u/ewong/rhodecode-enterprise-ce-fork Commit - r1829:ff4add41

audit-logs: implemented full audit logs across application....

marcink -

r1829:ff4add41 default

parent child

rhodecode/api/views/repo_api.py

0 +15 -7

             # -*- coding: utf-8 -*-
             # Copyright (C) 2011-2017 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import logging
             import time
             import rhodecode
             from rhodecode.api import (
                 jsonrpc_method, JSONRPCError, JSONRPCForbidden, JSONRPCValidationError)
             from rhodecode.api.utils import (
                 has_superadmin_permission, Optional, OAttr, get_repo_or_error,
                 get_user_group_or_error, get_user_or_error, validate_repo_permissions,
                 get_perm_or_error, parse_args, get_origin, build_commit_data,
                 validate_set_owner_permissions)
             from rhodecode.lib import audit_logger
             from rhodecode.lib import repo_maintenance
             from rhodecode.lib.auth import HasPermissionAnyApi, HasUserGroupPermissionAnyApi
             from rhodecode.lib.utils2 import str2bool, time_to_datetime
             from rhodecode.lib.ext_json import json
             from rhodecode.lib.exceptions import StatusChangeOnClosedPullRequestError
             from rhodecode.model.changeset_status import ChangesetStatusModel
             from rhodecode.model.comment import CommentsModel
             from rhodecode.model.db import (
                 Session, ChangesetStatus, RepositoryField, Repository, RepoGroup,
                 ChangesetComment)
             from rhodecode.model.repo import RepoModel
             from rhodecode.model.scm import ScmModel, RepoList
             from rhodecode.model.settings import SettingsModel, VcsSettingsModel
             from rhodecode.model import validation_schema
             from rhodecode.model.validation_schema.schemas import repo_schema
             log = logging.getLogger(__name__)
             @jsonrpc_method()
             def get_repo(request, apiuser, repoid, cache=Optional(True)):
                 """
                 Gets an existing repository by its name or repository_id.
                 The members section so the output returns users groups or users
                 associated with that repository.
                 This command can only be run using an |authtoken| with admin rights,
                 or users with at least read rights to the |repo|.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repoid: The repository name or repository id.
                 :type repoid: str or int
                 :param cache: use the cached value for last changeset
                 :type: cache: Optional(bool)
                 Example output:
                 .. code-block:: bash
                     {
                       "error": null,
                       "id": <repo_id>,
                       "result": {
                         "clone_uri": null,
                         "created_on": "timestamp",
                         "description": "repo description",
                         "enable_downloads": false,
                         "enable_locking": false,
                         "enable_statistics": false,
                         "followers": [
                           {
                             "active": true,
                             "admin": false,
                             "api_key": "****************************************",
                             "api_keys": [
                               "****************************************"
                             ],
                             "email": "user@example.com",
                             "emails": [
                               "user@example.com"
                             ],
                             "extern_name": "rhodecode",
                             "extern_type": "rhodecode",
                             "firstname": "username",
                             "ip_addresses": [],
                             "language": null,
                             "last_login": "2015-09-16T17:16:35.854",
                             "lastname": "surname",
                             "user_id": <user_id>,
                             "username": "name"
                           }
                         ],
                         "fork_of": "parent-repo",
                         "landing_rev": [
                           "rev",
                           "tip"
                         ],
                         "last_changeset": {
                           "author": "User <user@example.com>",
                           "branch": "default",
                           "date": "timestamp",
                           "message": "last commit message",
                           "parents": [
                             {
                               "raw_id": "commit-id"
                             }
                           ],
                           "raw_id": "commit-id",
                           "revision": <revision number>,
                           "short_id": "short id"
                         },
                         "lock_reason": null,
                         "locked_by": null,
                         "locked_date": null,
                         "members": [
                           {
                             "name": "super-admin-name",
                             "origin": "super-admin",
                             "permission": "repository.admin",
                             "type": "user"
                           },
                           {
                             "name": "owner-name",
                             "origin": "owner",
                             "permission": "repository.admin",
                             "type": "user"
                           },
                           {
                             "name": "user-group-name",
                             "origin": "permission",
                             "permission": "repository.write",
                             "type": "user_group"
                           }
                         ],
                         "owner": "owner-name",
                         "permissions": [
                           {
                             "name": "super-admin-name",
                             "origin": "super-admin",
                             "permission": "repository.admin",
                             "type": "user"
                           },
                           {
                             "name": "owner-name",
                             "origin": "owner",
                             "permission": "repository.admin",
                             "type": "user"
                           },
                           {
                             "name": "user-group-name",
                             "origin": "permission",
                             "permission": "repository.write",
                             "type": "user_group"
                           }
                         ],
                         "private": true,
                         "repo_id": 676,
                         "repo_name": "user-group/repo-name",
                         "repo_type": "hg"
                       }
                     }
                 """
                 repo = get_repo_or_error(repoid)
                 cache = Optional.extract(cache)
                 include_secrets = False
                 if has_superadmin_permission(apiuser):
                     include_secrets = True
                 else:
                     # check if we have at least read permission for this repo !
                     _perms = (
                         'repository.admin', 'repository.write', 'repository.read',)
                     validate_repo_permissions(apiuser, repoid, repo, _perms)
                 permissions = []
                 for _user in repo.permissions():
                     user_data = {
                         'name': _user.username,
                         'permission': _user.permission,
                         'origin': get_origin(_user),
                         'type': "user",
                     }
                     permissions.append(user_data)
                 for _user_group in repo.permission_user_groups():
                     user_group_data = {
                         'name': _user_group.users_group_name,
                         'permission': _user_group.permission,
                         'origin': get_origin(_user_group),
                         'type': "user_group",
                     }
                     permissions.append(user_group_data)
                 following_users = [
                     user.user.get_api_data(include_secrets=include_secrets)
                     for user in repo.followers]
                 if not cache:
                     repo.update_commit_cache()
                 data = repo.get_api_data(include_secrets=include_secrets)
                 data['members'] = permissions  # TODO: this should be deprecated soon
                 data['permissions'] = permissions
                 data['followers'] = following_users
                 return data
             @jsonrpc_method()
             def get_repos(request, apiuser, root=Optional(None), traverse=Optional(True)):
                 """
                 Lists all existing repositories.
                 This command can only be run using an |authtoken| with admin rights,
                 or users with at least read rights to |repos|.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param root: specify root repository group to fetch repositories.
                     filters the returned repositories to be members of given root group.
                 :type root: Optional(None)
                 :param traverse: traverse given root into subrepositories. With this flag
                     set to False, it will only return top-level repositories from `root`.
                     if root is empty it will return just top-level repositories.
                 :type traverse: Optional(True)
                 Example output:
                 .. code-block:: bash
                     id : <id_given_in_input>
                     result: [
                               {
                                 "repo_id" :          "<repo_id>",
                                 "repo_name" :        "<reponame>"
                                 "repo_type" :        "<repo_type>",
                                 "clone_uri" :        "<clone_uri>",
                                 "private": :         "<bool>",
                                 "created_on" :       "<datetimecreated>",
                                 "description" :      "<description>",
                                 "landing_rev":       "<landing_rev>",
                                 "owner":             "<repo_owner>",
                                 "fork_of":           "<name_of_fork_parent>",
                                 "enable_downloads":  "<bool>",
                                 "enable_locking":    "<bool>",
                                 "enable_statistics": "<bool>",
                               },
                               ...
                             ]
                     error:  null
                 """
                 include_secrets = has_superadmin_permission(apiuser)
                 _perms = ('repository.read', 'repository.write', 'repository.admin',)
                 extras = {'user': apiuser}
                 root = Optional.extract(root)
                 traverse = Optional.extract(traverse, binary=True)
                 if root:
                     # verify parent existance, if it's empty return an error
                     parent = RepoGroup.get_by_group_name(root)
                     if not parent:
                         raise JSONRPCError(
                             'Root repository group `{}` does not exist'.format(root))
                     if traverse:
                         repos = RepoModel().get_repos_for_root(root=root, traverse=traverse)
                     else:
                         repos = RepoModel().get_repos_for_root(root=parent)
                 else:
                     if traverse:
                         repos = RepoModel().get_all()
                     else:
                         # return just top-level
                         repos = RepoModel().get_repos_for_root(root=None)
                 repo_list = RepoList(repos, perm_set=_perms, extra_kwargs=extras)
                 return [repo.get_api_data(include_secrets=include_secrets)
                         for repo in repo_list]
             @jsonrpc_method()
             def get_repo_changeset(request, apiuser, repoid, revision,
                                    details=Optional('basic')):
                 """
                 Returns information about a changeset.
                 Additionally parameters define the amount of details returned by
                 this function.
                 This command can only be run using an |authtoken| with admin rights,
                 or users with at least read rights to the |repo|.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repoid: The repository name or repository id
                 :type repoid: str or int
                 :param revision: revision for which listing should be done
                 :type revision: str
                 :param details: details can be 'basic|extended|full' full gives diff
                     info details like the diff itself, and number of changed files etc.
                 :type details: Optional(str)
                 """
                 repo = get_repo_or_error(repoid)
                 if not has_superadmin_permission(apiuser):
                     _perms = (
                         'repository.admin', 'repository.write', 'repository.read',)
                     validate_repo_permissions(apiuser, repoid, repo, _perms)
                 changes_details = Optional.extract(details)
                 _changes_details_types = ['basic', 'extended', 'full']
                 if changes_details not in _changes_details_types:
                     raise JSONRPCError(
                         'ret_type must be one of %s' % (
                             ','.join(_changes_details_types)))
                 pre_load = ['author', 'branch', 'date', 'message', 'parents',
                             'status', '_commit', '_file_paths']
                 try:
                     cs = repo.get_commit(commit_id=revision, pre_load=pre_load)
                 except TypeError as e:
                     raise JSONRPCError(e.message)
                 _cs_json = cs.__json__()
                 _cs_json['diff'] = build_commit_data(cs, changes_details)
                 if changes_details == 'full':
                     _cs_json['refs'] = {
                         'branches': [cs.branch],
                         'bookmarks': getattr(cs, 'bookmarks', []),
                         'tags': cs.tags
                     }
                 return _cs_json
             @jsonrpc_method()
             def get_repo_changesets(request, apiuser, repoid, start_rev, limit,
                                     details=Optional('basic')):
                 """
                 Returns a set of commits limited by the number starting
                 from the `start_rev` option.
                 Additional parameters define the amount of details returned by this
                 function.
                 This command can only be run using an |authtoken| with admin rights,
                 or users with at least read rights to |repos|.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repoid: The repository name or repository ID.
                 :type repoid: str or int
                 :param start_rev: The starting revision from where to get changesets.
                 :type start_rev: str
                 :param limit: Limit the number of commits to this amount
                 :type limit: str or int
                 :param details: Set the level of detail returned. Valid option are:
                     ``basic``, ``extended`` and ``full``.
                 :type details: Optional(str)
                 .. note::
                    Setting the parameter `details` to the value ``full`` is extensive
                    and returns details like the diff itself, and the number
                    of changed files.
                 """
                 repo = get_repo_or_error(repoid)
                 if not has_superadmin_permission(apiuser):
                     _perms = (
                         'repository.admin', 'repository.write', 'repository.read',)
                     validate_repo_permissions(apiuser, repoid, repo, _perms)
                 changes_details = Optional.extract(details)
                 _changes_details_types = ['basic', 'extended', 'full']
                 if changes_details not in _changes_details_types:
                     raise JSONRPCError(
                         'ret_type must be one of %s' % (
                             ','.join(_changes_details_types)))
                 limit = int(limit)
                 pre_load = ['author', 'branch', 'date', 'message', 'parents',
                             'status', '_commit', '_file_paths']
                 vcs_repo = repo.scm_instance()
                 # SVN needs a special case to distinguish its index and commit id
                 if vcs_repo and vcs_repo.alias == 'svn' and (start_rev == '0'):
                     start_rev = vcs_repo.commit_ids[0]
                 try:
                     commits = vcs_repo.get_commits(
                         start_id=start_rev, pre_load=pre_load)
                 except TypeError as e:
                     raise JSONRPCError(e.message)
                 except Exception:
                     log.exception('Fetching of commits failed')
                     raise JSONRPCError('Error occurred during commit fetching')
                 ret = []
                 for cnt, commit in enumerate(commits):
                     if cnt >= limit != -1:
                         break
                     _cs_json = commit.__json__()
                     _cs_json['diff'] = build_commit_data(commit, changes_details)
                     if changes_details == 'full':
                         _cs_json['refs'] = {
                             'branches': [commit.branch],
                             'bookmarks': getattr(commit, 'bookmarks', []),
                             'tags': commit.tags
                         }
                     ret.append(_cs_json)
                 return ret
             @jsonrpc_method()
             def get_repo_nodes(request, apiuser, repoid, revision, root_path,
                                ret_type=Optional('all'), details=Optional('basic'),
                                max_file_bytes=Optional(None)):
                 """
                 Returns a list of nodes and children in a flat list for a given
                 path at given revision.
                 It's possible to specify ret_type to show only `files` or `dirs`.
                 This command can only be run using an |authtoken| with admin rights,
                 or users with at least read rights to |repos|.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repoid: The repository name or repository ID.
                 :type repoid: str or int
                 :param revision: The revision for which listing should be done.
                 :type revision: str
                 :param root_path: The path from which to start displaying.
                 :type root_path: str
                 :param ret_type: Set the return type. Valid options are
                     ``all`` (default), ``files`` and ``dirs``.
                 :type ret_type: Optional(str)
                 :param details: Returns extended information about nodes, such as
                     md5, binary, and or content.  The valid options are ``basic`` and
                     ``full``.
                 :type details: Optional(str)
                 :param max_file_bytes: Only return file content under this file size bytes
                 :type details: Optional(int)
                 Example output:
                 .. code-block:: bash
                     id : <id_given_in_input>
                     result: [
                               {
                                 "name" : "<name>"
                                 "type" : "<type>",
                                 "binary": "<true|false>" (only in extended mode)
                                 "md5"  : "<md5 of file content>" (only in extended mode)
                               },
                               ...
                             ]
                     error:  null
                 """
                 repo = get_repo_or_error(repoid)
                 if not has_superadmin_permission(apiuser):
                     _perms = (
                         'repository.admin', 'repository.write', 'repository.read',)
                     validate_repo_permissions(apiuser, repoid, repo, _perms)
                 ret_type = Optional.extract(ret_type)
                 details = Optional.extract(details)
                 _extended_types = ['basic', 'full']
                 if details not in _extended_types:
                     raise JSONRPCError(
                         'ret_type must be one of %s' % (','.join(_extended_types)))
                 extended_info = False
                 content = False
                 if details == 'basic':
                     extended_info = True
                 if details == 'full':
                     extended_info = content = True
                 _map = {}
                 try:
                     # check if repo is not empty by any chance, skip quicker if it is.
                     _scm = repo.scm_instance()
                     if _scm.is_empty():
                         return []
                     _d, _f = ScmModel().get_nodes(
                         repo, revision, root_path, flat=False,
                         extended_info=extended_info, content=content,
                         max_file_bytes=max_file_bytes)
                     _map = {
                         'all': _d + _f,
                         'files': _f,
                         'dirs': _d,
                     }
                     return _map[ret_type]
                 except KeyError:
                     raise JSONRPCError(
                         'ret_type must be one of %s' % (','.join(sorted(_map.keys()))))
                 except Exception:
                     log.exception("Exception occurred while trying to get repo nodes")
                     raise JSONRPCError(
                         'failed to get repo: `%s` nodes' % repo.repo_name
                     )
             @jsonrpc_method()
             def get_repo_refs(request, apiuser, repoid):
                 """
                 Returns a dictionary of current references. It returns
                 bookmarks, branches, closed_branches, and tags for given repository
                 It's possible to specify ret_type to show only `files` or `dirs`.
                 This command can only be run using an |authtoken| with admin rights,
                 or users with at least read rights to |repos|.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repoid: The repository name or repository ID.
                 :type repoid: str or int
                 Example output:
                 .. code-block:: bash
                     id : <id_given_in_input>
                     "result": {
                         "bookmarks": {
                           "dev": "5611d30200f4040ba2ab4f3d64e5b06408a02188",
                           "master": "367f590445081d8ec8c2ea0456e73ae1f1c3d6cf"
                         },
                         "branches": {
                           "default": "5611d30200f4040ba2ab4f3d64e5b06408a02188",
                           "stable": "367f590445081d8ec8c2ea0456e73ae1f1c3d6cf"
                         },
                         "branches_closed": {},
                         "tags": {
                           "tip": "5611d30200f4040ba2ab4f3d64e5b06408a02188",
                           "v4.4.0": "1232313f9e6adac5ce5399c2a891dc1e72b79022",
                           "v4.4.1": "cbb9f1d329ae5768379cdec55a62ebdd546c4e27",
                           "v4.4.2": "24ffe44a27fcd1c5b6936144e176b9f6dd2f3a17",
                         }
                     }
                     error:  null
                 """
                 repo = get_repo_or_error(repoid)
                 if not has_superadmin_permission(apiuser):
                     _perms = ('repository.admin', 'repository.write', 'repository.read',)
                     validate_repo_permissions(apiuser, repoid, repo, _perms)
                 try:
                     # check if repo is not empty by any chance, skip quicker if it is.
                     vcs_instance = repo.scm_instance()
                     refs = vcs_instance.refs()
                     return refs
                 except Exception:
                     log.exception("Exception occurred while trying to get repo refs")
                     raise JSONRPCError(
                         'failed to get repo: `%s` references' % repo.repo_name
                     )
             @jsonrpc_method()
             def create_repo(
                     request, apiuser, repo_name, repo_type,
                     owner=Optional(OAttr('apiuser')),
                     description=Optional(''),
                     private=Optional(False),
                     clone_uri=Optional(None),
                     landing_rev=Optional('rev:tip'),
                     enable_statistics=Optional(False),
                     enable_locking=Optional(False),
                     enable_downloads=Optional(False),
                     copy_permissions=Optional(False)):
                 """
                 Creates a repository.
                 * If the repository name contains "/", repository will be created inside
                   a repository group or nested repository groups
                   For example "foo/bar/repo1" will create |repo| called "repo1" inside
                   group "foo/bar". You have to have permissions to access and write to
                   the last repository group ("bar" in this example)
                 This command can only be run using an |authtoken| with at least
                 permissions to create repositories, or write permissions to
                 parent repository groups.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repo_name: Set the repository name.
                 :type repo_name: str
                 :param repo_type: Set the repository type; 'hg','git', or 'svn'.
                 :type repo_type: str
                 :param owner: user_id or username
                 :type owner: Optional(str)
                 :param description: Set the repository description.
                 :type description: Optional(str)
                 :param private: set repository as private
                 :type private: bool
                 :param clone_uri: set clone_uri
                 :type clone_uri: str
                 :param landing_rev: <rev_type>:<rev>
                 :type landing_rev: str
                 :param enable_locking:
                 :type enable_locking: bool
                 :param enable_downloads:
                 :type enable_downloads: bool
                 :param enable_statistics:
                 :type enable_statistics: bool
                 :param copy_permissions: Copy permission from group in which the
                     repository is being created.
                 :type copy_permissions: bool
                 Example output:
                 .. code-block:: bash
                     id : <id_given_in_input>
                     result: {
                               "msg": "Created new repository `<reponame>`",
                               "success": true,
                               "task": "<celery task id or None if done sync>"
                             }
                     error:  null
                 Example error output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : null
                   error :  {
                      'failed to create repository `<repo_name>`'
                   }
                 """
                 owner = validate_set_owner_permissions(apiuser, owner)
                 description = Optional.extract(description)
                 copy_permissions = Optional.extract(copy_permissions)
                 clone_uri = Optional.extract(clone_uri)
                 landing_commit_ref = Optional.extract(landing_rev)
                 defs = SettingsModel().get_default_repo_settings(strip_prefix=True)
                 if isinstance(private, Optional):
                     private = defs.get('repo_private') or Optional.extract(private)
                 if isinstance(repo_type, Optional):
                     repo_type = defs.get('repo_type')
                 if isinstance(enable_statistics, Optional):
                     enable_statistics = defs.get('repo_enable_statistics')
                 if isinstance(enable_locking, Optional):
                     enable_locking = defs.get('repo_enable_locking')
                 if isinstance(enable_downloads, Optional):
                     enable_downloads = defs.get('repo_enable_downloads')
                 schema = repo_schema.RepoSchema().bind(
                     repo_type_options=rhodecode.BACKENDS.keys(),
                     # user caller
                     user=apiuser)
                 try:
                     schema_data = schema.deserialize(dict(
                         repo_name=repo_name,
                         repo_type=repo_type,
                         repo_owner=owner.username,
                         repo_description=description,
                         repo_landing_commit_ref=landing_commit_ref,
                         repo_clone_uri=clone_uri,
                         repo_private=private,
                         repo_copy_permissions=copy_permissions,
                         repo_enable_statistics=enable_statistics,
                         repo_enable_downloads=enable_downloads,
                         repo_enable_locking=enable_locking))
                 except validation_schema.Invalid as err:
                     raise JSONRPCValidationError(colander_exc=err)
                 try:
                     data = {
                         'owner': owner,
                         'repo_name': schema_data['repo_group']['repo_name_without_group'],
                         'repo_name_full': schema_data['repo_name'],
                         'repo_group': schema_data['repo_group']['repo_group_id'],
                         'repo_type': schema_data['repo_type'],
                         'repo_description': schema_data['repo_description'],
                         'repo_private': schema_data['repo_private'],
                         'clone_uri': schema_data['repo_clone_uri'],
                         'repo_landing_rev': schema_data['repo_landing_commit_ref'],
                         'enable_statistics': schema_data['repo_enable_statistics'],
                         'enable_locking': schema_data['repo_enable_locking'],
                         'enable_downloads': schema_data['repo_enable_downloads'],
                         'repo_copy_permissions': schema_data['repo_copy_permissions'],
                     }
                     task = RepoModel().create(form_data=data, cur_user=owner)
                     from celery.result import BaseAsyncResult
                     task_id = None
                     if isinstance(task, BaseAsyncResult):
                         task_id = task.task_id
                     # no commit, it's done in RepoModel, or async via celery
                     return {
                         'msg': "Created new repository `%s`" % (schema_data['repo_name'],),
                         'success': True,  # cannot return the repo data here since fork
                         # can be done async
                         'task': task_id
                     }
                 except Exception:
                     log.exception(
                         u"Exception while trying to create the repository %s",
                         schema_data['repo_name'])
                     raise JSONRPCError(
                         'failed to create repository `%s`' % (schema_data['repo_name'],))
             @jsonrpc_method()
             def add_field_to_repo(request, apiuser, repoid, key, label=Optional(''),
                                   description=Optional('')):
                 """
                 Adds an extra field to a repository.
                 This command can only be run using an |authtoken| with at least
                 write permissions to the |repo|.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repoid: Set the repository name or repository id.
                 :type repoid: str or int
                 :param key: Create a unique field key for this repository.
                 :type key: str
                 :param label:
                 :type label: Optional(str)
                 :param description:
                 :type description: Optional(str)
                 """
                 repo = get_repo_or_error(repoid)
                 if not has_superadmin_permission(apiuser):
                     _perms = ('repository.admin',)
                     validate_repo_permissions(apiuser, repoid, repo, _perms)
                 label = Optional.extract(label) or key
                 description = Optional.extract(description)
                 field = RepositoryField.get_by_key_name(key, repo)
                 if field:
                     raise JSONRPCError('Field with key '
                                        '`%s` exists for repo `%s`' % (key, repoid))
                 try:
                     RepoModel().add_repo_field(repo, key, field_label=label,
                                                field_desc=description)
                     Session().commit()
                     return {
                         'msg': "Added new repository field `%s`" % (key,),
                         'success': True,
                     }
                 except Exception:
                     log.exception("Exception occurred while trying to add field to repo")
                     raise JSONRPCError(
                         'failed to create new field for repository `%s`' % (repoid,))
             @jsonrpc_method()
             def remove_field_from_repo(request, apiuser, repoid, key):
                 """
                 Removes an extra field from a repository.
                 This command can only be run using an |authtoken| with at least
                 write permissions to the |repo|.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repoid: Set the repository name or repository ID.
                 :type repoid: str or int
                 :param key: Set the unique field key for this repository.
                 :type key: str
                 """
                 repo = get_repo_or_error(repoid)
                 if not has_superadmin_permission(apiuser):
                     _perms = ('repository.admin',)
                     validate_repo_permissions(apiuser, repoid, repo, _perms)
                 field = RepositoryField.get_by_key_name(key, repo)
                 if not field:
                     raise JSONRPCError('Field with key `%s` does not '
                                        'exists for repo `%s`' % (key, repoid))
                 try:
                     RepoModel().delete_repo_field(repo, field_key=key)
                     Session().commit()
                     return {
                         'msg': "Deleted repository field `%s`" % (key,),
                         'success': True,
                     }
                 except Exception:
                     log.exception(
                         "Exception occurred while trying to delete field from repo")
                     raise JSONRPCError(
                         'failed to delete field for repository `%s`' % (repoid,))
             @jsonrpc_method()
             def update_repo(
                     request, apiuser, repoid, repo_name=Optional(None),
                     owner=Optional(OAttr('apiuser')), description=Optional(''),
                     private=Optional(False), clone_uri=Optional(None),
                     landing_rev=Optional('rev:tip'), fork_of=Optional(None),
                     enable_statistics=Optional(False),
                     enable_locking=Optional(False),
                     enable_downloads=Optional(False), fields=Optional('')):
                 """
                 Updates a repository with the given information.
                 This command can only be run using an |authtoken| with at least
                 admin permissions to the |repo|.
                 * If the repository name contains "/", repository will be updated
                   accordingly with a repository group or nested repository groups
                   For example repoid=repo-test name="foo/bar/repo-test" will update |repo|
                   called "repo-test" and place it inside group "foo/bar".
                   You have to have permissions to access and write to the last repository
                   group ("bar" in this example)
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repoid: repository name or repository ID.
                 :type repoid: str or int
                 :param repo_name: Update the |repo| name, including the
                     repository group it's in.
                 :type repo_name: str
                 :param owner: Set the |repo| owner.
                 :type owner: str
                 :param fork_of: Set the |repo| as fork of another |repo|.
                 :type fork_of: str
                 :param description: Update the |repo| description.
                 :type description: str
                 :param private: Set the |repo| as private. (True | False)
                 :type private: bool
                 :param clone_uri: Update the |repo| clone URI.
                 :type clone_uri: str
                 :param landing_rev: Set the |repo| landing revision. Default is ``rev:tip``.
                 :type landing_rev: str
                 :param enable_statistics: Enable statistics on the |repo|, (True | False).
                 :type enable_statistics: bool
                 :param enable_locking: Enable |repo| locking.
                 :type enable_locking: bool
                 :param enable_downloads: Enable downloads from the |repo|, (True | False).
                 :type enable_downloads: bool
                 :param fields: Add extra fields to the |repo|. Use the following
                     example format: ``field_key=field_val,field_key2=fieldval2``.
                     Escape ', ' with \,
                 :type fields: str
                 """
                 repo = get_repo_or_error(repoid)
                 include_secrets = False
                 if not has_superadmin_permission(apiuser):
                     validate_repo_permissions(apiuser, repoid, repo, ('repository.admin',))
                 else:
                     include_secrets = True
                 updates = dict(
                     repo_name=repo_name
                     if not isinstance(repo_name, Optional) else repo.repo_name,
                     fork_id=fork_of
                     if not isinstance(fork_of, Optional) else repo.fork.repo_name if repo.fork else None,
                     user=owner
                     if not isinstance(owner, Optional) else repo.user.username,
                     repo_description=description
                     if not isinstance(description, Optional) else repo.description,
                     repo_private=private
                     if not isinstance(private, Optional) else repo.private,
                     clone_uri=clone_uri
                     if not isinstance(clone_uri, Optional) else repo.clone_uri,
                     repo_landing_rev=landing_rev
                     if not isinstance(landing_rev, Optional) else repo._landing_revision,
                     repo_enable_statistics=enable_statistics
                     if not isinstance(enable_statistics, Optional) else repo.enable_statistics,
                     repo_enable_locking=enable_locking
                     if not isinstance(enable_locking, Optional) else repo.enable_locking,
                     repo_enable_downloads=enable_downloads
                     if not isinstance(enable_downloads, Optional) else repo.enable_downloads)
                 ref_choices, _labels = ScmModel().get_repo_landing_revs(repo=repo)
+                old_values = repo.get_api_data()
                 schema = repo_schema.RepoSchema().bind(
                     repo_type_options=rhodecode.BACKENDS.keys(),
                     repo_ref_options=ref_choices,
                     # user caller
                     user=apiuser,
-                    old_values=repo.get_api_data())
+                    old_values=old_values)
                 try:
                     schema_data = schema.deserialize(dict(
                         # we save old value, users cannot change type
                         repo_type=repo.repo_type,
                         repo_name=updates['repo_name'],
                         repo_owner=updates['user'],
                         repo_description=updates['repo_description'],
                         repo_clone_uri=updates['clone_uri'],
                         repo_fork_of=updates['fork_id'],
                         repo_private=updates['repo_private'],
                         repo_landing_commit_ref=updates['repo_landing_rev'],
                         repo_enable_statistics=updates['repo_enable_statistics'],
                         repo_enable_downloads=updates['repo_enable_downloads'],
                         repo_enable_locking=updates['repo_enable_locking']))
                 except validation_schema.Invalid as err:
                     raise JSONRPCValidationError(colander_exc=err)
                 # save validated data back into the updates dict
                 validated_updates = dict(
                     repo_name=schema_data['repo_group']['repo_name_without_group'],
                     repo_group=schema_data['repo_group']['repo_group_id'],
                     user=schema_data['repo_owner'],
                     repo_description=schema_data['repo_description'],
                     repo_private=schema_data['repo_private'],
                     clone_uri=schema_data['repo_clone_uri'],
                     repo_landing_rev=schema_data['repo_landing_commit_ref'],
                     repo_enable_statistics=schema_data['repo_enable_statistics'],
                     repo_enable_locking=schema_data['repo_enable_locking'],
                     repo_enable_downloads=schema_data['repo_enable_downloads'],
                 )
                 if schema_data['repo_fork_of']:
                     fork_repo = get_repo_or_error(schema_data['repo_fork_of'])
                     validated_updates['fork_id'] = fork_repo.repo_id
                 # extra fields
                 fields = parse_args(Optional.extract(fields), key_prefix='ex_')
                 if fields:
                     validated_updates.update(fields)
                 try:
                     RepoModel().update(repo, **validated_updates)
+                    audit_logger.store_api(
+                        'repo.edit', action_data={'old_data': old_values},
+                        user=apiuser, repo=repo)
                     Session().commit()
                     return {
                         'msg': 'updated repo ID:%s %s' % (repo.repo_id, repo.repo_name),
                         'repository': repo.get_api_data(include_secrets=include_secrets)
                     }
                 except Exception:
                     log.exception(
                         u"Exception while trying to update the repository %s",
                         repoid)
                     raise JSONRPCError('failed to update repo `%s`' % repoid)
             @jsonrpc_method()
             def fork_repo(request, apiuser, repoid, fork_name,
                           owner=Optional(OAttr('apiuser')),
                           description=Optional(''),
                           private=Optional(False),
                           clone_uri=Optional(None),
                           landing_rev=Optional('rev:tip'),
                           copy_permissions=Optional(False)):
                 """
                 Creates a fork of the specified |repo|.
                 * If the fork_name contains "/", fork will be created inside
                   a repository group or nested repository groups
                   For example "foo/bar/fork-repo" will create fork called "fork-repo"
                   inside group "foo/bar". You have to have permissions to access and
                   write to the last repository group ("bar" in this example)
                 This command can only be run using an |authtoken| with minimum
                 read permissions of the forked repo, create fork permissions for an user.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repoid: Set repository name or repository ID.
                 :type repoid: str or int
                 :param fork_name: Set the fork name, including it's repository group membership.
                 :type fork_name: str
                 :param owner: Set the fork owner.
                 :type owner: str
                 :param description: Set the fork description.
                 :type description: str
                 :param copy_permissions: Copy permissions from parent |repo|. The
                     default is False.
                 :type copy_permissions: bool
                 :param private: Make the fork private. The default is False.
                 :type private: bool
                 :param landing_rev: Set the landing revision. The default is tip.
                 Example output:
                 .. code-block:: bash
                     id : <id_for_response>
                     api_key : "<api_key>"
                     args:     {
                                 "repoid" :          "<reponame or repo_id>",
                                 "fork_name":        "<forkname>",
                                 "owner":            "<username or user_id = Optional(=apiuser)>",
                                 "description":      "<description>",
                                 "copy_permissions": "<bool>",
                                 "private":          "<bool>",
                                 "landing_rev":      "<landing_rev>"
                               }
                 Example error output:
                 .. code-block:: bash
                     id : <id_given_in_input>
                     result: {
                               "msg": "Created fork of `<reponame>` as `<forkname>`",
                               "success": true,
                               "task": "<celery task id or None if done sync>"
                             }
                     error:  null
                 """
                 repo = get_repo_or_error(repoid)
                 repo_name = repo.repo_name
                 if not has_superadmin_permission(apiuser):
                     # check if we have at least read permission for
                     # this repo that we fork !
                     _perms = (
                         'repository.admin', 'repository.write', 'repository.read')
                     validate_repo_permissions(apiuser, repoid, repo, _perms)
                     # check if the regular user has at least fork permissions as well
                     if not HasPermissionAnyApi('hg.fork.repository')(user=apiuser):
                         raise JSONRPCForbidden()
                 # check if user can set owner parameter
                 owner = validate_set_owner_permissions(apiuser, owner)
                 description = Optional.extract(description)
                 copy_permissions = Optional.extract(copy_permissions)
                 clone_uri = Optional.extract(clone_uri)
                 landing_commit_ref = Optional.extract(landing_rev)
                 private = Optional.extract(private)
                 schema = repo_schema.RepoSchema().bind(
                     repo_type_options=rhodecode.BACKENDS.keys(),
                     # user caller
                     user=apiuser)
                 try:
                     schema_data = schema.deserialize(dict(
                         repo_name=fork_name,
                         repo_type=repo.repo_type,
                         repo_owner=owner.username,
                         repo_description=description,
                         repo_landing_commit_ref=landing_commit_ref,
                         repo_clone_uri=clone_uri,
                         repo_private=private,
                         repo_copy_permissions=copy_permissions))
                 except validation_schema.Invalid as err:
                     raise JSONRPCValidationError(colander_exc=err)
                 try:
                     data = {
                         'fork_parent_id': repo.repo_id,
                         'repo_name': schema_data['repo_group']['repo_name_without_group'],
                         'repo_name_full': schema_data['repo_name'],
                         'repo_group': schema_data['repo_group']['repo_group_id'],
                         'repo_type': schema_data['repo_type'],
                         'description': schema_data['repo_description'],
                         'private': schema_data['repo_private'],
                         'copy_permissions': schema_data['repo_copy_permissions'],
                         'landing_rev': schema_data['repo_landing_commit_ref'],
                     }
                     task = RepoModel().create_fork(data, cur_user=owner)
                     # no commit, it's done in RepoModel, or async via celery
                     from celery.result import BaseAsyncResult
                     task_id = None
                     if isinstance(task, BaseAsyncResult):
                         task_id = task.task_id
                     return {
                         'msg': 'Created fork of `%s` as `%s`' % (
                             repo.repo_name, schema_data['repo_name']),
                         'success': True,  # cannot return the repo data here since fork
                         # can be done async
                         'task': task_id
                     }
                 except Exception:
                     log.exception(
                         u"Exception while trying to create fork %s",
                         schema_data['repo_name'])
                     raise JSONRPCError(
                         'failed to fork repository `%s` as `%s`' % (
                             repo_name, schema_data['repo_name']))
             @jsonrpc_method()
             def delete_repo(request, apiuser, repoid, forks=Optional('')):
                 """
                 Deletes a repository.
                 * When the `forks` parameter is set it's possible to detach or delete
                   forks of deleted repository.
                 This command can only be run using an |authtoken| with admin
                 permissions on the |repo|.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repoid: Set the repository name or repository ID.
                 :type repoid: str or int
                 :param forks: Set to `detach` or `delete` forks from the |repo|.
                 :type forks: Optional(str)
                 Example error output:
                 .. code-block:: bash
                     id : <id_given_in_input>
                     result: {
                               "msg": "Deleted repository `<reponame>`",
                               "success": true
                             }
                     error:  null
                 """
                 repo = get_repo_or_error(repoid)
                 repo_name = repo.repo_name
                 if not has_superadmin_permission(apiuser):
                     _perms = ('repository.admin',)
                     validate_repo_permissions(apiuser, repoid, repo, _perms)
                 try:
                     handle_forks = Optional.extract(forks)
                     _forks_msg = ''
                     _forks = [f for f in repo.forks]
                     if handle_forks == 'detach':
                         _forks_msg = ' ' + 'Detached %s forks' % len(_forks)
                     elif handle_forks == 'delete':
                         _forks_msg = ' ' + 'Deleted %s forks' % len(_forks)
                     elif _forks:
                         raise JSONRPCError(
                             'Cannot delete `%s` it still contains attached forks' %
                             (repo.repo_name,)
                         )
-                    repo_data = repo.get_api_data()
+                    old_data = repo.get_api_data()
                     RepoModel().delete(repo, forks=forks)
                     repo = audit_logger.RepoWrap(repo_id=None,
                                                  repo_name=repo.repo_name)
                     audit_logger.store_api(
-                        action='repo.delete',
+                        'repo.delete', action_data={'old_data': old_data},
-                        action_data={'data': repo_data},
                         user=apiuser, repo=repo)
                     ScmModel().mark_for_invalidation(repo_name, delete=True)
                     Session().commit()
                     return {
                         'msg': 'Deleted repository `%s`%s' % (repo_name, _forks_msg),
                         'success': True
                     }
                 except Exception:
                     log.exception("Exception occurred while trying to delete repo")
                     raise JSONRPCError(
                         'failed to delete repository `%s`' % (repo_name,)
                     )
             #TODO: marcink, change name ?
             @jsonrpc_method()
             def invalidate_cache(request, apiuser, repoid, delete_keys=Optional(False)):
                 """
                 Invalidates the cache for the specified repository.
                 This command can only be run using an |authtoken| with admin rights to
                 the specified repository.
                 This command takes the following options:
                 :param apiuser: This is filled automatically from |authtoken|.
                 :type apiuser: AuthUser
                 :param repoid: Sets the repository name or repository ID.
                 :type repoid: str or int
                 :param delete_keys: This deletes the invalidated keys instead of
                     just flagging them.
                 :type delete_keys: Optional(``True`` | ``False``)
                 Example output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : {
                     'msg': Cache for repository `<repository name>` was invalidated,
                     'repository': <repository name>
                   }
                   error :  null
                 Example error output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : null
                   error : {
                      'Error occurred during cache invalidation action'
                   }
                 """
                 repo = get_repo_or_error(repoid)
                 if not has_superadmin_permission(apiuser):
                     _perms = ('repository.admin', 'repository.write',)
                     validate_repo_permissions(apiuser, repoid, repo, _perms)
                 delete = Optional.extract(delete_keys)
                 try:
                     ScmModel().mark_for_invalidation(repo.repo_name, delete=delete)
                     return {
                         'msg': 'Cache for repository `%s` was invalidated' % (repoid,),
                         'repository': repo.repo_name
                     }
                 except Exception:
                     log.exception(
                         "Exception occurred while trying to invalidate repo cache")
                     raise JSONRPCError(
                         'Error occurred during cache invalidation action'
                     )
             #TODO: marcink, change name ?
             @jsonrpc_method()
             def lock(request, apiuser, repoid, locked=Optional(None),
                      userid=Optional(OAttr('apiuser'))):
                 """
                 Sets the lock state of the specified |repo| by the given user.
                 From more information, see :ref:`repo-locking`.
                 * If the ``userid`` option is not set, the repository is locked to the
                   user who called the method.
                 * If the ``locked`` parameter is not set, the current lock state of the
                   repository is displayed.
                 This command can only be run using an |authtoken| with admin rights to
                 the specified repository.
                 This command takes the following options:
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repoid: Sets the repository name or repository ID.
                 :type repoid: str or int
                 :param locked: Sets the lock state.
                 :type locked: Optional(``True`` | ``False``)
                 :param userid: Set the repository lock to this user.
                 :type userid: Optional(str or int)
                 Example error output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : {
                     'repo': '<reponame>',
                     'locked': <bool: lock state>,
                     'locked_since': <int: lock timestamp>,
                     'locked_by': <username of person who made the lock>,
                     'lock_reason': <str: reason for locking>,
                     'lock_state_changed': <bool: True if lock state has been changed in this request>,
                     'msg': 'Repo `<reponame>` locked by `<username>` on <timestamp>.'
                     or
                     'msg': 'Repo `<repository name>` not locked.'
                     or
                     'msg': 'User `<user name>` set lock state for repo `<repository name>` to `<new lock state>`'
                   }
                   error :  null
                 Example error output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : null
                   error :  {
                     'Error occurred locking repository `<reponame>`'
                   }
                 """
                 repo = get_repo_or_error(repoid)
                 if not has_superadmin_permission(apiuser):
                     # check if we have at least write permission for this repo !
                     _perms = ('repository.admin', 'repository.write',)
                     validate_repo_permissions(apiuser, repoid, repo, _perms)
                     # make sure normal user does not pass someone else userid,
                     # he is not allowed to do that
                     if not isinstance(userid, Optional) and userid != apiuser.user_id:
                         raise JSONRPCError('userid is not the same as your user')
                 if isinstance(userid, Optional):
                     userid = apiuser.user_id
                 user = get_user_or_error(userid)
                 if isinstance(locked, Optional):
                     lockobj = repo.locked
                     if lockobj[0] is None:
                         _d = {
                             'repo': repo.repo_name,
                             'locked': False,
                             'locked_since': None,
                             'locked_by': None,
                             'lock_reason': None,
                             'lock_state_changed': False,
                             'msg': 'Repo `%s` not locked.' % repo.repo_name
                         }
                         return _d
                     else:
                         _user_id, _time, _reason = lockobj
                         lock_user = get_user_or_error(userid)
                         _d = {
                             'repo': repo.repo_name,
                             'locked': True,
                             'locked_since': _time,
                             'locked_by': lock_user.username,
                             'lock_reason': _reason,
                             'lock_state_changed': False,
                             'msg': ('Repo `%s` locked by `%s` on `%s`.'
                                     % (repo.repo_name, lock_user.username,
                                        json.dumps(time_to_datetime(_time))))
                         }
                         return _d
                 # force locked state through a flag
                 else:
                     locked = str2bool(locked)
                     lock_reason = Repository.LOCK_API
                     try:
                         if locked:
                             lock_time = time.time()
                             Repository.lock(repo, user.user_id, lock_time, lock_reason)
                         else:
                             lock_time = None
                             Repository.unlock(repo)
                         _d = {
                             'repo': repo.repo_name,
                             'locked': locked,
                             'locked_since': lock_time,
                             'locked_by': user.username,
                             'lock_reason': lock_reason,
                             'lock_state_changed': True,
                             'msg': ('User `%s` set lock state for repo `%s` to `%s`'
                                     % (user.username, repo.repo_name, locked))
                         }
                         return _d
                     except Exception:
                         log.exception(
                             "Exception occurred while trying to lock repository")
                         raise JSONRPCError(
                             'Error occurred locking repository `%s`' % repo.repo_name
                         )
             @jsonrpc_method()
             def comment_commit(
                     request, apiuser, repoid, commit_id, message, status=Optional(None),
                     comment_type=Optional(ChangesetComment.COMMENT_TYPE_NOTE),
                     resolves_comment_id=Optional(None),
                     userid=Optional(OAttr('apiuser'))):
                 """
                 Set a commit comment, and optionally change the status of the commit.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repoid: Set the repository name or repository ID.
                 :type repoid: str or int
                 :param commit_id: Specify the commit_id for which to set a comment.
                 :type commit_id: str
                 :param message: The comment text.
                 :type message: str
                 :param status: (**Optional**) status of commit, one of: 'not_reviewed',
                     'approved', 'rejected', 'under_review'
                 :type status: str
                 :param comment_type: Comment type, one of: 'note', 'todo'
                 :type comment_type: Optional(str), default: 'note'
                 :param userid: Set the user name of the comment creator.
                 :type userid: Optional(str or int)
                 Example error output:
                 .. code-block:: bash
                     {
                         "id" : <id_given_in_input>,
                         "result" : {
                             "msg": "Commented on commit `<commit_id>` for repository `<repoid>`",
                             "status_change": null or <status>,
                             "success": true
                         },
                         "error" :  null
                     }
                 """
                 repo = get_repo_or_error(repoid)
                 if not has_superadmin_permission(apiuser):
                     _perms = ('repository.read', 'repository.write', 'repository.admin')
                     validate_repo_permissions(apiuser, repoid, repo, _perms)
                 try:
                     commit_id = repo.scm_instance().get_commit(commit_id=commit_id).raw_id
                 except Exception as e:
                     log.exception('Failed to fetch commit')
                     raise JSONRPCError(e.message)
                 if isinstance(userid, Optional):
                     userid = apiuser.user_id
                 user = get_user_or_error(userid)
                 status = Optional.extract(status)
                 comment_type = Optional.extract(comment_type)
                 resolves_comment_id = Optional.extract(resolves_comment_id)
                 allowed_statuses = [x[0] for x in ChangesetStatus.STATUSES]
                 if status and status not in allowed_statuses:
                     raise JSONRPCError('Bad status, must be on '
                                        'of %s got %s' % (allowed_statuses, status,))
                 if resolves_comment_id:
                     comment = ChangesetComment.get(resolves_comment_id)
                     if not comment:
                         raise JSONRPCError(
                             'Invalid resolves_comment_id `%s` for this commit.'
                             % resolves_comment_id)
                     if comment.comment_type != ChangesetComment.COMMENT_TYPE_TODO:
                         raise JSONRPCError(
                             'Comment `%s` is wrong type for setting status to resolved.'
                             % resolves_comment_id)
                 try:
                     rc_config = SettingsModel().get_all_settings()
                     renderer = rc_config.get('rhodecode_markup_renderer', 'rst')
                     status_change_label = ChangesetStatus.get_status_lbl(status)
-                    comm = CommentsModel().create(
+                    comment = CommentsModel().create(
                         message, repo, user, commit_id=commit_id,
                         status_change=status_change_label,
                         status_change_type=status,
                         renderer=renderer,
                         comment_type=comment_type,
                         resolves_comment_id=resolves_comment_id
                     )
                     if status:
                         # also do a status change
                         try:
                             ChangesetStatusModel().set_status(
-                                repo, status, user, comm, revision=commit_id,
+                                repo, status, user, comment, revision=commit_id,
                                 dont_allow_on_closed_pull_request=True
                             )
                         except StatusChangeOnClosedPullRequestError:
                             log.exception(
                                 "Exception occurred while trying to change repo commit status")
                             msg = ('Changing status on a changeset associated with '
                                    'a closed pull request is not allowed')
                             raise JSONRPCError(msg)
                     Session().commit()
                     return {
                         'msg': (
                             'Commented on commit `%s` for repository `%s`' % (
-                                comm.revision, repo.repo_name)),
+                                comment.revision, repo.repo_name)),
                         'status_change': status,
                         'success': True,
                     }
                 except JSONRPCError:
                     # catch any inside errors, and re-raise them to prevent from
                     # below global catch to silence them
                     raise
                 except Exception:
                     log.exception("Exception occurred while trying to comment on commit")
                     raise JSONRPCError(
                         'failed to set comment on repository `%s`' % (repo.repo_name,)
                     )
             @jsonrpc_method()
             def grant_user_permission(request, apiuser, repoid, userid, perm):
                 """
                 Grant permissions for the specified user on the given repository,
                 or update existing permissions if found.
                 This command can only be run using an |authtoken| with admin
                 permissions on the |repo|.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repoid: Set the repository name or repository ID.
                 :type repoid: str or int
                 :param userid: Set the user name.
                 :type userid: str
                 :param perm: Set the user permissions, using the following format
                     ``(repository.(none|read|write|admin))``
                 :type perm: str
                 Example output:
                 .. code-block:: bash
                     id : <id_given_in_input>
                     result: {
                               "msg" : "Granted perm: `<perm>` for user: `<username>` in repo: `<reponame>`",
                               "success": true
                             }
                     error:  null
                 """
                 repo = get_repo_or_error(repoid)
                 user = get_user_or_error(userid)
                 perm = get_perm_or_error(perm)
                 if not has_superadmin_permission(apiuser):
                     _perms = ('repository.admin',)
                     validate_repo_permissions(apiuser, repoid, repo, _perms)
                 try:
                     RepoModel().grant_user_permission(repo=repo, user=user, perm=perm)
                     Session().commit()
                     return {
                         'msg': 'Granted perm: `%s` for user: `%s` in repo: `%s`' % (
                             perm.permission_name, user.username, repo.repo_name
                         ),
                         'success': True
                     }
                 except Exception:
                     log.exception(
                         "Exception occurred while trying edit permissions for repo")
                     raise JSONRPCError(
                         'failed to edit permission for user: `%s` in repo: `%s`' % (
                             userid, repoid
                         )
                     )
             @jsonrpc_method()
             def revoke_user_permission(request, apiuser, repoid, userid):
                 """
                 Revoke permission for a user on the specified repository.
                 This command can only be run using an |authtoken| with admin
                 permissions on the |repo|.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repoid: Set the repository name or repository ID.
                 :type repoid: str or int
                 :param userid: Set the user name of revoked user.
                 :type userid: str or int
                 Example error output:
                 .. code-block:: bash
                     id : <id_given_in_input>
                     result: {
                               "msg" : "Revoked perm for user: `<username>` in repo: `<reponame>`",
                               "success": true
                             }
                     error:  null
                 """
                 repo = get_repo_or_error(repoid)
                 user = get_user_or_error(userid)
                 if not has_superadmin_permission(apiuser):
                     _perms = ('repository.admin',)
                     validate_repo_permissions(apiuser, repoid, repo, _perms)
                 try:
                     RepoModel().revoke_user_permission(repo=repo, user=user)
                     Session().commit()
                     return {
                         'msg': 'Revoked perm for user: `%s` in repo: `%s`' % (
                             user.username, repo.repo_name
                         ),
                         'success': True
                     }
                 except Exception:
                     log.exception(
                         "Exception occurred while trying revoke permissions to repo")
                     raise JSONRPCError(
                         'failed to edit permission for user: `%s` in repo: `%s`' % (
                             userid, repoid
                         )
                     )
             @jsonrpc_method()
             def grant_user_group_permission(request, apiuser, repoid, usergroupid, perm):
                 """
                 Grant permission for a user group on the specified repository,
                 or update existing permissions.
                 This command can only be run using an |authtoken| with admin
                 permissions on the |repo|.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repoid: Set the repository name or repository ID.
                 :type repoid: str or int
                 :param usergroupid: Specify the ID of the user group.
                 :type usergroupid: str or int
                 :param perm: Set the user group permissions using the following
                     format: (repository.(none|read|write|admin))
                 :type perm: str
                 Example output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : {
                     "msg" : "Granted perm: `<perm>` for group: `<usersgroupname>` in repo: `<reponame>`",
                     "success": true
                   }
                   error :  null
                 Example error output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : null
                   error :  {
                     "failed to edit permission for user group: `<usergroup>` in repo `<repo>`'
                   }
                 """
                 repo = get_repo_or_error(repoid)
                 perm = get_perm_or_error(perm)
                 if not has_superadmin_permission(apiuser):
                     _perms = ('repository.admin',)
                     validate_repo_permissions(apiuser, repoid, repo, _perms)
                 user_group = get_user_group_or_error(usergroupid)
                 if not has_superadmin_permission(apiuser):
                     # check if we have at least read permission for this user group !
                     _perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin',)
                     if not HasUserGroupPermissionAnyApi(*_perms)(
                             user=apiuser, user_group_name=user_group.users_group_name):
                         raise JSONRPCError(
                             'user group `%s` does not exist' % (usergroupid,))
                 try:
                     RepoModel().grant_user_group_permission(
                         repo=repo, group_name=user_group, perm=perm)
                     Session().commit()
                     return {
                         'msg': 'Granted perm: `%s` for user group: `%s` in '
                                'repo: `%s`' % (
                                    perm.permission_name, user_group.users_group_name,
                                    repo.repo_name
                                ),
                         'success': True
                     }
                 except Exception:
                     log.exception(
                         "Exception occurred while trying change permission on repo")
                     raise JSONRPCError(
                         'failed to edit permission for user group: `%s` in '
                         'repo: `%s`' % (
                             usergroupid, repo.repo_name
                         )
                     )
             @jsonrpc_method()
             def revoke_user_group_permission(request, apiuser, repoid, usergroupid):
                 """
                 Revoke the permissions of a user group on a given repository.
                 This command can only be run using an |authtoken| with admin
                 permissions on the |repo|.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repoid: Set the repository name or repository ID.
                 :type repoid: str or int
                 :param usergroupid: Specify the user group ID.
                 :type usergroupid: str or int
                 Example output:
                 .. code-block:: bash
                     id : <id_given_in_input>
                     result: {
                               "msg" : "Revoked perm for group: `<usersgroupname>` in repo: `<reponame>`",
                               "success": true
                             }
                     error:  null
                 """
                 repo = get_repo_or_error(repoid)
                 if not has_superadmin_permission(apiuser):
                     _perms = ('repository.admin',)
                     validate_repo_permissions(apiuser, repoid, repo, _perms)
                 user_group = get_user_group_or_error(usergroupid)
                 if not has_superadmin_permission(apiuser):
                     # check if we have at least read permission for this user group !
                     _perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin',)
                     if not HasUserGroupPermissionAnyApi(*_perms)(
                             user=apiuser, user_group_name=user_group.users_group_name):
                         raise JSONRPCError(
                             'user group `%s` does not exist' % (usergroupid,))
                 try:
                     RepoModel().revoke_user_group_permission(
                         repo=repo, group_name=user_group)
                     Session().commit()
                     return {
                         'msg': 'Revoked perm for user group: `%s` in repo: `%s`' % (
                             user_group.users_group_name, repo.repo_name
                         ),
                         'success': True
                     }
                 except Exception:
                     log.exception("Exception occurred while trying revoke "
                                   "user group permission on repo")
                     raise JSONRPCError(
                         'failed to edit permission for user group: `%s` in '
                         'repo: `%s`' % (
                             user_group.users_group_name, repo.repo_name
                         )
                     )
             @jsonrpc_method()
             def pull(request, apiuser, repoid):
                 """
                 Triggers a pull on the given repository from a remote location. You
                 can use this to keep remote repositories up-to-date.
                 This command can only be run using an |authtoken| with admin
                 rights to the specified repository. For more information,
                 see :ref:`config-token-ref`.
                 This command takes the following options:
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repoid: The repository name or repository ID.
                 :type repoid: str or int
                 Example output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : {
                     "msg": "Pulled from `<repository name>`"
                     "repository": "<repository name>"
                   }
                   error :  null
                 Example error output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : null
                   error :  {
                     "Unable to pull changes from `<reponame>`"
                   }
                 """
                 repo = get_repo_or_error(repoid)
                 if not has_superadmin_permission(apiuser):
                     _perms = ('repository.admin',)
                     validate_repo_permissions(apiuser, repoid, repo, _perms)
                 try:
                     ScmModel().pull_changes(repo.repo_name, apiuser.username)
                     return {
                         'msg': 'Pulled from `%s`' % repo.repo_name,
                         'repository': repo.repo_name
                     }
                 except Exception:
                     log.exception("Exception occurred while trying to "
                                   "pull changes from remote location")
                     raise JSONRPCError(
                         'Unable to pull changes from `%s`' % repo.repo_name
                     )
             @jsonrpc_method()
             def strip(request, apiuser, repoid, revision, branch):
                 """
                 Strips the given revision from the specified repository.
                 * This will remove the revision and all of its decendants.
                 This command can only be run using an |authtoken| with admin rights to
                 the specified repository.
                 This command takes the following options:
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repoid: The repository name or repository ID.
                 :type repoid: str or int
                 :param revision: The revision you wish to strip.
                 :type revision: str
                 :param branch: The branch from which to strip the revision.
                 :type branch: str
                 Example output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : {
                     "msg": "'Stripped commit <commit_hash> from repo `<repository name>`'"
                     "repository": "<repository name>"
                   }
                   error :  null
                 Example error output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : null
                   error :  {
                     "Unable to strip commit <commit_hash> from repo `<repository name>`"
                   }
                 """
                 repo = get_repo_or_error(repoid)
                 if not has_superadmin_permission(apiuser):
                     _perms = ('repository.admin',)
                     validate_repo_permissions(apiuser, repoid, repo, _perms)
                 try:
                     ScmModel().strip(repo, revision, branch)
+                    audit_logger.store_api(
+                        'repo.commit.strip', action_data={'commit_id': revision},
+                        repo=repo,
+                        user=apiuser, commit=True)
                     return {
                         'msg': 'Stripped commit %s from repo `%s`' % (
                             revision, repo.repo_name),
                         'repository': repo.repo_name
                     }
                 except Exception:
                     log.exception("Exception while trying to strip")
                     raise JSONRPCError(
                         'Unable to strip commit %s from repo `%s`' % (
                             revision, repo.repo_name)
                     )
             @jsonrpc_method()
             def get_repo_settings(request, apiuser, repoid, key=Optional(None)):
                 """
                 Returns all settings for a repository. If key is given it only returns the
                 setting identified by the key or null.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repoid: The repository name or repository id.
                 :type repoid: str or int
                 :param key: Key of the setting to return.
                 :type: key: Optional(str)
                 Example output:
                 .. code-block:: bash
                     {
                         "error": null,
                         "id": 237,
                         "result": {
                             "extensions_largefiles": true,
                             "extensions_evolve": true,
                             "hooks_changegroup_push_logger": true,
                             "hooks_changegroup_repo_size": false,
                             "hooks_outgoing_pull_logger": true,
                             "phases_publish": "True",
                             "rhodecode_hg_use_rebase_for_merging": true,
                             "rhodecode_pr_merge_enabled": true,
                             "rhodecode_use_outdated_comments": true
                         }
                     }
                 """
                 # Restrict access to this api method to admins only.
                 if not has_superadmin_permission(apiuser):
                     raise JSONRPCForbidden()
                 try:
                     repo = get_repo_or_error(repoid)
                     settings_model = VcsSettingsModel(repo=repo)
                     settings = settings_model.get_global_settings()
                     settings.update(settings_model.get_repo_settings())
                     # If only a single setting is requested fetch it from all settings.
                     key = Optional.extract(key)
                     if key is not None:
                         settings = settings.get(key, None)
                 except Exception:
                     msg = 'Failed to fetch settings for repository `{}`'.format(repoid)
                     log.exception(msg)
                     raise JSONRPCError(msg)
                 return settings
             @jsonrpc_method()
             def set_repo_settings(request, apiuser, repoid, settings):
                 """
                 Update repository settings. Returns true on success.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repoid: The repository name or repository id.
                 :type repoid: str or int
                 :param settings: The new settings for the repository.
                 :type: settings: dict
                 Example output:
                 .. code-block:: bash
                     {
                         "error": null,
                         "id": 237,
                         "result": true
                     }
                 """
                 # Restrict access to this api method to admins only.
                 if not has_superadmin_permission(apiuser):
                     raise JSONRPCForbidden()
                 if type(settings) is not dict:
                     raise JSONRPCError('Settings have to be a JSON Object.')
                 try:
                     settings_model = VcsSettingsModel(repo=repoid)
                     # Merge global, repo and incoming settings.
                     new_settings = settings_model.get_global_settings()
                     new_settings.update(settings_model.get_repo_settings())
                     new_settings.update(settings)
                     # Update the settings.
                     inherit_global_settings = new_settings.get(
                         'inherit_global_settings', False)
                     settings_model.create_or_update_repo_settings(
                         new_settings, inherit_global_settings=inherit_global_settings)
                     Session().commit()
                 except Exception:
                     msg = 'Failed to update settings for repository `{}`'.format(repoid)
                     log.exception(msg)
                     raise JSONRPCError(msg)
                 # Indicate success.
                 return True
             @jsonrpc_method()
             def maintenance(request, apiuser, repoid):
                 """
                 Triggers a maintenance on the given repository.
                 This command can only be run using an |authtoken| with admin
                 rights to the specified repository. For more information,
                 see :ref:`config-token-ref`.
                 This command takes the following options:
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repoid: The repository name or repository ID.
                 :type repoid: str or int
                 Example output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : {
                     "msg": "executed maintenance command",
                     "executed_actions": [
                        <action_message>, <action_message2>...
                     ],
                     "repository": "<repository name>"
                   }
                   error :  null
                 Example error output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : null
                   error :  {
                     "Unable to execute maintenance on `<reponame>`"
                   }
                 """
                 repo = get_repo_or_error(repoid)
                 if not has_superadmin_permission(apiuser):
                     _perms = ('repository.admin',)
                     validate_repo_permissions(apiuser, repoid, repo, _perms)
                 try:
                     maintenance = repo_maintenance.RepoMaintenance()
                     executed_actions = maintenance.execute(repo)
                     return {
                         'msg': 'executed maintenance command',
                         'executed_actions': executed_actions,
                         'repository': repo.repo_name
                     }
                 except Exception:
                     log.exception("Exception occurred while trying to run maintenance")
                     raise JSONRPCError(
                         'Unable to execute maintenance on `%s`' % repo.repo_name)

rhodecode/api/views/repo_group_api.py

0 +17 0

             # -*- coding: utf-8 -*-
             # Copyright (C) 2011-2017 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import logging
             from rhodecode.api import JSONRPCValidationError
             from rhodecode.api import jsonrpc_method, JSONRPCError
             from rhodecode.api.utils import (
                 has_superadmin_permission, Optional, OAttr, get_user_or_error,
                 get_repo_group_or_error, get_perm_or_error, get_user_group_or_error,
                 get_origin, validate_repo_group_permissions, validate_set_owner_permissions)
+            from rhodecode.lib import audit_logger
             from rhodecode.lib.auth import (
                 HasRepoGroupPermissionAnyApi, HasUserGroupPermissionAnyApi)
             from rhodecode.model.db import Session
             from rhodecode.model.repo_group import RepoGroupModel
             from rhodecode.model.scm import RepoGroupList
             from rhodecode.model import validation_schema
             from rhodecode.model.validation_schema.schemas import repo_group_schema
             log = logging.getLogger(__name__)
             @jsonrpc_method()
             def get_repo_group(request, apiuser, repogroupid):
                 """
                 Return the specified |repo| group, along with permissions,
                 and repositories inside the group
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repogroupid: Specify the name of ID of the repository group.
                 :type repogroupid: str or int
                 Example output:
                 .. code-block:: bash
                     {
                       "error": null,
                       "id": repo-group-id,
                       "result": {
                         "group_description": "repo group description",
                         "group_id": 14,
                         "group_name": "group name",
                         "members": [
                           {
                             "name": "super-admin-username",
                             "origin": "super-admin",
                             "permission": "group.admin",
                             "type": "user"
                           },
                           {
                             "name": "owner-name",
                             "origin": "owner",
                             "permission": "group.admin",
                             "type": "user"
                           },
                           {
                             "name": "user-group-name",
                             "origin": "permission",
                             "permission": "group.write",
                             "type": "user_group"
                           }
                         ],
                         "owner": "owner-name",
                         "parent_group": null,
                         "repositories": [ repo-list ]
                       }
                     }
                 """
                 repo_group = get_repo_group_or_error(repogroupid)
                 if not has_superadmin_permission(apiuser):
                     # check if we have at least read permission for this repo group !
                     _perms = ('group.admin', 'group.write', 'group.read',)
                     if not HasRepoGroupPermissionAnyApi(*_perms)(
                             user=apiuser, group_name=repo_group.group_name):
                         raise JSONRPCError(
                             'repository group `%s` does not exist' % (repogroupid,))
                 permissions = []
                 for _user in repo_group.permissions():
                     user_data = {
                         'name': _user.username,
                         'permission': _user.permission,
                         'origin': get_origin(_user),
                         'type': "user",
                     }
                     permissions.append(user_data)
                 for _user_group in repo_group.permission_user_groups():
                     user_group_data = {
                         'name': _user_group.users_group_name,
                         'permission': _user_group.permission,
                         'origin': get_origin(_user_group),
                         'type': "user_group",
                     }
                     permissions.append(user_group_data)
                 data = repo_group.get_api_data()
                 data["members"] = permissions  # TODO: this should be named permissions
                 return data
             @jsonrpc_method()
             def get_repo_groups(request, apiuser):
                 """
                 Returns all repository groups.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 """
                 result = []
                 _perms = ('group.read', 'group.write', 'group.admin',)
                 extras = {'user': apiuser}
                 for repo_group in RepoGroupList(RepoGroupModel().get_all(),
                                                 perm_set=_perms, extra_kwargs=extras):
                     result.append(repo_group.get_api_data())
                 return result
             @jsonrpc_method()
             def create_repo_group(
                     request, apiuser, group_name,
                     owner=Optional(OAttr('apiuser')),
                     description=Optional(''),
                     copy_permissions=Optional(False)):
                 """
                 Creates a repository group.
                 * If the repository group name contains "/", repository group will be
                   created inside a repository group or nested repository groups
                   For example "foo/bar/group1" will create repository group called "group1"
                   inside group "foo/bar". You have to have permissions to access and
                   write to the last repository group ("bar" in this example)
                 This command can only be run using an |authtoken| with at least
                 permissions to create repository groups, or admin permissions to
                 parent repository groups.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param group_name: Set the repository group name.
                 :type group_name: str
                 :param description: Set the |repo| group description.
                 :type description: str
                 :param owner: Set the |repo| group owner.
                 :type owner: str
                 :param copy_permissions:
                 :type copy_permissions:
                 Example output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : {
                       "msg": "Created new repo group `<repo_group_name>`"
                       "repo_group": <repogroup_object>
                   }
                   error :  null
                 Example error output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : null
                   error :  {
                     failed to create repo group `<repogroupid>`
                   }
                 """
                 owner = validate_set_owner_permissions(apiuser, owner)
                 description = Optional.extract(description)
                 copy_permissions = Optional.extract(copy_permissions)
                 schema = repo_group_schema.RepoGroupSchema().bind(
                     # user caller
                     user=apiuser)
                 try:
                     schema_data = schema.deserialize(dict(
                         repo_group_name=group_name,
                         repo_group_owner=owner.username,
                         repo_group_description=description,
                         repo_group_copy_permissions=copy_permissions,
                     ))
                 except validation_schema.Invalid as err:
                     raise JSONRPCValidationError(colander_exc=err)
                 validated_group_name = schema_data['repo_group_name']
                 try:
                     repo_group = RepoGroupModel().create(
                         owner=owner,
                         group_name=validated_group_name,
                         group_description=schema_data['repo_group_name'],
                         copy_permissions=schema_data['repo_group_copy_permissions'])
+                    Session().flush()
+                    repo_group_data = repo_group.get_api_data()
+                    audit_logger.store_api(
+                        'repo_group.create', action_data={'data': repo_group_data},
+                        user=apiuser)
                     Session().commit()
                     return {
                         'msg': 'Created new repo group `%s`' % validated_group_name,
                         'repo_group': repo_group.get_api_data()
                     }
                 except Exception:
                     log.exception("Exception occurred while trying create repo group")
                     raise JSONRPCError(
                         'failed to create repo group `%s`' % (validated_group_name,))
             @jsonrpc_method()
             def update_repo_group(
                     request, apiuser, repogroupid, group_name=Optional(''),
                     description=Optional(''), owner=Optional(OAttr('apiuser')),
                     enable_locking=Optional(False)):
                 """
                 Updates repository group with the details given.
                 This command can only be run using an |authtoken| with admin
                 permissions.
                 * If the group_name name contains "/", repository group will be updated
                   accordingly with a repository group or nested repository groups
                   For example repogroupid=group-test group_name="foo/bar/group-test"
                   will update repository group called "group-test" and place it
                   inside group "foo/bar".
                   You have to have permissions to access and write to the last repository
                   group ("bar" in this example)
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repogroupid: Set the ID of repository group.
                 :type repogroupid: str or int
                 :param group_name: Set the name of the |repo| group.
                 :type group_name: str
                 :param description: Set a description for the group.
                 :type description: str
                 :param owner: Set the |repo| group owner.
                 :type owner: str
                 :param enable_locking: Enable |repo| locking. The default is false.
                 :type enable_locking: bool
                 """
                 repo_group = get_repo_group_or_error(repogroupid)
                 if not has_superadmin_permission(apiuser):
                     validate_repo_group_permissions(
                         apiuser, repogroupid, repo_group, ('group.admin',))
                 updates = dict(
                     group_name=group_name
                     if not isinstance(group_name, Optional) else repo_group.group_name,
                     group_description=description
                     if not isinstance(description, Optional) else repo_group.group_description,
                     user=owner
                     if not isinstance(owner, Optional) else repo_group.user.username,
                     enable_locking=enable_locking
                     if not isinstance(enable_locking, Optional) else repo_group.enable_locking
                 )
                 schema = repo_group_schema.RepoGroupSchema().bind(
                     # user caller
                     user=apiuser,
                     old_values=repo_group.get_api_data())
                 try:
                     schema_data = schema.deserialize(dict(
                         repo_group_name=updates['group_name'],
                         repo_group_owner=updates['user'],
                         repo_group_description=updates['group_description'],
                         repo_group_enable_locking=updates['enable_locking'],
                     ))
                 except validation_schema.Invalid as err:
                     raise JSONRPCValidationError(colander_exc=err)
                 validated_updates = dict(
                     group_name=schema_data['repo_group']['repo_group_name_without_group'],
                     group_parent_id=schema_data['repo_group']['repo_group_id'],
                     user=schema_data['repo_group_owner'],
                     group_description=schema_data['repo_group_description'],
                     enable_locking=schema_data['repo_group_enable_locking'],
                 )
+                old_data = repo_group.get_api_data()
                 try:
                     RepoGroupModel().update(repo_group, validated_updates)
+                    audit_logger.store_api(
+                        'repo_group.edit', action_data={'old_data': old_data},
+                        user=apiuser)
                     Session().commit()
                     return {
                         'msg': 'updated repository group ID:%s %s' % (
                             repo_group.group_id, repo_group.group_name),
                         'repo_group': repo_group.get_api_data()
                     }
                 except Exception:
                     log.exception(
                         u"Exception occurred while trying update repo group %s",
                         repogroupid)
                     raise JSONRPCError('failed to update repository group `%s`'
                                        % (repogroupid,))
             @jsonrpc_method()
             def delete_repo_group(request, apiuser, repogroupid):
                 """
                 Deletes a |repo| group.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repogroupid: Set the name or ID of repository group to be
                     deleted.
                 :type repogroupid: str or int
                 Example output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : {
                     'msg': 'deleted repo group ID:<repogroupid> <repogroupname>'
                     'repo_group': null
                   }
                   error :  null
                 Example error output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : null
                   error :  {
                     "failed to delete repo group ID:<repogroupid> <repogroupname>"
                   }
                 """
                 repo_group = get_repo_group_or_error(repogroupid)
                 if not has_superadmin_permission(apiuser):
                     validate_repo_group_permissions(
                         apiuser, repogroupid, repo_group, ('group.admin',))
+                old_data = repo_group.get_api_data()
                 try:
                     RepoGroupModel().delete(repo_group)
+                    audit_logger.store_api(
+                        'repo_group.delete', action_data={'old_data': old_data},
+                        user=apiuser)
                     Session().commit()
                     return {
                         'msg': 'deleted repo group ID:%s %s' %
                                (repo_group.group_id, repo_group.group_name),
                         'repo_group': None
                     }
                 except Exception:
                     log.exception("Exception occurred while trying to delete repo group")
                     raise JSONRPCError('failed to delete repo group ID:%s %s' %
                                        (repo_group.group_id, repo_group.group_name))
             @jsonrpc_method()
             def grant_user_permission_to_repo_group(
                     request, apiuser, repogroupid, userid, perm,
                     apply_to_children=Optional('none')):
                 """
                 Grant permission for a user on the given repository group, or update
                 existing permissions if found.
                 This command can only be run using an |authtoken| with admin
                 permissions.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repogroupid: Set the name or ID of repository group.
                 :type repogroupid: str or int
                 :param userid: Set the user name.
                 :type userid: str
                 :param perm: (group.(none|read|write|admin))
                 :type perm: str
                 :param apply_to_children: 'none', 'repos', 'groups', 'all'
                 :type apply_to_children: str
                 Example output:
                 .. code-block:: bash
                     id : <id_given_in_input>
                     result: {
                               "msg" : "Granted perm: `<perm>` (recursive:<apply_to_children>) for user: `<username>` in repo group: `<repo_group_name>`",
                               "success": true
                             }
                     error:  null
                 Example error output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : null
                   error :  {
                     "failed to edit permission for user: `<userid>` in repo group: `<repo_group_name>`"
                   }
                 """
                 repo_group = get_repo_group_or_error(repogroupid)
                 if not has_superadmin_permission(apiuser):
                     validate_repo_group_permissions(
                         apiuser, repogroupid, repo_group, ('group.admin',))
                 user = get_user_or_error(userid)
                 perm = get_perm_or_error(perm, prefix='group.')
                 apply_to_children = Optional.extract(apply_to_children)
                 perm_additions = [[user.user_id, perm, "user"]]
                 try:
                     RepoGroupModel().update_permissions(repo_group=repo_group,
                                                         perm_additions=perm_additions,
                                                         recursive=apply_to_children,
                                                         cur_user=apiuser)
                     Session().commit()
                     return {
                         'msg': 'Granted perm: `%s` (recursive:%s) for user: '
                                '`%s` in repo group: `%s`' % (
                                    perm.permission_name, apply_to_children, user.username,
                                    repo_group.name
                                ),
                         'success': True
                     }
                 except Exception:
                     log.exception("Exception occurred while trying to grant "
                                   "user permissions to repo group")
                     raise JSONRPCError(
                         'failed to edit permission for user: '
                         '`%s` in repo group: `%s`' % (userid, repo_group.name))
             @jsonrpc_method()
             def revoke_user_permission_from_repo_group(
                     request, apiuser, repogroupid, userid,
                     apply_to_children=Optional('none')):
                 """
                 Revoke permission for a user in a given repository group.
                 This command can only be run using an |authtoken| with admin
                 permissions on the |repo| group.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repogroupid: Set the name or ID of the repository group.
                 :type repogroupid: str or int
                 :param userid: Set the user name to revoke.
                 :type userid: str
                 :param apply_to_children: 'none', 'repos', 'groups', 'all'
                 :type apply_to_children: str
                 Example output:
                 .. code-block:: bash
                     id : <id_given_in_input>
                     result: {
                               "msg" : "Revoked perm (recursive:<apply_to_children>) for user: `<username>` in repo group: `<repo_group_name>`",
                               "success": true
                             }
                     error:  null
                 Example error output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : null
                   error :  {
                     "failed to edit permission for user: `<userid>` in repo group: `<repo_group_name>`"
                   }
                 """
                 repo_group = get_repo_group_or_error(repogroupid)
                 if not has_superadmin_permission(apiuser):
                     validate_repo_group_permissions(
                         apiuser, repogroupid, repo_group, ('group.admin',))
                 user = get_user_or_error(userid)
                 apply_to_children = Optional.extract(apply_to_children)
                 perm_deletions = [[user.user_id, None, "user"]]
                 try:
                     RepoGroupModel().update_permissions(repo_group=repo_group,
                                                         perm_deletions=perm_deletions,
                                                         recursive=apply_to_children,
                                                         cur_user=apiuser)
                     Session().commit()
                     return {
                         'msg': 'Revoked perm (recursive:%s) for user: '
                                '`%s` in repo group: `%s`' % (
                                    apply_to_children, user.username, repo_group.name
                                ),
                         'success': True
                     }
                 except Exception:
                     log.exception("Exception occurred while trying revoke user "
                                   "permission from repo group")
                     raise JSONRPCError(
                         'failed to edit permission for user: '
                         '`%s` in repo group: `%s`' % (userid, repo_group.name))
             @jsonrpc_method()
             def grant_user_group_permission_to_repo_group(
                     request, apiuser, repogroupid, usergroupid, perm,
                     apply_to_children=Optional('none'), ):
                 """
                 Grant permission for a user group on given repository group, or update
                 existing permissions if found.
                 This command can only be run using an |authtoken| with admin
                 permissions on the |repo| group.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repogroupid: Set the name or id of repository group
                 :type repogroupid: str or int
                 :param usergroupid: id of usergroup
                 :type usergroupid: str or int
                 :param perm: (group.(none|read|write|admin))
                 :type perm: str
                 :param apply_to_children: 'none', 'repos', 'groups', 'all'
                 :type apply_to_children: str
                 Example output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : {
                     "msg" : "Granted perm: `<perm>` (recursive:<apply_to_children>) for user group: `<usersgroupname>` in repo group: `<repo_group_name>`",
                     "success": true
                   }
                   error :  null
                 Example error output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : null
                   error :  {
                     "failed to edit permission for user group: `<usergroup>` in repo group: `<repo_group_name>`"
                   }
                 """
                 repo_group = get_repo_group_or_error(repogroupid)
                 perm = get_perm_or_error(perm, prefix='group.')
                 user_group = get_user_group_or_error(usergroupid)
                 if not has_superadmin_permission(apiuser):
                     validate_repo_group_permissions(
                         apiuser, repogroupid, repo_group, ('group.admin',))
                     # check if we have at least read permission for this user group !
                     _perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin',)
                     if not HasUserGroupPermissionAnyApi(*_perms)(
                             user=apiuser, user_group_name=user_group.users_group_name):
                         raise JSONRPCError(
                             'user group `%s` does not exist' % (usergroupid,))
                 apply_to_children = Optional.extract(apply_to_children)
                 perm_additions = [[user_group.users_group_id, perm, "user_group"]]
                 try:
                     RepoGroupModel().update_permissions(repo_group=repo_group,
                                                         perm_additions=perm_additions,
                                                         recursive=apply_to_children,
                                                         cur_user=apiuser)
                     Session().commit()
                     return {
                         'msg': 'Granted perm: `%s` (recursive:%s) '
                                'for user group: `%s` in repo group: `%s`' % (
                                    perm.permission_name, apply_to_children,
                                    user_group.users_group_name, repo_group.name
                                ),
                         'success': True
                     }
                 except Exception:
                     log.exception("Exception occurred while trying to grant user "
                                   "group permissions to repo group")
                     raise JSONRPCError(
                         'failed to edit permission for user group: `%s` in '
                         'repo group: `%s`' % (
                             usergroupid, repo_group.name
                         )
                     )
             @jsonrpc_method()
             def revoke_user_group_permission_from_repo_group(
                     request, apiuser, repogroupid, usergroupid,
                     apply_to_children=Optional('none')):
                 """
                 Revoke permission for user group on given repository.
                 This command can only be run using an |authtoken| with admin
                 permissions on the |repo| group.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repogroupid: name or id of repository group
                 :type repogroupid: str or int
                 :param usergroupid:
                 :param apply_to_children: 'none', 'repos', 'groups', 'all'
                 :type apply_to_children: str
                 Example output:
                 .. code-block:: bash
                     id : <id_given_in_input>
                     result: {
                               "msg" : "Revoked perm (recursive:<apply_to_children>) for user group: `<usersgroupname>` in repo group: `<repo_group_name>`",
                               "success": true
                             }
                     error:  null
                 Example error output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : null
                   error :  {
                     "failed to edit permission for user group: `<usergroup>` in repo group: `<repo_group_name>`"
                   }
                 """
                 repo_group = get_repo_group_or_error(repogroupid)
                 user_group = get_user_group_or_error(usergroupid)
                 if not has_superadmin_permission(apiuser):
                     validate_repo_group_permissions(
                         apiuser, repogroupid, repo_group, ('group.admin',))
                     # check if we have at least read permission for this user group !
                     _perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin',)
                     if not HasUserGroupPermissionAnyApi(*_perms)(
                             user=apiuser, user_group_name=user_group.users_group_name):
                         raise JSONRPCError(
                             'user group `%s` does not exist' % (usergroupid,))
                 apply_to_children = Optional.extract(apply_to_children)
                 perm_deletions = [[user_group.users_group_id, None, "user_group"]]
                 try:
                     RepoGroupModel().update_permissions(repo_group=repo_group,
                                                         perm_deletions=perm_deletions,
                                                         recursive=apply_to_children,
                                                         cur_user=apiuser)
                     Session().commit()
                     return {
                         'msg': 'Revoked perm (recursive:%s) for user group: '
                                '`%s` in repo group: `%s`' % (
                                    apply_to_children, user_group.users_group_name,
                                    repo_group.name
                                ),
                         'success': True
                     }
                 except Exception:
                     log.exception("Exception occurred while trying revoke user group "
                                   "permissions from repo group")
                     raise JSONRPCError(
                         'failed to edit permission for user group: '
                         '`%s` in repo group: `%s`' % (
                             user_group.users_group_name, repo_group.name
                         )
                     )

rhodecode/api/views/user_api.py

0 +16 -2

             # -*- coding: utf-8 -*-
             # Copyright (C) 2011-2017 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import logging
             from rhodecode.api import jsonrpc_method, JSONRPCError, JSONRPCForbidden
             from rhodecode.api.utils import (
                 Optional, OAttr, has_superadmin_permission, get_user_or_error, store_update)
+            from rhodecode.lib import audit_logger
             from rhodecode.lib.auth import AuthUser, PasswordGenerator
             from rhodecode.lib.exceptions import DefaultUserException
             from rhodecode.lib.utils2 import safe_int, str2bool
             from rhodecode.model.db import Session, User, Repository
             from rhodecode.model.user import UserModel
             log = logging.getLogger(__name__)
             @jsonrpc_method()
             def get_user(request, apiuser, userid=Optional(OAttr('apiuser'))):
                 """
                 Returns the information associated with a username or userid.
                 * If the ``userid`` is not set, this command returns the information
                   for the ``userid`` calling the method.
                 .. note::
                    Normal users may only run this command against their ``userid``. For
                    full privileges you must run this command using an |authtoken| with
                    admin rights.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param userid: Sets the userid for which data will be returned.
                 :type userid: Optional(str or int)
                 Example output:
                 .. code-block:: bash
                     {
                       "error": null,
                       "id": <id>,
                       "result": {
                         "active": true,
                         "admin": false,
                         "api_keys": [ list of keys ],
                         "auth_tokens": [ list of tokens with details ],
                         "email": "user@example.com",
                         "emails": [
                           "user@example.com"
                         ],
                         "extern_name": "rhodecode",
                         "extern_type": "rhodecode",
                         "firstname": "username",
                         "ip_addresses": [],
                         "language": null,
                         "last_login": "Timestamp",
                         "last_activity": "Timestamp",
                         "lastname": "surnae",
                         "permissions": {
                           "global": [
                             "hg.inherit_default_perms.true",
                             "usergroup.read",
                             "hg.repogroup.create.false",
                             "hg.create.none",
                             "hg.password_reset.enabled",
                             "hg.extern_activate.manual",
                             "hg.create.write_on_repogroup.false",
                             "hg.usergroup.create.false",
                             "group.none",
                             "repository.none",
                             "hg.register.none",
                             "hg.fork.repository"
                           ],
                           "repositories": { "username/example": "repository.write"},
                           "repositories_groups": { "user-group/repo": "group.none" },
                           "user_groups": { "user_group_name": "usergroup.read" }
                         },
                         "user_id": 32,
                         "username": "username"
                       }
                     }
                 """
                 if not has_superadmin_permission(apiuser):
                     # make sure normal user does not pass someone else userid,
                     # he is not allowed to do that
                     if not isinstance(userid, Optional) and userid != apiuser.user_id:
                         raise JSONRPCError('userid is not the same as your user')
                 userid = Optional.extract(userid, evaluate_locals=locals())
                 userid = getattr(userid, 'user_id', userid)
                 user = get_user_or_error(userid)
                 data = user.get_api_data(include_secrets=True)
                 data['permissions'] = AuthUser(user_id=user.user_id).permissions
                 return data
             @jsonrpc_method()
             def get_users(request, apiuser):
                 """
                 Lists all users in the |RCE| user database.
                 This command can only be run using an |authtoken| with admin rights to
                 the specified repository.
                 This command takes the following options:
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 Example output:
                 .. code-block:: bash
                     id : <id_given_in_input>
                     result: [<user_object>, ...]
                     error:  null
                 """
                 if not has_superadmin_permission(apiuser):
                     raise JSONRPCForbidden()
                 result = []
                 users_list = User.query().order_by(User.username) \
                     .filter(User.username != User.DEFAULT_USER) \
                     .all()
                 for user in users_list:
                     result.append(user.get_api_data(include_secrets=True))
                 return result
             @jsonrpc_method()
             def create_user(request, apiuser, username, email, password=Optional(''),
                             firstname=Optional(''), lastname=Optional(''),
                             active=Optional(True), admin=Optional(False),
                             extern_name=Optional('rhodecode'),
                             extern_type=Optional('rhodecode'),
                             force_password_change=Optional(False),
                             create_personal_repo_group=Optional(None)):
                 """
                 Creates a new user and returns the new user object.
                 This command can only be run using an |authtoken| with admin rights to
                 the specified repository.
                 This command takes the following options:
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param username: Set the new username.
                 :type username: str or int
                 :param email: Set the user email address.
                 :type email: str
                 :param password: Set the new user password.
                 :type password: Optional(str)
                 :param firstname: Set the new user firstname.
                 :type firstname: Optional(str)
                 :param lastname: Set the new user surname.
                 :type lastname: Optional(str)
                 :param active: Set the user as active.
                 :type active: Optional(``True`` | ``False``)
                 :param admin: Give the new user admin rights.
                 :type admin: Optional(``True`` | ``False``)
                 :param extern_name: Set the authentication plugin name.
                     Using LDAP this is filled with LDAP UID.
                 :type extern_name: Optional(str)
                 :param extern_type: Set the new user authentication plugin.
                 :type extern_type: Optional(str)
                 :param force_password_change: Force the new user to change password
                     on next login.
                 :type force_password_change: Optional(``True`` | ``False``)
                 :param create_personal_repo_group: Create personal repo group for this user
                 :type create_personal_repo_group: Optional(``True`` | ``False``)
                 Example output:
                 .. code-block:: bash
                     id : <id_given_in_input>
                     result: {
                         "msg" : "created new user `<username>`",
                         "user": <user_obj>
                     }
                     error:  null
                 Example error output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : null
                   error :  {
                     "user `<username>` already exist"
                     or
                     "email `<email>` already exist"
                     or
                     "failed to create user `<username>`"
                   }
                 """
                 if not has_superadmin_permission(apiuser):
                     raise JSONRPCForbidden()
                 if UserModel().get_by_username(username):
                     raise JSONRPCError("user `%s` already exist" % (username,))
                 if UserModel().get_by_email(email, case_insensitive=True):
                     raise JSONRPCError("email `%s` already exist" % (email,))
                 # generate random password if we actually given the
                 # extern_name and it's not rhodecode
                 if (not isinstance(extern_name, Optional) and
                             Optional.extract(extern_name) != 'rhodecode'):
                     # generate temporary password if user is external
                     password = PasswordGenerator().gen_password(length=16)
                 create_repo_group = Optional.extract(create_personal_repo_group)
                 if isinstance(create_repo_group, basestring):
                     create_repo_group = str2bool(create_repo_group)
                 try:
                     user = UserModel().create_or_update(
                         username=Optional.extract(username),
                         password=Optional.extract(password),
                         email=Optional.extract(email),
                         firstname=Optional.extract(firstname),
                         lastname=Optional.extract(lastname),
                         active=Optional.extract(active),
                         admin=Optional.extract(admin),
                         extern_type=Optional.extract(extern_type),
                         extern_name=Optional.extract(extern_name),
                         force_password_change=Optional.extract(force_password_change),
                         create_repo_group=create_repo_group
                     )
+                    Session().flush()
+                    creation_data = user.get_api_data()
+                    audit_logger.store_api(
+                        'user.create', action_data={'data': creation_data},
+                        user=apiuser)
                     Session().commit()
                     return {
                         'msg': 'created new user `%s`' % username,
                         'user': user.get_api_data(include_secrets=True)
                     }
                 except Exception:
                     log.exception('Error occurred during creation of user')
                     raise JSONRPCError('failed to create user `%s`' % (username,))
             @jsonrpc_method()
             def update_user(request, apiuser, userid, username=Optional(None),
                             email=Optional(None), password=Optional(None),
                             firstname=Optional(None), lastname=Optional(None),
                             active=Optional(None), admin=Optional(None),
                             extern_type=Optional(None), extern_name=Optional(None), ):
                 """
                 Updates the details for the specified user, if that user exists.
                 This command can only be run using an |authtoken| with admin rights to
                 the specified repository.
                 This command takes the following options:
                 :param apiuser: This is filled automatically from |authtoken|.
                 :type apiuser: AuthUser
                 :param userid: Set the ``userid`` to update.
                 :type userid: str or int
                 :param username: Set the new username.
                 :type username: str or int
                 :param email: Set the new email.
                 :type email: str
                 :param password: Set the new password.
                 :type password: Optional(str)
                 :param firstname: Set the new first name.
                 :type firstname: Optional(str)
                 :param lastname: Set the new surname.
                 :type lastname: Optional(str)
                 :param active: Set the new user as active.
                 :type active: Optional(``True`` | ``False``)
                 :param admin: Give the user admin rights.
                 :type admin: Optional(``True`` | ``False``)
                 :param extern_name: Set the authentication plugin user name.
                     Using LDAP this is filled with LDAP UID.
                 :type extern_name: Optional(str)
                 :param extern_type: Set the authentication plugin type.
                 :type extern_type: Optional(str)
                 Example output:
                 .. code-block:: bash
                     id : <id_given_in_input>
                     result: {
                         "msg" : "updated user ID:<userid> <username>",
                         "user": <user_object>,
                     }
                     error:  null
                 Example error output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : null
                   error :  {
                     "failed to update user `<username>`"
                   }
                 """
                 if not has_superadmin_permission(apiuser):
                     raise JSONRPCForbidden()
                 user = get_user_or_error(userid)
+                old_data = user.get_api_data()
                 # only non optional arguments will be stored in updates
                 updates = {}
                 try:
                     store_update(updates, username, 'username')
                     store_update(updates, password, 'password')
                     store_update(updates, email, 'email')
                     store_update(updates, firstname, 'name')
                     store_update(updates, lastname, 'lastname')
                     store_update(updates, active, 'active')
                     store_update(updates, admin, 'admin')
                     store_update(updates, extern_name, 'extern_name')
                     store_update(updates, extern_type, 'extern_type')
                     user = UserModel().update_user(user, **updates)
+                    audit_logger.store_api(
+                        'user.edit', action_data={'old_data': old_data},
+                        user=apiuser)
                     Session().commit()
                     return {
                         'msg': 'updated user ID:%s %s' % (user.user_id, user.username),
                         'user': user.get_api_data(include_secrets=True)
                     }
                 except DefaultUserException:
                     log.exception("Default user edit exception")
                     raise JSONRPCError('editing default user is forbidden')
                 except Exception:
                     log.exception("Error occurred during update of user")
                     raise JSONRPCError('failed to update user `%s`' % (userid,))
             @jsonrpc_method()
             def delete_user(request, apiuser, userid):
                 """
                 Deletes the specified user from the |RCE| user database.
                 This command can only be run using an |authtoken| with admin rights to
                 the specified repository.
                 .. important::
                    Ensure all open pull requests and open code review
                    requests to this user are close.
                    Also ensure all repositories, or repository groups owned by this
                    user are reassigned before deletion.
                 This command takes the following options:
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param userid: Set the user to delete.
                 :type userid: str or int
                 Example output:
                 .. code-block:: bash
                     id : <id_given_in_input>
                     result: {
                         "msg" : "deleted user ID:<userid> <username>",
                         "user": null
                     }
                     error:  null
                 Example error output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : null
                   error :  {
                     "failed to delete user ID:<userid> <username>"
                   }
                 """
                 if not has_superadmin_permission(apiuser):
                     raise JSONRPCForbidden()
                 user = get_user_or_error(userid)
+                old_data = user.get_api_data()
                 try:
                     UserModel().delete(userid)
+                    audit_logger.store_api(
+                        'user.delete', action_data={'old_data': old_data},
+                        user=apiuser)
                     Session().commit()
                     return {
                         'msg': 'deleted user ID:%s %s' % (user.user_id, user.username),
                         'user': None
                     }
                 except Exception:
                     log.exception("Error occurred during deleting of user")
                     raise JSONRPCError(
                         'failed to delete user ID:%s %s' % (user.user_id, user.username))
             @jsonrpc_method()
             def get_user_locks(request, apiuser, userid=Optional(OAttr('apiuser'))):
                 """
                 Displays all repositories locked by the specified user.
                 * If this command is run by a non-admin user, it returns
                   a list of |repos| locked by that user.
                 This command takes the following options:
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param userid: Sets the userid whose list of locked |repos| will be
                     displayed.
                 :type userid: Optional(str or int)
                 Example output:
                 .. code-block:: bash
                     id : <id_given_in_input>
                     result : {
                         [repo_object, repo_object,...]
                     }
                     error :  null
                 """
                 include_secrets = False
                 if not has_superadmin_permission(apiuser):
                     # make sure normal user does not pass someone else userid,
                     # he is not allowed to do that
                     if not isinstance(userid, Optional) and userid != apiuser.user_id:
                         raise JSONRPCError('userid is not the same as your user')
                 else:
                     include_secrets = True
                 userid = Optional.extract(userid, evaluate_locals=locals())
                 userid = getattr(userid, 'user_id', userid)
                 user = get_user_or_error(userid)
                 ret = []
                 # show all locks
                 for r in Repository.getAll():
                     _user_id, _time, _reason = r.locked
                     if _user_id and _time:
                         _api_data = r.get_api_data(include_secrets=include_secrets)
                         # if we use user filter just show the locks for this user
                         if safe_int(_user_id) == user.user_id:
                             ret.append(_api_data)
                 return ret
             @jsonrpc_method()
             def get_user_audit_logs(request, apiuser, userid=Optional(OAttr('apiuser'))):
                 """
                 Fetches all action logs made by the specified user.
                 This command takes the following options:
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param userid: Sets the userid whose list of locked |repos| will be
                     displayed.
                 :type userid: Optional(str or int)
                 Example output:
                 .. code-block:: bash
                     id : <id_given_in_input>
                     result : {
                         [action, action,...]
                     }
                     error :  null
                 """
                 if not has_superadmin_permission(apiuser):
                     # make sure normal user does not pass someone else userid,
                     # he is not allowed to do that
                     if not isinstance(userid, Optional) and userid != apiuser.user_id:
                         raise JSONRPCError('userid is not the same as your user')
                 userid = Optional.extract(userid, evaluate_locals=locals())
                 userid = getattr(userid, 'user_id', userid)
                 user = get_user_or_error(userid)
                 ret = []
                 # show all user actions
                 for entry in UserModel().get_user_log(user, filter_term=None):
                     ret.append(entry)
                 return ret

rhodecode/api/views/user_group_api.py

0 +28 -2

             # -*- coding: utf-8 -*-
             # Copyright (C) 2011-2017 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import logging
             from rhodecode.api import jsonrpc_method, JSONRPCError, JSONRPCForbidden
             from rhodecode.api.utils import (
                 Optional, OAttr, store_update, has_superadmin_permission, get_origin,
                 get_user_or_error, get_user_group_or_error, get_perm_or_error)
+            from rhodecode.lib import audit_logger
             from rhodecode.lib.auth import HasUserGroupPermissionAnyApi, HasPermissionAnyApi
             from rhodecode.lib.exceptions import UserGroupAssignedException
             from rhodecode.model.db import Session
             from rhodecode.model.scm import UserGroupList
             from rhodecode.model.user_group import UserGroupModel
             log = logging.getLogger(__name__)
             @jsonrpc_method()
             def get_user_group(request, apiuser, usergroupid):
                 """
                 Returns the data of an existing user group.
                 This command can only be run using an |authtoken| with admin rights to
                 the specified repository.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param usergroupid: Set the user group from which to return data.
                 :type usergroupid: str or int
                 Example error output:
                 .. code-block:: bash
                     {
                       "error": null,
                       "id": <id>,
                       "result": {
                         "active": true,
                         "group_description": "group description",
                         "group_name": "group name",
                         "members": [
                           {
                             "name": "owner-name",
                             "origin": "owner",
                             "permission": "usergroup.admin",
                             "type": "user"
                           },
                           {
                           {
                             "name": "user name",
                             "origin": "permission",
                             "permission": "usergroup.admin",
                             "type": "user"
                           },
                           {
                             "name": "user group name",
                             "origin": "permission",
                             "permission": "usergroup.write",
                             "type": "user_group"
                           }
                         ],
                         "owner": "owner name",
                         "users": [],
                         "users_group_id": 2
                       }
                     }
                 """
                 user_group = get_user_group_or_error(usergroupid)
                 if not has_superadmin_permission(apiuser):
                     # check if we have at least read permission for this user group !
                     _perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin',)
                     if not HasUserGroupPermissionAnyApi(*_perms)(
                             user=apiuser, user_group_name=user_group.users_group_name):
                         raise JSONRPCError('user group `%s` does not exist' % (
                             usergroupid,))
                 permissions = []
                 for _user in user_group.permissions():
                     user_data = {
                         'name': _user.username,
                         'permission': _user.permission,
                         'origin': get_origin(_user),
                         'type': "user",
                     }
                     permissions.append(user_data)
                 for _user_group in user_group.permission_user_groups():
                     user_group_data = {
                         'name': _user_group.users_group_name,
                         'permission': _user_group.permission,
                         'origin': get_origin(_user_group),
                         'type': "user_group",
                     }
                     permissions.append(user_group_data)
                 data = user_group.get_api_data()
                 data['members'] = permissions
                 return data
             @jsonrpc_method()
             def get_user_groups(request, apiuser):
                 """
                 Lists all the existing user groups within RhodeCode.
                 This command can only be run using an |authtoken| with admin rights to
                 the specified repository.
                 This command takes the following options:
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 Example error output:
                 .. code-block:: bash
                     id : <id_given_in_input>
                     result : [<user_group_obj>,...]
                     error : null
                 """
                 include_secrets = has_superadmin_permission(apiuser)
                 result = []
                 _perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin',)
                 extras = {'user': apiuser}
                 for user_group in UserGroupList(UserGroupModel().get_all(),
                                                 perm_set=_perms, extra_kwargs=extras):
                     result.append(
                         user_group.get_api_data(include_secrets=include_secrets))
                 return result
             @jsonrpc_method()
             def create_user_group(
                     request, apiuser, group_name, description=Optional(''),
                     owner=Optional(OAttr('apiuser')), active=Optional(True)):
                 """
                 Creates a new user group.
                 This command can only be run using an |authtoken| with admin rights to
                 the specified repository.
                 This command takes the following options:
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param group_name: Set the name of the new user group.
                 :type group_name: str
                 :param description: Give a description of the new user group.
                 :type description: str
                 :param owner: Set the owner of the new user group.
                     If not set, the owner is the |authtoken| user.
                 :type owner: Optional(str or int)
                 :param active: Set this group as active.
                 :type active: Optional(``True`` | ``False``)
                 Example output:
                 .. code-block:: bash
                     id : <id_given_in_input>
                     result: {
                               "msg": "created new user group `<groupname>`",
                               "user_group": <user_group_object>
                             }
                     error:  null
                 Example error output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : null
                   error :  {
                     "user group `<group name>` already exist"
                     or
                     "failed to create group `<group name>`"
                   }
                 """
                 if not has_superadmin_permission(apiuser):
                     if not HasPermissionAnyApi('hg.usergroup.create.true')(user=apiuser):
                         raise JSONRPCForbidden()
                 if UserGroupModel().get_by_name(group_name):
                     raise JSONRPCError("user group `%s` already exist" % (group_name,))
                 try:
                     if isinstance(owner, Optional):
                         owner = apiuser.user_id
                     owner = get_user_or_error(owner)
                     active = Optional.extract(active)
                     description = Optional.extract(description)
-                    ug = UserGroupModel().create(
+                    user_group = UserGroupModel().create(
                         name=group_name, description=description, owner=owner,
                         active=active)
+                    Session().flush()
+                    creation_data = user_group.get_api_data()
+                    audit_logger.store_api(
+                        'user_group.create', action_data={'data': creation_data},
+                        user=apiuser)
                     Session().commit()
                     return {
                         'msg': 'created new user group `%s`' % group_name,
-                        'user_group': ug.get_api_data()
+                        'user_group': creation_data
                     }
                 except Exception:
                     log.exception("Error occurred during creation of user group")
                     raise JSONRPCError('failed to create group `%s`' % (group_name,))
             @jsonrpc_method()
             def update_user_group(request, apiuser, usergroupid, group_name=Optional(''),
                                   description=Optional(''), owner=Optional(None),
                                   active=Optional(True)):
                 """
                 Updates the specified `user group` with the details provided.
                 This command can only be run using an |authtoken| with admin rights to
                 the specified repository.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param usergroupid: Set the id of the `user group` to update.
                 :type usergroupid: str or int
                 :param group_name: Set the new name the `user group`
                 :type group_name: str
                 :param description: Give a description for the `user group`
                 :type description: str
                 :param owner: Set the owner of the `user group`.
                 :type owner: Optional(str or int)
                 :param active: Set the group as active.
                 :type active: Optional(``True`` | ``False``)
                 Example output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : {
                     "msg": 'updated user group ID:<user group id> <user group name>',
                     "user_group": <user_group_object>
                   }
                   error :  null
                 Example error output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : null
                   error :  {
                     "failed to update user group `<user group name>`"
                   }
                 """
                 user_group = get_user_group_or_error(usergroupid)
                 include_secrets = False
                 if not has_superadmin_permission(apiuser):
                     # check if we have admin permission for this user group !
                     _perms = ('usergroup.admin',)
                     if not HasUserGroupPermissionAnyApi(*_perms)(
                             user=apiuser, user_group_name=user_group.users_group_name):
                         raise JSONRPCError(
                             'user group `%s` does not exist' % (usergroupid,))
                 else:
                     include_secrets = True
                 if not isinstance(owner, Optional):
                     owner = get_user_or_error(owner)
+                old_data = user_group.get_api_data()
                 updates = {}
                 store_update(updates, group_name, 'users_group_name')
                 store_update(updates, description, 'user_group_description')
                 store_update(updates, owner, 'user')
                 store_update(updates, active, 'users_group_active')
                 try:
                     UserGroupModel().update(user_group, updates)
+                    audit_logger.store_api(
+                        'user_group.edit', action_data={'old_data': old_data},
+                        user=apiuser)
                     Session().commit()
                     return {
                         'msg': 'updated user group ID:%s %s' % (
                             user_group.users_group_id, user_group.users_group_name),
                         'user_group': user_group.get_api_data(
                             include_secrets=include_secrets)
                     }
                 except Exception:
                     log.exception("Error occurred during update of user group")
                     raise JSONRPCError(
                         'failed to update user group `%s`' % (usergroupid,))
             @jsonrpc_method()
             def delete_user_group(request, apiuser, usergroupid):
                 """
                 Deletes the specified `user group`.
                 This command can only be run using an |authtoken| with admin rights to
                 the specified repository.
                 This command takes the following options:
                 :param apiuser: filled automatically from apikey
                 :type apiuser: AuthUser
                 :param usergroupid:
                 :type usergroupid: int
                 Example output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : {
                     "msg": "deleted user group ID:<user_group_id> <user_group_name>"
                   }
                   error :  null
                 Example error output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : null
                   error :  {
                     "failed to delete user group ID:<user_group_id> <user_group_name>"
                     or
                     "RepoGroup assigned to <repo_groups_list>"
                   }
                 """
                 user_group = get_user_group_or_error(usergroupid)
                 if not has_superadmin_permission(apiuser):
                     # check if we have admin permission for this user group !
                     _perms = ('usergroup.admin',)
                     if not HasUserGroupPermissionAnyApi(*_perms)(
                             user=apiuser, user_group_name=user_group.users_group_name):
                         raise JSONRPCError(
                             'user group `%s` does not exist' % (usergroupid,))
+                old_data = user_group.get_api_data()
                 try:
                     UserGroupModel().delete(user_group)
+                    audit_logger.store_api(
+                        'user_group.delete', action_data={'old_data': old_data},
+                        user=apiuser)
                     Session().commit()
                     return {
                         'msg': 'deleted user group ID:%s %s' % (
                             user_group.users_group_id, user_group.users_group_name),
                         'user_group': None
                     }
                 except UserGroupAssignedException as e:
                     log.exception("UserGroupAssigned error")
                     raise JSONRPCError(str(e))
                 except Exception:
                     log.exception("Error occurred during deletion of user group")
                     raise JSONRPCError(
                         'failed to delete user group ID:%s %s' %(
                             user_group.users_group_id, user_group.users_group_name))
             @jsonrpc_method()
             def add_user_to_user_group(request, apiuser, usergroupid, userid):
                 """
                 Adds a user to a `user group`. If the user already exists in the group
                 this command will return false.
                 This command can only be run using an |authtoken| with admin rights to
                 the specified user group.
                 This command takes the following options:
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param usergroupid: Set the name of the `user group` to which a
                     user will be added.
                 :type usergroupid: int
                 :param userid: Set the `user_id` of the user to add to the group.
                 :type userid: int
                 Example output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : {
                       "success": True|False # depends on if member is in group
                       "msg": "added member `<username>` to user group `<groupname>` |
                               User is already in that group"
                   }
                   error :  null
                 Example error output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : null
                   error :  {
                     "failed to add member to user group `<user_group_name>`"
                   }
                 """
                 user = get_user_or_error(userid)
                 user_group = get_user_group_or_error(usergroupid)
                 if not has_superadmin_permission(apiuser):
                     # check if we have admin permission for this user group !
                     _perms = ('usergroup.admin',)
                     if not HasUserGroupPermissionAnyApi(*_perms)(
                             user=apiuser, user_group_name=user_group.users_group_name):
                         raise JSONRPCError('user group `%s` does not exist' % (
                             usergroupid,))
                 try:
                     ugm = UserGroupModel().add_user_to_group(user_group, user)
                     success = True if ugm is not True else False
                     msg = 'added member `%s` to user group `%s`' % (
                         user.username, user_group.users_group_name
                     )
                     msg = msg if success else 'User is already in that group'
+                    if success:
+                        user_data = user.get_api_data()
+                        audit_logger.store_api(
+                            'user_group.edit.member.add', action_data={'user': user_data},
+                            user=apiuser)
                     Session().commit()
                     return {
                         'success': success,
                         'msg': msg
                     }
                 except Exception:
                     log.exception("Error occurred during adding a member to user group")
                     raise JSONRPCError(
                         'failed to add member to user group `%s`' % (
                             user_group.users_group_name,
                         )
                     )
             @jsonrpc_method()
             def remove_user_from_user_group(request, apiuser, usergroupid, userid):
                 """
                 Removes a user from a user group.
                 * If the specified user is not in the group, this command will return
                   `false`.
                 This command can only be run using an |authtoken| with admin rights to
                 the specified user group.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param usergroupid: Sets the user group name.
                 :type usergroupid: str or int
                 :param userid: The user you wish to remove from |RCE|.
                 :type userid: str or int
                 Example output:
                 .. code-block:: bash
                     id : <id_given_in_input>
                     result: {
                               "success":  True|False,  # depends on if member is in group
                               "msg": "removed member <username> from user group <groupname> |
                                       User wasn't in group"
                             }
                     error:  null
                 """
                 user = get_user_or_error(userid)
                 user_group = get_user_group_or_error(usergroupid)
                 if not has_superadmin_permission(apiuser):
                     # check if we have admin permission for this user group !
                     _perms = ('usergroup.admin',)
                     if not HasUserGroupPermissionAnyApi(*_perms)(
                             user=apiuser, user_group_name=user_group.users_group_name):
                         raise JSONRPCError(
                             'user group `%s` does not exist' % (usergroupid,))
                 try:
                     success = UserGroupModel().remove_user_from_group(user_group, user)
                     msg = 'removed member `%s` from user group `%s`' % (
                         user.username, user_group.users_group_name
                     )
                     msg = msg if success else "User wasn't in group"
+                    if success:
+                        user_data = user.get_api_data()
+                        audit_logger.store_api(
+                            'user_group.edit.member.delete', action_data={'user': user_data},
+                            user=apiuser)
                     Session().commit()
                     return {'success': success, 'msg': msg}
                 except Exception:
                     log.exception("Error occurred during removing an member from user group")
                     raise JSONRPCError(
                         'failed to remove member from user group `%s`' % (
                             user_group.users_group_name,
                         )
                     )
             @jsonrpc_method()
             def grant_user_permission_to_user_group(
                     request, apiuser, usergroupid, userid, perm):
                 """
                 Set permissions for a user in a user group.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param usergroupid: Set the user group to edit permissions on.
                 :type usergroupid: str or int
                 :param userid: Set the user from whom you wish to set permissions.
                 :type userid: str
                 :param perm: (usergroup.(none|read|write|admin))
                 :type perm: str
                 Example output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : {
                     "msg": "Granted perm: `<perm_name>` for user: `<username>` in user group: `<user_group_name>`",
                     "success": true
                   }
                   error :  null
                 """
                 user_group = get_user_group_or_error(usergroupid)
                 if not has_superadmin_permission(apiuser):
                     # check if we have admin permission for this user group !
                     _perms = ('usergroup.admin',)
                     if not HasUserGroupPermissionAnyApi(*_perms)(
                             user=apiuser, user_group_name=user_group.users_group_name):
                         raise JSONRPCError(
                             'user group `%s` does not exist' % (usergroupid,))
                 user = get_user_or_error(userid)
                 perm = get_perm_or_error(perm, prefix='usergroup.')
                 try:
                     UserGroupModel().grant_user_permission(
                         user_group=user_group, user=user, perm=perm)
                     Session().commit()
                     return {
                         'msg':
                             'Granted perm: `%s` for user: `%s` in user group: `%s`' % (
                                 perm.permission_name, user.username,
                                 user_group.users_group_name
                             ),
                         'success': True
                     }
                 except Exception:
                     log.exception("Error occurred during editing permissions "
                                   "for user in user group")
                     raise JSONRPCError(
                         'failed to edit permission for user: '
                         '`%s` in user group: `%s`' % (
                             userid, user_group.users_group_name))
             @jsonrpc_method()
             def revoke_user_permission_from_user_group(
                     request, apiuser, usergroupid, userid):
                 """
                 Revoke a users permissions in a user group.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param usergroupid: Set the user group from which to revoke the user
                     permissions.
                 :type: usergroupid: str or int
                 :param userid: Set the userid of the user whose permissions will be
                     revoked.
                 :type userid: str
                 Example output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : {
                     "msg": "Revoked perm for user: `<username>` in user group: `<user_group_name>`",
                     "success": true
                   }
                   error :  null
                 """
                 user_group = get_user_group_or_error(usergroupid)
                 if not has_superadmin_permission(apiuser):
                     # check if we have admin permission for this user group !
                     _perms = ('usergroup.admin',)
                     if not HasUserGroupPermissionAnyApi(*_perms)(
                             user=apiuser, user_group_name=user_group.users_group_name):
                         raise JSONRPCError(
                             'user group `%s` does not exist' % (usergroupid,))
                 user = get_user_or_error(userid)
                 try:
                     UserGroupModel().revoke_user_permission(
                         user_group=user_group, user=user)
                     Session().commit()
                     return {
                         'msg': 'Revoked perm for user: `%s` in user group: `%s`' % (
                             user.username, user_group.users_group_name
                         ),
                         'success': True
                     }
                 except Exception:
                     log.exception("Error occurred during editing permissions "
                                   "for user in user group")
                     raise JSONRPCError(
                         'failed to edit permission for user: `%s` in user group: `%s`'
                         % (userid, user_group.users_group_name))
             @jsonrpc_method()
             def grant_user_group_permission_to_user_group(
                     request, apiuser, usergroupid, sourceusergroupid, perm):
                 """
                 Give one user group permissions to another user group.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param usergroupid: Set the user group on which to edit permissions.
                 :type usergroupid: str or int
                 :param sourceusergroupid: Set the source user group to which
                     access/permissions will be granted.
                 :type sourceusergroupid: str or int
                 :param perm: (usergroup.(none|read|write|admin))
                 :type perm: str
                 Example output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : {
                     "msg": "Granted perm: `<perm_name>` for user group: `<source_user_group_name>` in user group: `<user_group_name>`",
                     "success": true
                   }
                   error :  null
                 """
                 user_group = get_user_group_or_error(sourceusergroupid)
                 target_user_group = get_user_group_or_error(usergroupid)
                 perm = get_perm_or_error(perm, prefix='usergroup.')
                 if not has_superadmin_permission(apiuser):
                     # check if we have admin permission for this user group !
                     _perms = ('usergroup.admin',)
                     if not HasUserGroupPermissionAnyApi(*_perms)(
                             user=apiuser,
                             user_group_name=target_user_group.users_group_name):
                         raise JSONRPCError(
                             'to user group `%s` does not exist' % (usergroupid,))
                     # check if we have at least read permission for source user group !
                     _perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin',)
                     if not HasUserGroupPermissionAnyApi(*_perms)(
                             user=apiuser, user_group_name=user_group.users_group_name):
                         raise JSONRPCError(
                             'user group `%s` does not exist' % (sourceusergroupid,))
                 try:
                     UserGroupModel().grant_user_group_permission(
                         target_user_group=target_user_group,
                         user_group=user_group, perm=perm)
                     Session().commit()
                     return {
                         'msg': 'Granted perm: `%s` for user group: `%s` '
                                'in user group: `%s`' % (
                                    perm.permission_name, user_group.users_group_name,
                                    target_user_group.users_group_name
                                ),
                         'success': True
                     }
                 except Exception:
                     log.exception("Error occurred during editing permissions "
                                   "for user group in user group")
                     raise JSONRPCError(
                         'failed to edit permission for user group: `%s` in '
                         'user group: `%s`' % (
                             sourceusergroupid, target_user_group.users_group_name
                         )
                     )
             @jsonrpc_method()
             def revoke_user_group_permission_from_user_group(
                     request, apiuser, usergroupid, sourceusergroupid):
                 """
                 Revoke the permissions that one user group has to another.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param usergroupid: Set the user group on which to edit permissions.
                 :type usergroupid: str or int
                 :param sourceusergroupid: Set the user group from which permissions
                     are revoked.
                 :type sourceusergroupid: str or int
                 Example output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : {
                     "msg": "Revoked perm for user group: `<user_group_name>` in user group: `<target_user_group_name>`",
                     "success": true
                   }
                   error :  null
                 """
                 user_group = get_user_group_or_error(sourceusergroupid)
                 target_user_group = get_user_group_or_error(usergroupid)
                 if not has_superadmin_permission(apiuser):
                     # check if we have admin permission for this user group !
                     _perms = ('usergroup.admin',)
                     if not HasUserGroupPermissionAnyApi(*_perms)(
                             user=apiuser,
                             user_group_name=target_user_group.users_group_name):
                         raise JSONRPCError(
                             'to user group `%s` does not exist' % (usergroupid,))
                     # check if we have at least read permission
                     # for the source user group !
                     _perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin',)
                     if not HasUserGroupPermissionAnyApi(*_perms)(
                             user=apiuser, user_group_name=user_group.users_group_name):
                         raise JSONRPCError(
                             'user group `%s` does not exist' % (sourceusergroupid,))
                 try:
                     UserGroupModel().revoke_user_group_permission(
                         target_user_group=target_user_group, user_group=user_group)
                     Session().commit()
                     return {
                         'msg': 'Revoked perm for user group: '
                                '`%s` in user group: `%s`' % (
                                    user_group.users_group_name,
                                    target_user_group.users_group_name
                                ),
                         'success': True
                     }
                 except Exception:
                     log.exception("Error occurred during editing permissions "
                                   "for user group in user group")
                     raise JSONRPCError(
                         'failed to edit permission for user group: '
                         '`%s` in user group: `%s`' % (
                             sourceusergroupid, target_user_group.users_group_name
                         )
                     )

rhodecode/apps/admin/views/users.py

0 +8 -12

             # -*- coding: utf-8 -*-
             # Copyright (C) 2016-2017 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import logging
             import datetime
             import formencode
             from pyramid.httpexceptions import HTTPFound
             from pyramid.view import view_config
             from sqlalchemy.sql.functions import coalesce
             from rhodecode.apps._base import BaseAppView, DataGridAppView
             from rhodecode.lib import audit_logger
             from rhodecode.lib.ext_json import json
             from rhodecode.lib.auth import (
                 LoginRequired, HasPermissionAllDecorator, CSRFRequired)
             from rhodecode.lib import helpers as h
             from rhodecode.lib.utils import PartialRenderer
             from rhodecode.lib.utils2 import safe_int, safe_unicode
             from rhodecode.model.auth_token import AuthTokenModel
             from rhodecode.model.user import UserModel
             from rhodecode.model.user_group import UserGroupModel
             from rhodecode.model.db import User, or_, UserIpMap, UserEmailMap, UserApiKeys
             from rhodecode.model.meta import Session
             log = logging.getLogger(__name__)
             class AdminUsersView(BaseAppView, DataGridAppView):
                 ALLOW_SCOPED_TOKENS = False
                 """
                 This view has alternative version inside EE, if modified please take a look
                 in there as well.
                 """
                 def load_default_context(self):
                     c = self._get_local_tmpl_context()
                     c.allow_scoped_tokens = self.ALLOW_SCOPED_TOKENS
                     self._register_global_c(c)
                     return c
                 def _redirect_for_default_user(self, username):
                     _ = self.request.translate
                     if username == User.DEFAULT_USER:
                         h.flash(_("You can't edit this user"), category='warning')
                         # TODO(marcink): redirect to 'users' admin panel once this
                         # is a pyramid view
                         raise HTTPFound('/')
                 @HasPermissionAllDecorator('hg.admin')
                 @view_config(
                     route_name='users', request_method='GET',
                     renderer='rhodecode:templates/admin/users/users.mako')
                 def users_list(self):
                     c = self.load_default_context()
                     return self._get_template_context(c)
                 @HasPermissionAllDecorator('hg.admin')
                 @view_config(
                     # renderer defined below
                     route_name='users_data', request_method='GET',
                     renderer='json_ext', xhr=True)
                 def users_list_data(self):
                     draw, start, limit = self._extract_chunk(self.request)
                     search_q, order_by, order_dir = self._extract_ordering(self.request)
                     _render = PartialRenderer('data_table/_dt_elements.mako')
                     def user_actions(user_id, username):
                         return _render("user_actions", user_id, username)
                     users_data_total_count = User.query()\
                         .filter(User.username != User.DEFAULT_USER) \
                         .count()
                     # json generate
                     base_q = User.query().filter(User.username != User.DEFAULT_USER)
                     if search_q:
                         like_expression = u'%{}%'.format(safe_unicode(search_q))
                         base_q = base_q.filter(or_(
                             User.username.ilike(like_expression),
                             User._email.ilike(like_expression),
                             User.name.ilike(like_expression),
                             User.lastname.ilike(like_expression),
                         ))
                     users_data_total_filtered_count = base_q.count()
                     sort_col = getattr(User, order_by, None)
                     if sort_col:
                         if order_dir == 'asc':
                             # handle null values properly to order by NULL last
                             if order_by in ['last_activity']:
                                 sort_col = coalesce(sort_col, datetime.date.max)
                             sort_col = sort_col.asc()
                         else:
                             # handle null values properly to order by NULL last
                             if order_by in ['last_activity']:
                                 sort_col = coalesce(sort_col, datetime.date.min)
                             sort_col = sort_col.desc()
                     base_q = base_q.order_by(sort_col)
                     base_q = base_q.offset(start).limit(limit)
                     users_list = base_q.all()
                     users_data = []
                     for user in users_list:
                         users_data.append({
                             "username": h.gravatar_with_user(user.username),
                             "email": user.email,
                             "first_name": user.first_name,
                             "last_name": user.last_name,
                             "last_login": h.format_date(user.last_login),
                             "last_activity": h.format_date(user.last_activity),
                             "active": h.bool2icon(user.active),
                             "active_raw": user.active,
                             "admin": h.bool2icon(user.admin),
                             "extern_type": user.extern_type,
                             "extern_name": user.extern_name,
                             "action": user_actions(user.user_id, user.username),
                         })
                     data = ({
                         'draw': draw,
                         'data': users_data,
                         'recordsTotal': users_data_total_count,
                         'recordsFiltered': users_data_total_filtered_count,
                     })
                     return data
                 @LoginRequired()
                 @HasPermissionAllDecorator('hg.admin')
                 @view_config(
                     route_name='edit_user_auth_tokens', request_method='GET',
                     renderer='rhodecode:templates/admin/users/user_edit.mako')
                 def auth_tokens(self):
                     _ = self.request.translate
                     c = self.load_default_context()
                     user_id = self.request.matchdict.get('user_id')
                     c.user = User.get_or_404(user_id, pyramid_exc=True)
                     self._redirect_for_default_user(c.user.username)
                     c.active = 'auth_tokens'
                     c.lifetime_values = [
                         (str(-1), _('forever')),
                         (str(5), _('5 minutes')),
                         (str(60), _('1 hour')),
                         (str(60 * 24), _('1 day')),
                         (str(60 * 24 * 30), _('1 month')),
                     ]
                     c.lifetime_options = [(c.lifetime_values, _("Lifetime"))]
                     c.role_values = [
                         (x, AuthTokenModel.cls._get_role_name(x))
                         for x in AuthTokenModel.cls.ROLES]
                     c.role_options = [(c.role_values, _("Role"))]
                     c.user_auth_tokens = AuthTokenModel().get_auth_tokens(
                         c.user.user_id, show_expired=True)
                     return self._get_template_context(c)
                 def maybe_attach_token_scope(self, token):
                     # implemented in EE edition
                     pass
                 @LoginRequired()
                 @HasPermissionAllDecorator('hg.admin')
                 @CSRFRequired()
                 @view_config(
                     route_name='edit_user_auth_tokens_add', request_method='POST')
                 def auth_tokens_add(self):
                     _ = self.request.translate
                     c = self.load_default_context()
                     user_id = self.request.matchdict.get('user_id')
                     c.user = User.get_or_404(user_id, pyramid_exc=True)
                     self._redirect_for_default_user(c.user.username)
                     user_data = c.user.get_api_data()
                     lifetime = safe_int(self.request.POST.get('lifetime'), -1)
                     description = self.request.POST.get('description')
                     role = self.request.POST.get('role')
                     token = AuthTokenModel().create(
                         c.user.user_id, description, lifetime, role)
                     token_data = token.get_api_data()
                     self.maybe_attach_token_scope(token)
                     audit_logger.store_web(
-                        action='user.edit.token.add',
+                        'user.edit.token.add', action_data={
-                        action_data={'data': {'token': token_data, 'user': user_data}},
+                            'data': {'token': token_data, 'user': user_data}},
                         user=self._rhodecode_user, )
                     Session().commit()
                     h.flash(_("Auth token successfully created"), category='success')
                     return HTTPFound(h.route_path('edit_user_auth_tokens', user_id=user_id))
                 @LoginRequired()
                 @HasPermissionAllDecorator('hg.admin')
                 @CSRFRequired()
                 @view_config(
                     route_name='edit_user_auth_tokens_delete', request_method='POST')
                 def auth_tokens_delete(self):
                     _ = self.request.translate
                     c = self.load_default_context()
                     user_id = self.request.matchdict.get('user_id')
                     c.user = User.get_or_404(user_id, pyramid_exc=True)
                     self._redirect_for_default_user(c.user.username)
                     user_data = c.user.get_api_data()
                     del_auth_token = self.request.POST.get('del_auth_token')
                     if del_auth_token:
                         token = UserApiKeys.get_or_404(del_auth_token, pyramid_exc=True)
                         token_data = token.get_api_data()
                         AuthTokenModel().delete(del_auth_token, c.user.user_id)
                         audit_logger.store_web(
-                            action='user.edit.token.delete',
+                            'user.edit.token.delete', action_data={
-                            action_data={'data': {'token': token_data, 'user': user_data}},
+                                'data': {'token': token_data, 'user': user_data}},
                             user=self._rhodecode_user,)
                         Session().commit()
                         h.flash(_("Auth token successfully deleted"), category='success')
                     return HTTPFound(h.route_path('edit_user_auth_tokens', user_id=user_id))
                 @LoginRequired()
                 @HasPermissionAllDecorator('hg.admin')
                 @view_config(
                     route_name='edit_user_emails', request_method='GET',
                     renderer='rhodecode:templates/admin/users/user_edit.mako')
                 def emails(self):
                     _ = self.request.translate
                     c = self.load_default_context()
                     user_id = self.request.matchdict.get('user_id')
                     c.user = User.get_or_404(user_id, pyramid_exc=True)
                     self._redirect_for_default_user(c.user.username)
                     c.active = 'emails'
                     c.user_email_map = UserEmailMap.query() \
                         .filter(UserEmailMap.user == c.user).all()
                     return self._get_template_context(c)
                 @LoginRequired()
                 @HasPermissionAllDecorator('hg.admin')
                 @CSRFRequired()
                 @view_config(
                     route_name='edit_user_emails_add', request_method='POST')
                 def emails_add(self):
                     _ = self.request.translate
                     c = self.load_default_context()
                     user_id = self.request.matchdict.get('user_id')
                     c.user = User.get_or_404(user_id, pyramid_exc=True)
                     self._redirect_for_default_user(c.user.username)
                     email = self.request.POST.get('new_email')
                     user_data = c.user.get_api_data()
                     try:
                         UserModel().add_extra_email(c.user.user_id, email)
                         audit_logger.store_web(
-                            'user.edit.email.add',
+                            'user.edit.email.add', action_data={'email': email, 'user': user_data},
-                            action_data={'email': email, 'user': user_data},
                             user=self._rhodecode_user)
                         Session().commit()
                         h.flash(_("Added new email address `%s` for user account") % email,
                                 category='success')
                     except formencode.Invalid as error:
                         h.flash(h.escape(error.error_dict['email']), category='error')
                     except Exception:
                         log.exception("Exception during email saving")
                         h.flash(_('An error occurred during email saving'),
                                 category='error')
                     raise HTTPFound(h.route_path('edit_user_emails', user_id=user_id))
                 @LoginRequired()
                 @HasPermissionAllDecorator('hg.admin')
                 @CSRFRequired()
                 @view_config(
                     route_name='edit_user_emails_delete', request_method='POST')
                 def emails_delete(self):
                     _ = self.request.translate
                     c = self.load_default_context()
                     user_id = self.request.matchdict.get('user_id')
                     c.user = User.get_or_404(user_id, pyramid_exc=True)
                     self._redirect_for_default_user(c.user.username)
                     email_id = self.request.POST.get('del_email_id')
                     user_model = UserModel()
                     email = UserEmailMap.query().get(email_id).email
                     user_data = c.user.get_api_data()
                     user_model.delete_extra_email(c.user.user_id, email_id)
                     audit_logger.store_web(
-                        'user.edit.email.delete',
+                        'user.edit.email.delete', action_data={'email': email, 'user': user_data},
-                        action_data={'email': email, 'user': user_data},
                         user=self._rhodecode_user)
                     Session().commit()
                     h.flash(_("Removed email address from user account"),
                             category='success')
                     raise HTTPFound(h.route_path('edit_user_emails', user_id=user_id))
                 @LoginRequired()
                 @HasPermissionAllDecorator('hg.admin')
                 @view_config(
                     route_name='edit_user_ips', request_method='GET',
                     renderer='rhodecode:templates/admin/users/user_edit.mako')
                 def ips(self):
                     _ = self.request.translate
                     c = self.load_default_context()
                     user_id = self.request.matchdict.get('user_id')
                     c.user = User.get_or_404(user_id, pyramid_exc=True)
                     self._redirect_for_default_user(c.user.username)
                     c.active = 'ips'
                     c.user_ip_map = UserIpMap.query() \
                         .filter(UserIpMap.user == c.user).all()
                     c.inherit_default_ips = c.user.inherit_default_permissions
                     c.default_user_ip_map = UserIpMap.query() \
                         .filter(UserIpMap.user == User.get_default_user()).all()
                     return self._get_template_context(c)
                 @LoginRequired()
                 @HasPermissionAllDecorator('hg.admin')
                 @CSRFRequired()
                 @view_config(
                     route_name='edit_user_ips_add', request_method='POST')
                 def ips_add(self):
                     _ = self.request.translate
                     c = self.load_default_context()
                     user_id = self.request.matchdict.get('user_id')
                     c.user = User.get_or_404(user_id, pyramid_exc=True)
                     # NOTE(marcink): this view is allowed for default users, as we can
                     # edit their IP white list
                     user_model = UserModel()
                     desc = self.request.POST.get('description')
                     try:
                         ip_list = user_model.parse_ip_range(
                             self.request.POST.get('new_ip'))
                     except Exception as e:
                         ip_list = []
                         log.exception("Exception during ip saving")
                         h.flash(_('An error occurred during ip saving:%s' % (e,)),
                                 category='error')
                     added = []
                     user_data = c.user.get_api_data()
                     for ip in ip_list:
                         try:
                             user_model.add_extra_ip(c.user.user_id, ip, desc)
                             audit_logger.store_web(
-                                'user.edit.ip.add',
+                                'user.edit.ip.add', action_data={'ip': ip, 'user': user_data},
-                                action_data={'ip': ip, 'user': user_data},
                                 user=self._rhodecode_user)
                             Session().commit()
                             added.append(ip)
                         except formencode.Invalid as error:
                             msg = error.error_dict['ip']
                             h.flash(msg, category='error')
                         except Exception:
                             log.exception("Exception during ip saving")
                             h.flash(_('An error occurred during ip saving'),
                                     category='error')
                     if added:
                         h.flash(
                             _("Added ips %s to user whitelist") % (', '.join(ip_list), ),
                             category='success')
                     if 'default_user' in self.request.POST:
                         # case for editing global IP list we do it for 'DEFAULT' user
                         raise HTTPFound(h.route_path('admin_permissions_ips'))
                     raise HTTPFound(h.route_path('edit_user_ips', user_id=user_id))
                 @LoginRequired()
                 @HasPermissionAllDecorator('hg.admin')
                 @CSRFRequired()
                 @view_config(
                     route_name='edit_user_ips_delete', request_method='POST')
                 def ips_delete(self):
                     _ = self.request.translate
                     c = self.load_default_context()
                     user_id = self.request.matchdict.get('user_id')
                     c.user = User.get_or_404(user_id, pyramid_exc=True)
                     # NOTE(marcink): this view is allowed for default users, as we can
                     # edit their IP white list
                     ip_id = self.request.POST.get('del_ip_id')
                     user_model = UserModel()
                     user_data = c.user.get_api_data()
                     ip = UserIpMap.query().get(ip_id).ip_addr
                     user_model.delete_extra_ip(c.user.user_id, ip_id)
                     audit_logger.store_web(
-                        'user.edit.ip.delete',
+                        'user.edit.ip.delete', action_data={'ip': ip, 'user': user_data},
-                        action_data={'ip': ip, 'user': user_data},
                         user=self._rhodecode_user)
                     Session().commit()
                     h.flash(_("Removed ip address from user whitelist"), category='success')
                     if 'default_user' in self.request.POST:
                         # case for editing global IP list we do it for 'DEFAULT' user
                         raise HTTPFound(h.route_path('admin_permissions_ips'))
                     raise HTTPFound(h.route_path('edit_user_ips', user_id=user_id))
                 @LoginRequired()
                 @HasPermissionAllDecorator('hg.admin')
                 @view_config(
                     route_name='edit_user_groups_management', request_method='GET',
                     renderer='rhodecode:templates/admin/users/user_edit.mako')
                 def groups_management(self):
                     c = self.load_default_context()
                     user_id = self.request.matchdict.get('user_id')
                     c.user = User.get_or_404(user_id, pyramid_exc=True)
                     c.data = c.user.group_member
                     self._redirect_for_default_user(c.user.username)
                     groups = [UserGroupModel.get_user_groups_as_dict(group.users_group)
                               for group in c.user.group_member]
                     c.groups = json.dumps(groups)
                     c.active = 'groups'
                     return self._get_template_context(c)
                 @LoginRequired()
                 @HasPermissionAllDecorator('hg.admin')
                 @CSRFRequired()
                 @view_config(
                     route_name='edit_user_groups_management_updates', request_method='POST')
                 def groups_management_updates(self):
                     _ = self.request.translate
                     c = self.load_default_context()
                     user_id = self.request.matchdict.get('user_id')
                     c.user = User.get_or_404(user_id, pyramid_exc=True)
                     self._redirect_for_default_user(c.user.username)
                     users_groups = set(self.request.POST.getall('users_group_id'))
                     users_groups_model = []
                     for ugid in users_groups:
                         users_groups_model.append(UserGroupModel().get_group(safe_int(ugid)))
                     user_group_model = UserGroupModel()
                     user_group_model.change_groups(c.user, users_groups_model)
                     Session().commit()
                     c.active = 'user_groups_management'
                     h.flash(_("Groups successfully changed"), category='success')
                     return HTTPFound(h.route_path(
                         'edit_user_groups_management', user_id=user_id))
                 @LoginRequired()
                 @HasPermissionAllDecorator('hg.admin')
                 @view_config(
                     route_name='edit_user_audit_logs', request_method='GET',
                     renderer='rhodecode:templates/admin/users/user_edit.mako')
                 def user_audit_logs(self):
                     _ = self.request.translate
                     c = self.load_default_context()
                     user_id = self.request.matchdict.get('user_id')
                     c.user = User.get_or_404(user_id, pyramid_exc=True)
                     self._redirect_for_default_user(c.user.username)
                     c.active = 'audit'
                     p = safe_int(self.request.GET.get('page', 1), 1)
                     filter_term = self.request.GET.get('filter')
                     user_log = UserModel().get_user_log(c.user, filter_term)
                     def url_generator(**kw):
                         if filter_term:
                             kw['filter'] = filter_term
                         return self.request.current_route_path(_query=kw)
                     c.audit_logs = h.Page(
                         user_log, page=p, items_per_page=10, url=url_generator)
                     c.filter_term = filter_term
                     return self._get_template_context(c)

rhodecode/apps/login/views.py

0 +4 -5

             # -*- coding: utf-8 -*-
             # Copyright (C) 2016-2017 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import time
             import collections
             import datetime
             import formencode
             import logging
             import urlparse
             from pyramid.httpexceptions import HTTPFound
             from pyramid.view import view_config
             from recaptcha.client.captcha import submit
             from rhodecode.apps._base import BaseAppView
             from rhodecode.authentication.base import authenticate, HTTP_TYPE
             from rhodecode.events import UserRegistered
             from rhodecode.lib import helpers as h
             from rhodecode.lib import audit_logger
             from rhodecode.lib.auth import (
                 AuthUser, HasPermissionAnyDecorator, CSRFRequired)
             from rhodecode.lib.base import get_ip_addr
             from rhodecode.lib.exceptions import UserCreationError
             from rhodecode.lib.utils2 import safe_str
             from rhodecode.model.db import User, UserApiKeys
             from rhodecode.model.forms import LoginForm, RegisterForm, PasswordResetForm
             from rhodecode.model.meta import Session
             from rhodecode.model.auth_token import AuthTokenModel
             from rhodecode.model.settings import SettingsModel
             from rhodecode.model.user import UserModel
             from rhodecode.translation import _
             log = logging.getLogger(__name__)
             CaptchaData = collections.namedtuple(
                 'CaptchaData', 'active, private_key, public_key')
             def _store_user_in_session(session, username, remember=False):
                 user = User.get_by_username(username, case_insensitive=True)
                 auth_user = AuthUser(user.user_id)
                 auth_user.set_authenticated()
                 cs = auth_user.get_cookie_store()
                 session['rhodecode_user'] = cs
                 user.update_lastlogin()
                 Session().commit()
                 # If they want to be remembered, update the cookie
                 if remember:
                     _year = (datetime.datetime.now() +
                              datetime.timedelta(seconds=60 * 60 * 24 * 365))
                     session._set_cookie_expires(_year)
                 session.save()
                 safe_cs = cs.copy()
                 safe_cs['password'] = '****'
                 log.info('user %s is now authenticated and stored in '
                          'session, session attrs %s', username, safe_cs)
                 # dumps session attrs back to cookie
                 session._update_cookie_out()
                 # we set new cookie
                 headers = None
                 if session.request['set_cookie']:
                     # send set-cookie headers back to response to update cookie
                     headers = [('Set-Cookie', session.request['cookie_out'])]
                 return headers
             def get_came_from(request):
                 came_from = safe_str(request.GET.get('came_from', ''))
                 parsed = urlparse.urlparse(came_from)
                 allowed_schemes = ['http', 'https']
                 default_came_from = h.route_path('home')
                 if parsed.scheme and parsed.scheme not in allowed_schemes:
                     log.error('Suspicious URL scheme detected %s for url %s' %
                               (parsed.scheme, parsed))
                     came_from = default_came_from
                 elif parsed.netloc and request.host != parsed.netloc:
                     log.error('Suspicious NETLOC detected %s for url %s server url '
                               'is: %s' % (parsed.netloc, parsed, request.host))
                     came_from = default_came_from
                 elif any(bad_str in parsed.path for bad_str in ('\r', '\n')):
                     log.error('Header injection detected `%s` for url %s server url ' %
                               (parsed.path, parsed))
                     came_from = default_came_from
                 return came_from or default_came_from
             class LoginView(BaseAppView):
                 def load_default_context(self):
                     c = self._get_local_tmpl_context()
                     c.came_from = get_came_from(self.request)
                     self._register_global_c(c)
                     return c
                 def _get_captcha_data(self):
                     settings = SettingsModel().get_all_settings()
                     private_key = settings.get('rhodecode_captcha_private_key')
                     public_key = settings.get('rhodecode_captcha_public_key')
                     active = bool(private_key)
                     return CaptchaData(
                         active=active, private_key=private_key, public_key=public_key)
                 @view_config(
                     route_name='login', request_method='GET',
                     renderer='rhodecode:templates/login.mako')
                 def login(self):
                     c = self.load_default_context()
                     auth_user = self._rhodecode_user
                     # redirect if already logged in
                     if (auth_user.is_authenticated and
                             not auth_user.is_default and auth_user.ip_allowed):
                         raise HTTPFound(c.came_from)
                     # check if we use headers plugin, and try to login using it.
                     try:
                         log.debug('Running PRE-AUTH for headers based authentication')
                         auth_info = authenticate(
                             '', '', self.request.environ, HTTP_TYPE, skip_missing=True)
                         if auth_info:
                             headers = _store_user_in_session(
                                 self.session, auth_info.get('username'))
                             raise HTTPFound(c.came_from, headers=headers)
                     except UserCreationError as e:
                         log.error(e)
                         self.session.flash(e, queue='error')
                     return self._get_template_context(c)
                 @view_config(
                     route_name='login', request_method='POST',
                     renderer='rhodecode:templates/login.mako')
                 def login_post(self):
                     c = self.load_default_context()
                     login_form = LoginForm()()
                     try:
                         self.session.invalidate()
                         form_result = login_form.to_python(self.request.params)
                         # form checks for username/password, now we're authenticated
                         headers = _store_user_in_session(
                             self.session,
                             username=form_result['username'],
                             remember=form_result['remember'])
                         log.debug('Redirecting to "%s" after login.', c.came_from)
                         audit_user = audit_logger.UserWrap(
                             username=self.request.params.get('username'),
                             ip_addr=self.request.remote_addr)
                         action_data = {'user_agent': self.request.user_agent}
                         audit_logger.store_web(
-                            action='user.login.success', action_data=action_data,
+                            'user.login.success', action_data=action_data,
                             user=audit_user, commit=True)
                         raise HTTPFound(c.came_from, headers=headers)
                     except formencode.Invalid as errors:
                         defaults = errors.value
                         # remove password from filling in form again
                         defaults.pop('password', None)
                         render_ctx = self._get_template_context(c)
                         render_ctx.update({
                             'errors': errors.error_dict,
                             'defaults': defaults,
                         })
                         audit_user = audit_logger.UserWrap(
                             username=self.request.params.get('username'),
                             ip_addr=self.request.remote_addr)
                         action_data = {'user_agent': self.request.user_agent}
                         audit_logger.store_web(
-                            action='user.login.failure', action_data=action_data,
+                            'user.login.failure', action_data=action_data,
                             user=audit_user, commit=True)
                         return render_ctx
                     except UserCreationError as e:
                         # headers auth or other auth functions that create users on
                         # the fly can throw this exception signaling that there's issue
                         # with user creation, explanation should be provided in
                         # Exception itself
                         self.session.flash(e, queue='error')
                         return self._get_template_context(c)
                 @CSRFRequired()
                 @view_config(route_name='logout', request_method='POST')
                 def logout(self):
                     auth_user = self._rhodecode_user
                     log.info('Deleting session for user: `%s`', auth_user)
                     action_data = {'user_agent': self.request.user_agent}
                     audit_logger.store_web(
-                        action='user.logout', action_data=action_data,
+                        'user.logout', action_data=action_data,
                         user=auth_user, commit=True)
                     self.session.delete()
                     return HTTPFound(h.route_path('home'))
                 @HasPermissionAnyDecorator(
                     'hg.admin', 'hg.register.auto_activate', 'hg.register.manual_activate')
                 @view_config(
                     route_name='register', request_method='GET',
                     renderer='rhodecode:templates/register.mako',)
                 def register(self, defaults=None, errors=None):
                     c = self.load_default_context()
                     defaults = defaults or {}
                     errors = errors or {}
                     settings = SettingsModel().get_all_settings()
                     register_message = settings.get('rhodecode_register_message') or ''
                     captcha = self._get_captcha_data()
                     auto_active = 'hg.register.auto_activate' in User.get_default_user()\
                         .AuthUser.permissions['global']
                     render_ctx = self._get_template_context(c)
                     render_ctx.update({
                         'defaults': defaults,
                         'errors': errors,
                         'auto_active': auto_active,
                         'captcha_active': captcha.active,
                         'captcha_public_key': captcha.public_key,
                         'register_message': register_message,
                     })
                     return render_ctx
                 @HasPermissionAnyDecorator(
                     'hg.admin', 'hg.register.auto_activate', 'hg.register.manual_activate')
                 @view_config(
                     route_name='register', request_method='POST',
                     renderer='rhodecode:templates/register.mako')
                 def register_post(self):
                     captcha = self._get_captcha_data()
                     auto_active = 'hg.register.auto_activate' in User.get_default_user()\
                         .AuthUser.permissions['global']
                     register_form = RegisterForm()()
                     try:
                         form_result = register_form.to_python(self.request.params)
                         form_result['active'] = auto_active
                         if captcha.active:
                             response = submit(
                                 self.request.params.get('recaptcha_challenge_field'),
                                 self.request.params.get('recaptcha_response_field'),
                                 private_key=captcha.private_key,
                                 remoteip=get_ip_addr(self.request.environ))
                             if not response.is_valid:
                                 _value = form_result
                                 _msg = _('Bad captcha')
                                 error_dict = {'recaptcha_field': _msg}
                                 raise formencode.Invalid(_msg, _value, None,
                                                          error_dict=error_dict)
                         new_user = UserModel().create_registration(form_result)
                         event = UserRegistered(user=new_user, session=self.session)
                         self.request.registry.notify(event)
                         self.session.flash(
                             _('You have successfully registered with RhodeCode'),
                             queue='success')
                         Session().commit()
                         redirect_ro = self.request.route_path('login')
                         raise HTTPFound(redirect_ro)
                     except formencode.Invalid as errors:
                         errors.value.pop('password', None)
                         errors.value.pop('password_confirmation', None)
                         return self.register(
                             defaults=errors.value, errors=errors.error_dict)
                     except UserCreationError as e:
                         # container auth or other auth functions that create users on
                         # the fly can throw this exception signaling that there's issue
                         # with user creation, explanation should be provided in
                         # Exception itself
                         self.session.flash(e, queue='error')
                         return self.register()
                 @view_config(
                     route_name='reset_password', request_method=('GET', 'POST'),
                     renderer='rhodecode:templates/password_reset.mako')
                 def password_reset(self):
                     captcha = self._get_captcha_data()
                     render_ctx = {
                         'captcha_active': captcha.active,
                         'captcha_public_key': captcha.public_key,
                         'defaults': {},
                         'errors': {},
                     }
                     # always send implicit message to prevent from discovery of
                     # matching emails
                     msg = _('If such email exists, a password reset link was sent to it.')
                     if self.request.POST:
                         if h.HasPermissionAny('hg.password_reset.disabled')():
                             _email = self.request.POST.get('email', '')
                             log.error('Failed attempt to reset password for `%s`.', _email)
                             self.session.flash(_('Password reset has been disabled.'),
                                                queue='error')
                             return HTTPFound(self.request.route_path('reset_password'))
                         password_reset_form = PasswordResetForm()()
                         try:
                             form_result = password_reset_form.to_python(
                                 self.request.params)
                             user_email = form_result['email']
                             if captcha.active:
                                 response = submit(
                                     self.request.params.get('recaptcha_challenge_field'),
                                     self.request.params.get('recaptcha_response_field'),
                                     private_key=captcha.private_key,
                                     remoteip=get_ip_addr(self.request.environ))
                                 if not response.is_valid:
                                     _value = form_result
                                     _msg = _('Bad captcha')
                                     error_dict = {'recaptcha_field': _msg}
                                     raise formencode.Invalid(
                                         _msg, _value, None, error_dict=error_dict)
                             # Generate reset URL and send mail.
                             user = User.get_by_email(user_email)
                             # generate password reset token that expires in 10minutes
                             desc = 'Generated token for password reset from {}'.format(
                                 datetime.datetime.now().isoformat())
                             reset_token = AuthTokenModel().create(
                                 user, lifetime=10,
                                 description=desc,
                                 role=UserApiKeys.ROLE_PASSWORD_RESET)
                             Session().commit()
                             log.debug('Successfully created password recovery token')
                             password_reset_url = self.request.route_url(
                                 'reset_password_confirmation',
                                 _query={'key': reset_token.api_key})
                             UserModel().reset_password_link(
                                 form_result, password_reset_url)
                             # Display success message and redirect.
                             self.session.flash(msg, queue='success')
                             action_data = {'email': user_email,
                                            'user_agent': self.request.user_agent}
                             audit_logger.store_web(
-                                action='user.password.reset_request',
+                                'user.password.reset_request', action_data=action_data,
-                                action_data=action_data,
                                 user=self._rhodecode_user, commit=True)
                             return HTTPFound(self.request.route_path('reset_password'))
                         except formencode.Invalid as errors:
                             render_ctx.update({
                                 'defaults': errors.value,
                                 'errors': errors.error_dict,
                             })
                             if not self.request.params.get('email'):
                                 # case of empty email, we want to report that
                                 return render_ctx
                             if 'recaptcha_field' in errors.error_dict:
                                 # case of failed captcha
                                 return render_ctx
                         log.debug('faking response on invalid password reset')
                         # make this take 2s, to prevent brute forcing.
                         time.sleep(2)
                         self.session.flash(msg, queue='success')
                         return HTTPFound(self.request.route_path('reset_password'))
                     return render_ctx
                 @view_config(route_name='reset_password_confirmation',
                              request_method='GET')
                 def password_reset_confirmation(self):
                     if self.request.GET and self.request.GET.get('key'):
                         # make this take 2s, to prevent brute forcing.
                         time.sleep(2)
                         token = AuthTokenModel().get_auth_token(
                             self.request.GET.get('key'))
                         # verify token is the correct role
                         if token is None or token.role != UserApiKeys.ROLE_PASSWORD_RESET:
                             log.debug('Got token with role:%s expected is %s',
                                       getattr(token, 'role', 'EMPTY_TOKEN'),
                                       UserApiKeys.ROLE_PASSWORD_RESET)
                             self.session.flash(
                                 _('Given reset token is invalid'), queue='error')
                             return HTTPFound(self.request.route_path('reset_password'))
                         try:
                             owner = token.user
                             data = {'email': owner.email, 'token': token.api_key}
                             UserModel().reset_password(data)
                             self.session.flash(
                                 _('Your password reset was successful, '
                                   'a new password has been sent to your email'),
                                 queue='success')
                         except Exception as e:
                             log.error(e)
                             return HTTPFound(self.request.route_path('reset_password'))
                     return HTTPFound(self.request.route_path('login'))

rhodecode/apps/my_account/views.py

0 +8 -8

             # -*- coding: utf-8 -*-
             # Copyright (C) 2016-2017 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import logging
             import datetime
             import formencode
             from pyramid.httpexceptions import HTTPFound
             from pyramid.view import view_config
             from rhodecode.apps._base import BaseAppView
             from rhodecode import forms
             from rhodecode.lib import helpers as h
             from rhodecode.lib import audit_logger
             from rhodecode.lib.ext_json import json
             from rhodecode.lib.auth import LoginRequired, NotAnonymous, CSRFRequired
             from rhodecode.lib.channelstream import channelstream_request, \
                 ChannelstreamException
             from rhodecode.lib.utils2 import safe_int, md5
             from rhodecode.model.auth_token import AuthTokenModel
             from rhodecode.model.db import (
                 Repository, UserEmailMap, UserApiKeys, UserFollowing, joinedload)
             from rhodecode.model.meta import Session
             from rhodecode.model.scm import RepoList
             from rhodecode.model.user import UserModel
             from rhodecode.model.repo import RepoModel
             from rhodecode.model.validation_schema.schemas import user_schema
             log = logging.getLogger(__name__)
             class MyAccountView(BaseAppView):
                 ALLOW_SCOPED_TOKENS = False
                 """
                 This view has alternative version inside EE, if modified please take a look
                 in there as well.
                 """
                 def load_default_context(self):
                     c = self._get_local_tmpl_context()
                     c.user = c.auth_user.get_instance()
                     c.allow_scoped_tokens = self.ALLOW_SCOPED_TOKENS
                     self._register_global_c(c)
                     return c
                 @LoginRequired()
                 @NotAnonymous()
                 @view_config(
                     route_name='my_account_profile', request_method='GET',
                     renderer='rhodecode:templates/admin/my_account/my_account.mako')
                 def my_account_profile(self):
                     c = self.load_default_context()
                     c.active = 'profile'
                     return self._get_template_context(c)
                 @LoginRequired()
                 @NotAnonymous()
                 @view_config(
                     route_name='my_account_password', request_method='GET',
                     renderer='rhodecode:templates/admin/my_account/my_account.mako')
                 def my_account_password(self):
                     c = self.load_default_context()
                     c.active = 'password'
                     c.extern_type = c.user.extern_type
                     schema = user_schema.ChangePasswordSchema().bind(
                         username=c.user.username)
                     form = forms.Form(
                         schema, buttons=(forms.buttons.save, forms.buttons.reset))
                     c.form = form
                     return self._get_template_context(c)
                 @LoginRequired()
                 @NotAnonymous()
                 @CSRFRequired()
                 @view_config(
                     route_name='my_account_password', request_method='POST',
                     renderer='rhodecode:templates/admin/my_account/my_account.mako')
                 def my_account_password_update(self):
                     _ = self.request.translate
                     c = self.load_default_context()
                     c.active = 'password'
                     c.extern_type = c.user.extern_type
                     schema = user_schema.ChangePasswordSchema().bind(
                         username=c.user.username)
                     form = forms.Form(
                         schema, buttons=(forms.buttons.save, forms.buttons.reset))
                     if c.extern_type != 'rhodecode':
                         raise HTTPFound(self.request.route_path('my_account_password'))
                     controls = self.request.POST.items()
                     try:
                         valid_data = form.validate(controls)
                         UserModel().update_user(c.user.user_id, **valid_data)
                         c.user.update_userdata(force_password_change=False)
                         Session().commit()
                     except forms.ValidationFailure as e:
                         c.form = e
                         return self._get_template_context(c)
                     except Exception:
                         log.exception("Exception updating password")
                         h.flash(_('Error occurred during update of user password'),
                                 category='error')
                     else:
                         instance = c.auth_user.get_instance()
                         self.session.setdefault('rhodecode_user', {}).update(
                             {'password': md5(instance.password)})
                         self.session.save()
                         h.flash(_("Successfully updated password"), category='success')
                     raise HTTPFound(self.request.route_path('my_account_password'))
                 @LoginRequired()
                 @NotAnonymous()
                 @view_config(
                     route_name='my_account_auth_tokens', request_method='GET',
                     renderer='rhodecode:templates/admin/my_account/my_account.mako')
                 def my_account_auth_tokens(self):
                     _ = self.request.translate
                     c = self.load_default_context()
                     c.active = 'auth_tokens'
                     c.lifetime_values = [
                         (str(-1), _('forever')),
                         (str(5), _('5 minutes')),
                         (str(60), _('1 hour')),
                         (str(60 * 24), _('1 day')),
                         (str(60 * 24 * 30), _('1 month')),
                     ]
                     c.lifetime_options = [(c.lifetime_values, _("Lifetime"))]
                     c.role_values = [
                         (x, AuthTokenModel.cls._get_role_name(x))
                         for x in AuthTokenModel.cls.ROLES]
                     c.role_options = [(c.role_values, _("Role"))]
                     c.user_auth_tokens = AuthTokenModel().get_auth_tokens(
                         c.user.user_id, show_expired=True)
                     return self._get_template_context(c)
                 def maybe_attach_token_scope(self, token):
                     # implemented in EE edition
                     pass
                 @LoginRequired()
                 @NotAnonymous()
                 @CSRFRequired()
                 @view_config(
                     route_name='my_account_auth_tokens_add', request_method='POST',)
                 def my_account_auth_tokens_add(self):
                     _ = self.request.translate
                     c = self.load_default_context()
                     lifetime = safe_int(self.request.POST.get('lifetime'), -1)
                     description = self.request.POST.get('description')
                     role = self.request.POST.get('role')
                     token = AuthTokenModel().create(
                         c.user.user_id, description, lifetime, role)
                     token_data = token.get_api_data()
                     self.maybe_attach_token_scope(token)
                     audit_logger.store_web(
-                        action='user.edit.token.add',
+                        'user.edit.token.add', action_data={
-                        action_data={'data': {'token': token_data, 'user': 'self'}},
+                            'data': {'token': token_data, 'user': 'self'}},
                         user=self._rhodecode_user, )
                     Session().commit()
                     h.flash(_("Auth token successfully created"), category='success')
                     return HTTPFound(h.route_path('my_account_auth_tokens'))
                 @LoginRequired()
                 @NotAnonymous()
                 @CSRFRequired()
                 @view_config(
                     route_name='my_account_auth_tokens_delete', request_method='POST')
                 def my_account_auth_tokens_delete(self):
                     _ = self.request.translate
                     c = self.load_default_context()
                     del_auth_token = self.request.POST.get('del_auth_token')
                     if del_auth_token:
                         token = UserApiKeys.get_or_404(del_auth_token, pyramid_exc=True)
                         token_data = token.get_api_data()
                         AuthTokenModel().delete(del_auth_token, c.user.user_id)
                         audit_logger.store_web(
-                            action='user.edit.token.delete',
+                            'user.edit.token.delete', action_data={
-                            action_data={'data': {'token': token_data, 'user': 'self'}},
+                                'data': {'token': token_data, 'user': 'self'}},
                             user=self._rhodecode_user,)
                         Session().commit()
                         h.flash(_("Auth token successfully deleted"), category='success')
                     return HTTPFound(h.route_path('my_account_auth_tokens'))
                 @LoginRequired()
                 @NotAnonymous()
                 @view_config(
                     route_name='my_account_emails', request_method='GET',
                     renderer='rhodecode:templates/admin/my_account/my_account.mako')
                 def my_account_emails(self):
                     _ = self.request.translate
                     c = self.load_default_context()
                     c.active = 'emails'
                     c.user_email_map = UserEmailMap.query()\
                         .filter(UserEmailMap.user == c.user).all()
                     return self._get_template_context(c)
                 @LoginRequired()
                 @NotAnonymous()
                 @CSRFRequired()
                 @view_config(
                     route_name='my_account_emails_add', request_method='POST')
                 def my_account_emails_add(self):
                     _ = self.request.translate
                     c = self.load_default_context()
                     email = self.request.POST.get('new_email')
                     try:
                         UserModel().add_extra_email(c.user.user_id, email)
                         audit_logger.store_web(
-                            action='user.edit.email.add',
+                            'user.edit.email.add', action_data={
-                            action_data={'data': {'email': email, 'user': 'self'}},
+                                'data': {'email': email, 'user': 'self'}},
                             user=self._rhodecode_user,)
                         Session().commit()
                         h.flash(_("Added new email address `%s` for user account") % email,
                                 category='success')
                     except formencode.Invalid as error:
                         h.flash(h.escape(error.error_dict['email']), category='error')
                     except Exception:
                         log.exception("Exception in my_account_emails")
                         h.flash(_('An error occurred during email saving'),
                                 category='error')
                     return HTTPFound(h.route_path('my_account_emails'))
                 @LoginRequired()
                 @NotAnonymous()
                 @CSRFRequired()
                 @view_config(
                     route_name='my_account_emails_delete', request_method='POST')
                 def my_account_emails_delete(self):
                     _ = self.request.translate
                     c = self.load_default_context()
                     del_email_id = self.request.POST.get('del_email_id')
                     if del_email_id:
                         email = UserEmailMap.get_or_404(del_email_id, pyramid_exc=True).email
                         UserModel().delete_extra_email(c.user.user_id, del_email_id)
                         audit_logger.store_web(
-                            action='user.edit.email.delete',
+                            'user.edit.email.delete', action_data={
-                            action_data={'data': {'email': email, 'user': 'self'}},
+                                'data': {'email': email, 'user': 'self'}},
                             user=self._rhodecode_user,)
                         Session().commit()
                         h.flash(_("Email successfully deleted"),
                                 category='success')
                     return HTTPFound(h.route_path('my_account_emails'))
                 @LoginRequired()
                 @NotAnonymous()
                 @CSRFRequired()
                 @view_config(
                     route_name='my_account_notifications_test_channelstream',
                     request_method='POST', renderer='json_ext')
                 def my_account_notifications_test_channelstream(self):
                     message = 'Test message sent via Channelstream by user: {}, on {}'.format(
                         self._rhodecode_user.username, datetime.datetime.now())
                     payload = {
                         # 'channel': 'broadcast',
                         'type': 'message',
                         'timestamp': datetime.datetime.utcnow(),
                         'user': 'system',
                         'pm_users': [self._rhodecode_user.username],
                         'message': {
                             'message': message,
                             'level': 'info',
                             'topic': '/notifications'
                         }
                     }
                     registry = self.request.registry
                     rhodecode_plugins = getattr(registry, 'rhodecode_plugins', {})
                     channelstream_config = rhodecode_plugins.get('channelstream', {})
                     try:
                         channelstream_request(channelstream_config, [payload], '/message')
                     except ChannelstreamException as e:
                         log.exception('Failed to send channelstream data')
                         return {"response": 'ERROR: {}'.format(e.__class__.__name__)}
                     return {"response": 'Channelstream data sent. '
                                         'You should see a new live message now.'}
                 def _load_my_repos_data(self, watched=False):
                     if watched:
                         admin = False
                         follows_repos = Session().query(UserFollowing)\
                             .filter(UserFollowing.user_id == self._rhodecode_user.user_id)\
                             .options(joinedload(UserFollowing.follows_repository))\
                             .all()
                         repo_list = [x.follows_repository for x in follows_repos]
                     else:
                         admin = True
                         repo_list = Repository.get_all_repos(
                             user_id=self._rhodecode_user.user_id)
                         repo_list = RepoList(repo_list, perm_set=[
                             'repository.read', 'repository.write', 'repository.admin'])
                     repos_data = RepoModel().get_repos_as_dict(
                         repo_list=repo_list, admin=admin)
                     # json used to render the grid
                     return json.dumps(repos_data)
                 @LoginRequired()
                 @NotAnonymous()
                 @view_config(
                     route_name='my_account_repos', request_method='GET',
                     renderer='rhodecode:templates/admin/my_account/my_account.mako')
                 def my_account_repos(self):
                     c = self.load_default_context()
                     c.active = 'repos'
                     # json used to render the grid
                     c.data = self._load_my_repos_data()
                     return self._get_template_context(c)
                 @LoginRequired()
                 @NotAnonymous()
                 @view_config(
                     route_name='my_account_watched', request_method='GET',
                     renderer='rhodecode:templates/admin/my_account/my_account.mako')
                 def my_account_watched(self):
                     c = self.load_default_context()
                     c.active = 'watched'
                     # json used to render the grid
                     c.data = self._load_my_repos_data(watched=True)
                     return self._get_template_context(c)
                 @LoginRequired()
                 @NotAnonymous()
                 @view_config(
                     route_name='my_account_perms', request_method='GET',
                     renderer='rhodecode:templates/admin/my_account/my_account.mako')
                 def my_account_perms(self):
                     c = self.load_default_context()
                     c.active = 'perms'
                     c.perm_user = c.auth_user
                     return self._get_template_context(c)
                 @LoginRequired()
                 @NotAnonymous()
                 @view_config(
                     route_name='my_account_notifications', request_method='GET',
                     renderer='rhodecode:templates/admin/my_account/my_account.mako')
                 def my_notifications(self):
                     c = self.load_default_context()
                     c.active = 'notifications'
                     return self._get_template_context(c)
                 @LoginRequired()
                 @NotAnonymous()
                 @CSRFRequired()
                 @view_config(
                     route_name='my_account_notifications_toggle_visibility',
                     request_method='POST', renderer='json_ext')
                 def my_notifications_toggle_visibility(self):
                     user = self._rhodecode_db_user
                     new_status = not user.user_data.get('notification_status', True)
                     user.update_userdata(notification_status=new_status)
                     Session().commit()
                     return user.user_data['notification_status']

rhodecode/apps/repository/views/repo_settings_advanced.py

0 +2 -3

             # -*- coding: utf-8 -*-
             # Copyright (C) 2011-2017 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import logging
             from pyramid.view import view_config
             from pyramid.httpexceptions import HTTPFound
             from rhodecode.apps._base import RepoAppView
             from rhodecode.lib import helpers as h
             from rhodecode.lib import audit_logger
             from rhodecode.lib.auth import (
                 LoginRequired, HasRepoPermissionAnyDecorator, CSRFRequired)
             from rhodecode.lib.exceptions import AttachedForksError
             from rhodecode.lib.utils2 import safe_int
             from rhodecode.lib.vcs import RepositoryError
             from rhodecode.model.db import Session, UserFollowing, User, Repository
             from rhodecode.model.repo import RepoModel
             from rhodecode.model.scm import ScmModel
             log = logging.getLogger(__name__)
             class RepoSettingsView(RepoAppView):
                 def load_default_context(self):
                     c = self._get_local_tmpl_context()
                     # TODO(marcink): remove repo_info and use c.rhodecode_db_repo instead
                     c.repo_info = self.db_repo
                     self._register_global_c(c)
                     return c
                 @LoginRequired()
                 @HasRepoPermissionAnyDecorator('repository.admin')
                 @view_config(
                     route_name='edit_repo_advanced', request_method='GET',
                     renderer='rhodecode:templates/admin/repos/repo_edit.mako')
                 def edit_advanced(self):
                     c = self.load_default_context()
                     c.active = 'advanced'
                     c.default_user_id = User.get_default_user().user_id
                     c.in_public_journal = UserFollowing.query() \
                         .filter(UserFollowing.user_id == c.default_user_id) \
                         .filter(UserFollowing.follows_repository == c.repo_info).scalar()
                     c.has_origin_repo_read_perm = False
                     if self.db_repo.fork:
                         c.has_origin_repo_read_perm = h.HasRepoPermissionAny(
                             'repository.write', 'repository.read', 'repository.admin')(
                             self.db_repo.fork.repo_name, 'repo set as fork page')
                     return self._get_template_context(c)
                 @LoginRequired()
                 @HasRepoPermissionAnyDecorator('repository.admin')
                 @CSRFRequired()
                 @view_config(
                     route_name='edit_repo_advanced_delete', request_method='POST',
                     renderer='rhodecode:templates/admin/repos/repo_edit.mako')
                 def edit_advanced_delete(self):
                     """
                     Deletes the repository, or shows warnings if deletion is not possible
                     because of attached forks or other errors.
                     """
                     _ = self.request.translate
                     handle_forks = self.request.POST.get('forks', None)
                     try:
                         _forks = self.db_repo.forks.count()
                         if _forks and handle_forks:
                             if handle_forks == 'detach_forks':
                                 handle_forks = 'detach'
                                 h.flash(_('Detached %s forks') % _forks, category='success')
                             elif handle_forks == 'delete_forks':
                                 handle_forks = 'delete'
                                 h.flash(_('Deleted %s forks') % _forks, category='success')
-                        repo_data = self.db_repo.get_api_data()
+                        old_data = self.db_repo.get_api_data()
                         RepoModel().delete(self.db_repo, forks=handle_forks)
                         repo = audit_logger.RepoWrap(repo_id=None,
                                                      repo_name=self.db_repo.repo_name)
                         audit_logger.store_web(
-                            action='repo.delete',
+                            'repo.delete', action_data={'old_data': old_data},
-                            action_data={'data': repo_data},
                             user=self._rhodecode_user, repo=repo)
                         ScmModel().mark_for_invalidation(self.db_repo_name, delete=True)
                         h.flash(
                             _('Deleted repository `%s`') % self.db_repo_name,
                             category='success')
                         Session().commit()
                     except AttachedForksError:
                         repo_advanced_url = h.route_path(
                             'edit_repo_advanced', repo_name=self.db_repo_name,
                             _anchor='advanced-delete')
                         delete_anchor = h.link_to(_('detach or delete'), repo_advanced_url)
                         h.flash(_('Cannot delete `{repo}` it still contains attached forks. '
                                   'Try using {delete_or_detach} option.')
                                 .format(repo=self.db_repo_name, delete_or_detach=delete_anchor),
                                 category='warning')
                         # redirect to advanced for forks handle action ?
                         raise HTTPFound(repo_advanced_url)
                     except Exception:
                         log.exception("Exception during deletion of repository")
                         h.flash(_('An error occurred during deletion of `%s`')
                                 % self.db_repo_name, category='error')
                         # redirect to advanced for more deletion options
                         raise HTTPFound(
                             h.route_path('edit_repo_advanced', repo_name=self.db_repo_name),
                             _anchor='advanced-delete')
                     raise HTTPFound(h.route_path('home'))
                 @LoginRequired()
                 @HasRepoPermissionAnyDecorator('repository.admin')
                 @CSRFRequired()
                 @view_config(
                     route_name='edit_repo_advanced_journal', request_method='POST',
                     renderer='rhodecode:templates/admin/repos/repo_edit.mako')
                 def edit_advanced_journal(self):
                     """
                     Set's this repository to be visible in public journal,
                     in other words making default user to follow this repo
                     """
                     _ = self.request.translate
                     try:
                         user_id = User.get_default_user().user_id
                         ScmModel().toggle_following_repo(self.db_repo.repo_id, user_id)
                         h.flash(_('Updated repository visibility in public journal'),
                                 category='success')
                         Session().commit()
                     except Exception:
                         h.flash(_('An error occurred during setting this '
                                   'repository in public journal'),
                                 category='error')
                     raise HTTPFound(
                         h.route_path('edit_repo_advanced', repo_name=self.db_repo_name))
                 @LoginRequired()
                 @HasRepoPermissionAnyDecorator('repository.admin')
                 @CSRFRequired()
                 @view_config(
                     route_name='edit_repo_advanced_fork', request_method='POST',
                     renderer='rhodecode:templates/admin/repos/repo_edit.mako')
                 def edit_advanced_fork(self):
                     """
                     Mark given repository as a fork of another
                     """
                     _ = self.request.translate
                     new_fork_id = self.request.POST.get('id_fork_of')
                     try:
                         if new_fork_id and not new_fork_id.isdigit():
                             log.error('Given fork id %s is not an INT', new_fork_id)
                         fork_id = safe_int(new_fork_id)
                         repo = ScmModel().mark_as_fork(
                             self.db_repo_name, fork_id, self._rhodecode_user.user_id)
                         fork = repo.fork.repo_name if repo.fork else _('Nothing')
                         Session().commit()
                         h.flash(_('Marked repo %s as fork of %s') % (self.db_repo_name, fork),
                                 category='success')
                     except RepositoryError as e:
                         log.exception("Repository Error occurred")
                         h.flash(str(e), category='error')
                     except Exception as e:
                         log.exception("Exception while editing fork")
                         h.flash(_('An error occurred during this operation'),
                                 category='error')
                     raise HTTPFound(
                         h.route_path('edit_repo_advanced', repo_name=self.db_repo_name))
                 @LoginRequired()
                 @HasRepoPermissionAnyDecorator('repository.admin')
                 @CSRFRequired()
                 @view_config(
                     route_name='edit_repo_advanced_locking', request_method='POST',
                     renderer='rhodecode:templates/admin/repos/repo_edit.mako')
                 def edit_advanced_locking(self):
                     """
                     Toggle locking of repository
                     """
                     _ = self.request.translate
                     set_lock = self.request.POST.get('set_lock')
                     set_unlock = self.request.POST.get('set_unlock')
                     try:
                         if set_lock:
                             Repository.lock(self.db_repo, self._rhodecode_user.user_id,
                                             lock_reason=Repository.LOCK_WEB)
                             h.flash(_('Locked repository'), category='success')
                         elif set_unlock:
                             Repository.unlock(self.db_repo)
                             h.flash(_('Unlocked repository'), category='success')
                     except Exception as e:
                         log.exception("Exception during unlocking")
                         h.flash(_('An error occurred during unlocking'), category='error')
                     raise HTTPFound(
                         h.route_path('edit_repo_advanced', repo_name=self.db_repo_name))

rhodecode/apps/repository/views/repo_strip.py

0 +2 -4

             # -*- coding: utf-8 -*-
             # Copyright (C) 2017-2017 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import logging
             from pyramid.view import view_config
             from rhodecode.apps._base import RepoAppView
             from rhodecode.lib import audit_logger
             from rhodecode.lib import helpers as h
             from rhodecode.lib.auth import (LoginRequired, HasRepoPermissionAnyDecorator,
                                             NotAnonymous, CSRFRequired)
             from rhodecode.lib.ext_json import json
             log = logging.getLogger(__name__)
             class StripView(RepoAppView):
                 def load_default_context(self):
                     c = self._get_local_tmpl_context()
                     # TODO(marcink): remove repo_info and use c.rhodecode_db_repo instead
                     c.repo_info = self.db_repo
                     self._register_global_c(c)
                     return c
                 @LoginRequired()
                 @HasRepoPermissionAnyDecorator('repository.admin')
                 @view_config(
                     route_name='strip', request_method='GET',
                     renderer='rhodecode:templates/admin/repos/repo_edit.mako')
                 def strip(self):
                     c = self.load_default_context()
                     c.active = 'strip'
                     c.strip_limit = 10
                     return self._get_template_context(c)
                 @LoginRequired()
                 @HasRepoPermissionAnyDecorator('repository.admin')
                 @CSRFRequired()
                 @view_config(
                     route_name='strip_check', request_method='POST',
                     renderer='json', xhr=True)
                 def strip_check(self):
                     from rhodecode.lib.vcs.backends.base import EmptyCommit
                     data = {}
                     rp = self.request.POST
                     for i in range(1, 11):
                         chset = 'changeset_id-%d' % (i,)
                         check = rp.get(chset)
                         if check:
                             data[i] = self.db_repo.get_changeset(rp[chset])
                             if isinstance(data[i], EmptyCommit):
                                 data[i] = {'rev': None, 'commit': h.escape(rp[chset])}
                             else:
                                 data[i] = {'rev': data[i].raw_id, 'branch': data[i].branch,
                                            'author': data[i].author,
                                            'comment': data[i].message}
                         else:
                             break
                     return data
                 @LoginRequired()
                 @HasRepoPermissionAnyDecorator('repository.admin')
                 @CSRFRequired()
                 @view_config(
                     route_name='strip_execute', request_method='POST',
                     renderer='json', xhr=True)
                 def strip_execute(self):
                     from rhodecode.model.scm import ScmModel
                     c = self.load_default_context()
                     user = self._rhodecode_user
                     rp = self.request.POST
                     data = {}
                     for idx in rp:
                         commit = json.loads(rp[idx])
                         # If someone put two times the same branch
                         if commit['branch'] in data.keys():
                             continue
                         try:
                             ScmModel().strip(
                                 repo=c.repo_info,
                                 commit_id=commit['rev'], branch=commit['branch'])
                             log.info('Stripped commit %s from repo `%s` by %s' % (
                                 commit['rev'], c.repo_info.repo_name, user))
                             data[commit['rev']] = True
                             audit_logger.store_web(
-                                action='repo.commit.strip',
+                                'repo.commit.strip', action_data={'commit_id': commit['rev']},
-                                action_data={'commit_id': commit['rev']},
+                                repo=self.db_repo, user=self._rhodecode_user, commit=True)
-                                repo=self.db_repo,
-                                user=self._rhodecode_user, commit=True)
                         except Exception as e:
                             data[commit['rev']] = False
                             log.debug('Stripped commit %s from repo `%s` failed by %s, exeption %s' % (
                                 commit['rev'], self.db_repo_name, user, e.message))
                     return data

rhodecode/controllers/admin/repo_groups.py

0 +9 -8

             # -*- coding: utf-8 -*-
             # Copyright (C) 2010-2017 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             """
             Repository groups controller for RhodeCode
             """
             import logging
             import formencode
             from formencode import htmlfill
             from pylons import request, tmpl_context as c, url
             from pylons.controllers.util import abort, redirect
             from pylons.i18n.translation import _, ungettext
             from rhodecode.lib import auth
             from rhodecode.lib import helpers as h
             from rhodecode.lib import audit_logger
             from rhodecode.lib.ext_json import json
             from rhodecode.lib.auth import (
                 LoginRequired, NotAnonymous, HasPermissionAll,
                 HasRepoGroupPermissionAll, HasRepoGroupPermissionAnyDecorator)
             from rhodecode.lib.base import BaseController, render
             from rhodecode.lib.utils2 import safe_int
             from rhodecode.model.db import RepoGroup, User
             from rhodecode.model.scm import RepoGroupList
             from rhodecode.model.repo_group import RepoGroupModel
             from rhodecode.model.forms import RepoGroupForm, RepoGroupPermsForm
             from rhodecode.model.meta import Session
             log = logging.getLogger(__name__)
             class RepoGroupsController(BaseController):
                 """REST Controller styled on the Atom Publishing Protocol"""
                 @LoginRequired()
                 def __before__(self):
                     super(RepoGroupsController, self).__before__()
                 def __load_defaults(self, allow_empty_group=False, repo_group=None):
                     if self._can_create_repo_group():
                         # we're global admin, we're ok and we can create TOP level groups
                         allow_empty_group = True
                     # override the choices for this form, we need to filter choices
                     # and display only those we have ADMIN right
                     groups_with_admin_rights = RepoGroupList(
                         RepoGroup.query().all(),
                         perm_set=['group.admin'])
                     c.repo_groups = RepoGroup.groups_choices(
                         groups=groups_with_admin_rights,
                         show_empty_group=allow_empty_group)
                     if repo_group:
                         # exclude filtered ids
                         exclude_group_ids = [repo_group.group_id]
                         c.repo_groups = filter(lambda x: x[0] not in exclude_group_ids,
                                                c.repo_groups)
                         c.repo_groups_choices = map(lambda k: unicode(k[0]), c.repo_groups)
                         parent_group = repo_group.parent_group
                         add_parent_group = (parent_group and (
                             unicode(parent_group.group_id) not in c.repo_groups_choices))
                         if add_parent_group:
                             c.repo_groups_choices.append(unicode(parent_group.group_id))
                             c.repo_groups.append(RepoGroup._generate_choice(parent_group))
                 def __load_data(self, group_id):
                     """
                     Load defaults settings for edit, and update
                     :param group_id:
                     """
                     repo_group = RepoGroup.get_or_404(group_id)
                     data = repo_group.get_dict()
                     data['group_name'] = repo_group.name
                     # fill owner
                     if repo_group.user:
                         data.update({'user': repo_group.user.username})
                     else:
                         replacement_user = User.get_first_super_admin().username
                         data.update({'user': replacement_user})
                     # fill repository group users
                     for p in repo_group.repo_group_to_perm:
                         data.update({
                             'u_perm_%s' % p.user.user_id: p.permission.permission_name})
                     # fill repository group user groups
                     for p in repo_group.users_group_to_perm:
                         data.update({
                             'g_perm_%s' % p.users_group.users_group_id:
                             p.permission.permission_name})
                     # html and form expects -1 as empty parent group
                     data['group_parent_id'] = data['group_parent_id'] or -1
                     return data
                 def _revoke_perms_on_yourself(self, form_result):
                     _updates = filter(lambda u: c.rhodecode_user.user_id == int(u[0]),
                                       form_result['perm_updates'])
                     _additions = filter(lambda u: c.rhodecode_user.user_id == int(u[0]),
                                         form_result['perm_additions'])
                     _deletions = filter(lambda u: c.rhodecode_user.user_id == int(u[0]),
                                         form_result['perm_deletions'])
                     admin_perm = 'group.admin'
                     if _updates and _updates[0][1] != admin_perm or \
                        _additions and _additions[0][1] != admin_perm or \
                        _deletions and _deletions[0][1] != admin_perm:
                         return True
                     return False
                 def _can_create_repo_group(self, parent_group_id=None):
                     is_admin = HasPermissionAll('hg.admin')('group create controller')
                     create_repo_group = HasPermissionAll(
                         'hg.repogroup.create.true')('group create controller')
                     if is_admin or (create_repo_group and not parent_group_id):
                         # we're global admin, or we have global repo group create
                         # permission
                         # we're ok and we can create TOP level groups
                         return True
                     elif parent_group_id:
                         # we check the permission if we can write to parent group
                         group = RepoGroup.get(parent_group_id)
                         group_name = group.group_name if group else None
                         if HasRepoGroupPermissionAll('group.admin')(
                                 group_name, 'check if user is an admin of group'):
                             # we're an admin of passed in group, we're ok.
                             return True
                         else:
                             return False
                     return False
                 @NotAnonymous()
                 def index(self):
                     repo_group_list = RepoGroup.get_all_repo_groups()
                     _perms = ['group.admin']
                     repo_group_list_acl = RepoGroupList(repo_group_list, perm_set=_perms)
                     repo_group_data = RepoGroupModel().get_repo_groups_as_dict(
                         repo_group_list=repo_group_list_acl, admin=True)
                     c.data = json.dumps(repo_group_data)
                     return render('admin/repo_groups/repo_groups.mako')
                 # perm checks inside
                 @NotAnonymous()
                 @auth.CSRFRequired()
                 def create(self):
                     parent_group_id = safe_int(request.POST.get('group_parent_id'))
                     can_create = self._can_create_repo_group(parent_group_id)
                     self.__load_defaults()
                     # permissions for can create group based on parent_id are checked
                     # here in the Form
                     available_groups = map(lambda k: unicode(k[0]), c.repo_groups)
                     repo_group_form = RepoGroupForm(available_groups=available_groups,
                                                     can_create_in_root=can_create)()
                     try:
                         owner = c.rhodecode_user
                         form_result = repo_group_form.to_python(dict(request.POST))
                         repo_group = RepoGroupModel().create(
                             group_name=form_result['group_name_full'],
                             group_description=form_result['group_description'],
                             owner=owner.user_id,
                             copy_permissions=form_result['group_copy_permissions']
                         )
-                        Session().commit()
+                        Session().flush()
-                        repo_group_data = repo_group.get_api_data()
-                        _new_group_name = form_result['group_name_full']
+                        repo_group_data = repo_group.get_api_data()
                         audit_logger.store_web(
-                            action='repo_group.create',
+                            'repo_group.create', action_data={'data': repo_group_data},
-                            action_data={'data': repo_group_data},
+                            user=c.rhodecode_user)
-                            user=c.rhodecode_user, commit=True)
+                        Session().commit()
+                        _new_group_name = form_result['group_name_full']
                         repo_group_url = h.link_to(
                             _new_group_name,
                             h.route_path('repo_group_home', repo_group_name=_new_group_name))
                         h.flash(h.literal(_('Created repository group %s')
                                 % repo_group_url), category='success')
                     except formencode.Invalid as errors:
                         return htmlfill.render(
                             render('admin/repo_groups/repo_group_add.mako'),
                             defaults=errors.value,
                             errors=errors.error_dict or {},
                             prefix_error=False,
                             encoding="UTF-8",
                             force_defaults=False)
                     except Exception:
                         log.exception("Exception during creation of repository group")
                         h.flash(_('Error occurred during creation of repository group %s')
                                 % request.POST.get('group_name'), category='error')
                     # TODO: maybe we should get back to the main view, not the admin one
                     return redirect(url('repo_groups', parent_group=parent_group_id))
                 # perm checks inside
                 @NotAnonymous()
                 def new(self):
                     # perm check for admin, create_group perm or admin of parent_group
                     parent_group_id = safe_int(request.GET.get('parent_group'))
                     if not self._can_create_repo_group(parent_group_id):
                         return abort(403)
                     self.__load_defaults()
                     return render('admin/repo_groups/repo_group_add.mako')
                 @HasRepoGroupPermissionAnyDecorator('group.admin')
                 @auth.CSRFRequired()
                 def update(self, group_name):
                     c.repo_group = RepoGroupModel()._get_repo_group(group_name)
                     can_create_in_root = self._can_create_repo_group()
                     show_root_location = can_create_in_root
                     if not c.repo_group.parent_group:
                         # this group don't have a parrent so we should show empty value
                         show_root_location = True
                     self.__load_defaults(allow_empty_group=show_root_location,
                                          repo_group=c.repo_group)
                     repo_group_form = RepoGroupForm(
                         edit=True, old_data=c.repo_group.get_dict(),
                         available_groups=c.repo_groups_choices,
                         can_create_in_root=can_create_in_root, allow_disabled=True)()
                     old_values = c.repo_group.get_api_data()
                     try:
                         form_result = repo_group_form.to_python(dict(request.POST))
                         gr_name = form_result['group_name']
                         new_gr = RepoGroupModel().update(group_name, form_result)
                         audit_logger.store_web(
                             'repo_group.edit', action_data={'old_data': old_values},
                             user=c.rhodecode_user)
                         Session().commit()
                         h.flash(_('Updated repository group %s') % (gr_name,),
                                 category='success')
                         # we now have new name !
                         group_name = new_gr.group_name
                     except formencode.Invalid as errors:
                         c.active = 'settings'
                         return htmlfill.render(
                             render('admin/repo_groups/repo_group_edit.mako'),
                             defaults=errors.value,
                             errors=errors.error_dict or {},
                             prefix_error=False,
                             encoding="UTF-8",
                             force_defaults=False)
                     except Exception:
                         log.exception("Exception during update or repository group")
                         h.flash(_('Error occurred during update of repository group %s')
                                 % request.POST.get('group_name'), category='error')
                     return redirect(url('edit_repo_group', group_name=group_name))
                 @HasRepoGroupPermissionAnyDecorator('group.admin')
                 @auth.CSRFRequired()
                 def delete(self, group_name):
                     gr = c.repo_group = RepoGroupModel()._get_repo_group(group_name)
                     repos = gr.repositories.all()
                     if repos:
                         msg = ungettext(
                             'This group contains %(num)d repository and cannot be deleted',
                             'This group contains %(num)d repositories and cannot be'
                             ' deleted',
                             len(repos)) % {'num': len(repos)}
                         h.flash(msg, category='warning')
                         return redirect(url('repo_groups'))
                     children = gr.children.all()
                     if children:
                         msg = ungettext(
                             'This group contains %(num)d subgroup and cannot be deleted',
                             'This group contains %(num)d subgroups and cannot be deleted',
                             len(children)) % {'num': len(children)}
                         h.flash(msg, category='warning')
                         return redirect(url('repo_groups'))
                     try:
                         old_values = gr.get_api_data()
                         RepoGroupModel().delete(group_name)
                         audit_logger.store_web(
-                            'repo_group.delete',
+                            'repo_group.delete', action_data={'old_data': old_values},
-                            action_data={'old_data': old_values},
                             user=c.rhodecode_user)
                         Session().commit()
                         h.flash(_('Removed repository group %s') % group_name,
                                 category='success')
                     except Exception:
                         log.exception("Exception during deletion of repository group")
                         h.flash(_('Error occurred during deletion of repository group %s')
                                 % group_name, category='error')
                     return redirect(url('repo_groups'))
                 @HasRepoGroupPermissionAnyDecorator('group.admin')
                 def edit(self, group_name):
                     c.active = 'settings'
                     c.repo_group = RepoGroupModel()._get_repo_group(group_name)
                     # we can only allow moving empty group if it's already a top-level
                     # group, ie has no parents, or we're admin
                     can_create_in_root = self._can_create_repo_group()
                     show_root_location = can_create_in_root
                     if not c.repo_group.parent_group:
                         # this group don't have a parrent so we should show empty value
                         show_root_location = True
                     self.__load_defaults(allow_empty_group=show_root_location,
                                          repo_group=c.repo_group)
                     defaults = self.__load_data(c.repo_group.group_id)
                     return htmlfill.render(
                         render('admin/repo_groups/repo_group_edit.mako'),
                         defaults=defaults,
                         encoding="UTF-8",
                         force_defaults=False
                     )
                 @HasRepoGroupPermissionAnyDecorator('group.admin')
                 def edit_repo_group_advanced(self, group_name):
                     c.active = 'advanced'
                     c.repo_group = RepoGroupModel()._get_repo_group(group_name)
                     return render('admin/repo_groups/repo_group_edit.mako')
                 @HasRepoGroupPermissionAnyDecorator('group.admin')
                 def edit_repo_group_perms(self, group_name):
                     c.active = 'perms'
                     c.repo_group = RepoGroupModel()._get_repo_group(group_name)
                     self.__load_defaults()
                     defaults = self.__load_data(c.repo_group.group_id)
                     return htmlfill.render(
                         render('admin/repo_groups/repo_group_edit.mako'),
                         defaults=defaults,
                         encoding="UTF-8",
                         force_defaults=False
                     )
                 @HasRepoGroupPermissionAnyDecorator('group.admin')
                 @auth.CSRFRequired()
                 def update_perms(self, group_name):
                     """
                     Update permissions for given repository group
                     """
                     c.repo_group = RepoGroupModel()._get_repo_group(group_name)
                     valid_recursive_choices = ['none', 'repos', 'groups', 'all']
                     form = RepoGroupPermsForm(valid_recursive_choices)().to_python(
                         request.POST)
                     if not c.rhodecode_user.is_admin:
                         if self._revoke_perms_on_yourself(form):
                             msg = _('Cannot change permission for yourself as admin')
                             h.flash(msg, category='warning')
                             return redirect(
                                 url('edit_repo_group_perms', group_name=group_name))
                     # iterate over all members(if in recursive mode) of this groups and
                     # set the permissions !
                     # this can be potentially heavy operation
                     changes = RepoGroupModel().update_permissions(
                         c.repo_group,
                         form['perm_additions'], form['perm_updates'], form['perm_deletions'],
                         form['recursive'])
                     action_data = {
                         'added': changes['added'],
                         'updated': changes['updated'],
                         'deleted': changes['deleted'],
                     }
                     audit_logger.store_web(
                         'repo_group.edit.permissions', action_data=action_data,
                         user=c.rhodecode_user)
                     Session().commit()
                     h.flash(_('Repository Group permissions updated'), category='success')
                     return redirect(url('edit_repo_group_perms', group_name=group_name))

rhodecode/controllers/admin/user_groups.py

0 +3 0

             # -*- coding: utf-8 -*-
             # Copyright (C) 2011-2017 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             """
             User Groups crud controller for pylons
             """
             import logging
             import formencode
             import peppercorn
             from formencode import htmlfill
             from pylons import request, tmpl_context as c, url, config
             from pylons.controllers.util import redirect
             from pylons.i18n.translation import _
             from sqlalchemy.orm import joinedload
             from rhodecode.lib import auth
             from rhodecode.lib import helpers as h
             from rhodecode.lib import audit_logger
             from rhodecode.lib.ext_json import json
             from rhodecode.lib.exceptions import UserGroupAssignedException,\
                 RepoGroupAssignmentError
             from rhodecode.lib.utils import jsonify
             from rhodecode.lib.utils2 import safe_unicode, str2bool, safe_int
             from rhodecode.lib.auth import (
                 LoginRequired, NotAnonymous, HasUserGroupPermissionAnyDecorator,
                 HasPermissionAnyDecorator, XHRRequired)
             from rhodecode.lib.base import BaseController, render
             from rhodecode.model.permission import PermissionModel
             from rhodecode.model.scm import UserGroupList
             from rhodecode.model.user_group import UserGroupModel
             from rhodecode.model.db import (
                 User, UserGroup, UserGroupRepoToPerm, UserGroupRepoGroupToPerm)
             from rhodecode.model.forms import (
                 UserGroupForm, UserGroupPermsForm, UserIndividualPermissionsForm,
                 UserPermissionsForm)
             from rhodecode.model.meta import Session
             log = logging.getLogger(__name__)
             class UserGroupsController(BaseController):
                 """REST Controller styled on the Atom Publishing Protocol"""
                 @LoginRequired()
                 def __before__(self):
                     super(UserGroupsController, self).__before__()
                     c.available_permissions = config['available_permissions']
                     PermissionModel().set_global_permission_choices(c, gettext_translator=_)
                 def __load_data(self, user_group_id):
                     c.group_members_obj = [x.user for x in c.user_group.members]
                     c.group_members_obj.sort(key=lambda u: u.username.lower())
                     c.group_members = [(x.user_id, x.username) for x in c.group_members_obj]
                 def __load_defaults(self, user_group_id):
                     """
                     Load defaults settings for edit, and update
                     :param user_group_id:
                     """
                     user_group = UserGroup.get_or_404(user_group_id)
                     data = user_group.get_dict()
                     # fill owner
                     if user_group.user:
                         data.update({'user': user_group.user.username})
                     else:
                         replacement_user = User.get_first_super_admin().username
                         data.update({'user': replacement_user})
                     return data
                 def _revoke_perms_on_yourself(self, form_result):
                     _updates = filter(lambda u: c.rhodecode_user.user_id == int(u[0]),
                                       form_result['perm_updates'])
                     _additions = filter(lambda u: c.rhodecode_user.user_id == int(u[0]),
                                         form_result['perm_additions'])
                     _deletions = filter(lambda u: c.rhodecode_user.user_id == int(u[0]),
                                         form_result['perm_deletions'])
                     admin_perm = 'usergroup.admin'
                     if _updates   and _updates[0][1]   != admin_perm or \
                        _additions and _additions[0][1] != admin_perm or \
                        _deletions and _deletions[0][1] != admin_perm:
                         return True
                     return False
                 # permission check inside
                 @NotAnonymous()
                 def index(self):
                     from rhodecode.lib.utils import PartialRenderer
                     _render = PartialRenderer('data_table/_dt_elements.mako')
                     def user_group_name(user_group_id, user_group_name):
                         return _render("user_group_name", user_group_id, user_group_name)
                     def user_group_actions(user_group_id, user_group_name):
                         return _render("user_group_actions", user_group_id, user_group_name)
                     # json generate
                     group_iter = UserGroupList(UserGroup.query().all(),
                                                perm_set=['usergroup.admin'])
                     user_groups_data = []
                     for user_gr in group_iter:
                         user_groups_data.append({
                             "group_name": user_group_name(
                                 user_gr.users_group_id, h.escape(user_gr.users_group_name)),
                             "group_name_raw": user_gr.users_group_name,
                             "desc": h.escape(user_gr.user_group_description),
                             "members": len(user_gr.members),
                             "sync": user_gr.group_data.get('extern_type'),
                             "active": h.bool2icon(user_gr.users_group_active),
                             "owner": h.escape(h.link_to_user(user_gr.user.username)),
                             "action": user_group_actions(
                                 user_gr.users_group_id, user_gr.users_group_name)
                         })
                     c.data = json.dumps(user_groups_data)
                     return render('admin/user_groups/user_groups.mako')
                 @HasPermissionAnyDecorator('hg.admin', 'hg.usergroup.create.true')
                 @auth.CSRFRequired()
                 def create(self):
                     users_group_form = UserGroupForm()()
                     try:
                         form_result = users_group_form.to_python(dict(request.POST))
                         user_group = UserGroupModel().create(
                             name=form_result['users_group_name'],
                             description=form_result['user_group_description'],
                             owner=c.rhodecode_user.user_id,
                             active=form_result['users_group_active'])
                         Session().flush()
                         creation_data = user_group.get_api_data()
                         user_group_name = form_result['users_group_name']
                         audit_logger.store_web(
                             'user_group.create', action_data={'data': creation_data},
                             user=c.rhodecode_user)
                         user_group_link = h.link_to(
                             h.escape(user_group_name),
                             url('edit_users_group', user_group_id=user_group.users_group_id))
                         h.flash(h.literal(_('Created user group %(user_group_link)s')
                                           % {'user_group_link': user_group_link}),
                                 category='success')
                         Session().commit()
                     except formencode.Invalid as errors:
                         return htmlfill.render(
                             render('admin/user_groups/user_group_add.mako'),
                             defaults=errors.value,
                             errors=errors.error_dict or {},
                             prefix_error=False,
                             encoding="UTF-8",
                             force_defaults=False)
                     except Exception:
                         log.exception("Exception creating user group")
                         h.flash(_('Error occurred during creation of user group %s') \
                                 % request.POST.get('users_group_name'), category='error')
                     return redirect(
                         url('edit_users_group', user_group_id=user_group.users_group_id))
                 @HasPermissionAnyDecorator('hg.admin', 'hg.usergroup.create.true')
                 def new(self):
                     """GET /user_groups/new: Form to create a new item"""
                     # url('new_users_group')
                     return render('admin/user_groups/user_group_add.mako')
                 @HasUserGroupPermissionAnyDecorator('usergroup.admin')
                 @auth.CSRFRequired()
                 def update(self, user_group_id):
                     user_group_id = safe_int(user_group_id)
                     c.user_group = UserGroup.get_or_404(user_group_id)
                     c.active = 'settings'
                     self.__load_data(user_group_id)
                     users_group_form = UserGroupForm(
                         edit=True, old_data=c.user_group.get_dict(), allow_disabled=True)()
                     old_values = c.user_group.get_api_data()
                     try:
                         form_result = users_group_form.to_python(request.POST)
                         pstruct = peppercorn.parse(request.POST.items())
                         form_result['users_group_members'] = pstruct['user_group_members']
+                        user_group, added_members, removed_members = \
                             UserGroupModel().update(c.user_group, form_result)
                         updated_user_group = form_result['users_group_name']
                         audit_logger.store_web(
                             'user_group.edit', action_data={'old_data': old_values},
                             user=c.rhodecode_user)
+                        # TODO(marcink): use added/removed to set user_group.edit.member.add
                         h.flash(_('Updated user group %s') % updated_user_group,
                                 category='success')
                         Session().commit()
                     except formencode.Invalid as errors:
                         defaults = errors.value
                         e = errors.error_dict or {}
                         return htmlfill.render(
                             render('admin/user_groups/user_group_edit.mako'),
                             defaults=defaults,
                             errors=e,
                             prefix_error=False,
                             encoding="UTF-8",
                             force_defaults=False)
                     except Exception:
                         log.exception("Exception during update of user group")
                         h.flash(_('Error occurred during update of user group %s')
                                 % request.POST.get('users_group_name'), category='error')
                     return redirect(url('edit_users_group', user_group_id=user_group_id))
                 @HasUserGroupPermissionAnyDecorator('usergroup.admin')
                 @auth.CSRFRequired()
                 def delete(self, user_group_id):
                     user_group_id = safe_int(user_group_id)
                     c.user_group = UserGroup.get_or_404(user_group_id)
                     force = str2bool(request.POST.get('force'))
                     old_values = c.user_group.get_api_data()
                     try:
                         UserGroupModel().delete(c.user_group, force=force)
                         audit_logger.store_web(
                             'user.delete', action_data={'old_data': old_values},
                             user=c.rhodecode_user)
                         Session().commit()
                         h.flash(_('Successfully deleted user group'), category='success')
                     except UserGroupAssignedException as e:
                         h.flash(str(e), category='error')
                     except Exception:
                         log.exception("Exception during deletion of user group")
                         h.flash(_('An error occurred during deletion of user group'),
                                 category='error')
                     return redirect(url('users_groups'))
                 @HasUserGroupPermissionAnyDecorator('usergroup.admin')
                 def edit(self, user_group_id):
                     """GET /user_groups/user_group_id/edit: Form to edit an existing item"""
                     # url('edit_users_group', user_group_id=ID)
                     user_group_id = safe_int(user_group_id)
                     c.user_group = UserGroup.get_or_404(user_group_id)
                     c.active = 'settings'
                     self.__load_data(user_group_id)
                     defaults = self.__load_defaults(user_group_id)
                     return htmlfill.render(
                         render('admin/user_groups/user_group_edit.mako'),
                         defaults=defaults,
                         encoding="UTF-8",
                         force_defaults=False
                     )
                 @HasUserGroupPermissionAnyDecorator('usergroup.admin')
                 def edit_perms(self, user_group_id):
                     user_group_id = safe_int(user_group_id)
                     c.user_group = UserGroup.get_or_404(user_group_id)
                     c.active = 'perms'
                     defaults = {}
                     # fill user group users
                     for p in c.user_group.user_user_group_to_perm:
                         defaults.update({'u_perm_%s' % p.user.user_id:
                                          p.permission.permission_name})
                     for p in c.user_group.user_group_user_group_to_perm:
                         defaults.update({'g_perm_%s' % p.user_group.users_group_id:
                                          p.permission.permission_name})
                     return htmlfill.render(
                         render('admin/user_groups/user_group_edit.mako'),
                         defaults=defaults,
                         encoding="UTF-8",
                         force_defaults=False
                     )
                 @HasUserGroupPermissionAnyDecorator('usergroup.admin')
                 @auth.CSRFRequired()
                 def update_perms(self, user_group_id):
                     """
                     grant permission for given usergroup
                     :param user_group_id:
                     """
                     user_group_id = safe_int(user_group_id)
                     c.user_group = UserGroup.get_or_404(user_group_id)
                     form = UserGroupPermsForm()().to_python(request.POST)
                     if not c.rhodecode_user.is_admin:
                         if self._revoke_perms_on_yourself(form):
                             msg = _('Cannot change permission for yourself as admin')
                             h.flash(msg, category='warning')
                             return redirect(url('edit_user_group_perms', user_group_id=user_group_id))
                     try:
                         UserGroupModel().update_permissions(user_group_id,
                             form['perm_additions'], form['perm_updates'], form['perm_deletions'])
                     except RepoGroupAssignmentError:
                         h.flash(_('Target group cannot be the same'), category='error')
                         return redirect(url('edit_user_group_perms', user_group_id=user_group_id))
                     # TODO(marcink): implement global permissions
                     # audit_log.store_web('user_group.edit.permissions')
                     Session().commit()
                     h.flash(_('User Group permissions updated'), category='success')
                     return redirect(url('edit_user_group_perms', user_group_id=user_group_id))
                 @HasUserGroupPermissionAnyDecorator('usergroup.admin')
                 def edit_perms_summary(self, user_group_id):
                     user_group_id = safe_int(user_group_id)
                     c.user_group = UserGroup.get_or_404(user_group_id)
                     c.active = 'perms_summary'
                     permissions = {
                         'repositories': {},
                         'repositories_groups': {},
                     }
                     ugroup_repo_perms = UserGroupRepoToPerm.query()\
                         .options(joinedload(UserGroupRepoToPerm.permission))\
                         .options(joinedload(UserGroupRepoToPerm.repository))\
                         .filter(UserGroupRepoToPerm.users_group_id == user_group_id)\
                         .all()
                     for gr in ugroup_repo_perms:
                         permissions['repositories'][gr.repository.repo_name]  \
                             = gr.permission.permission_name
                     ugroup_group_perms = UserGroupRepoGroupToPerm.query()\
                         .options(joinedload(UserGroupRepoGroupToPerm.permission))\
                         .options(joinedload(UserGroupRepoGroupToPerm.group))\
                         .filter(UserGroupRepoGroupToPerm.users_group_id == user_group_id)\
                         .all()
                     for gr in ugroup_group_perms:
                         permissions['repositories_groups'][gr.group.group_name] \
                             = gr.permission.permission_name
                     c.permissions = permissions
                     return render('admin/user_groups/user_group_edit.mako')
                 @HasUserGroupPermissionAnyDecorator('usergroup.admin')
                 def edit_global_perms(self, user_group_id):
                     user_group_id = safe_int(user_group_id)
                     c.user_group = UserGroup.get_or_404(user_group_id)
                     c.active = 'global_perms'
                     c.default_user = User.get_default_user()
                     defaults = c.user_group.get_dict()
                     defaults.update(c.default_user.get_default_perms(suffix='_inherited'))
                     defaults.update(c.user_group.get_default_perms())
                     return htmlfill.render(
                         render('admin/user_groups/user_group_edit.mako'),
                         defaults=defaults,
                         encoding="UTF-8",
                         force_defaults=False
                     )
                 @HasUserGroupPermissionAnyDecorator('usergroup.admin')
                 @auth.CSRFRequired()
                 def update_global_perms(self, user_group_id):
                     user_group_id = safe_int(user_group_id)
                     user_group = UserGroup.get_or_404(user_group_id)
                     c.active = 'global_perms'
                     try:
                         # first stage that verifies the checkbox
                         _form = UserIndividualPermissionsForm()
                         form_result = _form.to_python(dict(request.POST))
                         inherit_perms = form_result['inherit_default_permissions']
                         user_group.inherit_default_permissions = inherit_perms
                         Session().add(user_group)
                         if not inherit_perms:
                             # only update the individual ones if we un check the flag
                             _form = UserPermissionsForm(
                                 [x[0] for x in c.repo_create_choices],
                                 [x[0] for x in c.repo_create_on_write_choices],
                                 [x[0] for x in c.repo_group_create_choices],
                                 [x[0] for x in c.user_group_create_choices],
                                 [x[0] for x in c.fork_choices],
                                 [x[0] for x in c.inherit_default_permission_choices])()
                             form_result = _form.to_python(dict(request.POST))
                             form_result.update({'perm_user_group_id': user_group.users_group_id})
                             PermissionModel().update_user_group_permissions(form_result)
                         Session().commit()
                         h.flash(_('User Group global permissions updated successfully'),
                                 category='success')
                     except formencode.Invalid as errors:
                         defaults = errors.value
                         c.user_group = user_group
                         return htmlfill.render(
                             render('admin/user_groups/user_group_edit.mako'),
                             defaults=defaults,
                             errors=errors.error_dict or {},
                             prefix_error=False,
                             encoding="UTF-8",
                             force_defaults=False)
                     except Exception:
                         log.exception("Exception during permissions saving")
                         h.flash(_('An error occurred during permissions saving'),
                                 category='error')
                     return redirect(url('edit_user_group_global_perms', user_group_id=user_group_id))
                 @HasUserGroupPermissionAnyDecorator('usergroup.admin')
                 def edit_advanced(self, user_group_id):
                     user_group_id = safe_int(user_group_id)
                     c.user_group = UserGroup.get_or_404(user_group_id)
                     c.active = 'advanced'
                     c.group_members_obj = sorted(
                         (x.user for x in c.user_group.members),
                         key=lambda u: u.username.lower())
                     c.group_to_repos = sorted(
                         (x.repository for x in c.user_group.users_group_repo_to_perm),
                         key=lambda u: u.repo_name.lower())
                     c.group_to_repo_groups = sorted(
                         (x.group for x in c.user_group.users_group_repo_group_to_perm),
                         key=lambda u: u.group_name.lower())
                     return render('admin/user_groups/user_group_edit.mako')
                 @HasUserGroupPermissionAnyDecorator('usergroup.admin')
                 def edit_advanced_set_synchronization(self, user_group_id):
                     user_group_id = safe_int(user_group_id)
                     user_group = UserGroup.get_or_404(user_group_id)
                     existing = user_group.group_data.get('extern_type')
                     if existing:
                         new_state = user_group.group_data
                         new_state['extern_type'] = None
                     else:
                         new_state = user_group.group_data
                         new_state['extern_type'] = 'manual'
                         new_state['extern_type_set_by'] = c.rhodecode_user.username
                     try:
                         user_group.group_data = new_state
                         Session().add(user_group)
                         Session().commit()
                         h.flash(_('User Group synchronization updated successfully'),
                                 category='success')
                     except Exception:
                         log.exception("Exception during sync settings saving")
                         h.flash(_('An error occurred during synchronization update'),
                                 category='error')
                     return redirect(
                         url('edit_user_group_advanced', user_group_id=user_group_id))
                 @HasUserGroupPermissionAnyDecorator('usergroup.admin')
                 @XHRRequired()
                 @jsonify
                 def user_group_members(self, user_group_id):
                     """
                     Return members of given user group
                     """
                     user_group_id = safe_int(user_group_id)
                     user_group = UserGroup.get_or_404(user_group_id)
                     group_members_obj = sorted((x.user for x in user_group.members),
                                                key=lambda u: u.username.lower())
                     group_members = [
                         {
                             'id': user.user_id,
                             'first_name': user.first_name,
                             'last_name': user.last_name,
                             'username': user.username,
                             'icon_link': h.gravatar_url(user.email, 30),
                             'value_display': h.person(user.email),
                             'value': user.username,
                             'value_type': 'user',
                             'active': user.active,
                         }
                         for user in group_members_obj
                     ]
                     return {
                         'members': group_members
                     }

rhodecode/controllers/files.py

0 +2 -2

             # -*- coding: utf-8 -*-
             # Copyright (C) 2010-2017 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             """
             Files controller for RhodeCode Enterprise
             """
             import itertools
             import logging
             import os
             import shutil
             import tempfile
             from pylons import request, response, tmpl_context as c, url
             from pylons.i18n.translation import _
             from pylons.controllers.util import redirect
             from webob.exc import HTTPNotFound, HTTPBadRequest
             from rhodecode.controllers.utils import parse_path_ref
             from rhodecode.lib import diffs, helpers as h, caches
             from rhodecode.lib import audit_logger
             from rhodecode.lib.codeblocks import (
                 filenode_as_lines_tokens, filenode_as_annotated_lines_tokens)
             from rhodecode.lib.utils import jsonify
             from rhodecode.lib.utils2 import (
                 convert_line_endings, detect_mode, safe_str, str2bool)
             from rhodecode.lib.auth import (
                 LoginRequired, HasRepoPermissionAnyDecorator, CSRFRequired, XHRRequired)
             from rhodecode.lib.base import BaseRepoController, render
             from rhodecode.lib.vcs import path as vcspath
             from rhodecode.lib.vcs.backends.base import EmptyCommit
             from rhodecode.lib.vcs.conf import settings
             from rhodecode.lib.vcs.exceptions import (
                 RepositoryError, CommitDoesNotExistError, EmptyRepositoryError,
                 ImproperArchiveTypeError, VCSError, NodeAlreadyExistsError,
                 NodeDoesNotExistError, CommitError, NodeError)
             from rhodecode.lib.vcs.nodes import FileNode
             from rhodecode.model.repo import RepoModel
             from rhodecode.model.scm import ScmModel
             from rhodecode.model.db import Repository
             from rhodecode.controllers.changeset import (
                 _ignorews_url, _context_url, get_line_ctx, get_ignore_ws)
             from rhodecode.lib.exceptions import NonRelativePathError
             log = logging.getLogger(__name__)
             class FilesController(BaseRepoController):
                 def __before__(self):
                     super(FilesController, self).__before__()
                     c.cut_off_limit = self.cut_off_limit_file
                 def _get_default_encoding(self):
                     enc_list = getattr(c, 'default_encodings', [])
                     return enc_list[0] if enc_list else 'UTF-8'
                 def __get_commit_or_redirect(self, commit_id, repo_name,
                                              redirect_after=True):
                     """
                     This is a safe way to get commit. If an error occurs it redirects to
                     tip with proper message
                     :param commit_id: id of commit to fetch
                     :param repo_name: repo name to redirect after
                     :param redirect_after: toggle redirection
                     """
                     try:
                         return c.rhodecode_repo.get_commit(commit_id)
                     except EmptyRepositoryError:
                         if not redirect_after:
                             return None
                         url_ = url('files_add_home',
                                    repo_name=c.repo_name,
                                    revision=0, f_path='', anchor='edit')
                         if h.HasRepoPermissionAny(
                                 'repository.write', 'repository.admin')(c.repo_name):
                             add_new = h.link_to(
                                 _('Click here to add a new file.'),
                                 url_, class_="alert-link")
                         else:
                             add_new = ""
                         h.flash(h.literal(
                             _('There are no files yet. %s') % add_new), category='warning')
                         redirect(h.route_path('repo_summary', repo_name=repo_name))
                     except (CommitDoesNotExistError, LookupError):
                         msg = _('No such commit exists for this repository')
                         h.flash(msg, category='error')
                         raise HTTPNotFound()
                     except RepositoryError as e:
                         h.flash(safe_str(e), category='error')
                         raise HTTPNotFound()
                 def __get_filenode_or_redirect(self, repo_name, commit, path):
                     """
                     Returns file_node, if error occurs or given path is directory,
                     it'll redirect to top level path
                     :param repo_name: repo_name
                     :param commit: given commit
                     :param path: path to lookup
                     """
                     try:
                         file_node = commit.get_node(path)
                         if file_node.is_dir():
                             raise RepositoryError('The given path is a directory')
                     except CommitDoesNotExistError:
                         log.exception('No such commit exists for this repository')
                         h.flash(_('No such commit exists for this repository'), category='error')
                         raise HTTPNotFound()
                     except RepositoryError as e:
                         h.flash(safe_str(e), category='error')
                         raise HTTPNotFound()
                     return file_node
                 def __get_tree_cache_manager(self, repo_name, namespace_type):
                     _namespace = caches.get_repo_namespace_key(namespace_type, repo_name)
                     return caches.get_cache_manager('repo_cache_long', _namespace)
                 def _get_tree_at_commit(self, repo_name, commit_id, f_path,
                                         full_load=False, force=False):
                     def _cached_tree():
                         log.debug('Generating cached file tree for %s, %s, %s',
                                   repo_name, commit_id, f_path)
                         c.full_load = full_load
                         return render('files/files_browser_tree.mako')
                     cache_manager = self.__get_tree_cache_manager(
                         repo_name, caches.FILE_TREE)
                     cache_key = caches.compute_key_from_params(
                         repo_name, commit_id, f_path)
                     if force:
                         # we want to force recompute of caches
                         cache_manager.remove_value(cache_key)
                     return cache_manager.get(cache_key, createfunc=_cached_tree)
                 def _get_nodelist_at_commit(self, repo_name, commit_id, f_path):
                     def _cached_nodes():
                         log.debug('Generating cached nodelist for %s, %s, %s',
                                   repo_name, commit_id, f_path)
                         _d, _f = ScmModel().get_nodes(
                             repo_name, commit_id, f_path, flat=False)
                         return _d + _f
                     cache_manager = self.__get_tree_cache_manager(
                         repo_name, caches.FILE_SEARCH_TREE_META)
                     cache_key = caches.compute_key_from_params(
                         repo_name, commit_id, f_path)
                     return cache_manager.get(cache_key, createfunc=_cached_nodes)
                 @LoginRequired()
                 @HasRepoPermissionAnyDecorator(
                     'repository.read', 'repository.write', 'repository.admin')
                 def index(
                         self, repo_name, revision, f_path, annotate=False, rendered=False):
                     commit_id = revision
                     # redirect to given commit_id from form if given
                     get_commit_id = request.GET.get('at_rev', None)
                     if get_commit_id:
                         self.__get_commit_or_redirect(get_commit_id, repo_name)
                     c.commit = self.__get_commit_or_redirect(commit_id, repo_name)
                     c.branch = request.GET.get('branch', None)
                     c.f_path = f_path
                     c.annotate = annotate
                     # default is false, but .rst/.md files later are autorendered, we can
                     # overwrite autorendering by setting this GET flag
                     c.renderer = rendered or not request.GET.get('no-render', False)
                     # prev link
                     try:
                         prev_commit = c.commit.prev(c.branch)
                         c.prev_commit = prev_commit
                         c.url_prev = url('files_home', repo_name=c.repo_name,
                                          revision=prev_commit.raw_id, f_path=f_path)
                         if c.branch:
                             c.url_prev += '?branch=%s' % c.branch
                     except (CommitDoesNotExistError, VCSError):
                         c.url_prev = '#'
                         c.prev_commit = EmptyCommit()
                     # next link
                     try:
                         next_commit = c.commit.next(c.branch)
                         c.next_commit = next_commit
                         c.url_next = url('files_home', repo_name=c.repo_name,
                                          revision=next_commit.raw_id, f_path=f_path)
                         if c.branch:
                             c.url_next += '?branch=%s' % c.branch
                     except (CommitDoesNotExistError, VCSError):
                         c.url_next = '#'
                         c.next_commit = EmptyCommit()
                     # files or dirs
                     try:
                         c.file = c.commit.get_node(f_path)
                         c.file_author = True
                         c.file_tree = ''
                         if c.file.is_file():
                             c.lf_node = c.file.get_largefile_node()
                             c.file_source_page = 'true'
                             c.file_last_commit = c.file.last_commit
                             if c.file.size < self.cut_off_limit_file:
                                 if c.annotate:  # annotation has precedence over renderer
                                     c.annotated_lines = filenode_as_annotated_lines_tokens(
                                         c.file
                                     )
                                 else:
                                     c.renderer = (
                                         c.renderer and h.renderer_from_filename(c.file.path)
                                     )
                                     if not c.renderer:
                                         c.lines = filenode_as_lines_tokens(c.file)
                             c.on_branch_head = self._is_valid_head(
                                 commit_id, c.rhodecode_repo)
                             branch = c.commit.branch if (
                                 c.commit.branch and '/' not in c.commit.branch) else None
                             c.branch_or_raw_id = branch or c.commit.raw_id
                             c.branch_name = c.commit.branch or h.short_id(c.commit.raw_id)
                             author = c.file_last_commit.author
                             c.authors = [(h.email(author),
                                           h.person(author, 'username_or_name_or_email'))]
                         else:
                             c.file_source_page = 'false'
                             c.authors = []
                             c.file_tree = self._get_tree_at_commit(
                                 repo_name, c.commit.raw_id, f_path)
                     except RepositoryError as e:
                         h.flash(safe_str(e), category='error')
                         raise HTTPNotFound()
                     if request.environ.get('HTTP_X_PJAX'):
                         return render('files/files_pjax.mako')
                     return render('files/files.mako')
                 @LoginRequired()
                 @HasRepoPermissionAnyDecorator(
                     'repository.read', 'repository.write', 'repository.admin')
                 def annotate_previous(self, repo_name, revision, f_path):
                     commit_id = revision
                     commit = self.__get_commit_or_redirect(commit_id, repo_name)
                     prev_commit_id = commit.raw_id
                     f_path = f_path
                     is_file = False
                     try:
                         _file = commit.get_node(f_path)
                         is_file = _file.is_file()
                     except (NodeDoesNotExistError, CommitDoesNotExistError, VCSError):
                         pass
                     if is_file:
                         history = commit.get_file_history(f_path)
                         prev_commit_id = history[1].raw_id \
                             if len(history) > 1 else prev_commit_id
                     return redirect(h.url(
                         'files_annotate_home', repo_name=repo_name,
                         revision=prev_commit_id, f_path=f_path))
                 @LoginRequired()
                 @HasRepoPermissionAnyDecorator('repository.read', 'repository.write',
                                                'repository.admin')
                 @jsonify
                 def history(self, repo_name, revision, f_path):
                     commit = self.__get_commit_or_redirect(revision, repo_name)
                     f_path = f_path
                     _file = commit.get_node(f_path)
                     if _file.is_file():
                         file_history, _hist = self._get_node_history(commit, f_path)
                         res = []
                         for obj in file_history:
                             res.append({
                                 'text': obj[1],
                                 'children': [{'id': o[0], 'text': o[1]} for o in obj[0]]
                             })
                         data = {
                             'more': False,
                             'results': res
                         }
                         return data
                 @LoginRequired()
                 @HasRepoPermissionAnyDecorator('repository.read', 'repository.write',
                                                'repository.admin')
                 def authors(self, repo_name, revision, f_path):
                     commit = self.__get_commit_or_redirect(revision, repo_name)
                     file_node = commit.get_node(f_path)
                     if file_node.is_file():
                         c.file_last_commit = file_node.last_commit
                         if request.GET.get('annotate') == '1':
                             # use _hist from annotation if annotation mode is on
                             commit_ids = set(x[1] for x in file_node.annotate)
                             _hist = (
                                 c.rhodecode_repo.get_commit(commit_id)
                                 for commit_id in commit_ids)
                         else:
                             _f_history, _hist = self._get_node_history(commit, f_path)
                         c.file_author = False
                         c.authors = []
                         for author in set(commit.author for commit in _hist):
                             c.authors.append((
                                 h.email(author),
                                 h.person(author, 'username_or_name_or_email')))
                         return render('files/file_authors_box.mako')
                 @LoginRequired()
                 @HasRepoPermissionAnyDecorator('repository.read', 'repository.write',
                                                'repository.admin')
                 def rawfile(self, repo_name, revision, f_path):
                     """
                     Action for download as raw
                     """
                     commit = self.__get_commit_or_redirect(revision, repo_name)
                     file_node = self.__get_filenode_or_redirect(repo_name, commit, f_path)
                     if request.GET.get('lf'):
                         # only if lf get flag is passed, we download this file
                         # as LFS/Largefile
                         lf_node = file_node.get_largefile_node()
                         if lf_node:
                             # overwrite our pointer with the REAL large-file
                             file_node = lf_node
                     response.content_disposition = 'attachment; filename=%s' % \
                         safe_str(f_path.split(Repository.NAME_SEP)[-1])
                     response.content_type = file_node.mimetype
                     charset = self._get_default_encoding()
                     if charset:
                         response.charset = charset
                     return file_node.content
                 @LoginRequired()
                 @HasRepoPermissionAnyDecorator('repository.read', 'repository.write',
                                                'repository.admin')
                 def raw(self, repo_name, revision, f_path):
                     """
                     Action for show as raw, some mimetypes are "rendered",
                     those include images, icons.
                     """
                     commit = self.__get_commit_or_redirect(revision, repo_name)
                     file_node = self.__get_filenode_or_redirect(repo_name, commit, f_path)
                     raw_mimetype_mapping = {
                         # map original mimetype to a mimetype used for "show as raw"
                         # you can also provide a content-disposition to override the
                         # default "attachment" disposition.
                         # orig_type: (new_type, new_dispo)
                         # show images inline:
                         # Do not re-add SVG: it is unsafe and permits XSS attacks. One can
                         # for example render an SVG with javascript inside or even render
                         # HTML.
                         'image/x-icon': ('image/x-icon', 'inline'),
                         'image/png': ('image/png', 'inline'),
                         'image/gif': ('image/gif', 'inline'),
                         'image/jpeg': ('image/jpeg', 'inline'),
                         'application/pdf': ('application/pdf', 'inline'),
                     }
                     mimetype = file_node.mimetype
                     try:
                         mimetype, dispo = raw_mimetype_mapping[mimetype]
                     except KeyError:
                         # we don't know anything special about this, handle it safely
                         if file_node.is_binary:
                             # do same as download raw for binary files
                             mimetype, dispo = 'application/octet-stream', 'attachment'
                         else:
                             # do not just use the original mimetype, but force text/plain,
                             # otherwise it would serve text/html and that might be unsafe.
                             # Note: underlying vcs library fakes text/plain mimetype if the
                             # mimetype can not be determined and it thinks it is not
                             # binary.This might lead to erroneous text display in some
                             # cases, but helps in other cases, like with text files
                             # without extension.
                             mimetype, dispo = 'text/plain', 'inline'
                     if dispo == 'attachment':
                         dispo = 'attachment; filename=%s' % safe_str(
                             f_path.split(os.sep)[-1])
                     response.content_disposition = dispo
                     response.content_type = mimetype
                     charset = self._get_default_encoding()
                     if charset:
                         response.charset = charset
                     return file_node.content
                 @CSRFRequired()
                 @LoginRequired()
                 @HasRepoPermissionAnyDecorator('repository.write', 'repository.admin')
                 def delete(self, repo_name, revision, f_path):
                     commit_id = revision
                     repo = c.rhodecode_db_repo
                     if repo.enable_locking and repo.locked[0]:
                         h.flash(_('This repository has been locked by %s on %s')
                                 % (h.person_by_id(repo.locked[0]),
                                 h.format_date(h.time_to_datetime(repo.locked[1]))),
                                 'warning')
                         return redirect(h.url('files_home',
                                               repo_name=repo_name, revision='tip'))
                     if not self._is_valid_head(commit_id, repo.scm_instance()):
                         h.flash(_('You can only delete files with revision '
                                   'being a valid branch '), category='warning')
                         return redirect(h.url('files_home',
                                               repo_name=repo_name, revision='tip',
                                               f_path=f_path))
                     c.commit = self.__get_commit_or_redirect(commit_id, repo_name)
                     c.file = self.__get_filenode_or_redirect(repo_name, c.commit, f_path)
                     c.default_message = _(
                         'Deleted file {} via RhodeCode Enterprise').format(f_path)
                     c.f_path = f_path
                     node_path = f_path
                     author = c.rhodecode_user.full_contact
                     message = request.POST.get('message') or c.default_message
                     try:
                         nodes = {
                             node_path: {
                                 'content': ''
                             }
                         }
                         self.scm_model.delete_nodes(
                             user=c.rhodecode_user.user_id, repo=c.rhodecode_db_repo,
                             message=message,
                             nodes=nodes,
                             parent_commit=c.commit,
                             author=author,
                         )
                         h.flash(
                             _('Successfully deleted file `{}`').format(
                                 h.escape(f_path)), category='success')
                     except Exception:
                         msg = _('Error occurred during commit')
                         log.exception(msg)
                         h.flash(msg, category='error')
                     return redirect(url('changeset_home',
                                         repo_name=c.repo_name, revision='tip'))
                 @LoginRequired()
                 @HasRepoPermissionAnyDecorator('repository.write', 'repository.admin')
                 def delete_home(self, repo_name, revision, f_path):
                     commit_id = revision
                     repo = c.rhodecode_db_repo
                     if repo.enable_locking and repo.locked[0]:
                         h.flash(_('This repository has been locked by %s on %s')
                                 % (h.person_by_id(repo.locked[0]),
                                 h.format_date(h.time_to_datetime(repo.locked[1]))),
                                 'warning')
                         return redirect(h.url('files_home',
                                               repo_name=repo_name, revision='tip'))
                     if not self._is_valid_head(commit_id, repo.scm_instance()):
                         h.flash(_('You can only delete files with revision '
                                   'being a valid branch '), category='warning')
                         return redirect(h.url('files_home',
                                               repo_name=repo_name, revision='tip',
                                               f_path=f_path))
                     c.commit = self.__get_commit_or_redirect(commit_id, repo_name)
                     c.file = self.__get_filenode_or_redirect(repo_name, c.commit, f_path)
                     c.default_message = _(
                         'Deleted file {} via RhodeCode Enterprise').format(f_path)
                     c.f_path = f_path
                     return render('files/files_delete.mako')
                 @CSRFRequired()
                 @LoginRequired()
                 @HasRepoPermissionAnyDecorator('repository.write', 'repository.admin')
                 def edit(self, repo_name, revision, f_path):
                     commit_id = revision
                     repo = c.rhodecode_db_repo
                     if repo.enable_locking and repo.locked[0]:
                         h.flash(_('This repository has been locked by %s on %s')
                                 % (h.person_by_id(repo.locked[0]),
                                 h.format_date(h.time_to_datetime(repo.locked[1]))),
                                 'warning')
                         return redirect(h.url('files_home',
                                               repo_name=repo_name, revision='tip'))
                     if not self._is_valid_head(commit_id, repo.scm_instance()):
                         h.flash(_('You can only edit files with revision '
                                   'being a valid branch '), category='warning')
                         return redirect(h.url('files_home',
                                               repo_name=repo_name, revision='tip',
                                               f_path=f_path))
                     c.commit = self.__get_commit_or_redirect(commit_id, repo_name)
                     c.file = self.__get_filenode_or_redirect(repo_name, c.commit, f_path)
                     if c.file.is_binary:
                         return redirect(url('files_home', repo_name=c.repo_name,
                                         revision=c.commit.raw_id, f_path=f_path))
                     c.default_message = _(
                         'Edited file {} via RhodeCode Enterprise').format(f_path)
                     c.f_path = f_path
                     old_content = c.file.content
                     sl = old_content.splitlines(1)
                     first_line = sl[0] if sl else ''
                     # modes:  0 - Unix, 1 - Mac, 2 - DOS
                     mode = detect_mode(first_line, 0)
                     content = convert_line_endings(request.POST.get('content', ''), mode)
                     message = request.POST.get('message') or c.default_message
                     org_f_path = c.file.unicode_path
                     filename = request.POST['filename']
                     org_filename = c.file.name
                     if content == old_content and filename == org_filename:
                         h.flash(_('No changes'), category='warning')
                         return redirect(url('changeset_home', repo_name=c.repo_name,
                                             revision='tip'))
                     try:
                         mapping = {
                             org_f_path: {
                                 'org_filename': org_f_path,
                                 'filename': os.path.join(c.file.dir_path, filename),
                                 'content': content,
                                 'lexer': '',
                                 'op': 'mod',
                             }
                         }
                         ScmModel().update_nodes(
                             user=c.rhodecode_user.user_id,
                             repo=c.rhodecode_db_repo,
                             message=message,
                             nodes=mapping,
                             parent_commit=c.commit,
                         )
                         h.flash(
                             _('Successfully committed changes to file `{}`').format(
                                 h.escape(f_path)), category='success')
                     except Exception:
                         log.exception('Error occurred during commit')
                         h.flash(_('Error occurred during commit'), category='error')
                     return redirect(url('changeset_home',
                                         repo_name=c.repo_name, revision='tip'))
                 @LoginRequired()
                 @HasRepoPermissionAnyDecorator('repository.write', 'repository.admin')
                 def edit_home(self, repo_name, revision, f_path):
                     commit_id = revision
                     repo = c.rhodecode_db_repo
                     if repo.enable_locking and repo.locked[0]:
                         h.flash(_('This repository has been locked by %s on %s')
                                 % (h.person_by_id(repo.locked[0]),
                                 h.format_date(h.time_to_datetime(repo.locked[1]))),
                                 'warning')
                         return redirect(h.url('files_home',
                                               repo_name=repo_name, revision='tip'))
                     if not self._is_valid_head(commit_id, repo.scm_instance()):
                         h.flash(_('You can only edit files with revision '
                                   'being a valid branch '), category='warning')
                         return redirect(h.url('files_home',
                                               repo_name=repo_name, revision='tip',
                                               f_path=f_path))
                     c.commit = self.__get_commit_or_redirect(commit_id, repo_name)
                     c.file = self.__get_filenode_or_redirect(repo_name, c.commit, f_path)
                     if c.file.is_binary:
                         return redirect(url('files_home', repo_name=c.repo_name,
                                         revision=c.commit.raw_id, f_path=f_path))
                     c.default_message = _(
                         'Edited file {} via RhodeCode Enterprise').format(f_path)
                     c.f_path = f_path
                     return render('files/files_edit.mako')
                 def _is_valid_head(self, commit_id, repo):
                     # check if commit is a branch identifier- basically we cannot
                     # create multiple heads via file editing
                     valid_heads = repo.branches.keys() + repo.branches.values()
                     if h.is_svn(repo) and not repo.is_empty():
                         # Note: Subversion only has one head, we add it here in case there
                         # is no branch matched.
                         valid_heads.append(repo.get_commit(commit_idx=-1).raw_id)
                     # check if commit is a branch name or branch hash
                     return commit_id in valid_heads
                 @CSRFRequired()
                 @LoginRequired()
                 @HasRepoPermissionAnyDecorator('repository.write', 'repository.admin')
                 def add(self, repo_name, revision, f_path):
                     repo = Repository.get_by_repo_name(repo_name)
                     if repo.enable_locking and repo.locked[0]:
                         h.flash(_('This repository has been locked by %s on %s')
                                 % (h.person_by_id(repo.locked[0]),
                                 h.format_date(h.time_to_datetime(repo.locked[1]))),
                                 'warning')
                         return redirect(h.url('files_home',
                                               repo_name=repo_name, revision='tip'))
                     r_post = request.POST
                     c.commit = self.__get_commit_or_redirect(
                         revision, repo_name, redirect_after=False)
                     if c.commit is None:
                         c.commit = EmptyCommit(alias=c.rhodecode_repo.alias)
                     c.default_message = (_('Added file via RhodeCode Enterprise'))
                     c.f_path = f_path
                     unix_mode = 0
                     content = convert_line_endings(r_post.get('content', ''), unix_mode)
                     message = r_post.get('message') or c.default_message
                     filename = r_post.get('filename')
                     location = r_post.get('location', '')  # dir location
                     file_obj = r_post.get('upload_file', None)
                     if file_obj is not None and hasattr(file_obj, 'filename'):
                         filename = r_post.get('filename_upload')
                         content = file_obj.file
                         if hasattr(content, 'file'):
                             # non posix systems store real file under file attr
                             content = content.file
                     # If there's no commit, redirect to repo summary
                     if type(c.commit) is EmptyCommit:
                         redirect_url = h.route_path('repo_summary', repo_name=c.repo_name)
                     else:
                         redirect_url = url("changeset_home", repo_name=c.repo_name,
                                            revision='tip')
                     if not filename:
                         h.flash(_('No filename'), category='warning')
                         return redirect(redirect_url)
                     # extract the location from filename,
                     # allows using foo/bar.txt syntax to create subdirectories
                     subdir_loc = filename.rsplit('/', 1)
                     if len(subdir_loc) == 2:
                         location = os.path.join(location, subdir_loc[0])
                     # strip all crap out of file, just leave the basename
                     filename = os.path.basename(filename)
                     node_path = os.path.join(location, filename)
                     author = c.rhodecode_user.full_contact
                     try:
                         nodes = {
                             node_path: {
                                 'content': content
                             }
                         }
                         self.scm_model.create_nodes(
                             user=c.rhodecode_user.user_id,
                             repo=c.rhodecode_db_repo,
                             message=message,
                             nodes=nodes,
                             parent_commit=c.commit,
                             author=author,
                         )
                         h.flash(
                             _('Successfully committed new file `{}`').format(
                                 h.escape(node_path)), category='success')
                     except NonRelativePathError as e:
                         h.flash(_(
                             'The location specified must be a relative path and must not '
                             'contain .. in the path'), category='warning')
                         return redirect(url('changeset_home', repo_name=c.repo_name,
                                             revision='tip'))
                     except (NodeError, NodeAlreadyExistsError) as e:
                         h.flash(_(h.escape(e)), category='error')
                     except Exception:
                         log.exception('Error occurred during commit')
                         h.flash(_('Error occurred during commit'), category='error')
                     return redirect(url('changeset_home',
                                         repo_name=c.repo_name, revision='tip'))
                 @LoginRequired()
                 @HasRepoPermissionAnyDecorator('repository.write', 'repository.admin')
                 def add_home(self, repo_name, revision, f_path):
                     repo = Repository.get_by_repo_name(repo_name)
                     if repo.enable_locking and repo.locked[0]:
                         h.flash(_('This repository has been locked by %s on %s')
                                 % (h.person_by_id(repo.locked[0]),
                                 h.format_date(h.time_to_datetime(repo.locked[1]))),
                                 'warning')
                         return redirect(h.url('files_home',
                                               repo_name=repo_name, revision='tip'))
                     c.commit = self.__get_commit_or_redirect(
                         revision, repo_name, redirect_after=False)
                     if c.commit is None:
                         c.commit = EmptyCommit(alias=c.rhodecode_repo.alias)
                     c.default_message = (_('Added file via RhodeCode Enterprise'))
                     c.f_path = f_path
                     return render('files/files_add.mako')
                 @LoginRequired()
                 @HasRepoPermissionAnyDecorator('repository.read', 'repository.write',
                                                'repository.admin')
                 def archivefile(self, repo_name, fname):
                     fileformat = None
                     commit_id = None
                     ext = None
                     subrepos = request.GET.get('subrepos') == 'true'
                     for a_type, ext_data in settings.ARCHIVE_SPECS.items():
                         archive_spec = fname.split(ext_data[1])
                         if len(archive_spec) == 2 and archive_spec[1] == '':
                             fileformat = a_type or ext_data[1]
                             commit_id = archive_spec[0]
                             ext = ext_data[1]
                     dbrepo = RepoModel().get_by_repo_name(repo_name)
                     if not dbrepo.enable_downloads:
                         return _('Downloads disabled')
                     try:
                         commit = c.rhodecode_repo.get_commit(commit_id)
                         content_type = settings.ARCHIVE_SPECS[fileformat][0]
                     except CommitDoesNotExistError:
                         return _('Unknown revision %s') % commit_id
                     except EmptyRepositoryError:
                         return _('Empty repository')
                     except KeyError:
                         return _('Unknown archive type')
                     # archive cache
                     from rhodecode import CONFIG
                     archive_name = '%s-%s%s%s' % (
                         safe_str(repo_name.replace('/', '_')),
                         '-sub' if subrepos else '',
                         safe_str(commit.short_id), ext)
                     use_cached_archive = False
                     archive_cache_enabled = CONFIG.get(
                         'archive_cache_dir') and not request.GET.get('no_cache')
                     if archive_cache_enabled:
                         # check if we it's ok to write
                         if not os.path.isdir(CONFIG['archive_cache_dir']):
                             os.makedirs(CONFIG['archive_cache_dir'])
                         cached_archive_path = os.path.join(
                             CONFIG['archive_cache_dir'], archive_name)
                         if os.path.isfile(cached_archive_path):
                             log.debug('Found cached archive in %s', cached_archive_path)
                             fd, archive = None, cached_archive_path
                             use_cached_archive = True
                         else:
                             log.debug('Archive %s is not yet cached', archive_name)
                     if not use_cached_archive:
                         # generate new archive
                         fd, archive = tempfile.mkstemp()
                         log.debug('Creating new temp archive in %s', archive)
                         try:
                             commit.archive_repo(archive, kind=fileformat, subrepos=subrepos)
                         except ImproperArchiveTypeError:
                             return _('Unknown archive type')
                         if archive_cache_enabled:
                             # if we generated the archive and we have cache enabled
                             # let's use this for future
                             log.debug('Storing new archive in %s', cached_archive_path)
                             shutil.move(archive, cached_archive_path)
                             archive = cached_archive_path
                     # store download action
                     audit_logger.store_web(
-                        action='repo.archive.download',
+                        'repo.archive.download', action_data={
-                        action_data={'user_agent': request.user_agent,
+                            'user_agent': request.user_agent,
                             'archive_name': archive_name,
                             'archive_spec': fname,
                             'archive_cached': use_cached_archive},
                         user=c.rhodecode_user,
                         repo=dbrepo,
                         commit=True
                     )
                     response.content_disposition = str(
                         'attachment; filename=%s' % archive_name)
                     response.content_type = str(content_type)
                     def get_chunked_archive(archive):
                         with open(archive, 'rb') as stream:
                             while True:
                                 data = stream.read(16 * 1024)
                                 if not data:
                                     if fd:  # fd means we used temporary file
                                         os.close(fd)
                                     if not archive_cache_enabled:
                                         log.debug('Destroying temp archive %s', archive)
                                         os.remove(archive)
                                     break
                                 yield data
                     return get_chunked_archive(archive)
                 @LoginRequired()
                 @HasRepoPermissionAnyDecorator('repository.read', 'repository.write',
                                                'repository.admin')
                 def diff(self, repo_name, f_path):
                     c.action = request.GET.get('diff')
                     diff1 = request.GET.get('diff1', '')
                     diff2 = request.GET.get('diff2', '')
                     path1, diff1 = parse_path_ref(diff1, default_path=f_path)
                     ignore_whitespace = str2bool(request.GET.get('ignorews'))
                     line_context = request.GET.get('context', 3)
                     if not any((diff1, diff2)):
                         h.flash(
                             'Need query parameter "diff1" or "diff2" to generate a diff.',
                             category='error')
                         raise HTTPBadRequest()
                     if c.action not in ['download', 'raw']:
                         # redirect to new view if we render diff
                         return redirect(
                             url('compare_url', repo_name=repo_name,
                                 source_ref_type='rev',
                                 source_ref=diff1,
                                 target_repo=c.repo_name,
                                 target_ref_type='rev',
                                 target_ref=diff2,
                                 f_path=f_path))
                     try:
                         node1 = self._get_file_node(diff1, path1)
                         node2 = self._get_file_node(diff2, f_path)
                     except (RepositoryError, NodeError):
                         log.exception("Exception while trying to get node from repository")
                         return redirect(url(
                             'files_home', repo_name=c.repo_name, f_path=f_path))
                     if all(isinstance(node.commit, EmptyCommit)
                            for node in (node1, node2)):
                         raise HTTPNotFound
                     c.commit_1 = node1.commit
                     c.commit_2 = node2.commit
                     if c.action == 'download':
                         _diff = diffs.get_gitdiff(node1, node2,
                                                   ignore_whitespace=ignore_whitespace,
                                                   context=line_context)
                         diff = diffs.DiffProcessor(_diff, format='gitdiff')
                         diff_name = '%s_vs_%s.diff' % (diff1, diff2)
                         response.content_type = 'text/plain'
                         response.content_disposition = (
                             'attachment; filename=%s' % (diff_name,)
                         )
                         charset = self._get_default_encoding()
                         if charset:
                             response.charset = charset
                         return diff.as_raw()
                     elif c.action == 'raw':
                         _diff = diffs.get_gitdiff(node1, node2,
                                                   ignore_whitespace=ignore_whitespace,
                                                   context=line_context)
                         diff = diffs.DiffProcessor(_diff, format='gitdiff')
                         response.content_type = 'text/plain'
                         charset = self._get_default_encoding()
                         if charset:
                             response.charset = charset
                         return diff.as_raw()
                     else:
                         return redirect(
                             url('compare_url', repo_name=repo_name,
                                 source_ref_type='rev',
                                 source_ref=diff1,
                                 target_repo=c.repo_name,
                                 target_ref_type='rev',
                                 target_ref=diff2,
                                 f_path=f_path))
                 @LoginRequired()
                 @HasRepoPermissionAnyDecorator('repository.read', 'repository.write',
                                                'repository.admin')
                 def diff_2way(self, repo_name, f_path):
                     """
                     Kept only to make OLD links work
                     """
                     diff1 = request.GET.get('diff1', '')
                     diff2 = request.GET.get('diff2', '')
                     if not any((diff1, diff2)):
                         h.flash(
                             'Need query parameter "diff1" or "diff2" to generate a diff.',
                             category='error')
                         raise HTTPBadRequest()
                     return redirect(
                         url('compare_url', repo_name=repo_name,
                             source_ref_type='rev',
                             source_ref=diff1,
                             target_repo=c.repo_name,
                             target_ref_type='rev',
                             target_ref=diff2,
                             f_path=f_path,
                             diffmode='sideside'))
                 def _get_file_node(self, commit_id, f_path):
                     if commit_id not in ['', None, 'None', '0' * 12, '0' * 40]:
                         commit = c.rhodecode_repo.get_commit(commit_id=commit_id)
                         try:
                             node = commit.get_node(f_path)
                             if node.is_dir():
                                 raise NodeError('%s path is a %s not a file'
                                                 % (node, type(node)))
                         except NodeDoesNotExistError:
                             commit = EmptyCommit(
                                 commit_id=commit_id,
                                 idx=commit.idx,
                                 repo=commit.repository,
                                 alias=commit.repository.alias,
                                 message=commit.message,
                                 author=commit.author,
                                 date=commit.date)
                             node = FileNode(f_path, '', commit=commit)
                     else:
                         commit = EmptyCommit(
                             repo=c.rhodecode_repo,
                             alias=c.rhodecode_repo.alias)
                         node = FileNode(f_path, '', commit=commit)
                     return node
                 def _get_node_history(self, commit, f_path, commits=None):
                     """
                     get commit history for given node
                     :param commit: commit to calculate history
                     :param f_path: path for node to calculate history for
                     :param commits: if passed don't calculate history and take
                         commits defined in this list
                     """
                     # calculate history based on tip
                     tip = c.rhodecode_repo.get_commit()
                     if commits is None:
                         pre_load = ["author", "branch"]
                         try:
                             commits = tip.get_file_history(f_path, pre_load=pre_load)
                         except (NodeDoesNotExistError, CommitError):
                             # this node is not present at tip!
                             commits = commit.get_file_history(f_path, pre_load=pre_load)
                     history = []
                     commits_group = ([], _("Changesets"))
                     for commit in commits:
                         branch = ' (%s)' % commit.branch if commit.branch else ''
                         n_desc = 'r%s:%s%s' % (commit.idx, commit.short_id, branch)
                         commits_group[0].append((commit.raw_id, n_desc,))
                     history.append(commits_group)
                     symbolic_reference = self._symbolic_reference
                     if c.rhodecode_repo.alias == 'svn':
                         adjusted_f_path = self._adjust_file_path_for_svn(
                             f_path, c.rhodecode_repo)
                         if adjusted_f_path != f_path:
                             log.debug(
                                 'Recognized svn tag or branch in file "%s", using svn '
                                 'specific symbolic references', f_path)
                             f_path = adjusted_f_path
                             symbolic_reference = self._symbolic_reference_svn
                     branches = self._create_references(
                         c.rhodecode_repo.branches, symbolic_reference, f_path)
                     branches_group = (branches, _("Branches"))
                     tags = self._create_references(
                         c.rhodecode_repo.tags, symbolic_reference, f_path)
                     tags_group = (tags, _("Tags"))
                     history.append(branches_group)
                     history.append(tags_group)
                     return history, commits
                 def _adjust_file_path_for_svn(self, f_path, repo):
                     """
                     Computes the relative path of `f_path`.
                     This is mainly based on prefix matching of the recognized tags and
                     branches in the underlying repository.
                     """
                     tags_and_branches = itertools.chain(
                         repo.branches.iterkeys(),
                         repo.tags.iterkeys())
                     tags_and_branches = sorted(tags_and_branches, key=len, reverse=True)
                     for name in tags_and_branches:
                         if f_path.startswith(name + '/'):
                             f_path = vcspath.relpath(f_path, name)
                             break
                     return f_path
                 def _create_references(
                         self, branches_or_tags, symbolic_reference, f_path):
                     items = []
                     for name, commit_id in branches_or_tags.items():
                         sym_ref = symbolic_reference(commit_id, name, f_path)
                         items.append((sym_ref, name))
                     return items
                 def _symbolic_reference(self, commit_id, name, f_path):
                     return commit_id
                 def _symbolic_reference_svn(self, commit_id, name, f_path):
                     new_f_path = vcspath.join(name, f_path)
                     return u'%s@%s' % (new_f_path, commit_id)
                 @LoginRequired()
                 @XHRRequired()
                 @HasRepoPermissionAnyDecorator(
                     'repository.read', 'repository.write', 'repository.admin')
                 @jsonify
                 def nodelist(self, repo_name, revision, f_path):
                     commit = self.__get_commit_or_redirect(revision, repo_name)
                     metadata = self._get_nodelist_at_commit(
                         repo_name, commit.raw_id, f_path)
                     return {'nodes': metadata}
                 @LoginRequired()
                 @XHRRequired()
                 @HasRepoPermissionAnyDecorator(
                     'repository.read', 'repository.write', 'repository.admin')
                 def nodetree_full(self, repo_name, commit_id, f_path):
                     """
                     Returns rendered html of file tree that contains commit date,
                     author, revision for the specified combination of
                     repo, commit_id and file path
                     :param repo_name: name of the repository
                     :param commit_id: commit_id of file tree
                     :param f_path: file path of the requested directory
                     """
                     commit = self.__get_commit_or_redirect(commit_id, repo_name)
                     try:
                         dir_node = commit.get_node(f_path)
                     except RepositoryError as e:
                         return 'error {}'.format(safe_str(e))
                     if dir_node.is_file():
                         return ''
                     c.file = dir_node
                     c.commit = commit
                     # using force=True here, make a little trick. We flush the cache and
                     # compute it using the same key as without full_load, so the fully
                     # loaded cached tree is now returned instead of partial
                     return self._get_tree_at_commit(
                         repo_name, commit.raw_id, dir_node.path, full_load=True,
                         force=True)

rhodecode/lib/audit_logger.py

0 +10 -12

             # -*- coding: utf-8 -*-
             # Copyright (C) 2017-2017 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import logging
             import datetime
             from rhodecode.model import meta
             from rhodecode.model.db import User, UserLog, Repository
             log = logging.getLogger(__name__)
             # action as key, and expected action_data as value
             ACTIONS_V1 = {
                 'user.login.success': {'user_agent': ''},
                 'user.login.failure': {'user_agent': ''},
                 'user.logout': {'user_agent': ''},
                 'user.password.reset_request': {},
                 'user.push': {'user_agent': '', 'commit_ids': []},
                 'user.pull': {'user_agent': ''},
                 'user.create': {'data': {}},
                 'user.delete': {'old_data': {}},
                 'user.edit': {'old_data': {}},
                 'user.edit.permissions': {},
                 'user.edit.ip.add': {'ip': {}, 'user': {}},
                 'user.edit.ip.delete': {'ip': {}, 'user': {}},
                 'user.edit.token.add': {'token': {}, 'user': {}},
                 'user.edit.token.delete': {'token': {}, 'user': {}},
                 'user.edit.email.add': {'email': ''},
                 'user.edit.email.delete': {'email': ''},
                 'user.edit.password_reset.enabled': {},
                 'user.edit.password_reset.disabled': {},
                 'user_group.create': {'data': {}},
                 'user_group.delete': {'old_data': {}},
                 'user_group.edit': {'old_data': {}},
                 'user_group.edit.permissions': {},
-                'user_group.edit.member.add': {},
+                'user_group.edit.member.add': {'user': {}},
-                'user_group.edit.member.delete': {},
+                'user_group.edit.member.delete': {'user': {}},
                 'repo.create': {'data': {}},
                 'repo.fork': {'data': {}},
                 'repo.edit': {'old_data': {}},
                 'repo.edit.permissions': {},
                 'repo.delete': {'old_data': {}},
                 'repo.commit.strip': {'commit_id': ''},
                 'repo.archive.download': {'user_agent': '', 'archive_name': '',
                                           'archive_spec': '', 'archive_cached': ''},
                 'repo.pull_request.create': '',
                 'repo.pull_request.edit': '',
                 'repo.pull_request.delete': '',
                 'repo.pull_request.close': '',
                 'repo.pull_request.merge': '',
                 'repo.pull_request.vote': '',
                 'repo.pull_request.comment.create': '',
                 'repo.pull_request.comment.delete': '',
                 'repo.pull_request.reviewer.add': '',
                 'repo.pull_request.reviewer.delete': '',
-                'repo.commit.comment.create': '',
+                'repo.commit.comment.create': {'data': {}},
-                'repo.commit.comment.delete': '',
+                'repo.commit.comment.delete': {'data': {}},
                 'repo.commit.vote': '',
                 'repo_group.create': {'data': {}},
                 'repo_group.edit': {'old_data': {}},
                 'repo_group.edit.permissions': {},
                 'repo_group.delete': {'old_data': {}},
             }
             ACTIONS = ACTIONS_V1
             SOURCE_WEB = 'source_web'
             SOURCE_API = 'source_api'
             class UserWrap(object):
                 """
                 Fake object used to imitate AuthUser
                 """
                 def __init__(self, user_id=None, username=None, ip_addr=None):
                     self.user_id = user_id
                     self.username = username
                     self.ip_addr = ip_addr
             class RepoWrap(object):
                 """
                 Fake object used to imitate RepoObject that audit logger requires
                 """
                 def __init__(self, repo_id=None, repo_name=None):
                     self.repo_id = repo_id
                     self.repo_name = repo_name
             def _store_log(action_name, action_data, user_id, username, user_data,
                            ip_address, repository_id, repository_name):
                 user_log = UserLog()
                 user_log.version = UserLog.VERSION_2
                 user_log.action = action_name
                 user_log.action_data = action_data
                 user_log.user_ip = ip_address
                 user_log.user_id = user_id
                 user_log.username = username
                 user_log.user_data = user_data
                 user_log.repository_id = repository_id
                 user_log.repository_name = repository_name
                 user_log.action_date = datetime.datetime.now()
                 log.info('AUDIT: Logging action: `%s` by user:id:%s[%s] ip:%s',
                          action_name, user_id, username, ip_address)
                 return user_log
             def store_web(*args, **kwargs):
                 if 'action_data' not in kwargs:
                     kwargs['action_data'] = {}
                 kwargs['action_data'].update({
                     'source': SOURCE_WEB
                 })
                 return store(*args, **kwargs)
             def store_api(*args, **kwargs):
                 if 'action_data' not in kwargs:
                     kwargs['action_data'] = {}
                 kwargs['action_data'].update({
                     'source': SOURCE_API
                 })
                 return store(*args, **kwargs)
             def store(action, user, action_data=None, user_data=None, ip_addr=None,
                       repo=None, sa_session=None, commit=False):
                 """
                 Audit logger for various actions made by users, typically this
                 results in a call such::
                     from rhodecode.lib import audit_logger
                     audit_logger.store(
-                        action='repo.edit', user=self._rhodecode_user)
+                        'repo.edit', user=self._rhodecode_user)
                     audit_logger.store(
-                        action='repo.delete', action_data={'data': repo_data},
+                        'repo.delete', action_data={'data': repo_data},
                         user=audit_logger.UserWrap(username='itried-login', ip_addr='8.8.8.8'))
                     # repo action
                     audit_logger.store(
-                        action='repo.delete',
+                        'repo.delete',
                         user=audit_logger.UserWrap(username='itried-login', ip_addr='8.8.8.8'),
                         repo=audit_logger.RepoWrap(repo_name='some-repo'))
                     # repo action, when we know and have the repository object already
                     audit_logger.store(
-                        action='repo.delete',
+                        'repo.delete', action_data={'source': audit_logger.SOURCE_WEB, },
-                        action_data={'source': audit_logger.SOURCE_WEB, },
                         user=self._rhodecode_user,
                         repo=repo_object)
                     # alternative wrapper to the above
                     audit_logger.store_web(
-                        action='repo.delete',
+                        'repo.delete', action_data={},
-                        action_data={},
                         user=self._rhodecode_user,
                         repo=repo_object)
                     # without an user ?
                     audit_logger.store(
-                        action='user.login.failure',
+                        'user.login.failure',
                         user=audit_logger.UserWrap(
                                 username=self.request.params.get('username'),
                                 ip_addr=self.request.remote_addr))
                 """
                 from rhodecode.lib.utils2 import safe_unicode
                 from rhodecode.lib.auth import AuthUser
                 action_spec = ACTIONS.get(action, None)
                 if action_spec is None:
                     raise ValueError('Action `{}` is not supported'.format(action))
                 if not sa_session:
                     sa_session = meta.Session()
                 try:
                     username = getattr(user, 'username', None)
                     if not username:
                         pass
                     user_id = getattr(user, 'user_id', None)
                     if not user_id:
                         # maybe we have username ? Try to figure user_id from username
                         if username:
                             user_id = getattr(
                                 User.get_by_username(username), 'user_id', None)
                     ip_addr = ip_addr or getattr(user, 'ip_addr', None)
                     if not ip_addr:
                         pass
                     if not user_data:
                         # try to get this from the auth user
                         if isinstance(user, AuthUser):
                             user_data = {
                                 'username': user.username,
                                 'email': user.email,
                             }
                     repository_name = getattr(repo, 'repo_name', None)
                     repository_id = getattr(repo, 'repo_id', None)
                     if not repository_id:
                         # maybe we have repo_name ? Try to figure repo_id from repo_name
                         if repository_name:
                             repository_id = getattr(
                                 Repository.get_by_repo_name(repository_name), 'repo_id', None)
                     user_log = _store_log(
                         action_name=safe_unicode(action),
                         action_data=action_data or {},
                         user_id=user_id,
                         username=username,
                         user_data=user_data or {},
                         ip_address=safe_unicode(ip_addr),
                         repository_id=repository_id,
                         repository_name=repository_name
                     )
                     sa_session.add(user_log)
                     if commit:
                         sa_session.commit()
                 except Exception:
                     log.exception('AUDIT: failed to store audit log')

rhodecode/lib/celerylib/tasks.py

0 +4 -6

             # -*- coding: utf-8 -*-
             # Copyright (C) 2012-2017 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             """
             RhodeCode task modules, containing all task that suppose to be run
             by celery daemon
             """
             import os
             import logging
             from celery.task import task
             from pylons import config
             import rhodecode
             from rhodecode.lib import audit_logger
             from rhodecode.lib.celerylib import (
                 run_task, dbsession, __get_lockkey, LockHeld, DaemonLock,
                 get_session, vcsconnection, RhodecodeCeleryTask)
             from rhodecode.lib.hooks_base import log_create_repository
             from rhodecode.lib.rcmail.smtp_mailer import SmtpMailer
             from rhodecode.lib.utils import add_cache
             from rhodecode.lib.utils2 import safe_int, str2bool
             from rhodecode.model.db import Repository, User
             add_cache(config)  # pragma: no cover
             def get_logger(cls):
                 if rhodecode.CELERY_ENABLED:
                     try:
                         log = cls.get_logger()
                     except Exception:
                         log = logging.getLogger(__name__)
                 else:
                     log = logging.getLogger(__name__)
                 return log
             @task(ignore_result=True, base=RhodecodeCeleryTask)
             @dbsession
             def send_email(recipients, subject, body='', html_body='', email_config=None):
                 """
                 Sends an email with defined parameters from the .ini files.
                 :param recipients: list of recipients, it this is empty the defined email
                     address from field 'email_to' is used instead
                 :param subject: subject of the mail
                 :param body: body of the mail
                 :param html_body: html version of body
                 """
                 log = get_logger(send_email)
                 email_config = email_config or rhodecode.CONFIG
                 subject = "%s %s" % (email_config.get('email_prefix', ''), subject)
                 if not recipients:
                     # if recipients are not defined we send to email_config + all admins
                     admins = [
                         u.email for u in User.query().filter(User.admin == True).all()]
                     recipients = [email_config.get('email_to')] + admins
                 mail_server = email_config.get('smtp_server') or None
                 if mail_server is None:
                     log.error("SMTP server information missing. Sending email failed. "
                               "Make sure that `smtp_server` variable is configured "
                               "inside the .ini file")
                     return False
                 mail_from = email_config.get('app_email_from', 'RhodeCode')
                 user = email_config.get('smtp_username')
                 passwd = email_config.get('smtp_password')
                 mail_port = email_config.get('smtp_port')
                 tls = str2bool(email_config.get('smtp_use_tls'))
                 ssl = str2bool(email_config.get('smtp_use_ssl'))
                 debug = str2bool(email_config.get('debug'))
                 smtp_auth = email_config.get('smtp_auth')
                 try:
                     m = SmtpMailer(mail_from, user, passwd, mail_server, smtp_auth,
                                    mail_port, ssl, tls, debug=debug)
                     m.send(recipients, subject, body, html_body)
                 except Exception:
                     log.exception('Mail sending failed')
                     return False
                 return True
             @task(ignore_result=True, base=RhodecodeCeleryTask)
             @dbsession
             @vcsconnection
             def create_repo(form_data, cur_user):
                 from rhodecode.model.repo import RepoModel
                 from rhodecode.model.user import UserModel
                 from rhodecode.model.settings import SettingsModel
                 log = get_logger(create_repo)
                 DBS = get_session()
                 cur_user = UserModel(DBS)._get_user(cur_user)
                 owner = cur_user
                 repo_name = form_data['repo_name']
                 repo_name_full = form_data['repo_name_full']
                 repo_type = form_data['repo_type']
                 description = form_data['repo_description']
                 private = form_data['repo_private']
                 clone_uri = form_data.get('clone_uri')
                 repo_group = safe_int(form_data['repo_group'])
                 landing_rev = form_data['repo_landing_rev']
                 copy_fork_permissions = form_data.get('copy_permissions')
                 copy_group_permissions = form_data.get('repo_copy_permissions')
                 fork_of = form_data.get('fork_parent_id')
                 state = form_data.get('repo_state', Repository.STATE_PENDING)
                 # repo creation defaults, private and repo_type are filled in form
                 defs = SettingsModel().get_default_repo_settings(strip_prefix=True)
                 enable_statistics = form_data.get(
                     'enable_statistics', defs.get('repo_enable_statistics'))
                 enable_locking = form_data.get(
                     'enable_locking', defs.get('repo_enable_locking'))
                 enable_downloads = form_data.get(
                     'enable_downloads', defs.get('repo_enable_downloads'))
                 try:
                     repo = RepoModel(DBS)._create_repo(
                         repo_name=repo_name_full,
                         repo_type=repo_type,
                         description=description,
                         owner=owner,
                         private=private,
                         clone_uri=clone_uri,
                         repo_group=repo_group,
                         landing_rev=landing_rev,
                         fork_of=fork_of,
                         copy_fork_permissions=copy_fork_permissions,
                         copy_group_permissions=copy_group_permissions,
                         enable_statistics=enable_statistics,
                         enable_locking=enable_locking,
                         enable_downloads=enable_downloads,
                         state=state
                     )
                     DBS.commit()
                     # now create this repo on Filesystem
                     RepoModel(DBS)._create_filesystem_repo(
                         repo_name=repo_name,
                         repo_type=repo_type,
                         repo_group=RepoModel(DBS)._get_repo_group(repo_group),
                         clone_uri=clone_uri,
                     )
                     repo = Repository.get_by_repo_name(repo_name_full)
                     log_create_repository(created_by=owner.username, **repo.get_dict())
                     # update repo commit caches initially
                     repo.update_commit_cache()
                     # set new created state
                     repo.set_state(Repository.STATE_CREATED)
                     repo_id = repo.repo_id
                     repo_data = repo.get_api_data()
-                    audit_logger.store_web(
+                    audit_logger.store(
-                        action='repo.create',
+                        'repo.create', action_data={'data': repo_data},
-                        action_data={'data': repo_data},
                         user=cur_user,
                         repo=audit_logger.RepoWrap(repo_name=repo_name, repo_id=repo_id))
                     DBS.commit()
                 except Exception:
                     log.warning('Exception occurred when creating repository, '
                                 'doing cleanup...', exc_info=True)
                     # rollback things manually !
                     repo = Repository.get_by_repo_name(repo_name_full)
                     if repo:
                         Repository.delete(repo.repo_id)
                         DBS.commit()
                         RepoModel(DBS)._delete_filesystem_repo(repo)
                     raise
                 # it's an odd fix to make celery fail task when exception occurs
                 def on_failure(self, *args, **kwargs):
                     pass
                 return True
             @task(ignore_result=True, base=RhodecodeCeleryTask)
             @dbsession
             @vcsconnection
             def create_repo_fork(form_data, cur_user):
                 """
                 Creates a fork of repository using internal VCS methods
                 :param form_data:
                 :param cur_user:
                 """
                 from rhodecode.model.repo import RepoModel
                 from rhodecode.model.user import UserModel
                 log = get_logger(create_repo_fork)
                 DBS = get_session()
                 cur_user = UserModel(DBS)._get_user(cur_user)
                 owner = cur_user
                 repo_name = form_data['repo_name']  # fork in this case
                 repo_name_full = form_data['repo_name_full']
                 repo_type = form_data['repo_type']
                 description = form_data['description']
                 private = form_data['private']
                 clone_uri = form_data.get('clone_uri')
                 repo_group = safe_int(form_data['repo_group'])
                 landing_rev = form_data['landing_rev']
                 copy_fork_permissions = form_data.get('copy_permissions')
                 fork_id = safe_int(form_data.get('fork_parent_id'))
                 try:
                     fork_of = RepoModel(DBS)._get_repo(fork_id)
                     RepoModel(DBS)._create_repo(
                         repo_name=repo_name_full,
                         repo_type=repo_type,
                         description=description,
                         owner=owner,
                         private=private,
                         clone_uri=clone_uri,
                         repo_group=repo_group,
                         landing_rev=landing_rev,
                         fork_of=fork_of,
                         copy_fork_permissions=copy_fork_permissions
                     )
                     DBS.commit()
                     base_path = Repository.base_path()
                     source_repo_path = os.path.join(base_path, fork_of.repo_name)
                     # now create this repo on Filesystem
                     RepoModel(DBS)._create_filesystem_repo(
                         repo_name=repo_name,
                         repo_type=repo_type,
                         repo_group=RepoModel(DBS)._get_repo_group(repo_group),
                         clone_uri=source_repo_path,
                     )
                     repo = Repository.get_by_repo_name(repo_name_full)
                     log_create_repository(created_by=owner.username, **repo.get_dict())
                     # update repo commit caches initially
                     config = repo._config
                     config.set('extensions', 'largefiles', '')
                     repo.update_commit_cache(config=config)
                     # set new created state
                     repo.set_state(Repository.STATE_CREATED)
                     repo_id = repo.repo_id
                     repo_data = repo.get_api_data()
-                    audit_logger.store_web(
+                    audit_logger.store(
-                        action='repo.fork',
+                        'repo.fork', action_data={'data': repo_data},
-                        action_data={'data': repo_data},
                         user=cur_user,
                         repo=audit_logger.RepoWrap(repo_name=repo_name, repo_id=repo_id))
                     DBS.commit()
                 except Exception as e:
                     log.warning('Exception %s occurred when forking repository, '
                                 'doing cleanup...', e)
                     # rollback things manually !
                     repo = Repository.get_by_repo_name(repo_name_full)
                     if repo:
                         Repository.delete(repo.repo_id)
                         DBS.commit()
                         RepoModel(DBS)._delete_filesystem_repo(repo)
                     raise
                 # it's an odd fix to make celery fail task when exception occurs
                 def on_failure(self, *args, **kwargs):
                     pass
                 return True

rhodecode/lib/hooks_base.py

0 +2 -2

             # -*- coding: utf-8 -*-
             # Copyright (C) 2013-2017 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             """
             Set of hooks run by RhodeCode Enterprise
             """
             import os
             import collections
             import logging
             import rhodecode
             from rhodecode import events
             from rhodecode.lib import helpers as h
             from rhodecode.lib import audit_logger
             from rhodecode.lib.utils2 import safe_str
             from rhodecode.lib.exceptions import HTTPLockedRC, UserCreationError
             from rhodecode.model.db import Repository, User
             log = logging.getLogger(__name__)
             HookResponse = collections.namedtuple('HookResponse', ('status', 'output'))
             def is_shadow_repo(extras):
                 """
                 Returns ``True`` if this is an action executed against a shadow repository.
                 """
                 return extras['is_shadow_repo']
             def _get_scm_size(alias, root_path):
                 if not alias.startswith('.'):
                     alias += '.'
                 size_scm, size_root = 0, 0
                 for path, unused_dirs, files in os.walk(safe_str(root_path)):
                     if path.find(alias) != -1:
                         for f in files:
                             try:
                                 size_scm += os.path.getsize(os.path.join(path, f))
                             except OSError:
                                 pass
                     else:
                         for f in files:
                             try:
                                 size_root += os.path.getsize(os.path.join(path, f))
                             except OSError:
                                 pass
                 size_scm_f = h.format_byte_size_binary(size_scm)
                 size_root_f = h.format_byte_size_binary(size_root)
                 size_total_f = h.format_byte_size_binary(size_root + size_scm)
                 return size_scm_f, size_root_f, size_total_f
             # actual hooks called by Mercurial internally, and GIT by our Python Hooks
             def repo_size(extras):
                 """Present size of repository after push."""
                 repo = Repository.get_by_repo_name(extras.repository)
                 vcs_part = safe_str(u'.%s' % repo.repo_type)
                 size_vcs, size_root, size_total = _get_scm_size(vcs_part,
                                                                 repo.repo_full_path)
                 msg = ('Repository `%s` size summary %s:%s repo:%s total:%s\n'
                        % (repo.repo_name, vcs_part, size_vcs, size_root, size_total))
                 return HookResponse(0, msg)
             def pre_push(extras):
                 """
                 Hook executed before pushing code.
                 It bans pushing when the repository is locked.
                 """
                 usr = User.get_by_username(extras.username)
                 output = ''
                 if extras.locked_by[0] and usr.user_id != int(extras.locked_by[0]):
                     locked_by = User.get(extras.locked_by[0]).username
                     reason = extras.locked_by[2]
                     # this exception is interpreted in git/hg middlewares and based
                     # on that proper return code is server to client
                     _http_ret = HTTPLockedRC(
                         _locked_by_explanation(extras.repository, locked_by, reason))
                     if str(_http_ret.code).startswith('2'):
                         # 2xx Codes don't raise exceptions
                         output = _http_ret.title
                     else:
                         raise _http_ret
                 # Propagate to external components. This is done after checking the
                 # lock, for consistent behavior.
                 if not is_shadow_repo(extras):
                     pre_push_extension(repo_store_path=Repository.base_path(), **extras)
                     events.trigger(events.RepoPrePushEvent(
                         repo_name=extras.repository, extras=extras))
                 return HookResponse(0, output)
             def pre_pull(extras):
                 """
                 Hook executed before pulling the code.
                 It bans pulling when the repository is locked.
                 """
                 output = ''
                 if extras.locked_by[0]:
                     locked_by = User.get(extras.locked_by[0]).username
                     reason = extras.locked_by[2]
                     # this exception is interpreted in git/hg middlewares and based
                     # on that proper return code is server to client
                     _http_ret = HTTPLockedRC(
                         _locked_by_explanation(extras.repository, locked_by, reason))
                     if str(_http_ret.code).startswith('2'):
                         # 2xx Codes don't raise exceptions
                         output = _http_ret.title
                     else:
                         raise _http_ret
                 # Propagate to external components. This is done after checking the
                 # lock, for consistent behavior.
                 if not is_shadow_repo(extras):
                     pre_pull_extension(**extras)
                     events.trigger(events.RepoPrePullEvent(
                         repo_name=extras.repository, extras=extras))
                 return HookResponse(0, output)
             def post_pull(extras):
                 """Hook executed after client pulls the code."""
                 audit_user = audit_logger.UserWrap(
                     username=extras.username,
                     ip_addr=extras.ip)
                 repo = audit_logger.RepoWrap(repo_name=extras.repository)
                 audit_logger.store(
-                    action='user.pull', action_data={
+                    'user.pull', action_data={
                         'user_agent': extras.user_agent},
                     user=audit_user, repo=repo, commit=True)
                 # Propagate to external components.
                 if not is_shadow_repo(extras):
                     post_pull_extension(**extras)
                     events.trigger(events.RepoPullEvent(
                         repo_name=extras.repository, extras=extras))
                 output = ''
                 # make lock is a tri state False, True, None. We only make lock on True
                 if extras.make_lock is True and not is_shadow_repo(extras):
                     user = User.get_by_username(extras.username)
                     Repository.lock(Repository.get_by_repo_name(extras.repository),
                                     user.user_id,
                                     lock_reason=Repository.LOCK_PULL)
                     msg = 'Made lock on repo `%s`' % (extras.repository,)
                     output += msg
                 if extras.locked_by[0]:
                     locked_by = User.get(extras.locked_by[0]).username
                     reason = extras.locked_by[2]
                     _http_ret = HTTPLockedRC(
                         _locked_by_explanation(extras.repository, locked_by, reason))
                     if str(_http_ret.code).startswith('2'):
                         # 2xx Codes don't raise exceptions
                         output += _http_ret.title
                 return HookResponse(0, output)
             def post_push(extras):
                 """Hook executed after user pushes to the repository."""
                 commit_ids = extras.commit_ids
                 # log the push call
                 audit_user = audit_logger.UserWrap(
                     username=extras.username, ip_addr=extras.ip)
                 repo = audit_logger.RepoWrap(repo_name=extras.repository)
                 audit_logger.store(
-                    action='user.push', action_data={
+                    'user.push', action_data={
                         'user_agent': extras.user_agent,
                         'commit_ids': commit_ids[:10000]},
                     user=audit_user, repo=repo, commit=True)
                 # Propagate to external components.
                 if not is_shadow_repo(extras):
                     post_push_extension(
                         repo_store_path=Repository.base_path(),
                         pushed_revs=commit_ids,
                         **extras)
                     events.trigger(events.RepoPushEvent(
                         repo_name=extras.repository,
                         pushed_commit_ids=commit_ids,
                         extras=extras))
                 output = ''
                 # make lock is a tri state False, True, None. We only release lock on False
                 if extras.make_lock is False and not is_shadow_repo(extras):
                     Repository.unlock(Repository.get_by_repo_name(extras.repository))
                     msg = 'Released lock on repo `%s`\n' % extras.repository
                     output += msg
                 if extras.locked_by[0]:
                     locked_by = User.get(extras.locked_by[0]).username
                     reason = extras.locked_by[2]
                     _http_ret = HTTPLockedRC(
                         _locked_by_explanation(extras.repository, locked_by, reason))
                     # TODO: johbo: if not?
                     if str(_http_ret.code).startswith('2'):
                         # 2xx Codes don't raise exceptions
                         output += _http_ret.title
                 if extras.new_refs:
                     tmpl = \
                         extras.server_url + '/' + \
                         extras.repository + \
                         "/pull-request/new?{ref_type}={ref_name}"
                     for branch_name in extras.new_refs['branches']:
                         output += 'RhodeCode: open pull request link: {}\n'.format(
                             tmpl.format(ref_type='branch', ref_name=branch_name))
                     for book_name in extras.new_refs['bookmarks']:
                         output += 'RhodeCode: open pull request link: {}\n'.format(
                             tmpl.format(ref_type='bookmark', ref_name=book_name))
                 output += 'RhodeCode: push completed\n'
                 return HookResponse(0, output)
             def _locked_by_explanation(repo_name, user_name, reason):
                 message = (
                     'Repository `%s` locked by user `%s`. Reason:`%s`'
                     % (repo_name, user_name, reason))
                 return message
             def check_allowed_create_user(user_dict, created_by, **kwargs):
                 # pre create hooks
                 if pre_create_user.is_active():
                     allowed, reason = pre_create_user(created_by=created_by, **user_dict)
                     if not allowed:
                         raise UserCreationError(reason)
             class ExtensionCallback(object):
                 """
                 Forwards a given call to rcextensions, sanitizes keyword arguments.
                 Does check if there is an extension active for that hook. If it is
                 there, it will forward all `kwargs_keys` keyword arguments to the
                 extension callback.
                 """
                 def __init__(self, hook_name, kwargs_keys):
                     self._hook_name = hook_name
                     self._kwargs_keys = set(kwargs_keys)
                 def __call__(self, *args, **kwargs):
                     log.debug('Calling extension callback for %s', self._hook_name)
                     kwargs_to_pass = dict((key, kwargs[key]) for key in self._kwargs_keys)
                     # backward compat for removed api_key for old hooks. THis was it works
                     # with older rcextensions that require api_key present
                     if self._hook_name in ['CREATE_USER_HOOK', 'DELETE_USER_HOOK']:
                         kwargs_to_pass['api_key'] = '_DEPRECATED_'
                     callback = self._get_callback()
                     if callback:
                         return callback(**kwargs_to_pass)
                     else:
                         log.debug('extensions callback not found skipping...')
                 def is_active(self):
                     return hasattr(rhodecode.EXTENSIONS, self._hook_name)
                 def _get_callback(self):
                     return getattr(rhodecode.EXTENSIONS, self._hook_name, None)
             pre_pull_extension = ExtensionCallback(
                 hook_name='PRE_PULL_HOOK',
                 kwargs_keys=(
                     'server_url', 'config', 'scm', 'username', 'ip', 'action',
                     'repository'))
             post_pull_extension = ExtensionCallback(
                 hook_name='PULL_HOOK',
                 kwargs_keys=(
                     'server_url', 'config', 'scm', 'username', 'ip', 'action',
                     'repository'))
             pre_push_extension = ExtensionCallback(
                 hook_name='PRE_PUSH_HOOK',
                 kwargs_keys=(
                     'server_url', 'config', 'scm', 'username', 'ip', 'action',
                     'repository', 'repo_store_path', 'commit_ids'))
             post_push_extension = ExtensionCallback(
                 hook_name='PUSH_HOOK',
                 kwargs_keys=(
                     'server_url', 'config', 'scm', 'username', 'ip', 'action',
                     'repository', 'repo_store_path', 'pushed_revs'))
             pre_create_user = ExtensionCallback(
                 hook_name='PRE_CREATE_USER_HOOK',
                 kwargs_keys=(
                     'username', 'password', 'email', 'firstname', 'lastname', 'active',
                     'admin', 'created_by'))
             log_create_pull_request = ExtensionCallback(
                 hook_name='CREATE_PULL_REQUEST',
                 kwargs_keys=(
                     'server_url', 'config', 'scm', 'username', 'ip', 'action',
                     'repository', 'pull_request_id', 'url', 'title', 'description',
                     'status', 'created_on', 'updated_on', 'commit_ids', 'review_status',
                     'mergeable', 'source', 'target', 'author', 'reviewers'))
             log_merge_pull_request = ExtensionCallback(
                 hook_name='MERGE_PULL_REQUEST',
                 kwargs_keys=(
                     'server_url', 'config', 'scm', 'username', 'ip', 'action',
                     'repository', 'pull_request_id', 'url', 'title', 'description',
                     'status', 'created_on', 'updated_on', 'commit_ids', 'review_status',
                     'mergeable', 'source', 'target', 'author', 'reviewers'))
             log_close_pull_request = ExtensionCallback(
                 hook_name='CLOSE_PULL_REQUEST',
                 kwargs_keys=(
                     'server_url', 'config', 'scm', 'username', 'ip', 'action',
                     'repository', 'pull_request_id', 'url', 'title', 'description',
                     'status', 'created_on', 'updated_on', 'commit_ids', 'review_status',
                     'mergeable', 'source', 'target', 'author', 'reviewers'))
             log_review_pull_request = ExtensionCallback(
                 hook_name='REVIEW_PULL_REQUEST',
                 kwargs_keys=(
                     'server_url', 'config', 'scm', 'username', 'ip', 'action',
                     'repository', 'pull_request_id', 'url', 'title', 'description',
                     'status', 'created_on', 'updated_on', 'commit_ids', 'review_status',
                     'mergeable', 'source', 'target', 'author', 'reviewers'))
             log_update_pull_request = ExtensionCallback(
                 hook_name='UPDATE_PULL_REQUEST',
                 kwargs_keys=(
                     'server_url', 'config', 'scm', 'username', 'ip', 'action',
                     'repository', 'pull_request_id', 'url', 'title', 'description',
                     'status', 'created_on', 'updated_on', 'commit_ids', 'review_status',
                     'mergeable', 'source', 'target', 'author', 'reviewers'))
             log_create_user = ExtensionCallback(
                 hook_name='CREATE_USER_HOOK',
                 kwargs_keys=(
                     'username', 'full_name_or_username', 'full_contact', 'user_id',
                     'name', 'firstname', 'short_contact', 'admin', 'lastname',
                     'ip_addresses', 'extern_type', 'extern_name',
                     'email', 'api_keys', 'last_login',
                     'full_name', 'active', 'password', 'emails',
                     'inherit_default_permissions', 'created_by', 'created_on'))
             log_delete_user = ExtensionCallback(
                 hook_name='DELETE_USER_HOOK',
                 kwargs_keys=(
                     'username', 'full_name_or_username', 'full_contact', 'user_id',
                     'name', 'firstname', 'short_contact', 'admin', 'lastname',
                     'ip_addresses',
                     'email', 'last_login',
                     'full_name', 'active', 'password', 'emails',
                     'inherit_default_permissions', 'deleted_by'))
             log_create_repository = ExtensionCallback(
                 hook_name='CREATE_REPO_HOOK',
                 kwargs_keys=(
                     'repo_name', 'repo_type', 'description', 'private', 'created_on',
                     'enable_downloads', 'repo_id', 'user_id', 'enable_statistics',
                     'clone_uri', 'fork_id', 'group_id', 'created_by'))
             log_delete_repository = ExtensionCallback(
                 hook_name='DELETE_REPO_HOOK',
                 kwargs_keys=(
                     'repo_name', 'repo_type', 'description', 'private', 'created_on',
                     'enable_downloads', 'repo_id', 'user_id', 'enable_statistics',
                     'clone_uri', 'fork_id', 'group_id', 'deleted_by', 'deleted_on'))
             log_create_repository_group = ExtensionCallback(
                 hook_name='CREATE_REPO_GROUP_HOOK',
                 kwargs_keys=(
                     'group_name', 'group_parent_id', 'group_description',
                     'group_id', 'user_id', 'created_by', 'created_on',
                     'enable_locking'))

rhodecode/model/user_group.py

0 +6 -1

             # -*- coding: utf-8 -*-
             # Copyright (C) 2011-2017 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             """
             user group model for RhodeCode
             """
             import logging
             import traceback
             from rhodecode.lib.utils2 import safe_str, safe_unicode
             from rhodecode.lib.exceptions import (
                 UserGroupAssignedException, RepoGroupAssignmentError)
             from rhodecode.lib.utils2 import (
                 get_current_rhodecode_user, action_logger_generic)
             from rhodecode.model import BaseModel
             from rhodecode.model.scm import UserGroupList
             from rhodecode.model.db import (
                 true, func, User, UserGroupMember, UserGroup,
                 UserGroupRepoToPerm, Permission, UserGroupToPerm, UserUserGroupToPerm,
                 UserGroupUserGroupToPerm, UserGroupRepoGroupToPerm)
             log = logging.getLogger(__name__)
             class UserGroupModel(BaseModel):
                 cls = UserGroup
                 def _get_user_group(self, user_group):
                     return self._get_instance(UserGroup, user_group,
                                               callback=UserGroup.get_by_group_name)
                 def _create_default_perms(self, user_group):
                     # create default permission
                     default_perm = 'usergroup.read'
                     def_user = User.get_default_user()
                     for p in def_user.user_perms:
                         if p.permission.permission_name.startswith('usergroup.'):
                             default_perm = p.permission.permission_name
                             break
                     user_group_to_perm = UserUserGroupToPerm()
                     user_group_to_perm.permission = Permission.get_by_key(default_perm)
                     user_group_to_perm.user_group = user_group
                     user_group_to_perm.user_id = def_user.user_id
                     return user_group_to_perm
                 def update_permissions(self, user_group, perm_additions=None, perm_updates=None,
                                        perm_deletions=None, check_perms=True, cur_user=None):
                     from rhodecode.lib.auth import HasUserGroupPermissionAny
                     if not perm_additions:
                         perm_additions = []
                     if not perm_updates:
                         perm_updates = []
                     if not perm_deletions:
                         perm_deletions = []
                     req_perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin')
                     # update permissions
                     for member_id, perm, member_type in perm_updates:
                         member_id = int(member_id)
                         if member_type == 'user':
                             # this updates existing one
                             self.grant_user_permission(
                                 user_group=user_group, user=member_id, perm=perm
                             )
                         else:
                             # check if we have permissions to alter this usergroup
                             member_name = UserGroup.get(member_id).users_group_name
                             if not check_perms or HasUserGroupPermissionAny(*req_perms)(member_name, user=cur_user):
                                 self.grant_user_group_permission(
                                     target_user_group=user_group, user_group=member_id, perm=perm
                                 )
                     # set new permissions
                     for member_id, perm, member_type in perm_additions:
                         member_id = int(member_id)
                         if member_type == 'user':
                             self.grant_user_permission(
                                 user_group=user_group, user=member_id, perm=perm
                             )
                         else:
                             # check if we have permissions to alter this usergroup
                             member_name = UserGroup.get(member_id).users_group_name
                             if not check_perms or HasUserGroupPermissionAny(*req_perms)(member_name, user=cur_user):
                                 self.grant_user_group_permission(
                                     target_user_group=user_group, user_group=member_id, perm=perm
                                 )
                     # delete permissions
                     for member_id, perm, member_type in perm_deletions:
                         member_id = int(member_id)
                         if member_type == 'user':
                             self.revoke_user_permission(user_group=user_group, user=member_id)
                         else:
                             # check if we have permissions to alter this usergroup
                             member_name = UserGroup.get(member_id).users_group_name
                             if not check_perms or HasUserGroupPermissionAny(*req_perms)(member_name, user=cur_user):
                                 self.revoke_user_group_permission(
                                     target_user_group=user_group, user_group=member_id
                                 )
                 def get(self, user_group_id, cache=False):
                     return UserGroup.get(user_group_id)
                 def get_group(self, user_group):
                     return self._get_user_group(user_group)
                 def get_by_name(self, name, cache=False, case_insensitive=False):
                     return UserGroup.get_by_group_name(name, cache, case_insensitive)
                 def create(self, name, description, owner, active=True, group_data=None):
                     try:
                         new_user_group = UserGroup()
                         new_user_group.user = self._get_user(owner)
                         new_user_group.users_group_name = name
                         new_user_group.user_group_description = description
                         new_user_group.users_group_active = active
                         if group_data:
                             new_user_group.group_data = group_data
                         self.sa.add(new_user_group)
                         perm_obj = self._create_default_perms(new_user_group)
                         self.sa.add(perm_obj)
                         self.grant_user_permission(user_group=new_user_group,
                                                    user=owner, perm='usergroup.admin')
                         return new_user_group
                     except Exception:
                         log.error(traceback.format_exc())
                         raise
                 def _get_memberships_for_user_ids(self, user_group, user_id_list):
                     members = []
                     for user_id in user_id_list:
                         member = self._get_membership(user_group.users_group_id, user_id)
                         members.append(member)
                     return members
                 def _get_added_and_removed_user_ids(self, user_group, user_id_list):
                     current_members = user_group.members or []
                     current_members_ids = [m.user.user_id for m in current_members]
                     added_members = [
                         user_id for user_id in user_id_list
                         if user_id not in current_members_ids]
                     if user_id_list == []:
                         # all members were deleted
                         deleted_members = current_members_ids
                     else:
                         deleted_members = [
                             user_id for user_id in current_members_ids
                             if user_id not in user_id_list]
-                    return (added_members, deleted_members)
+                    return added_members, deleted_members
                 def _set_users_as_members(self, user_group, user_ids):
                     user_group.members = []
                     self.sa.flush()
                     members = self._get_memberships_for_user_ids(
                         user_group, user_ids)
                     user_group.members = members
                     self.sa.add(user_group)
                 def _update_members_from_user_ids(self, user_group, user_ids):
                     added, removed = self._get_added_and_removed_user_ids(
                         user_group, user_ids)
                     self._set_users_as_members(user_group, user_ids)
                     self._log_user_changes('added to', user_group, added)
                     self._log_user_changes('removed from', user_group, removed)
+                    return added, removed
                 def _clean_members_data(self, members_data):
                     if not members_data:
                         members_data = []
                     members = []
                     for user in members_data:
                         uid = int(user['member_user_id'])
                         if uid not in members and user['type'] in ['new', 'existing']:
                             members.append(uid)
                     return members
                 def update(self, user_group, form_data):
                     user_group = self._get_user_group(user_group)
                     if 'users_group_name' in form_data:
                         user_group.users_group_name = form_data['users_group_name']
                     if 'users_group_active' in form_data:
                         user_group.users_group_active = form_data['users_group_active']
                     if 'user_group_description' in form_data:
                         user_group.user_group_description = form_data[
                             'user_group_description']
                     # handle owner change
                     if 'user' in form_data:
                         owner = form_data['user']
                         if isinstance(owner, basestring):
                             owner = User.get_by_username(form_data['user'])
                         if not isinstance(owner, User):
                             raise ValueError(
                                 'invalid owner for user group: %s' % form_data['user'])
                         user_group.user = owner
+                    added_user_ids = []
+                    removed_user_ids = []
                     if 'users_group_members' in form_data:
                         members_id_list = self._clean_members_data(
                             form_data['users_group_members'])
+                        added_user_ids, removed_user_ids = \
                             self._update_members_from_user_ids(user_group, members_id_list)
                     self.sa.add(user_group)
+                    return user_group, added_user_ids, removed_user_ids
                 def delete(self, user_group, force=False):
                     """
                     Deletes repository group, unless force flag is used
                     raises exception if there are members in that group, else deletes
                     group and users
                     :param user_group:
                     :param force:
                     """
                     user_group = self._get_user_group(user_group)
                     try:
                         # check if this group is not assigned to repo
                         assigned_to_repo = [x.repository for x in UserGroupRepoToPerm.query()\
                             .filter(UserGroupRepoToPerm.users_group == user_group).all()]
                         # check if this group is not assigned to repo
                         assigned_to_repo_group = [x.group for x in UserGroupRepoGroupToPerm.query()\
                             .filter(UserGroupRepoGroupToPerm.users_group == user_group).all()]
                         if (assigned_to_repo or assigned_to_repo_group) and not force:
                             assigned = ','.join(map(safe_str,
                                                 assigned_to_repo+assigned_to_repo_group))
                             raise UserGroupAssignedException(
                                 'UserGroup assigned to %s' % (assigned,))
                         self.sa.delete(user_group)
                     except Exception:
                         log.error(traceback.format_exc())
                         raise
                 def _log_user_changes(self, action, user_group, user_or_users):
                     users = user_or_users
                     if not isinstance(users, (list, tuple)):
                         users = [users]
                     rhodecode_user = get_current_rhodecode_user()
                     ipaddr = getattr(rhodecode_user, 'ip_addr', '')
                     group_name = user_group.users_group_name
                     for user_or_user_id in users:
                         user = self._get_user(user_or_user_id)
                         log_text = 'User {user} {action} {group}'.format(
                             action=action, user=user.username, group=group_name)
                         log.info('Logging action: {0} by {1} ip:{2}'.format(
                                  log_text, rhodecode_user, ipaddr))
                 def _find_user_in_group(self, user, user_group):
                     user_group_member = None
                     for m in user_group.members:
                         if m.user_id == user.user_id:
                             # Found this user's membership row
                             user_group_member = m
                             break
                     return user_group_member
                 def _get_membership(self, user_group_id, user_id):
                     user_group_member = UserGroupMember(user_group_id, user_id)
                     return user_group_member
                 def add_user_to_group(self, user_group, user):
                     user_group = self._get_user_group(user_group)
                     user = self._get_user(user)
                     user_member = self._find_user_in_group(user, user_group)
                     if user_member:
                         # user already in the group, skip
                         return True
                     member = self._get_membership(
                         user_group.users_group_id, user.user_id)
                     user_group.members.append(member)
                     try:
                         self.sa.add(member)
                     except Exception:
                         # what could go wrong here?
                         log.error(traceback.format_exc())
                         raise
                     self._log_user_changes('added to', user_group, user)
                     return member
                 def remove_user_from_group(self, user_group, user):
                     user_group = self._get_user_group(user_group)
                     user = self._get_user(user)
                     user_group_member = self._find_user_in_group(user, user_group)
                     if not user_group_member:
                         # User isn't in that group
                         return False
                     try:
                         self.sa.delete(user_group_member)
                     except Exception:
                         log.error(traceback.format_exc())
                         raise
                     self._log_user_changes('removed from', user_group, user)
                     return True
                 def has_perm(self, user_group, perm):
                     user_group = self._get_user_group(user_group)
                     perm = self._get_perm(perm)
                     return UserGroupToPerm.query()\
                         .filter(UserGroupToPerm.users_group == user_group)\
                         .filter(UserGroupToPerm.permission == perm).scalar() is not None
                 def grant_perm(self, user_group, perm):
                     user_group = self._get_user_group(user_group)
                     perm = self._get_perm(perm)
                     # if this permission is already granted skip it
                     _perm = UserGroupToPerm.query()\
                         .filter(UserGroupToPerm.users_group == user_group)\
                         .filter(UserGroupToPerm.permission == perm)\
                         .scalar()
                     if _perm:
                         return
                     new = UserGroupToPerm()
                     new.users_group = user_group
                     new.permission = perm
                     self.sa.add(new)
                     return new
                 def revoke_perm(self, user_group, perm):
                     user_group = self._get_user_group(user_group)
                     perm = self._get_perm(perm)
                     obj = UserGroupToPerm.query()\
                         .filter(UserGroupToPerm.users_group == user_group)\
                         .filter(UserGroupToPerm.permission == perm).scalar()
                     if obj:
                         self.sa.delete(obj)
                 def grant_user_permission(self, user_group, user, perm):
                     """
                     Grant permission for user on given user group, or update
                     existing one if found
                     :param user_group: Instance of UserGroup, users_group_id,
                         or users_group_name
                     :param user: Instance of User, user_id or username
                     :param perm: Instance of Permission, or permission_name
                     """
                     user_group = self._get_user_group(user_group)
                     user = self._get_user(user)
                     permission = self._get_perm(perm)
                     # check if we have that permission already
                     obj = self.sa.query(UserUserGroupToPerm)\
                         .filter(UserUserGroupToPerm.user == user)\
                         .filter(UserUserGroupToPerm.user_group == user_group)\
                         .scalar()
                     if obj is None:
                         # create new !
                         obj = UserUserGroupToPerm()
                     obj.user_group = user_group
                     obj.user = user
                     obj.permission = permission
                     self.sa.add(obj)
                     log.debug('Granted perm %s to %s on %s', perm, user, user_group)
                     action_logger_generic(
                         'granted permission: {} to user: {} on usergroup: {}'.format(
                             perm, user, user_group), namespace='security.usergroup')
                     return obj
                 def revoke_user_permission(self, user_group, user):
                     """
                     Revoke permission for user on given user group
                     :param user_group: Instance of UserGroup, users_group_id,
                         or users_group name
                     :param user: Instance of User, user_id or username
                     """
                     user_group = self._get_user_group(user_group)
                     user = self._get_user(user)
                     obj = self.sa.query(UserUserGroupToPerm)\
                         .filter(UserUserGroupToPerm.user == user)\
                         .filter(UserUserGroupToPerm.user_group == user_group)\
                         .scalar()
                     if obj:
                         self.sa.delete(obj)
                         log.debug('Revoked perm on %s on %s', user_group, user)
                         action_logger_generic(
                             'revoked permission from user: {} on usergroup: {}'.format(
                                 user, user_group), namespace='security.usergroup')
                 def grant_user_group_permission(self, target_user_group, user_group, perm):
                     """
                     Grant user group permission for given target_user_group
                     :param target_user_group:
                     :param user_group:
                     :param perm:
                     """
                     target_user_group = self._get_user_group(target_user_group)
                     user_group = self._get_user_group(user_group)
                     permission = self._get_perm(perm)
                     # forbid assigning same user group to itself
                     if target_user_group == user_group:
                         raise RepoGroupAssignmentError('target repo:%s cannot be '
                                                        'assigned to itself' % target_user_group)
                     # check if we have that permission already
                     obj = self.sa.query(UserGroupUserGroupToPerm)\
                         .filter(UserGroupUserGroupToPerm.target_user_group == target_user_group)\
                         .filter(UserGroupUserGroupToPerm.user_group == user_group)\
                         .scalar()
                     if obj is None:
                         # create new !
                         obj = UserGroupUserGroupToPerm()
                     obj.user_group = user_group
                     obj.target_user_group = target_user_group
                     obj.permission = permission
                     self.sa.add(obj)
                     log.debug(
                         'Granted perm %s to %s on %s', perm, target_user_group, user_group)
                     action_logger_generic(
                         'granted permission: {} to usergroup: {} on usergroup: {}'.format(
                             perm, user_group, target_user_group),
                         namespace='security.usergroup')
                     return obj
                 def revoke_user_group_permission(self, target_user_group, user_group):
                     """
                     Revoke user group permission for given target_user_group
                     :param target_user_group:
                     :param user_group:
                     """
                     target_user_group = self._get_user_group(target_user_group)
                     user_group = self._get_user_group(user_group)
                     obj = self.sa.query(UserGroupUserGroupToPerm)\
                         .filter(UserGroupUserGroupToPerm.target_user_group == target_user_group)\
                         .filter(UserGroupUserGroupToPerm.user_group == user_group)\
                         .scalar()
                     if obj:
                         self.sa.delete(obj)
                         log.debug(
                             'Revoked perm on %s on %s', target_user_group, user_group)
                         action_logger_generic(
                             'revoked permission from usergroup: {} on usergroup: {}'.format(
                                 user_group, target_user_group),
                             namespace='security.repogroup')
                 def enforce_groups(self, user, groups, extern_type=None):
                     user = self._get_user(user)
                     log.debug('Enforcing groups %s on user %s', groups, user)
                     current_groups = user.group_member
                     # find the external created groups
                     externals = [x.users_group for x in current_groups
                                  if 'extern_type' in x.users_group.group_data]
                     # calculate from what groups user should be removed
                     # externals that are not in groups
                     for gr in externals:
                         if gr.users_group_name not in groups:
                             log.debug('Removing user %s from user group %s', user, gr)
                             self.remove_user_from_group(gr, user)
                     # now we calculate in which groups user should be == groups params
                     owner = User.get_first_super_admin().username
                     for gr in set(groups):
                         existing_group = UserGroup.get_by_group_name(gr)
                         if not existing_group:
                             desc = 'Automatically created from plugin:%s' % extern_type
                             # we use first admin account to set the owner of the group
                             existing_group = UserGroupModel().create(
                                 gr, desc, owner, group_data={'extern_type': extern_type})
                         # we can only add users to special groups created via plugins
                         managed = 'extern_type' in existing_group.group_data
                         if managed:
                             log.debug('Adding user %s to user group %s', user, gr)
                             UserGroupModel().add_user_to_group(existing_group, user)
                         else:
                             log.debug('Skipping addition to group %s since it is '
                                       'not set to be automatically synchronized' % gr)
                 def change_groups(self, user, groups):
                     """
                     This method changes user group assignment
                     :param user:  User
                     :param groups: array of UserGroupModel
                     :return:
                     """
                     user = self._get_user(user)
                     log.debug('Changing user(%s) assignment to groups(%s)', user, groups)
                     current_groups = user.group_member
                     current_groups = [x.users_group for x in current_groups]
                     # calculate from what groups user should be removed/add
                     groups = set(groups)
                     current_groups = set(current_groups)
                     groups_to_remove = current_groups - groups
                     groups_to_add = groups - current_groups
                     for gr in groups_to_remove:
                         log.debug('Removing user %s from user group %s', user.username, gr.users_group_name)
                         self.remove_user_from_group(gr.users_group_name, user.username)
                     for gr in groups_to_add:
                         log.debug('Adding user %s to user group %s', user.username, gr.users_group_name)
                         UserGroupModel().add_user_to_group(gr.users_group_name, user.username)
                 def _serialize_user_group(self, user_group):
                     import rhodecode.lib.helpers as h
                     return {
                             'id': user_group.users_group_id,
                             # TODO: marcink figure out a way to generate the url for the
                             # icon
                             'icon_link': '',
                             'value_display': 'Group: %s (%d members)' % (
                                 user_group.users_group_name, len(user_group.members),),
                             'value': user_group.users_group_name,
                             'description': user_group.user_group_description,
                             'owner': user_group.user.username,
                             'owner_icon': h.gravatar_url(user_group.user.email, 30),
                             'value_display_owner': h.person(user_group.user.email),
                             'value_type': 'user_group',
                             'active': user_group.users_group_active,
                         }
                 def get_user_groups(self, name_contains=None, limit=20, only_active=True,
                                     expand_groups=False):
                     query = self.sa.query(UserGroup)
                     if only_active:
                         query = query.filter(UserGroup.users_group_active == true())
                     if name_contains:
                         ilike_expression = u'%{}%'.format(safe_unicode(name_contains))
                         query = query.filter(
                             UserGroup.users_group_name.ilike(ilike_expression))\
                             .order_by(func.length(UserGroup.users_group_name))\
                             .order_by(UserGroup.users_group_name)
                         query = query.limit(limit)
                     user_groups = query.all()
                     perm_set = ['usergroup.read', 'usergroup.write', 'usergroup.admin']
                     user_groups = UserGroupList(user_groups, perm_set=perm_set)
                     # store same serialize method to extract data from User
                     from rhodecode.model.user import UserModel
                     serialize_user = UserModel()._serialize_user
                     _groups = []
                     for group in user_groups:
                         entry = self._serialize_user_group(group)
                         if expand_groups:
                             expanded_members = []
                             for member in group.members:
                                 expanded_members.append(serialize_user(member.user))
                             entry['members'] = expanded_members
                         _groups.append(entry)
                     return _groups
                 @staticmethod
                 def get_user_groups_as_dict(user_group):
                     import rhodecode.lib.helpers as h
                     data = {
                         'users_group_id': user_group.users_group_id,
                         'group_name': user_group.users_group_name,
                         'group_description': user_group.user_group_description,
                         'active': user_group.users_group_active,
                         "owner": user_group.user.username,
                         'owner_icon': h.gravatar_url(user_group.user.email, 30),
                         "owner_data": {
                             'owner': user_group.user.username,
                             'owner_icon': h.gravatar_url(user_group.user.email, 30)}
                         }
                     return data

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages