                     failed to create repo group `<repogroupid>`
                   }
                 """
-                schema = repo_group_schema.RepoGroupSchema()
+                owner = validate_set_owner_permissions(apiuser, owner)
-                try:
-                    data = schema.deserialize({
-                        'group_name': group_name
-                    })
-                except colander.Invalid as e:
-                    raise JSONRPCError("Validation failed: %s" % (e.asdict(),))
-                group_name = data['group_name']
-                if isinstance(owner, Optional):
+                description = Optional.extract(description)
-                    owner = apiuser.user_id
-                group_description = Optional.extract(description)
                 copy_permissions = Optional.extract(copy_permissions)
-                # get by full name with parents, check if it already exist
+                schema = repo_group_schema.RepoGroupSchema().bind(
-                if RepoGroup.get_by_group_name(group_name):
+                    # user caller
-                    raise JSONRPCError("repo group `%s` already exist" % (group_name,))
+                    user=apiuser)
-                (group_name_cleaned,
-                 parent_group_name) = RepoGroupModel()._get_group_name_and_parent(
-                    group_name)
-                parent_group = None
+                try:
-                if parent_group_name:
+                    schema_data = schema.deserialize(dict(
-                    parent_group = get_repo_group_or_error(parent_group_name)
+                        repo_group_name=group_name,
+                        repo_group_owner=owner.username,
+                        repo_group_description=description,
+                        repo_group_copy_permissions=copy_permissions,
+                    ))
+                except validation_schema.Invalid as err:
+                    raise JSONRPCValidationError(colander_exc=err)
-                if not HasPermissionAnyApi(
+                validated_group_name = schema_data['repo_group_name']
-                        'hg.admin', 'hg.repogroup.create.true')(user=apiuser):
-                    # check if we have admin permission for this parent repo group !
-                    # users without admin or hg.repogroup.create can only create other
-                    # groups in groups they own so this is a required, but can be empty
-                    parent_group = getattr(parent_group, 'group_name', '')
-                    _perms = ('group.admin',)
-                    if not HasRepoGroupPermissionAnyApi(*_perms)(
-                            user=apiuser, group_name=parent_group):
-                        raise JSONRPCForbidden()
                 try:
                     repo_group = RepoGroupModel().create(
-                        group_name=group_name,
-                        group_description=group_description,
                         owner=owner,
-                        copy_permissions=copy_permissions)
+                        group_name=validated_group_name,
+                        group_description=schema_data['repo_group_name'],
+                        copy_permissions=schema_data['repo_group_copy_permissions'])
                     Session().commit()
                     return {
-                        'msg': 'Created new repo group `%s`' % group_name,
+                        'msg': 'Created new repo group `%s`' % validated_group_name,
                         'repo_group': repo_group.get_api_data()
                     }
                 except Exception:
                     log.exception("Exception occurred while trying create repo group")
                     raise JSONRPCError(
-                        'failed to create repo group `%s`' % (group_name,))
+                        'failed to create repo group `%s`' % (validated_group_name,))
             @jsonrpc_method()
             def update_repo_group(
                     request, apiuser, repogroupid, group_name=Optional(''),
                     description=Optional(''), owner=Optional(OAttr('apiuser')),
-                    parent=Optional(None), enable_locking=Optional(False)):
+                    enable_locking=Optional(False)):
                 """
                 Updates repository group with the details given.
                 This command can only be run using an |authtoken| with admin
                 permissions.
+                * If the group_name name contains "/", repository group will be updated
+                  accordingly with a repository group or nested repository groups
+                  For example repogroupid=group-test group_name="foo/bar/group-test"
+                  will update repository group called "group-test" and place it
+                  inside group "foo/bar".
+                  You have to have permissions to access and write to the last repository
+                  group ("bar" in this example)
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repogroupid: Set the ID of repository group.
                 :type repogroupid: str or int
                 :param group_name: Set the name of the |repo| group.
                 :type group_name: str
                 :param description: Set a description for the group.
                 :type description: str
                 :param owner: Set the |repo| group owner.
                 :type owner: str
-                :param parent: Set the |repo| group parent.
-                :type parent: str or int
                 :param enable_locking: Enable |repo| locking. The default is false.
                 :type enable_locking: bool
                 """
                 repo_group = get_repo_group_or_error(repogroupid)
                 if not has_superadmin_permission(apiuser):
-                    # check if we have admin permission for this repo group !
+                    validate_repo_group_permissions(
-                    _perms = ('group.admin',)
+                        apiuser, repogroupid, repo_group, ('group.admin',))
-                    if not HasRepoGroupPermissionAnyApi(*_perms)(
-                            user=apiuser, group_name=repo_group.group_name):
+                updates = dict(
-                        raise JSONRPCError(
+                    group_name=group_name
-                            'repository group `%s` does not exist' % (repogroupid,))
+                    if not isinstance(group_name, Optional) else repo_group.group_name,
+                    group_description=description
+                    if not isinstance(description, Optional) else repo_group.group_description,
+                    user=owner
+                    if not isinstance(owner, Optional) else repo_group.user.username,
+                    enable_locking=enable_locking
+                    if not isinstance(enable_locking, Optional) else repo_group.enable_locking
+                )
-                updates = {}
+                schema = repo_group_schema.RepoGroupSchema().bind(
+                    # user caller
+                    user=apiuser,
+                    old_values=repo_group.get_api_data())
                 try:
-                    store_update(updates, group_name, 'group_name')
+                    schema_data = schema.deserialize(dict(
-                    store_update(updates, description, 'group_description')
+                        repo_group_name=updates['group_name'],
-                    store_update(updates, owner, 'user')
+                        repo_group_owner=updates['user'],
-                    store_update(updates, parent, 'group_parent_id')
+                        repo_group_description=updates['group_description'],
-                    store_update(updates, enable_locking, 'enable_locking')
+                        repo_group_enable_locking=updates['enable_locking'],
-                    repo_group = RepoGroupModel().update(repo_group, updates)
+                    ))
+                except validation_schema.Invalid as err:
+                    raise JSONRPCValidationError(colander_exc=err)
+                validated_updates = dict(
+                    group_name=schema_data['repo_group']['repo_group_name_without_group'],
+                    group_parent_id=schema_data['repo_group']['repo_group_id'],
+                    user=schema_data['repo_group_owner'],
+                    group_description=schema_data['repo_group_description'],
+                    enable_locking=schema_data['repo_group_enable_locking'],
+                )
+                try:
+                    RepoGroupModel().update(repo_group, validated_updates)
                     Session().commit()
                     return {
                         'msg': 'updated repository group ID:%s %s' % (
                             repo_group.group_id, repo_group.group_name),
                         'repo_group': repo_group.get_api_data()
                     }
                 except Exception:
-                    log.exception("Exception occurred while trying update repo group")
+                    log.exception(
+                        u"Exception occurred while trying update repo group %s",
+                        repogroupid)
                     raise JSONRPCError('failed to update repository group `%s`'
                                        % (repogroupid,))
             @jsonrpc_method()
             def delete_repo_group(request, apiuser, repogroupid):
                 """
                 Deletes a |repo| group.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repogroupid: Set the name or ID of repository group to be
                     deleted.
                 :type repogroupid: str or int
                 Example output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : {
                     'msg': 'deleted repo group ID:<repogroupid> <repogroupname>'
                     'repo_group': null
                   }
                   error :  null
                 Example error output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : null
                   error :  {
                     "failed to delete repo group ID:<repogroupid> <repogroupname>"
                   }
                 """
                 repo_group = get_repo_group_or_error(repogroupid)
                 if not has_superadmin_permission(apiuser):
-                    # check if we have admin permission for this repo group !
+                    validate_repo_group_permissions(
-                    _perms = ('group.admin',)
+                        apiuser, repogroupid, repo_group, ('group.admin',))
-                    if not HasRepoGroupPermissionAnyApi(*_perms)(
-                            user=apiuser, group_name=repo_group.group_name):
-                        raise JSONRPCError(
-                            'repository group `%s` does not exist' % (repogroupid,))
                 try:
                     RepoGroupModel().delete(repo_group)
                     Session().commit()
                     return {
                         'msg': 'deleted repo group ID:%s %s' %
                                (repo_group.group_id, repo_group.group_name),
                         'repo_group': None
                     }
                 except Exception:
                     log.exception("Exception occurred while trying to delete repo group")
                     raise JSONRPCError('failed to delete repo group ID:%s %s' %
                                        (repo_group.group_id, repo_group.group_name))
             @jsonrpc_method()
             def grant_user_permission_to_repo_group(
                     request, apiuser, repogroupid, userid, perm,
                     apply_to_children=Optional('none')):
                 """
                 Grant permission for a user on the given repository group, or update
                 existing permissions if found.
                 This command can only be run using an |authtoken| with admin
                 permissions.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repogroupid: Set the name or ID of repository group.
                 :type repogroupid: str or int
                 :param userid: Set the user name.
                 :type userid: str
                 :param perm: (group.(none|read|write|admin))
                 :type perm: str
                 :param apply_to_children: 'none', 'repos', 'groups', 'all'
                 :type apply_to_children: str
                 Example output:
                 .. code-block:: bash
                     id : <id_given_in_input>
                     result: {
                               "msg" : "Granted perm: `<perm>` (recursive:<apply_to_children>) for user: `<username>` in repo group: `<repo_group_name>`",
                               "success": true
                             }
                     error:  null
                 Example error output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : null
                   error :  {
                     "failed to edit permission for user: `<userid>` in repo group: `<repo_group_name>`"
                   }
                 """
                 repo_group = get_repo_group_or_error(repogroupid)
                 if not has_superadmin_permission(apiuser):
-                    # check if we have admin permission for this repo group !
+                    validate_repo_group_permissions(
-                    _perms = ('group.admin',)
+                        apiuser, repogroupid, repo_group, ('group.admin',))
-                    if not HasRepoGroupPermissionAnyApi(*_perms)(
-                            user=apiuser, group_name=repo_group.group_name):
-                        raise JSONRPCError(
-                            'repository group `%s` does not exist' % (repogroupid,))
                 user = get_user_or_error(userid)
                 perm = get_perm_or_error(perm, prefix='group.')
                 apply_to_children = Optional.extract(apply_to_children)
                 perm_additions = [[user.user_id, perm, "user"]]
                 try:
                     RepoGroupModel().update_permissions(repo_group=repo_group,
                                                         perm_additions=perm_additions,
                                                         recursive=apply_to_children,
                                                         cur_user=apiuser)
                     Session().commit()
                     return {
                         'msg': 'Granted perm: `%s` (recursive:%s) for user: '
                                '`%s` in repo group: `%s`' % (
                                    perm.permission_name, apply_to_children, user.username,
                                    repo_group.name
                                ),
                         'success': True
                     }
                 except Exception:
                     log.exception("Exception occurred while trying to grant "
                                   "user permissions to repo group")
                     raise JSONRPCError(
                         'failed to edit permission for user: '
                         '`%s` in repo group: `%s`' % (userid, repo_group.name))
             @jsonrpc_method()
             def revoke_user_permission_from_repo_group(
                     request, apiuser, repogroupid, userid,
                     apply_to_children=Optional('none')):
                 """
                 Revoke permission for a user in a given repository group.
                 This command can only be run using an |authtoken| with admin
                 permissions on the |repo| group.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repogroupid: Set the name or ID of the repository group.
                 :type repogroupid: str or int
                 :param userid: Set the user name to revoke.
                 :type userid: str
                 :param apply_to_children: 'none', 'repos', 'groups', 'all'
                 :type apply_to_children: str
                 Example output:
                 .. code-block:: bash
                     id : <id_given_in_input>
                     result: {
                               "msg" : "Revoked perm (recursive:<apply_to_children>) for user: `<username>` in repo group: `<repo_group_name>`",
                               "success": true
                             }
                     error:  null
                 Example error output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : null
                   error :  {
                     "failed to edit permission for user: `<userid>` in repo group: `<repo_group_name>`"
                   }
                 """
                 repo_group = get_repo_group_or_error(repogroupid)
                 if not has_superadmin_permission(apiuser):
-                    # check if we have admin permission for this repo group !
+                    validate_repo_group_permissions(
-                    _perms = ('group.admin',)
+                        apiuser, repogroupid, repo_group, ('group.admin',))
-                    if not HasRepoGroupPermissionAnyApi(*_perms)(
-                            user=apiuser, group_name=repo_group.group_name):
-                        raise JSONRPCError(
-                            'repository group `%s` does not exist' % (repogroupid,))
                 user = get_user_or_error(userid)
                 apply_to_children = Optional.extract(apply_to_children)
                 perm_deletions = [[user.user_id, None, "user"]]
                 try:
                     RepoGroupModel().update_permissions(repo_group=repo_group,
                                                         perm_deletions=perm_deletions,
                                                         recursive=apply_to_children,
                                                         cur_user=apiuser)
                     Session().commit()
                     return {
                         'msg': 'Revoked perm (recursive:%s) for user: '
                                '`%s` in repo group: `%s`' % (
                                    apply_to_children, user.username, repo_group.name
                                ),
                         'success': True
                     }
                 except Exception:
                     log.exception("Exception occurred while trying revoke user "
                                   "permission from repo group")
                     raise JSONRPCError(
                         'failed to edit permission for user: '
                         '`%s` in repo group: `%s`' % (userid, repo_group.name))
             @jsonrpc_method()
             def grant_user_group_permission_to_repo_group(
                     request, apiuser, repogroupid, usergroupid, perm,
                     apply_to_children=Optional('none'), ):
                 """
                 Grant permission for a user group on given repository group, or update
                 existing permissions if found.
                 This command can only be run using an |authtoken| with admin
                 permissions on the |repo| group.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repogroupid: Set the name or id of repository group
                 :type repogroupid: str or int
                 :param usergroupid: id of usergroup
                 :type usergroupid: str or int
                 :param perm: (group.(none|read|write|admin))
                 :type perm: str
                 :param apply_to_children: 'none', 'repos', 'groups', 'all'
                 :type apply_to_children: str
                 Example output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : {
                     "msg" : "Granted perm: `<perm>` (recursive:<apply_to_children>) for user group: `<usersgroupname>` in repo group: `<repo_group_name>`",
                     "success": true
                   }
                   error :  null
                 Example error output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : null
                   error :  {
                     "failed to edit permission for user group: `<usergroup>` in repo group: `<repo_group_name>`"
                   }
                 """
                 repo_group = get_repo_group_or_error(repogroupid)
                 perm = get_perm_or_error(perm, prefix='group.')
                 user_group = get_user_group_or_error(usergroupid)
                 if not has_superadmin_permission(apiuser):
-                    # check if we have admin permission for this repo group !
+                    validate_repo_group_permissions(
-                    _perms = ('group.admin',)
+                        apiuser, repogroupid, repo_group, ('group.admin',))
-                    if not HasRepoGroupPermissionAnyApi(*_perms)(
-                            user=apiuser, group_name=repo_group.group_name):
-                        raise JSONRPCError(
-                            'repository group `%s` does not exist' % (repogroupid,))
                     # check if we have at least read permission for this user group !
                     _perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin',)
                     if not HasUserGroupPermissionAnyApi(*_perms)(
                             user=apiuser, user_group_name=user_group.users_group_name):
                         raise JSONRPCError(
                             'user group `%s` does not exist' % (usergroupid,))
                 apply_to_children = Optional.extract(apply_to_children)
                 perm_additions = [[user_group.users_group_id, perm, "user_group"]]
                 try:
                     RepoGroupModel().update_permissions(repo_group=repo_group,
                                                         perm_additions=perm_additions,
                                                         recursive=apply_to_children,
                                                         cur_user=apiuser)
                     Session().commit()
                     return {
                         'msg': 'Granted perm: `%s` (recursive:%s) '
                                'for user group: `%s` in repo group: `%s`' % (
                                    perm.permission_name, apply_to_children,
                                    user_group.users_group_name, repo_group.name
                                ),
                         'success': True
                     }
                 except Exception:
                     log.exception("Exception occurred while trying to grant user "
                                   "group permissions to repo group")
                     raise JSONRPCError(
                         'failed to edit permission for user group: `%s` in '
                         'repo group: `%s`' % (
                             usergroupid, repo_group.name
                         )
                     )
             @jsonrpc_method()
             def revoke_user_group_permission_from_repo_group(
                     request, apiuser, repogroupid, usergroupid,
                     apply_to_children=Optional('none')):
                 """
                 Revoke permission for user group on given repository.
                 This command can only be run using an |authtoken| with admin
                 permissions on the |repo| group.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repogroupid: name or id of repository group
                 :type repogroupid: str or int
                 :param usergroupid:
                 :param apply_to_children: 'none', 'repos', 'groups', 'all'
                 :type apply_to_children: str
                 Example output:
                 .. code-block:: bash
                     id : <id_given_in_input>
                     result: {
                               "msg" : "Revoked perm (recursive:<apply_to_children>) for user group: `<usersgroupname>` in repo group: `<repo_group_name>`",
                               "success": true
                             }
                     error:  null
                 Example error output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : null
                   error :  {
                     "failed to edit permission for user group: `<usergroup>` in repo group: `<repo_group_name>`"
                   }
                 """
                 repo_group = get_repo_group_or_error(repogroupid)
                 user_group = get_user_group_or_error(usergroupid)
                 if not has_superadmin_permission(apiuser):
-                    # check if we have admin permission for this repo group !
+                    validate_repo_group_permissions(
-                    _perms = ('group.admin',)
+                        apiuser, repogroupid, repo_group, ('group.admin',))
-                    if not HasRepoGroupPermissionAnyApi(*_perms)(
-                            user=apiuser, group_name=repo_group.group_name):
-                        raise JSONRPCError(
-                            'repository group `%s` does not exist' % (repogroupid,))
                     # check if we have at least read permission for this user group !
                     _perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin',)
                     if not HasUserGroupPermissionAnyApi(*_perms)(
                             user=apiuser, user_group_name=user_group.users_group_name):
                         raise JSONRPCError(
                             'user group `%s` does not exist' % (usergroupid,))
                 apply_to_children = Optional.extract(apply_to_children)
                 perm_deletions = [[user_group.users_group_id, None, "user_group"]]
                 try:
                     RepoGroupModel().update_permissions(repo_group=repo_group,
                                                         perm_deletions=perm_deletions,
                                                         recursive=apply_to_children,
                                                         cur_user=apiuser)
                     Session().commit()
                     return {
                         'msg': 'Revoked perm (recursive:%s) for user group: '
                                '`%s` in repo group: `%s`' % (
                                    apply_to_children, user_group.users_group_name,
                                    repo_group.name
                                ),
                         'success': True
                     }
                 except Exception:
                     log.exception("Exception occurred while trying revoke user group "
                                   "permissions from repo group")
                     raise JSONRPCError(
                         'failed to edit permission for user group: '
                         '`%s` in repo group: `%s`' % (
                             user_group.users_group_name, repo_group.name
                         )
                     )

rhodecode/model/validation_schema/schemas/repo_group_schema.py

0 +213 -2

@@ -1,29 +1,240 b''
1	# -- coding: utf-8 --	1	# -- coding: utf-8 --
2		2
3	# Copyright (C) 2016-2016 RhodeCode GmbH	3	# Copyright (C) 2016-2016 RhodeCode GmbH
4	#	4	#
5	# This program is free software: you can redistribute it and/or modify	5	# This program is free software: you can redistribute it and/or modify
6	# it under the terms of the GNU Affero General Public License, version 3	6	# it under the terms of the GNU Affero General Public License, version 3
7	# (only), as published by the Free Software Foundation.	7	# (only), as published by the Free Software Foundation.
8	#	8	#
9	# This program is distributed in the hope that it will be useful,	9	# This program is distributed in the hope that it will be useful,
10	# but WITHOUT ANY WARRANTY; without even the implied warranty of	10	# but WITHOUT ANY WARRANTY; without even the implied warranty of
11	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the	11	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12	# GNU General Public License for more details.	12	# GNU General Public License for more details.
13	#	13	#
14	# You should have received a copy of the GNU Affero General Public License	14	# You should have received a copy of the GNU Affero General Public License
15	# along with this program. If not, see <http://www.gnu.org/licenses/>.	15	# along with this program. If not, see <http://www.gnu.org/licenses/>.
16	#	16	#
17	# This program is dual-licensed. If you wish to learn more about the	17	# This program is dual-licensed. If you wish to learn more about the
18	# RhodeCode Enterprise Edition, including its added features, Support services,	18	# RhodeCode Enterprise Edition, including its added features, Support services,
19	# and proprietary license terms, please see https://rhodecode.com/licenses/	19	# and proprietary license terms, please see https://rhodecode.com/licenses/
20		20
21		21
22	import colander	22	import colander
23		23
24		24	from rhodecode.translation import _
25	from rhodecode.model.validation_schema import validators, preparers, types	25	from rhodecode.model.validation_schema import validators, preparers, types
26		26
27		27
		28	def get_group_and_repo(repo_name):
		29	from rhodecode.model.repo_group import RepoGroupModel
		30	return RepoGroupModel()._get_group_name_and_parent(
		31	repo_name, get_object=True)
		32
		33
		34	@colander.deferred
		35	def deferred_can_write_to_group_validator(node, kw):
		36	old_values = kw.get('old_values') or {}
		37	request_user = kw.get('user')
		38
		39	def can_write_group_validator(node, value):
		40	from rhodecode.lib.auth import (
		41	HasPermissionAny, HasRepoGroupPermissionAny)
		42	from rhodecode.model.repo_group import RepoGroupModel
		43
		44	messages = {
		45	'invalid_parent_repo_group':
		46	_(u"Parent repository group `{}` does not exist"),
		47	# permissions denied we expose as not existing, to prevent
		48	# resource discovery
		49	'permission_denied_parent_group':
		50	_(u"Parent repository group `{}` does not exist"),
		51	'permission_denied_root':
		52	_(u"You do not have the permission to store "
		53	u"repository groups in the root location.")
		54	}
		55
		56	value = value['repo_group_name']
		57	parent_group_name = value
		58
		59	is_root_location = value is types.RootLocation
		60
		61	# NOT initialized validators, we must call them
		62	can_create_repo_groups_at_root = HasPermissionAny(
		63	'hg.admin', 'hg.repogroup.create.true')
		64
		65	if is_root_location:
		66	if can_create_repo_groups_at_root(user=request_user):
		67	# we can create repo group inside tool-level. No more checks
		68	# are required
		69	return
		70	else:
		71	raise colander.Invalid(node, messages['permission_denied_root'])
		72
		73	# check if the parent repo group actually exists
		74	parent_group = None
		75	if parent_group_name:
		76	parent_group = RepoGroupModel().get_by_group_name(parent_group_name)
		77	if value and not parent_group:
		78	raise colander.Invalid(
		79	node, messages['invalid_parent_repo_group'].format(
		80	parent_group_name))
		81
		82	# check if we have permissions to create new groups under
		83	# parent repo group
		84	# create repositories with write permission on group is set to true
		85	create_on_write = HasPermissionAny(
		86	'hg.create.write_on_repogroup.true')(user=request_user)
		87
		88	group_admin = HasRepoGroupPermissionAny('group.admin')(
		89	parent_group_name, 'can write into group validator', user=request_user)
		90	group_write = HasRepoGroupPermissionAny('group.write')(
		91	parent_group_name, 'can write into group validator', user=request_user)
		92
		93	# creation by write access is currently disabled. Needs thinking if
		94	# we want to allow this...
		95	forbidden = not (group_admin or (group_write and create_on_write and 0))
		96
		97	if parent_group and forbidden:
		98	msg = messages['permission_denied_parent_group'].format(
		99	parent_group_name)
		100	raise colander.Invalid(node, msg)
		101
		102	return can_write_group_validator
		103
		104
		105	@colander.deferred
		106	def deferred_repo_group_owner_validator(node, kw):
		107
		108	def repo_owner_validator(node, value):
		109	from rhodecode.model.db import User
		110	existing = User.get_by_username(value)
		111	if not existing:
		112	msg = _(u'Repo group owner with id `{}` does not exists').format(
		113	value)
		114	raise colander.Invalid(node, msg)
		115
		116	return repo_owner_validator
		117
		118
		119	@colander.deferred
		120	def deferred_unique_name_validator(node, kw):
		121	request_user = kw.get('user')
		122	old_values = kw.get('old_values') or {}
		123
		124	def unique_name_validator(node, value):
		125	from rhodecode.model.db import Repository, RepoGroup
		126	name_changed = value != old_values.get('group_name')
		127
		128	existing = Repository.get_by_repo_name(value)
		129	if name_changed and existing:
		130	msg = _(u'Repository with name `{}` already exists').format(value)
		131	raise colander.Invalid(node, msg)
		132
		133	existing_group = RepoGroup.get_by_group_name(value)
		134	if name_changed and existing_group:
		135	msg = _(u'Repository group with name `{}` already exists').format(
		136	value)
		137	raise colander.Invalid(node, msg)
		138	return unique_name_validator
		139
		140
		141	@colander.deferred
		142	def deferred_repo_group_name_validator(node, kw):
		143	return validators.valid_name_validator
		144
		145
		146	class GroupType(colander.Mapping):
		147	def _validate(self, node, value):
		148	try:
		149	return dict(repo_group_name=value)
		150	except Exception as e:
		151	raise colander.Invalid(
		152	node, '"${val}" is not a mapping type: ${err}'.format(
		153	val=value, err=e))
		154
		155	def deserialize(self, node, cstruct):
		156	if cstruct is colander.null:
		157	return cstruct
		158
		159	appstruct = super(GroupType, self).deserialize(node, cstruct)
		160	validated_name = appstruct['repo_group_name']
		161
		162	# inject group based on once deserialized data
		163	(repo_group_name_without_group,
		164	parent_group_name,
		165	parent_group) = get_group_and_repo(validated_name)
		166
		167	appstruct['repo_group_name_without_group'] = repo_group_name_without_group
		168	appstruct['repo_group_name'] = parent_group_name or types.RootLocation
		169	if parent_group:
		170	appstruct['repo_group_id'] = parent_group.group_id
		171
		172	return appstruct
		173
		174
		175	class GroupSchema(colander.SchemaNode):
		176	schema_type = GroupType
		177	validator = deferred_can_write_to_group_validator
		178	missing = colander.null
		179
		180
		181	class RepoGroup(GroupSchema):
		182	repo_group_name = colander.SchemaNode(
		183	types.GroupNameType())
		184	repo_group_id = colander.SchemaNode(
		185	colander.String(), missing=None)
		186	repo_group_name_without_group = colander.SchemaNode(
		187	colander.String(), missing=None)
		188
		189
		190	class RepoGroupAccessSchema(colander.MappingSchema):
		191	repo_group = RepoGroup()
		192
		193
		194	class RepoGroupNameUniqueSchema(colander.MappingSchema):
		195	unique_repo_group_name = colander.SchemaNode(
		196	colander.String(),
		197	validator=deferred_unique_name_validator)
		198
		199
28	class RepoGroupSchema(colander.Schema):	200	class RepoGroupSchema(colander.Schema):
29	group_name = colander.SchemaNode(types.GroupNameType())	201
		202	repo_group_name = colander.SchemaNode(
		203	types.GroupNameType(),
		204	validator=deferred_repo_group_name_validator)
		205
		206	repo_group_owner = colander.SchemaNode(
		207	colander.String(),
		208	validator=deferred_repo_group_owner_validator)
		209
		210	repo_group_description = colander.SchemaNode(
		211	colander.String(), missing='')
		212
		213	repo_group_copy_permissions = colander.SchemaNode(
		214	types.StringBooleanType(),
		215	missing=False)
		216
		217	repo_group_enable_locking = colander.SchemaNode(
		218	types.StringBooleanType(),
		219	missing=False)
		220
		221	def deserialize(self, cstruct):
		222	"""
		223	Custom deserialize that allows to chain validation, and verify
		224	permissions, and as last step uniqueness
		225	"""
		226
		227	appstruct = super(RepoGroupSchema, self).deserialize(cstruct)
		228	validated_name = appstruct['repo_group_name']
		229
		230	# second pass to validate permissions to repo_group
		231	second = RepoGroupAccessSchema().bind(**self.bindings)
		232	appstruct_second = second.deserialize({'repo_group': validated_name})
		233	# save result
		234	appstruct['repo_group'] = appstruct_second['repo_group']
		235
		236	# thirds to validate uniqueness
		237	third = RepoGroupNameUniqueSchema().bind(**self.bindings)
		238	third.deserialize({'unique_repo_group_name': validated_name})
		239
		240	return appstruct

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages