u/pc/rhodecode-enterprise-ce-fork-pc Commit - r2437:31460ef8

api: add consistent permissions_summary data for both user and user_groups that expose...

marcink -

r2437:31460ef8 default

parent child

rhodecode/api/views/user_api.py

0 +3 -1

             # -*- coding: utf-8 -*-
             # Copyright (C) 2011-2017 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import logging
             from rhodecode.api import (
                 jsonrpc_method, JSONRPCError, JSONRPCForbidden, JSONRPCValidationError)
             from rhodecode.api.utils import (
                 Optional, OAttr, has_superadmin_permission, get_user_or_error, store_update)
             from rhodecode.lib import audit_logger
             from rhodecode.lib.auth import AuthUser, PasswordGenerator
             from rhodecode.lib.exceptions import DefaultUserException
             from rhodecode.lib.utils2 import safe_int, str2bool
             from rhodecode.model.db import Session, User, Repository
             from rhodecode.model.user import UserModel
             from rhodecode.model import validation_schema
             from rhodecode.model.validation_schema.schemas import user_schema
             log = logging.getLogger(__name__)
             @jsonrpc_method()
             def get_user(request, apiuser, userid=Optional(OAttr('apiuser'))):
                 """
                 Returns the information associated with a username or userid.
                 * If the ``userid`` is not set, this command returns the information
                   for the ``userid`` calling the method.
                 .. note::
                    Normal users may only run this command against their ``userid``. For
                    full privileges you must run this command using an |authtoken| with
                    admin rights.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param userid: Sets the userid for which data will be returned.
                 :type userid: Optional(str or int)
                 Example output:
                 .. code-block:: bash
                     {
                       "error": null,
                       "id": <id>,
                       "result": {
                         "active": true,
                         "admin": false,
                         "api_keys": [ list of keys ],
                         "auth_tokens": [ list of tokens with details ],
                         "email": "user@example.com",
                         "emails": [
                           "user@example.com"
                         ],
                         "extern_name": "rhodecode",
                         "extern_type": "rhodecode",
                         "firstname": "username",
                         "ip_addresses": [],
                         "language": null,
                         "last_login": "Timestamp",
                         "last_activity": "Timestamp",
                         "lastname": "surnae",
                         "permissions": {
                           "global": [
                             "hg.inherit_default_perms.true",
                             "usergroup.read",
                             "hg.repogroup.create.false",
                             "hg.create.none",
                             "hg.password_reset.enabled",
                             "hg.extern_activate.manual",
                             "hg.create.write_on_repogroup.false",
                             "hg.usergroup.create.false",
                             "group.none",
                             "repository.none",
                             "hg.register.none",
                             "hg.fork.repository"
                           ],
                           "repositories": { "username/example": "repository.write"},
                           "repositories_groups": { "user-group/repo": "group.none" },
                           "user_groups": { "user_group_name": "usergroup.read" }
                         },
                         "user_id": 32,
                         "username": "username"
                       }
                     }
                 """
                 if not has_superadmin_permission(apiuser):
                     # make sure normal user does not pass someone else userid,
                     # he is not allowed to do that
                     if not isinstance(userid, Optional) and userid != apiuser.user_id:
                         raise JSONRPCError('userid is not the same as your user')
                 userid = Optional.extract(userid, evaluate_locals=locals())
                 userid = getattr(userid, 'user_id', userid)
                 user = get_user_or_error(userid)
                 data = user.get_api_data(include_secrets=True)
-                data['permissions'] = AuthUser(user_id=user.user_id).permissions
+                permissions = AuthUser(user_id=user.user_id).permissions
+                data['permissions'] = permissions  # TODO(marcink): should be deprecated
+                data['permissions_summary'] = permissions
                 return data
             @jsonrpc_method()
             def get_users(request, apiuser):
                 """
                 Lists all users in the |RCE| user database.
                 This command can only be run using an |authtoken| with admin rights to
                 the specified repository.
                 This command takes the following options:
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 Example output:
                 .. code-block:: bash
                     id : <id_given_in_input>
                     result: [<user_object>, ...]
                     error:  null
                 """
                 if not has_superadmin_permission(apiuser):
                     raise JSONRPCForbidden()
                 result = []
                 users_list = User.query().order_by(User.username) \
                     .filter(User.username != User.DEFAULT_USER) \
                     .all()
                 for user in users_list:
                     result.append(user.get_api_data(include_secrets=True))
                 return result
             @jsonrpc_method()
             def create_user(request, apiuser, username, email, password=Optional(''),
                             firstname=Optional(''), lastname=Optional(''),
                             active=Optional(True), admin=Optional(False),
                             extern_name=Optional('rhodecode'),
                             extern_type=Optional('rhodecode'),
                             force_password_change=Optional(False),
                             create_personal_repo_group=Optional(None)):
                 """
                 Creates a new user and returns the new user object.
                 This command can only be run using an |authtoken| with admin rights to
                 the specified repository.
                 This command takes the following options:
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param username: Set the new username.
                 :type username: str or int
                 :param email: Set the user email address.
                 :type email: str
                 :param password: Set the new user password.
                 :type password: Optional(str)
                 :param firstname: Set the new user firstname.
                 :type firstname: Optional(str)
                 :param lastname: Set the new user surname.
                 :type lastname: Optional(str)
                 :param active: Set the user as active.
                 :type active: Optional(``True`` | ``False``)
                 :param admin: Give the new user admin rights.
                 :type admin: Optional(``True`` | ``False``)
                 :param extern_name: Set the authentication plugin name.
                     Using LDAP this is filled with LDAP UID.
                 :type extern_name: Optional(str)
                 :param extern_type: Set the new user authentication plugin.
                 :type extern_type: Optional(str)
                 :param force_password_change: Force the new user to change password
                     on next login.
                 :type force_password_change: Optional(``True`` | ``False``)
                 :param create_personal_repo_group: Create personal repo group for this user
                 :type create_personal_repo_group: Optional(``True`` | ``False``)
                 Example output:
                 .. code-block:: bash
                     id : <id_given_in_input>
                     result: {
                         "msg" : "created new user `<username>`",
                         "user": <user_obj>
                     }
                     error:  null
                 Example error output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : null
                   error :  {
                     "user `<username>` already exist"
                     or
                     "email `<email>` already exist"
                     or
                     "failed to create user `<username>`"
                   }
                 """
                 if not has_superadmin_permission(apiuser):
                     raise JSONRPCForbidden()
                 if UserModel().get_by_username(username):
                     raise JSONRPCError("user `%s` already exist" % (username,))
                 if UserModel().get_by_email(email, case_insensitive=True):
                     raise JSONRPCError("email `%s` already exist" % (email,))
                 # generate random password if we actually given the
                 # extern_name and it's not rhodecode
                 if (not isinstance(extern_name, Optional) and
                             Optional.extract(extern_name) != 'rhodecode'):
                     # generate temporary password if user is external
                     password = PasswordGenerator().gen_password(length=16)
                 create_repo_group = Optional.extract(create_personal_repo_group)
                 if isinstance(create_repo_group, basestring):
                     create_repo_group = str2bool(create_repo_group)
                 username = Optional.extract(username)
                 password = Optional.extract(password)
                 email = Optional.extract(email)
                 first_name = Optional.extract(firstname)
                 last_name = Optional.extract(lastname)
                 active = Optional.extract(active)
                 admin = Optional.extract(admin)
                 extern_type = Optional.extract(extern_type)
                 extern_name = Optional.extract(extern_name)
                 schema = user_schema.UserSchema().bind(
                     # user caller
                     user=apiuser)
                 try:
                     schema_data = schema.deserialize(dict(
                         username=username,
                         email=email,
                         password=password,
                         first_name=first_name,
                         last_name=last_name,
                         active=active,
                         admin=admin,
                         extern_type=extern_type,
                         extern_name=extern_name,
                         ))
                 except validation_schema.Invalid as err:
                     raise JSONRPCValidationError(colander_exc=err)
                 try:
                     user = UserModel().create_or_update(
                         username=schema_data['username'],
                         password=schema_data['password'],
                         email=schema_data['email'],
                         firstname=schema_data['first_name'],
                         lastname=schema_data['last_name'],
                         active=schema_data['active'],
                         admin=schema_data['admin'],
                         extern_type=schema_data['extern_type'],
                         extern_name=schema_data['extern_name'],
                         force_password_change=Optional.extract(force_password_change),
                         create_repo_group=create_repo_group
                     )
                     Session().flush()
                     creation_data = user.get_api_data()
                     audit_logger.store_api(
                         'user.create', action_data={'data': creation_data},
                         user=apiuser)
                     Session().commit()
                     return {
                         'msg': 'created new user `%s`' % username,
                         'user': user.get_api_data(include_secrets=True)
                     }
                 except Exception:
                     log.exception('Error occurred during creation of user')
                     raise JSONRPCError('failed to create user `%s`' % (username,))
             @jsonrpc_method()
             def update_user(request, apiuser, userid, username=Optional(None),
                             email=Optional(None), password=Optional(None),
                             firstname=Optional(None), lastname=Optional(None),
                             active=Optional(None), admin=Optional(None),
                             extern_type=Optional(None), extern_name=Optional(None), ):
                 """
                 Updates the details for the specified user, if that user exists.
                 This command can only be run using an |authtoken| with admin rights to
                 the specified repository.
                 This command takes the following options:
                 :param apiuser: This is filled automatically from |authtoken|.
                 :type apiuser: AuthUser
                 :param userid: Set the ``userid`` to update.
                 :type userid: str or int
                 :param username: Set the new username.
                 :type username: str or int
                 :param email: Set the new email.
                 :type email: str
                 :param password: Set the new password.
                 :type password: Optional(str)
                 :param firstname: Set the new first name.
                 :type firstname: Optional(str)
                 :param lastname: Set the new surname.
                 :type lastname: Optional(str)
                 :param active: Set the new user as active.
                 :type active: Optional(``True`` | ``False``)
                 :param admin: Give the user admin rights.
                 :type admin: Optional(``True`` | ``False``)
                 :param extern_name: Set the authentication plugin user name.
                     Using LDAP this is filled with LDAP UID.
                 :type extern_name: Optional(str)
                 :param extern_type: Set the authentication plugin type.
                 :type extern_type: Optional(str)
                 Example output:
                 .. code-block:: bash
                     id : <id_given_in_input>
                     result: {
                         "msg" : "updated user ID:<userid> <username>",
                         "user": <user_object>,
                     }
                     error:  null
                 Example error output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : null
                   error :  {
                     "failed to update user `<username>`"
                   }
                 """
                 if not has_superadmin_permission(apiuser):
                     raise JSONRPCForbidden()
                 user = get_user_or_error(userid)
                 old_data = user.get_api_data()
                 # only non optional arguments will be stored in updates
                 updates = {}
                 try:
                     store_update(updates, username, 'username')
                     store_update(updates, password, 'password')
                     store_update(updates, email, 'email')
                     store_update(updates, firstname, 'name')
                     store_update(updates, lastname, 'lastname')
                     store_update(updates, active, 'active')
                     store_update(updates, admin, 'admin')
                     store_update(updates, extern_name, 'extern_name')
                     store_update(updates, extern_type, 'extern_type')
                     user = UserModel().update_user(user, **updates)
                     audit_logger.store_api(
                         'user.edit', action_data={'old_data': old_data},
                         user=apiuser)
                     Session().commit()
                     return {
                         'msg': 'updated user ID:%s %s' % (user.user_id, user.username),
                         'user': user.get_api_data(include_secrets=True)
                     }
                 except DefaultUserException:
                     log.exception("Default user edit exception")
                     raise JSONRPCError('editing default user is forbidden')
                 except Exception:
                     log.exception("Error occurred during update of user")
                     raise JSONRPCError('failed to update user `%s`' % (userid,))
             @jsonrpc_method()
             def delete_user(request, apiuser, userid):
                 """
                 Deletes the specified user from the |RCE| user database.
                 This command can only be run using an |authtoken| with admin rights to
                 the specified repository.
                 .. important::
                    Ensure all open pull requests and open code review
                    requests to this user are close.
                    Also ensure all repositories, or repository groups owned by this
                    user are reassigned before deletion.
                 This command takes the following options:
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param userid: Set the user to delete.
                 :type userid: str or int
                 Example output:
                 .. code-block:: bash
                     id : <id_given_in_input>
                     result: {
                         "msg" : "deleted user ID:<userid> <username>",
                         "user": null
                     }
                     error:  null
                 Example error output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : null
                   error :  {
                     "failed to delete user ID:<userid> <username>"
                   }
                 """
                 if not has_superadmin_permission(apiuser):
                     raise JSONRPCForbidden()
                 user = get_user_or_error(userid)
                 old_data = user.get_api_data()
                 try:
                     UserModel().delete(userid)
                     audit_logger.store_api(
                         'user.delete', action_data={'old_data': old_data},
                         user=apiuser)
                     Session().commit()
                     return {
                         'msg': 'deleted user ID:%s %s' % (user.user_id, user.username),
                         'user': None
                     }
                 except Exception:
                     log.exception("Error occurred during deleting of user")
                     raise JSONRPCError(
                         'failed to delete user ID:%s %s' % (user.user_id, user.username))
             @jsonrpc_method()
             def get_user_locks(request, apiuser, userid=Optional(OAttr('apiuser'))):
                 """
                 Displays all repositories locked by the specified user.
                 * If this command is run by a non-admin user, it returns
                   a list of |repos| locked by that user.
                 This command takes the following options:
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param userid: Sets the userid whose list of locked |repos| will be
                     displayed.
                 :type userid: Optional(str or int)
                 Example output:
                 .. code-block:: bash
                     id : <id_given_in_input>
                     result : {
                         [repo_object, repo_object,...]
                     }
                     error :  null
                 """
                 include_secrets = False
                 if not has_superadmin_permission(apiuser):
                     # make sure normal user does not pass someone else userid,
                     # he is not allowed to do that
                     if not isinstance(userid, Optional) and userid != apiuser.user_id:
                         raise JSONRPCError('userid is not the same as your user')
                 else:
                     include_secrets = True
                 userid = Optional.extract(userid, evaluate_locals=locals())
                 userid = getattr(userid, 'user_id', userid)
                 user = get_user_or_error(userid)
                 ret = []
                 # show all locks
                 for r in Repository.getAll():
                     _user_id, _time, _reason = r.locked
                     if _user_id and _time:
                         _api_data = r.get_api_data(include_secrets=include_secrets)
                         # if we use user filter just show the locks for this user
                         if safe_int(_user_id) == user.user_id:
                             ret.append(_api_data)
                 return ret
             @jsonrpc_method()
             def get_user_audit_logs(request, apiuser, userid=Optional(OAttr('apiuser'))):
                 """
                 Fetches all action logs made by the specified user.
                 This command takes the following options:
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param userid: Sets the userid whose list of locked |repos| will be
                     displayed.
                 :type userid: Optional(str or int)
                 Example output:
                 .. code-block:: bash
                     id : <id_given_in_input>
                     result : {
                         [action, action,...]
                     }
                     error :  null
                 """
                 if not has_superadmin_permission(apiuser):
                     # make sure normal user does not pass someone else userid,
                     # he is not allowed to do that
                     if not isinstance(userid, Optional) and userid != apiuser.user_id:
                         raise JSONRPCError('userid is not the same as your user')
                 userid = Optional.extract(userid, evaluate_locals=locals())
                 userid = getattr(userid, 'user_id', userid)
                 user = get_user_or_error(userid)
                 ret = []
                 # show all user actions
                 for entry in UserModel().get_user_log(user, filter_term=None):
                     ret.append(entry)
                 return ret

rhodecode/api/views/user_group_api.py

0 +2 -1

             # -*- coding: utf-8 -*-
             # Copyright (C) 2011-2017 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import logging
             from rhodecode.api import (
                 jsonrpc_method, JSONRPCError, JSONRPCForbidden, JSONRPCValidationError)
             from rhodecode.api.utils import (
                 Optional, OAttr, store_update, has_superadmin_permission, get_origin,
                 get_user_or_error, get_user_group_or_error, get_perm_or_error)
             from rhodecode.lib import audit_logger
             from rhodecode.lib.auth import HasUserGroupPermissionAnyApi, HasPermissionAnyApi
             from rhodecode.lib.exceptions import UserGroupAssignedException
             from rhodecode.model.db import Session
             from rhodecode.model.scm import UserGroupList
             from rhodecode.model.user_group import UserGroupModel
             from rhodecode.model import validation_schema
             from rhodecode.model.validation_schema.schemas import user_group_schema
             log = logging.getLogger(__name__)
             @jsonrpc_method()
             def get_user_group(request, apiuser, usergroupid):
                 """
                 Returns the data of an existing user group.
                 This command can only be run using an |authtoken| with admin rights to
                 the specified repository.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param usergroupid: Set the user group from which to return data.
                 :type usergroupid: str or int
                 Example error output:
                 .. code-block:: bash
                     {
                       "error": null,
                       "id": <id>,
                       "result": {
                         "active": true,
                         "group_description": "group description",
                         "group_name": "group name",
                         "members": [
                           {
                             "name": "owner-name",
                             "origin": "owner",
                             "permission": "usergroup.admin",
                             "type": "user"
                           },
                           {
                           {
                             "name": "user name",
                             "origin": "permission",
                             "permission": "usergroup.admin",
                             "type": "user"
                           },
                           {
                             "name": "user group name",
                             "origin": "permission",
                             "permission": "usergroup.write",
                             "type": "user_group"
                           }
                         ],
                         "owner": "owner name",
                         "users": [],
                         "users_group_id": 2
                       }
                     }
                 """
                 user_group = get_user_group_or_error(usergroupid)
                 if not has_superadmin_permission(apiuser):
                     # check if we have at least read permission for this user group !
                     _perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin',)
                     if not HasUserGroupPermissionAnyApi(*_perms)(
                             user=apiuser, user_group_name=user_group.users_group_name):
                         raise JSONRPCError('user group `%s` does not exist' % (
                             usergroupid,))
                 permissions = []
                 for _user in user_group.permissions():
                     user_data = {
                         'name': _user.username,
                         'permission': _user.permission,
                         'origin': get_origin(_user),
                         'type': "user",
                     }
                     permissions.append(user_data)
                 for _user_group in user_group.permission_user_groups():
                     user_group_data = {
                         'name': _user_group.users_group_name,
                         'permission': _user_group.permission,
                         'origin': get_origin(_user_group),
                         'type': "user_group",
                     }
                     permissions.append(user_group_data)
                 data = user_group.get_api_data()
                 data["permissions"] = permissions
+                data["Permissions_summary"] = UserGroupModel().get_perms_summary(
+                    user_group.users_group_id)
                 return data
             @jsonrpc_method()
             def get_user_groups(request, apiuser):
                 """
                 Lists all the existing user groups within RhodeCode.
                 This command can only be run using an |authtoken| with admin rights to
                 the specified repository.
                 This command takes the following options:
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 Example error output:
                 .. code-block:: bash
                     id : <id_given_in_input>
                     result : [<user_group_obj>,...]
                     error : null
                 """
                 include_secrets = has_superadmin_permission(apiuser)
                 result = []
                 _perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin',)
                 extras = {'user': apiuser}
                 for user_group in UserGroupList(UserGroupModel().get_all(),
                                                 perm_set=_perms, extra_kwargs=extras):
                     result.append(
                         user_group.get_api_data(include_secrets=include_secrets))
                 return result
             @jsonrpc_method()
             def create_user_group(
                     request, apiuser, group_name, description=Optional(''),
                     owner=Optional(OAttr('apiuser')), active=Optional(True)):
                 """
                 Creates a new user group.
                 This command can only be run using an |authtoken| with admin rights to
                 the specified repository.
                 This command takes the following options:
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param group_name: Set the name of the new user group.
                 :type group_name: str
                 :param description: Give a description of the new user group.
                 :type description: str
                 :param owner: Set the owner of the new user group.
                     If not set, the owner is the |authtoken| user.
                 :type owner: Optional(str or int)
                 :param active: Set this group as active.
                 :type active: Optional(``True`` | ``False``)
                 Example output:
                 .. code-block:: bash
                     id : <id_given_in_input>
                     result: {
                               "msg": "created new user group `<groupname>`",
                               "user_group": <user_group_object>
                             }
                     error:  null
                 Example error output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : null
                   error :  {
                     "user group `<group name>` already exist"
                     or
                     "failed to create group `<group name>`"
                   }
                 """
                 if not has_superadmin_permission(apiuser):
                     if not HasPermissionAnyApi('hg.usergroup.create.true')(user=apiuser):
                         raise JSONRPCForbidden()
                 if UserGroupModel().get_by_name(group_name):
                     raise JSONRPCError("user group `%s` already exist" % (group_name,))
                 if isinstance(owner, Optional):
                     owner = apiuser.user_id
                 owner = get_user_or_error(owner)
                 active = Optional.extract(active)
                 description = Optional.extract(description)
                 schema = user_group_schema.UserGroupSchema().bind(
                     # user caller
                     user=apiuser)
                 try:
                     schema_data = schema.deserialize(dict(
                         user_group_name=group_name,
                         user_group_description=description,
                         user_group_owner=owner.username,
                         user_group_active=active,
                         ))
                 except validation_schema.Invalid as err:
                     raise JSONRPCValidationError(colander_exc=err)
                 try:
                     user_group = UserGroupModel().create(
                         name=schema_data['user_group_name'],
                         description=schema_data['user_group_description'],
                         owner=owner,
                         active=schema_data['user_group_active'])
                     Session().flush()
                     creation_data = user_group.get_api_data()
                     audit_logger.store_api(
                         'user_group.create', action_data={'data': creation_data},
                         user=apiuser)
                     Session().commit()
                     return {
                         'msg': 'created new user group `%s`' % group_name,
                         'user_group': creation_data
                     }
                 except Exception:
                     log.exception("Error occurred during creation of user group")
                     raise JSONRPCError('failed to create group `%s`' % (group_name,))
             @jsonrpc_method()
             def update_user_group(request, apiuser, usergroupid, group_name=Optional(''),
                                   description=Optional(''), owner=Optional(None),
                                   active=Optional(True)):
                 """
                 Updates the specified `user group` with the details provided.
                 This command can only be run using an |authtoken| with admin rights to
                 the specified repository.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param usergroupid: Set the id of the `user group` to update.
                 :type usergroupid: str or int
                 :param group_name: Set the new name the `user group`
                 :type group_name: str
                 :param description: Give a description for the `user group`
                 :type description: str
                 :param owner: Set the owner of the `user group`.
                 :type owner: Optional(str or int)
                 :param active: Set the group as active.
                 :type active: Optional(``True`` | ``False``)
                 Example output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : {
                     "msg": 'updated user group ID:<user group id> <user group name>',
                     "user_group": <user_group_object>
                   }
                   error :  null
                 Example error output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : null
                   error :  {
                     "failed to update user group `<user group name>`"
                   }
                 """
                 user_group = get_user_group_or_error(usergroupid)
                 include_secrets = False
                 if not has_superadmin_permission(apiuser):
                     # check if we have admin permission for this user group !
                     _perms = ('usergroup.admin',)
                     if not HasUserGroupPermissionAnyApi(*_perms)(
                             user=apiuser, user_group_name=user_group.users_group_name):
                         raise JSONRPCError(
                             'user group `%s` does not exist' % (usergroupid,))
                 else:
                     include_secrets = True
                 if not isinstance(owner, Optional):
                     owner = get_user_or_error(owner)
                 old_data = user_group.get_api_data()
                 updates = {}
                 store_update(updates, group_name, 'users_group_name')
                 store_update(updates, description, 'user_group_description')
                 store_update(updates, owner, 'user')
                 store_update(updates, active, 'users_group_active')
                 try:
                     UserGroupModel().update(user_group, updates)
                     audit_logger.store_api(
                         'user_group.edit', action_data={'old_data': old_data},
                         user=apiuser)
                     Session().commit()
                     return {
                         'msg': 'updated user group ID:%s %s' % (
                             user_group.users_group_id, user_group.users_group_name),
                         'user_group': user_group.get_api_data(
                             include_secrets=include_secrets)
                     }
                 except Exception:
                     log.exception("Error occurred during update of user group")
                     raise JSONRPCError(
                         'failed to update user group `%s`' % (usergroupid,))
             @jsonrpc_method()
             def delete_user_group(request, apiuser, usergroupid):
                 """
                 Deletes the specified `user group`.
                 This command can only be run using an |authtoken| with admin rights to
                 the specified repository.
                 This command takes the following options:
                 :param apiuser: filled automatically from apikey
                 :type apiuser: AuthUser
                 :param usergroupid:
                 :type usergroupid: int
                 Example output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : {
                     "msg": "deleted user group ID:<user_group_id> <user_group_name>"
                   }
                   error :  null
                 Example error output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : null
                   error :  {
                     "failed to delete user group ID:<user_group_id> <user_group_name>"
                     or
                     "RepoGroup assigned to <repo_groups_list>"
                   }
                 """
                 user_group = get_user_group_or_error(usergroupid)
                 if not has_superadmin_permission(apiuser):
                     # check if we have admin permission for this user group !
                     _perms = ('usergroup.admin',)
                     if not HasUserGroupPermissionAnyApi(*_perms)(
                             user=apiuser, user_group_name=user_group.users_group_name):
                         raise JSONRPCError(
                             'user group `%s` does not exist' % (usergroupid,))
                 old_data = user_group.get_api_data()
                 try:
                     UserGroupModel().delete(user_group)
                     audit_logger.store_api(
                         'user_group.delete', action_data={'old_data': old_data},
                         user=apiuser)
                     Session().commit()
                     return {
                         'msg': 'deleted user group ID:%s %s' % (
                             user_group.users_group_id, user_group.users_group_name),
                         'user_group': None
                     }
                 except UserGroupAssignedException as e:
                     log.exception("UserGroupAssigned error")
                     raise JSONRPCError(str(e))
                 except Exception:
                     log.exception("Error occurred during deletion of user group")
                     raise JSONRPCError(
                         'failed to delete user group ID:%s %s' %(
                             user_group.users_group_id, user_group.users_group_name))
             @jsonrpc_method()
             def add_user_to_user_group(request, apiuser, usergroupid, userid):
                 """
                 Adds a user to a `user group`. If the user already exists in the group
                 this command will return false.
                 This command can only be run using an |authtoken| with admin rights to
                 the specified user group.
                 This command takes the following options:
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param usergroupid: Set the name of the `user group` to which a
                     user will be added.
                 :type usergroupid: int
                 :param userid: Set the `user_id` of the user to add to the group.
                 :type userid: int
                 Example output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : {
                       "success": True|False # depends on if member is in group
                       "msg": "added member `<username>` to user group `<groupname>` |
                               User is already in that group"
                   }
                   error :  null
                 Example error output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : null
                   error :  {
                     "failed to add member to user group `<user_group_name>`"
                   }
                 """
                 user = get_user_or_error(userid)
                 user_group = get_user_group_or_error(usergroupid)
                 if not has_superadmin_permission(apiuser):
                     # check if we have admin permission for this user group !
                     _perms = ('usergroup.admin',)
                     if not HasUserGroupPermissionAnyApi(*_perms)(
                             user=apiuser, user_group_name=user_group.users_group_name):
                         raise JSONRPCError('user group `%s` does not exist' % (
                             usergroupid,))
                 old_values = user_group.get_api_data()
                 try:
                     ugm = UserGroupModel().add_user_to_group(user_group, user)
                     success = True if ugm is not True else False
                     msg = 'added member `%s` to user group `%s`' % (
                         user.username, user_group.users_group_name
                     )
                     msg = msg if success else 'User is already in that group'
                     if success:
                         user_data = user.get_api_data()
                         audit_logger.store_api(
                             'user_group.edit.member.add',
                             action_data={'user': user_data, 'old_data': old_values},
                             user=apiuser)
                     Session().commit()
                     return {
                         'success': success,
                         'msg': msg
                     }
                 except Exception:
                     log.exception("Error occurred during adding a member to user group")
                     raise JSONRPCError(
                         'failed to add member to user group `%s`' % (
                             user_group.users_group_name,
                         )
                     )
             @jsonrpc_method()
             def remove_user_from_user_group(request, apiuser, usergroupid, userid):
                 """
                 Removes a user from a user group.
                 * If the specified user is not in the group, this command will return
                   `false`.
                 This command can only be run using an |authtoken| with admin rights to
                 the specified user group.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param usergroupid: Sets the user group name.
                 :type usergroupid: str or int
                 :param userid: The user you wish to remove from |RCE|.
                 :type userid: str or int
                 Example output:
                 .. code-block:: bash
                     id : <id_given_in_input>
                     result: {
                               "success":  True|False,  # depends on if member is in group
                               "msg": "removed member <username> from user group <groupname> |
                                       User wasn't in group"
                             }
                     error:  null
                 """
                 user = get_user_or_error(userid)
                 user_group = get_user_group_or_error(usergroupid)
                 if not has_superadmin_permission(apiuser):
                     # check if we have admin permission for this user group !
                     _perms = ('usergroup.admin',)
                     if not HasUserGroupPermissionAnyApi(*_perms)(
                             user=apiuser, user_group_name=user_group.users_group_name):
                         raise JSONRPCError(
                             'user group `%s` does not exist' % (usergroupid,))
                 old_values = user_group.get_api_data()
                 try:
                     success = UserGroupModel().remove_user_from_group(user_group, user)
                     msg = 'removed member `%s` from user group `%s`' % (
                         user.username, user_group.users_group_name
                     )
                     msg = msg if success else "User wasn't in group"
                     if success:
                         user_data = user.get_api_data()
                         audit_logger.store_api(
                             'user_group.edit.member.delete',
                             action_data={'user': user_data, 'old_data': old_values},
                             user=apiuser)
                     Session().commit()
                     return {'success': success, 'msg': msg}
                 except Exception:
                     log.exception("Error occurred during removing an member from user group")
                     raise JSONRPCError(
                         'failed to remove member from user group `%s`' % (
                             user_group.users_group_name,
                         )
                     )
             @jsonrpc_method()
             def grant_user_permission_to_user_group(
                     request, apiuser, usergroupid, userid, perm):
                 """
                 Set permissions for a user in a user group.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param usergroupid: Set the user group to edit permissions on.
                 :type usergroupid: str or int
                 :param userid: Set the user from whom you wish to set permissions.
                 :type userid: str
                 :param perm: (usergroup.(none|read|write|admin))
                 :type perm: str
                 Example output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : {
                     "msg": "Granted perm: `<perm_name>` for user: `<username>` in user group: `<user_group_name>`",
                     "success": true
                   }
                   error :  null
                 """
                 user_group = get_user_group_or_error(usergroupid)
                 if not has_superadmin_permission(apiuser):
                     # check if we have admin permission for this user group !
                     _perms = ('usergroup.admin',)
                     if not HasUserGroupPermissionAnyApi(*_perms)(
                             user=apiuser, user_group_name=user_group.users_group_name):
                         raise JSONRPCError(
                             'user group `%s` does not exist' % (usergroupid,))
                 user = get_user_or_error(userid)
                 perm = get_perm_or_error(perm, prefix='usergroup.')
                 try:
                     UserGroupModel().grant_user_permission(
                         user_group=user_group, user=user, perm=perm)
                     Session().commit()
                     return {
                         'msg':
                             'Granted perm: `%s` for user: `%s` in user group: `%s`' % (
                                 perm.permission_name, user.username,
                                 user_group.users_group_name
                             ),
                         'success': True
                     }
                 except Exception:
                     log.exception("Error occurred during editing permissions "
                                   "for user in user group")
                     raise JSONRPCError(
                         'failed to edit permission for user: '
                         '`%s` in user group: `%s`' % (
                             userid, user_group.users_group_name))
             @jsonrpc_method()
             def revoke_user_permission_from_user_group(
                     request, apiuser, usergroupid, userid):
                 """
                 Revoke a users permissions in a user group.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param usergroupid: Set the user group from which to revoke the user
                     permissions.
                 :type: usergroupid: str or int
                 :param userid: Set the userid of the user whose permissions will be
                     revoked.
                 :type userid: str
                 Example output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : {
                     "msg": "Revoked perm for user: `<username>` in user group: `<user_group_name>`",
                     "success": true
                   }
                   error :  null
                 """
                 user_group = get_user_group_or_error(usergroupid)
                 if not has_superadmin_permission(apiuser):
                     # check if we have admin permission for this user group !
                     _perms = ('usergroup.admin',)
                     if not HasUserGroupPermissionAnyApi(*_perms)(
                             user=apiuser, user_group_name=user_group.users_group_name):
                         raise JSONRPCError(
                             'user group `%s` does not exist' % (usergroupid,))
                 user = get_user_or_error(userid)
                 try:
                     UserGroupModel().revoke_user_permission(
                         user_group=user_group, user=user)
                     Session().commit()
                     return {
                         'msg': 'Revoked perm for user: `%s` in user group: `%s`' % (
                             user.username, user_group.users_group_name
                         ),
                         'success': True
                     }
                 except Exception:
                     log.exception("Error occurred during editing permissions "
                                   "for user in user group")
                     raise JSONRPCError(
                         'failed to edit permission for user: `%s` in user group: `%s`'
                         % (userid, user_group.users_group_name))
             @jsonrpc_method()
             def grant_user_group_permission_to_user_group(
                     request, apiuser, usergroupid, sourceusergroupid, perm):
                 """
                 Give one user group permissions to another user group.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param usergroupid: Set the user group on which to edit permissions.
                 :type usergroupid: str or int
                 :param sourceusergroupid: Set the source user group to which
                     access/permissions will be granted.
                 :type sourceusergroupid: str or int
                 :param perm: (usergroup.(none|read|write|admin))
                 :type perm: str
                 Example output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : {
                     "msg": "Granted perm: `<perm_name>` for user group: `<source_user_group_name>` in user group: `<user_group_name>`",
                     "success": true
                   }
                   error :  null
                 """
                 user_group = get_user_group_or_error(sourceusergroupid)
                 target_user_group = get_user_group_or_error(usergroupid)
                 perm = get_perm_or_error(perm, prefix='usergroup.')
                 if not has_superadmin_permission(apiuser):
                     # check if we have admin permission for this user group !
                     _perms = ('usergroup.admin',)
                     if not HasUserGroupPermissionAnyApi(*_perms)(
                             user=apiuser,
                             user_group_name=target_user_group.users_group_name):
                         raise JSONRPCError(
                             'to user group `%s` does not exist' % (usergroupid,))
                     # check if we have at least read permission for source user group !
                     _perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin',)
                     if not HasUserGroupPermissionAnyApi(*_perms)(
                             user=apiuser, user_group_name=user_group.users_group_name):
                         raise JSONRPCError(
                             'user group `%s` does not exist' % (sourceusergroupid,))
                 try:
                     UserGroupModel().grant_user_group_permission(
                         target_user_group=target_user_group,
                         user_group=user_group, perm=perm)
                     Session().commit()
                     return {
                         'msg': 'Granted perm: `%s` for user group: `%s` '
                                'in user group: `%s`' % (
                                    perm.permission_name, user_group.users_group_name,
                                    target_user_group.users_group_name
                                ),
                         'success': True
                     }
                 except Exception:
                     log.exception("Error occurred during editing permissions "
                                   "for user group in user group")
                     raise JSONRPCError(
                         'failed to edit permission for user group: `%s` in '
                         'user group: `%s`' % (
                             sourceusergroupid, target_user_group.users_group_name
                         )
                     )
             @jsonrpc_method()
             def revoke_user_group_permission_from_user_group(
                     request, apiuser, usergroupid, sourceusergroupid):
                 """
                 Revoke the permissions that one user group has to another.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param usergroupid: Set the user group on which to edit permissions.
                 :type usergroupid: str or int
                 :param sourceusergroupid: Set the user group from which permissions
                     are revoked.
                 :type sourceusergroupid: str or int
                 Example output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : {
                     "msg": "Revoked perm for user group: `<user_group_name>` in user group: `<target_user_group_name>`",
                     "success": true
                   }
                   error :  null
                 """
                 user_group = get_user_group_or_error(sourceusergroupid)
                 target_user_group = get_user_group_or_error(usergroupid)
                 if not has_superadmin_permission(apiuser):
                     # check if we have admin permission for this user group !
                     _perms = ('usergroup.admin',)
                     if not HasUserGroupPermissionAnyApi(*_perms)(
                             user=apiuser,
                             user_group_name=target_user_group.users_group_name):
                         raise JSONRPCError(
                             'to user group `%s` does not exist' % (usergroupid,))
                     # check if we have at least read permission
                     # for the source user group !
                     _perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin',)
                     if not HasUserGroupPermissionAnyApi(*_perms)(
                             user=apiuser, user_group_name=user_group.users_group_name):
                         raise JSONRPCError(
                             'user group `%s` does not exist' % (sourceusergroupid,))
                 try:
                     UserGroupModel().revoke_user_group_permission(
                         target_user_group=target_user_group, user_group=user_group)
                     Session().commit()
                     return {
                         'msg': 'Revoked perm for user group: '
                                '`%s` in user group: `%s`' % (
                                    user_group.users_group_name,
                                    target_user_group.users_group_name
                                ),
                         'success': True
                     }
                 except Exception:
                     log.exception("Error occurred during editing permissions "
                                   "for user group in user group")
                     raise JSONRPCError(
                         'failed to edit permission for user group: '
                         '`%s` in user group: `%s`' % (
                             sourceusergroupid, target_user_group.users_group_name
                         )
                     )

rhodecode/apps/user_group/views/__init__.py

0 +4 -31

             # -*- coding: utf-8 -*-
             # Copyright (C) 2016-2017 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import logging
             import peppercorn
             import formencode
             import formencode.htmlfill
             from pyramid.httpexceptions import HTTPFound
             from pyramid.view import view_config
             from pyramid.response import Response
             from pyramid.renderers import render
             from rhodecode.lib.exceptions import (
                 RepoGroupAssignmentError, UserGroupAssignedException)
             from rhodecode.model.forms import (
                 UserGroupPermsForm, UserGroupForm, UserIndividualPermissionsForm,
                 UserPermissionsForm)
             from rhodecode.model.permission import PermissionModel
             from rhodecode.apps._base import UserGroupAppView
             from rhodecode.lib.auth import (
                 LoginRequired, HasUserGroupPermissionAnyDecorator, CSRFRequired)
             from rhodecode.lib import helpers as h, audit_logger
             from rhodecode.lib.utils2 import str2bool
-            from rhodecode.model.db import (
+            from rhodecode.model.db import User
-                joinedload, User, UserGroupRepoToPerm, UserGroupRepoGroupToPerm)
             from rhodecode.model.meta import Session
             from rhodecode.model.user_group import UserGroupModel
             log = logging.getLogger(__name__)
             class UserGroupsView(UserGroupAppView):
                 def load_default_context(self):
                     c = self._get_local_tmpl_context()
                     PermissionModel().set_global_permission_choices(
                         c, gettext_translator=self.request.translate)
                     return c
-                def _get_perms_summary(self, user_group_id):
-                    permissions = {
-                        'repositories': {},
-                        'repositories_groups': {},
-                    ugroup_repo_perms = UserGroupRepoToPerm.query()\
-                        .options(joinedload(UserGroupRepoToPerm.permission))\
-                        .options(joinedload(UserGroupRepoToPerm.repository))\
-                        .filter(UserGroupRepoToPerm.users_group_id == user_group_id)\
-                        .all()
-                    for gr in ugroup_repo_perms:
-                        permissions['repositories'][gr.repository.repo_name]  \
-                            = gr.permission.permission_name
-                    ugroup_group_perms = UserGroupRepoGroupToPerm.query()\
-                        .options(joinedload(UserGroupRepoGroupToPerm.permission))\
-                        .options(joinedload(UserGroupRepoGroupToPerm.group))\
-                        .filter(UserGroupRepoGroupToPerm.users_group_id == user_group_id)\
-                        .all()
-                    for gr in ugroup_group_perms:
-                        permissions['repositories_groups'][gr.group.group_name] \
-                            = gr.permission.permission_name
-                    return permissions
                 @LoginRequired()
                 @HasUserGroupPermissionAnyDecorator('usergroup.admin')
                 @view_config(
                     route_name='user_group_members_data', request_method='GET',
                     renderer='json_ext', xhr=True)
                 def user_group_members(self):
                     """
                     Return members of given user group
                     """
                     self.load_default_context()
                     user_group = self.db_user_group
                     group_members_obj = sorted((x.user for x in user_group.members),
                                                key=lambda u: u.username.lower())
                     group_members = [
                         {
                             'id': user.user_id,
                             'first_name': user.first_name,
                             'last_name': user.last_name,
                             'username': user.username,
                             'icon_link': h.gravatar_url(user.email, 30),
                             'value_display': h.person(user.email),
                             'value': user.username,
                             'value_type': 'user',
                             'active': user.active,
                         }
                         for user in group_members_obj
                     ]
                     return {
                         'members': group_members
                     }
                 @LoginRequired()
                 @HasUserGroupPermissionAnyDecorator('usergroup.admin')
                 @view_config(
                     route_name='edit_user_group_perms_summary', request_method='GET',
                     renderer='rhodecode:templates/admin/user_groups/user_group_edit.mako')
                 def user_group_perms_summary(self):
                     c = self.load_default_context()
                     c.user_group = self.db_user_group
                     c.active = 'perms_summary'
-                    c.permissions = self._get_perms_summary(c.user_group.users_group_id)
+                    c.permissions = UserGroupModel().get_perms_summary(
+                        c.user_group.users_group_id)
                     return self._get_template_context(c)
                 @LoginRequired()
                 @HasUserGroupPermissionAnyDecorator('usergroup.admin')
                 @view_config(
                     route_name='edit_user_group_perms_summary_json', request_method='GET',
                     renderer='json_ext')
                 def user_group_perms_summary_json(self):
                     self.load_default_context()
                     user_group = self.db_user_group
-                    return self._get_perms_summary(user_group.users_group_id)
+                    return UserGroupModel().get_perms_summary(user_group.users_group_id)
                 def _revoke_perms_on_yourself(self, form_result):
                     _updates = filter(lambda u: self._rhodecode_user.user_id == int(u[0]),
                                       form_result['perm_updates'])
                     _additions = filter(lambda u: self._rhodecode_user.user_id == int(u[0]),
                                         form_result['perm_additions'])
                     _deletions = filter(lambda u: self._rhodecode_user.user_id == int(u[0]),
                                         form_result['perm_deletions'])
                     admin_perm = 'usergroup.admin'
                     if _updates   and _updates[0][1]   != admin_perm or \
                        _additions and _additions[0][1] != admin_perm or \
                        _deletions and _deletions[0][1] != admin_perm:
                         return True
                     return False
                 @LoginRequired()
                 @HasUserGroupPermissionAnyDecorator('usergroup.admin')
                 @CSRFRequired()
                 @view_config(
                     route_name='user_groups_update', request_method='POST',
                     renderer='rhodecode:templates/admin/user_groups/user_group_edit.mako')
                 def user_group_update(self):
                     _ = self.request.translate
                     user_group = self.db_user_group
                     user_group_id = user_group.users_group_id
                     c = self.load_default_context()
                     c.user_group = user_group
                     c.group_members_obj = [x.user for x in c.user_group.members]
                     c.group_members_obj.sort(key=lambda u: u.username.lower())
                     c.group_members = [(x.user_id, x.username) for x in c.group_members_obj]
                     c.active = 'settings'
                     users_group_form = UserGroupForm(
                         self.request.translate, edit=True,
                         old_data=c.user_group.get_dict(), allow_disabled=True)()
                     old_values = c.user_group.get_api_data()
                     user_group_name = self.request.POST.get('users_group_name')
                     try:
                         form_result = users_group_form.to_python(self.request.POST)
                         pstruct = peppercorn.parse(self.request.POST.items())
                         form_result['users_group_members'] = pstruct['user_group_members']
                         user_group, added_members, removed_members = \
                             UserGroupModel().update(c.user_group, form_result)
                         updated_user_group = form_result['users_group_name']
                         for user_id in added_members:
                             user = User.get(user_id)
                             user_data = user.get_api_data()
                             audit_logger.store_web(
                                 'user_group.edit.member.add',
                                 action_data={'user': user_data, 'old_data': old_values},
                                 user=self._rhodecode_user)
                         for user_id in removed_members:
                             user = User.get(user_id)
                             user_data = user.get_api_data()
                             audit_logger.store_web(
                                 'user_group.edit.member.delete',
                                 action_data={'user': user_data, 'old_data': old_values},
                                 user=self._rhodecode_user)
                         audit_logger.store_web(
                             'user_group.edit', action_data={'old_data': old_values},
                             user=self._rhodecode_user)
                         h.flash(_('Updated user group %s') % updated_user_group,
                                 category='success')
                         Session().commit()
                     except formencode.Invalid as errors:
                         defaults = errors.value
                         e = errors.error_dict or {}
                         data = render(
                             'rhodecode:templates/admin/user_groups/user_group_edit.mako',
                             self._get_template_context(c), self.request)
                         html = formencode.htmlfill.render(
                             data,
                             defaults=defaults,
                             errors=e,
                             prefix_error=False,
                             encoding="UTF-8",
                             force_defaults=False
                         )
                         return Response(html)
                     except Exception:
                         log.exception("Exception during update of user group")
                         h.flash(_('Error occurred during update of user group %s')
                                 % user_group_name, category='error')
                     raise HTTPFound(
                         h.route_path('edit_user_group', user_group_id=user_group_id))
                 @LoginRequired()
                 @HasUserGroupPermissionAnyDecorator('usergroup.admin')
                 @CSRFRequired()
                 @view_config(
                     route_name='user_groups_delete', request_method='POST',
                     renderer='rhodecode:templates/admin/user_groups/user_group_edit.mako')
                 def user_group_delete(self):
                     _ = self.request.translate
                     user_group = self.db_user_group
                     self.load_default_context()
                     force = str2bool(self.request.POST.get('force'))
                     old_values = user_group.get_api_data()
                     try:
                         UserGroupModel().delete(user_group, force=force)
                         audit_logger.store_web(
                             'user.delete', action_data={'old_data': old_values},
                             user=self._rhodecode_user)
                         Session().commit()
                         h.flash(_('Successfully deleted user group'), category='success')
                     except UserGroupAssignedException as e:
                         h.flash(str(e), category='error')
                     except Exception:
                         log.exception("Exception during deletion of user group")
                         h.flash(_('An error occurred during deletion of user group'),
                                 category='error')
                     raise HTTPFound(h.route_path('user_groups'))
                 @LoginRequired()
                 @HasUserGroupPermissionAnyDecorator('usergroup.admin')
                 @view_config(
                     route_name='edit_user_group', request_method='GET',
                     renderer='rhodecode:templates/admin/user_groups/user_group_edit.mako')
                 def user_group_edit(self):
                     user_group = self.db_user_group
                     c = self.load_default_context()
                     c.user_group = user_group
                     c.group_members_obj = [x.user for x in c.user_group.members]
                     c.group_members_obj.sort(key=lambda u: u.username.lower())
                     c.group_members = [(x.user_id, x.username) for x in c.group_members_obj]
                     c.active = 'settings'
                     defaults = user_group.get_dict()
                     # fill owner
                     if user_group.user:
                         defaults.update({'user': user_group.user.username})
                     else:
                         replacement_user = User.get_first_super_admin().username
                         defaults.update({'user': replacement_user})
                     data = render(
                         'rhodecode:templates/admin/user_groups/user_group_edit.mako',
                         self._get_template_context(c), self.request)
                     html = formencode.htmlfill.render(
                         data,
                         defaults=defaults,
                         encoding="UTF-8",
                         force_defaults=False
                     )
                     return Response(html)
                 @LoginRequired()
                 @HasUserGroupPermissionAnyDecorator('usergroup.admin')
                 @view_config(
                     route_name='edit_user_group_perms', request_method='GET',
                     renderer='rhodecode:templates/admin/user_groups/user_group_edit.mako')
                 def user_group_edit_perms(self):
                     user_group = self.db_user_group
                     c = self.load_default_context()
                     c.user_group = user_group
                     c.active = 'perms'
                     defaults = {}
                     # fill user group users
                     for p in c.user_group.user_user_group_to_perm:
                         defaults.update({'u_perm_%s' % p.user.user_id:
                                          p.permission.permission_name})
                     for p in c.user_group.user_group_user_group_to_perm:
                         defaults.update({'g_perm_%s' % p.user_group.users_group_id:
                                          p.permission.permission_name})
                     data = render(
                         'rhodecode:templates/admin/user_groups/user_group_edit.mako',
                         self._get_template_context(c), self.request)
                     html = formencode.htmlfill.render(
                         data,
                         defaults=defaults,
                         encoding="UTF-8",
                         force_defaults=False
                     )
                     return Response(html)
                 @LoginRequired()
                 @HasUserGroupPermissionAnyDecorator('usergroup.admin')
                 @CSRFRequired()
                 @view_config(
                     route_name='edit_user_group_perms_update', request_method='POST',
                     renderer='rhodecode:templates/admin/user_groups/user_group_edit.mako')
                 def user_group_update_perms(self):
                     """
                     grant permission for given user group
                     """
                     _ = self.request.translate
                     user_group = self.db_user_group
                     user_group_id = user_group.users_group_id
                     c = self.load_default_context()
                     c.user_group = user_group
                     form = UserGroupPermsForm(self.request.translate)().to_python(self.request.POST)
                     if not self._rhodecode_user.is_admin:
                         if self._revoke_perms_on_yourself(form):
                             msg = _('Cannot change permission for yourself as admin')
                             h.flash(msg, category='warning')
                             raise HTTPFound(
                                 h.route_path('edit_user_group_perms',
                                              user_group_id=user_group_id))
                     try:
                         changes = UserGroupModel().update_permissions(
                             user_group_id,
                             form['perm_additions'], form['perm_updates'],
                             form['perm_deletions'])
                     except RepoGroupAssignmentError:
                         h.flash(_('Target group cannot be the same'), category='error')
                         raise HTTPFound(
                             h.route_path('edit_user_group_perms',
                                          user_group_id=user_group_id))
                     action_data = {
                         'added': changes['added'],
                         'updated': changes['updated'],
                         'deleted': changes['deleted'],
                     }
                     audit_logger.store_web(
                         'user_group.edit.permissions', action_data=action_data,
                         user=self._rhodecode_user)
                     Session().commit()
                     h.flash(_('User Group permissions updated'), category='success')
                     raise HTTPFound(
                         h.route_path('edit_user_group_perms', user_group_id=user_group_id))
                 @LoginRequired()
                 @HasUserGroupPermissionAnyDecorator('usergroup.admin')
                 @view_config(
                     route_name='edit_user_group_global_perms', request_method='GET',
                     renderer='rhodecode:templates/admin/user_groups/user_group_edit.mako')
                 def user_group_global_perms_edit(self):
                     user_group = self.db_user_group
                     c = self.load_default_context()
                     c.user_group = user_group
                     c.active = 'global_perms'
                     c.default_user = User.get_default_user()
                     defaults = c.user_group.get_dict()
                     defaults.update(c.default_user.get_default_perms(suffix='_inherited'))
                     defaults.update(c.user_group.get_default_perms())
                     data = render(
                         'rhodecode:templates/admin/user_groups/user_group_edit.mako',
                         self._get_template_context(c), self.request)
                     html = formencode.htmlfill.render(
                         data,
                         defaults=defaults,
                         encoding="UTF-8",
                         force_defaults=False
                     )
                     return Response(html)
                 @LoginRequired()
                 @HasUserGroupPermissionAnyDecorator('usergroup.admin')
                 @CSRFRequired()
                 @view_config(
                     route_name='edit_user_group_global_perms_update', request_method='POST',
                     renderer='rhodecode:templates/admin/user_groups/user_group_edit.mako')
                 def user_group_global_perms_update(self):
                     _ = self.request.translate
                     user_group = self.db_user_group
                     user_group_id = self.db_user_group.users_group_id
                     c = self.load_default_context()
                     c.user_group = user_group
                     c.active = 'global_perms'
                     try:
                         # first stage that verifies the checkbox
                         _form = UserIndividualPermissionsForm(self.request.translate)
                         form_result = _form.to_python(dict(self.request.POST))
                         inherit_perms = form_result['inherit_default_permissions']
                         user_group.inherit_default_permissions = inherit_perms
                         Session().add(user_group)
                         if not inherit_perms:
                             # only update the individual ones if we un check the flag
                             _form = UserPermissionsForm(
                                 self.request.translate,
                                 [x[0] for x in c.repo_create_choices],
                                 [x[0] for x in c.repo_create_on_write_choices],
                                 [x[0] for x in c.repo_group_create_choices],
                                 [x[0] for x in c.user_group_create_choices],
                                 [x[0] for x in c.fork_choices],
                                 [x[0] for x in c.inherit_default_permission_choices])()
                             form_result = _form.to_python(dict(self.request.POST))
                             form_result.update(
                                 {'perm_user_group_id': user_group.users_group_id})
                             PermissionModel().update_user_group_permissions(form_result)
                         Session().commit()
                         h.flash(_('User Group global permissions updated successfully'),
                                 category='success')
                     except formencode.Invalid as errors:
                         defaults = errors.value
                         data = render(
                             'rhodecode:templates/admin/user_groups/user_group_edit.mako',
                             self._get_template_context(c), self.request)
                         html = formencode.htmlfill.render(
                             data,
                             defaults=defaults,
                             errors=errors.error_dict or {},
                             prefix_error=False,
                             encoding="UTF-8",
                             force_defaults=False
                         )
                         return Response(html)
                     except Exception:
                         log.exception("Exception during permissions saving")
                         h.flash(_('An error occurred during permissions saving'),
                                 category='error')
                     raise HTTPFound(
                         h.route_path('edit_user_group_global_perms',
                                      user_group_id=user_group_id))
                 @LoginRequired()
                 @HasUserGroupPermissionAnyDecorator('usergroup.admin')
                 @view_config(
                     route_name='edit_user_group_advanced', request_method='GET',
                     renderer='rhodecode:templates/admin/user_groups/user_group_edit.mako')
                 def user_group_edit_advanced(self):
                     user_group = self.db_user_group
                     c = self.load_default_context()
                     c.user_group = user_group
                     c.active = 'advanced'
                     c.group_members_obj = sorted(
                         (x.user for x in c.user_group.members),
                         key=lambda u: u.username.lower())
                     c.group_to_repos = sorted(
                         (x.repository for x in c.user_group.users_group_repo_to_perm),
                         key=lambda u: u.repo_name.lower())
                     c.group_to_repo_groups = sorted(
                         (x.group for x in c.user_group.users_group_repo_group_to_perm),
                         key=lambda u: u.group_name.lower())
                     c.group_to_review_rules = sorted(
                         (x.users_group for x in c.user_group.user_group_review_rules),
                         key=lambda u: u.users_group_name.lower())
                     return self._get_template_context(c)
                 @LoginRequired()
                 @HasUserGroupPermissionAnyDecorator('usergroup.admin')
                 @CSRFRequired()
                 @view_config(
                     route_name='edit_user_group_advanced_sync', request_method='POST',
                     renderer='rhodecode:templates/admin/user_groups/user_group_edit.mako')
                 def user_group_edit_advanced_set_synchronization(self):
                     _ = self.request.translate
                     user_group = self.db_user_group
                     user_group_id = user_group.users_group_id
                     existing = user_group.group_data.get('extern_type')
                     if existing:
                         new_state = user_group.group_data
                         new_state['extern_type'] = None
                     else:
                         new_state = user_group.group_data
                         new_state['extern_type'] = 'manual'
                         new_state['extern_type_set_by'] = self._rhodecode_user.username
                     try:
                         user_group.group_data = new_state
                         Session().add(user_group)
                         Session().commit()
                         h.flash(_('User Group synchronization updated successfully'),
                                 category='success')
                     except Exception:
                         log.exception("Exception during sync settings saving")
                         h.flash(_('An error occurred during synchronization update'),
                                 category='error')
                     raise HTTPFound(
                         h.route_path('edit_user_group_advanced',
                                      user_group_id=user_group_id))

rhodecode/model/user_group.py

0 +27 -1

             # -*- coding: utf-8 -*-
             # Copyright (C) 2011-2017 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import logging
             import traceback
             from rhodecode.lib.utils2 import safe_str, safe_unicode
             from rhodecode.lib.exceptions import (
                 UserGroupAssignedException, RepoGroupAssignmentError)
             from rhodecode.lib.utils2 import (
                 get_current_rhodecode_user, action_logger_generic)
             from rhodecode.model import BaseModel
             from rhodecode.model.scm import UserGroupList
             from rhodecode.model.db import (
-                true, func, User, UserGroupMember, UserGroup,
+                joinedload, true, func, User, UserGroupMember, UserGroup,
                 UserGroupRepoToPerm, Permission, UserGroupToPerm, UserUserGroupToPerm,
                 UserGroupUserGroupToPerm, UserGroupRepoGroupToPerm)
             log = logging.getLogger(__name__)
             class UserGroupModel(BaseModel):
                 cls = UserGroup
                 def _get_user_group(self, user_group):
                     return self._get_instance(UserGroup, user_group,
                                               callback=UserGroup.get_by_group_name)
                 def _create_default_perms(self, user_group):
                     # create default permission
                     default_perm = 'usergroup.read'
                     def_user = User.get_default_user()
                     for p in def_user.user_perms:
                         if p.permission.permission_name.startswith('usergroup.'):
                             default_perm = p.permission.permission_name
                             break
                     user_group_to_perm = UserUserGroupToPerm()
                     user_group_to_perm.permission = Permission.get_by_key(default_perm)
                     user_group_to_perm.user_group = user_group
                     user_group_to_perm.user_id = def_user.user_id
                     return user_group_to_perm
                 def update_permissions(
                         self, user_group, perm_additions=None, perm_updates=None,
                         perm_deletions=None, check_perms=True, cur_user=None):
                     from rhodecode.lib.auth import HasUserGroupPermissionAny
                     if not perm_additions:
                         perm_additions = []
                     if not perm_updates:
                         perm_updates = []
                     if not perm_deletions:
                         perm_deletions = []
                     req_perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin')
                     changes = {
                         'added': [],
                         'updated': [],
                         'deleted': []
                     }
                     # update permissions
                     for member_id, perm, member_type in perm_updates:
                         member_id = int(member_id)
                         if member_type == 'user':
                             member_name = User.get(member_id).username
                             # this updates existing one
                             self.grant_user_permission(
                                 user_group=user_group, user=member_id, perm=perm
                             )
                         else:
                             # check if we have permissions to alter this usergroup
                             member_name = UserGroup.get(member_id).users_group_name
                             if not check_perms or HasUserGroupPermissionAny(
                                     *req_perms)(member_name, user=cur_user):
                                 self.grant_user_group_permission(
                                     target_user_group=user_group, user_group=member_id, perm=perm)
                         changes['updated'].append({'type': member_type, 'id': member_id,
                                                    'name': member_name, 'new_perm': perm})
                     # set new permissions
                     for member_id, perm, member_type in perm_additions:
                         member_id = int(member_id)
                         if member_type == 'user':
                             member_name = User.get(member_id).username
                             self.grant_user_permission(
                                 user_group=user_group, user=member_id, perm=perm)
                         else:
                             # check if we have permissions to alter this usergroup
                             member_name = UserGroup.get(member_id).users_group_name
                             if not check_perms or HasUserGroupPermissionAny(
                                     *req_perms)(member_name, user=cur_user):
                                 self.grant_user_group_permission(
                                     target_user_group=user_group, user_group=member_id, perm=perm)
                         changes['added'].append({'type': member_type, 'id': member_id,
                                                  'name': member_name, 'new_perm': perm})
                     # delete permissions
                     for member_id, perm, member_type in perm_deletions:
                         member_id = int(member_id)
                         if member_type == 'user':
                             member_name = User.get(member_id).username
                             self.revoke_user_permission(user_group=user_group, user=member_id)
                         else:
                             # check if we have permissions to alter this usergroup
                             member_name = UserGroup.get(member_id).users_group_name
                             if not check_perms or HasUserGroupPermissionAny(
                                     *req_perms)(member_name, user=cur_user):
                                 self.revoke_user_group_permission(
                                     target_user_group=user_group, user_group=member_id)
                         changes['deleted'].append({'type': member_type, 'id': member_id,
                                                    'name': member_name, 'new_perm': perm})
                     return changes
                 def get(self, user_group_id, cache=False):
                     return UserGroup.get(user_group_id)
                 def get_group(self, user_group):
                     return self._get_user_group(user_group)
                 def get_by_name(self, name, cache=False, case_insensitive=False):
                     return UserGroup.get_by_group_name(name, cache, case_insensitive)
                 def create(self, name, description, owner, active=True, group_data=None):
                     try:
                         new_user_group = UserGroup()
                         new_user_group.user = self._get_user(owner)
                         new_user_group.users_group_name = name
                         new_user_group.user_group_description = description
                         new_user_group.users_group_active = active
                         if group_data:
                             new_user_group.group_data = group_data
                         self.sa.add(new_user_group)
                         perm_obj = self._create_default_perms(new_user_group)
                         self.sa.add(perm_obj)
                         self.grant_user_permission(user_group=new_user_group,
                                                    user=owner, perm='usergroup.admin')
                         return new_user_group
                     except Exception:
                         log.error(traceback.format_exc())
                         raise
                 def _get_memberships_for_user_ids(self, user_group, user_id_list):
                     members = []
                     for user_id in user_id_list:
                         member = self._get_membership(user_group.users_group_id, user_id)
                         members.append(member)
                     return members
                 def _get_added_and_removed_user_ids(self, user_group, user_id_list):
                     current_members = user_group.members or []
                     current_members_ids = [m.user.user_id for m in current_members]
                     added_members = [
                         user_id for user_id in user_id_list
                         if user_id not in current_members_ids]
                     if user_id_list == []:
                         # all members were deleted
                         deleted_members = current_members_ids
                     else:
                         deleted_members = [
                             user_id for user_id in current_members_ids
                             if user_id not in user_id_list]
                     return added_members, deleted_members
                 def _set_users_as_members(self, user_group, user_ids):
                     user_group.members = []
                     self.sa.flush()
                     members = self._get_memberships_for_user_ids(
                         user_group, user_ids)
                     user_group.members = members
                     self.sa.add(user_group)
                 def _update_members_from_user_ids(self, user_group, user_ids):
                     added, removed = self._get_added_and_removed_user_ids(
                         user_group, user_ids)
                     self._set_users_as_members(user_group, user_ids)
                     self._log_user_changes('added to', user_group, added)
                     self._log_user_changes('removed from', user_group, removed)
                     return added, removed
                 def _clean_members_data(self, members_data):
                     if not members_data:
                         members_data = []
                     members = []
                     for user in members_data:
                         uid = int(user['member_user_id'])
                         if uid not in members and user['type'] in ['new', 'existing']:
                             members.append(uid)
                     return members
                 def update(self, user_group, form_data):
                     user_group = self._get_user_group(user_group)
                     if 'users_group_name' in form_data:
                         user_group.users_group_name = form_data['users_group_name']
                     if 'users_group_active' in form_data:
                         user_group.users_group_active = form_data['users_group_active']
                     if 'user_group_description' in form_data:
                         user_group.user_group_description = form_data[
                             'user_group_description']
                     # handle owner change
                     if 'user' in form_data:
                         owner = form_data['user']
                         if isinstance(owner, basestring):
                             owner = User.get_by_username(form_data['user'])
                         if not isinstance(owner, User):
                             raise ValueError(
                                 'invalid owner for user group: %s' % form_data['user'])
                         user_group.user = owner
                     added_user_ids = []
                     removed_user_ids = []
                     if 'users_group_members' in form_data:
                         members_id_list = self._clean_members_data(
                             form_data['users_group_members'])
                         added_user_ids, removed_user_ids = \
                             self._update_members_from_user_ids(user_group, members_id_list)
                     self.sa.add(user_group)
                     return user_group, added_user_ids, removed_user_ids
                 def delete(self, user_group, force=False):
                     """
                     Deletes repository group, unless force flag is used
                     raises exception if there are members in that group, else deletes
                     group and users
                     :param user_group:
                     :param force:
                     """
                     user_group = self._get_user_group(user_group)
                     if not user_group:
                         return
                     try:
                         # check if this group is not assigned to repo
                         assigned_to_repo = [x.repository for x in UserGroupRepoToPerm.query()\
                             .filter(UserGroupRepoToPerm.users_group == user_group).all()]
                         # check if this group is not assigned to repo
                         assigned_to_repo_group = [x.group for x in UserGroupRepoGroupToPerm.query()\
                             .filter(UserGroupRepoGroupToPerm.users_group == user_group).all()]
                         if (assigned_to_repo or assigned_to_repo_group) and not force:
                             assigned = ','.join(map(safe_str,
                                                 assigned_to_repo+assigned_to_repo_group))
                             raise UserGroupAssignedException(
                                 'UserGroup assigned to %s' % (assigned,))
                         self.sa.delete(user_group)
                     except Exception:
                         log.error(traceback.format_exc())
                         raise
                 def _log_user_changes(self, action, user_group, user_or_users):
                     users = user_or_users
                     if not isinstance(users, (list, tuple)):
                         users = [users]
                     group_name = user_group.users_group_name
                     for user_or_user_id in users:
                         user = self._get_user(user_or_user_id)
                         log_text = 'User {user} {action} {group}'.format(
                             action=action, user=user.username, group=group_name)
                         action_logger_generic(log_text)
                 def _find_user_in_group(self, user, user_group):
                     user_group_member = None
                     for m in user_group.members:
                         if m.user_id == user.user_id:
                             # Found this user's membership row
                             user_group_member = m
                             break
                     return user_group_member
                 def _get_membership(self, user_group_id, user_id):
                     user_group_member = UserGroupMember(user_group_id, user_id)
                     return user_group_member
                 def add_user_to_group(self, user_group, user):
                     user_group = self._get_user_group(user_group)
                     user = self._get_user(user)
                     user_member = self._find_user_in_group(user, user_group)
                     if user_member:
                         # user already in the group, skip
                         return True
                     member = self._get_membership(
                         user_group.users_group_id, user.user_id)
                     user_group.members.append(member)
                     try:
                         self.sa.add(member)
                     except Exception:
                         # what could go wrong here?
                         log.error(traceback.format_exc())
                         raise
                     self._log_user_changes('added to', user_group, user)
                     return member
                 def remove_user_from_group(self, user_group, user):
                     user_group = self._get_user_group(user_group)
                     user = self._get_user(user)
                     user_group_member = self._find_user_in_group(user, user_group)
                     if not user_group_member:
                         # User isn't in that group
                         return False
                     try:
                         self.sa.delete(user_group_member)
                     except Exception:
                         log.error(traceback.format_exc())
                         raise
                     self._log_user_changes('removed from', user_group, user)
                     return True
                 def has_perm(self, user_group, perm):
                     user_group = self._get_user_group(user_group)
                     perm = self._get_perm(perm)
                     return UserGroupToPerm.query()\
                         .filter(UserGroupToPerm.users_group == user_group)\
                         .filter(UserGroupToPerm.permission == perm).scalar() is not None
                 def grant_perm(self, user_group, perm):
                     user_group = self._get_user_group(user_group)
                     perm = self._get_perm(perm)
                     # if this permission is already granted skip it
                     _perm = UserGroupToPerm.query()\
                         .filter(UserGroupToPerm.users_group == user_group)\
                         .filter(UserGroupToPerm.permission == perm)\
                         .scalar()
                     if _perm:
                         return
                     new = UserGroupToPerm()
                     new.users_group = user_group
                     new.permission = perm
                     self.sa.add(new)
                     return new
                 def revoke_perm(self, user_group, perm):
                     user_group = self._get_user_group(user_group)
                     perm = self._get_perm(perm)
                     obj = UserGroupToPerm.query()\
                         .filter(UserGroupToPerm.users_group == user_group)\
                         .filter(UserGroupToPerm.permission == perm).scalar()
                     if obj:
                         self.sa.delete(obj)
                 def grant_user_permission(self, user_group, user, perm):
                     """
                     Grant permission for user on given user group, or update
                     existing one if found
                     :param user_group: Instance of UserGroup, users_group_id,
                         or users_group_name
                     :param user: Instance of User, user_id or username
                     :param perm: Instance of Permission, or permission_name
                     """
                     user_group = self._get_user_group(user_group)
                     user = self._get_user(user)
                     permission = self._get_perm(perm)
                     # check if we have that permission already
                     obj = self.sa.query(UserUserGroupToPerm)\
                         .filter(UserUserGroupToPerm.user == user)\
                         .filter(UserUserGroupToPerm.user_group == user_group)\
                         .scalar()
                     if obj is None:
                         # create new !
                         obj = UserUserGroupToPerm()
                     obj.user_group = user_group
                     obj.user = user
                     obj.permission = permission
                     self.sa.add(obj)
                     log.debug('Granted perm %s to %s on %s', perm, user, user_group)
                     action_logger_generic(
                         'granted permission: {} to user: {} on usergroup: {}'.format(
                             perm, user, user_group), namespace='security.usergroup')
                     return obj
                 def revoke_user_permission(self, user_group, user):
                     """
                     Revoke permission for user on given user group
                     :param user_group: Instance of UserGroup, users_group_id,
                         or users_group name
                     :param user: Instance of User, user_id or username
                     """
                     user_group = self._get_user_group(user_group)
                     user = self._get_user(user)
                     obj = self.sa.query(UserUserGroupToPerm)\
                         .filter(UserUserGroupToPerm.user == user)\
                         .filter(UserUserGroupToPerm.user_group == user_group)\
                         .scalar()
                     if obj:
                         self.sa.delete(obj)
                         log.debug('Revoked perm on %s on %s', user_group, user)
                         action_logger_generic(
                             'revoked permission from user: {} on usergroup: {}'.format(
                                 user, user_group), namespace='security.usergroup')
                 def grant_user_group_permission(self, target_user_group, user_group, perm):
                     """
                     Grant user group permission for given target_user_group
                     :param target_user_group:
                     :param user_group:
                     :param perm:
                     """
                     target_user_group = self._get_user_group(target_user_group)
                     user_group = self._get_user_group(user_group)
                     permission = self._get_perm(perm)
                     # forbid assigning same user group to itself
                     if target_user_group == user_group:
                         raise RepoGroupAssignmentError('target repo:%s cannot be '
                                                        'assigned to itself' % target_user_group)
                     # check if we have that permission already
                     obj = self.sa.query(UserGroupUserGroupToPerm)\
                         .filter(UserGroupUserGroupToPerm.target_user_group == target_user_group)\
                         .filter(UserGroupUserGroupToPerm.user_group == user_group)\
                         .scalar()
                     if obj is None:
                         # create new !
                         obj = UserGroupUserGroupToPerm()
                     obj.user_group = user_group
                     obj.target_user_group = target_user_group
                     obj.permission = permission
                     self.sa.add(obj)
                     log.debug(
                         'Granted perm %s to %s on %s', perm, target_user_group, user_group)
                     action_logger_generic(
                         'granted permission: {} to usergroup: {} on usergroup: {}'.format(
                             perm, user_group, target_user_group),
                         namespace='security.usergroup')
                     return obj
                 def revoke_user_group_permission(self, target_user_group, user_group):
                     """
                     Revoke user group permission for given target_user_group
                     :param target_user_group:
                     :param user_group:
                     """
                     target_user_group = self._get_user_group(target_user_group)
                     user_group = self._get_user_group(user_group)
                     obj = self.sa.query(UserGroupUserGroupToPerm)\
                         .filter(UserGroupUserGroupToPerm.target_user_group == target_user_group)\
                         .filter(UserGroupUserGroupToPerm.user_group == user_group)\
                         .scalar()
                     if obj:
                         self.sa.delete(obj)
                         log.debug(
                             'Revoked perm on %s on %s', target_user_group, user_group)
                         action_logger_generic(
                             'revoked permission from usergroup: {} on usergroup: {}'.format(
                                 user_group, target_user_group),
                             namespace='security.repogroup')
+                def get_perms_summary(self, user_group_id):
+                    permissions = {
+                        'repositories': {},
+                        'repositories_groups': {},
+                    }
+                    ugroup_repo_perms = UserGroupRepoToPerm.query()\
+                        .options(joinedload(UserGroupRepoToPerm.permission))\
+                        .options(joinedload(UserGroupRepoToPerm.repository))\
+                        .filter(UserGroupRepoToPerm.users_group_id == user_group_id)\
+                        .all()
+                    for gr in ugroup_repo_perms:
+                        permissions['repositories'][gr.repository.repo_name]  \
+                            = gr.permission.permission_name
+                    ugroup_group_perms = UserGroupRepoGroupToPerm.query()\
+                        .options(joinedload(UserGroupRepoGroupToPerm.permission))\
+                        .options(joinedload(UserGroupRepoGroupToPerm.group))\
+                        .filter(UserGroupRepoGroupToPerm.users_group_id == user_group_id)\
+                        .all()
+                    for gr in ugroup_group_perms:
+                        permissions['repositories_groups'][gr.group.group_name] \
+                            = gr.permission.permission_name
+                    return permissions
                 def enforce_groups(self, user, groups, extern_type=None):
                     user = self._get_user(user)
                     current_groups = user.group_member
                     # find the external created groups, i.e automatically created
                     log.debug('Enforcing user group set `%s` on user %s', groups, user)
                     # calculate from what groups user should be removed
                     # external_groups that are not in groups
                     for gr in [x.users_group for x in current_groups]:
                         managed = gr.group_data.get('extern_type')
                         if managed:
                             if gr.users_group_name not in groups:
                                 log.debug('Removing user %s from user group %s. '
                                           'Group sync managed by: %s', user, gr, managed)
                                 self.remove_user_from_group(gr, user)
                         else:
                             log.debug('Skipping removal from group %s since it is '
                                       'not set to be automatically synchronized' % gr)
                     # now we calculate in which groups user should be == groups params
                     owner = User.get_first_super_admin().username
                     for gr in set(groups):
                         existing_group = UserGroup.get_by_group_name(gr)
                         if not existing_group:
                             desc = 'Automatically created from plugin:%s' % extern_type
                             # we use first admin account to set the owner of the group
                             existing_group = UserGroupModel().create(
                                 gr, desc, owner, group_data={'extern_type': extern_type})
                         # we can only add users to groups which have set sync flag via
                         # extern_type attribute.
                         # This is either set and created via plugins, or manually
                         managed = existing_group.group_data.get('extern_type')
                         if managed:
                             log.debug('Adding user %s to user group %s', user, gr)
                             UserGroupModel().add_user_to_group(existing_group, user)
                         else:
                             log.debug('Skipping addition to group %s since it is '
                                       'not set to be automatically synchronized' % gr)
                 def change_groups(self, user, groups):
                     """
                     This method changes user group assignment
                     :param user:  User
                     :param groups: array of UserGroupModel
                     """
                     user = self._get_user(user)
                     log.debug('Changing user(%s) assignment to groups(%s)', user, groups)
                     current_groups = user.group_member
                     current_groups = [x.users_group for x in current_groups]
                     # calculate from what groups user should be removed/add
                     groups = set(groups)
                     current_groups = set(current_groups)
                     groups_to_remove = current_groups - groups
                     groups_to_add = groups - current_groups
                     removed_from_groups = []
                     added_to_groups = []
                     for gr in groups_to_remove:
                         log.debug('Removing user %s from user group %s',
                                   user.username, gr.users_group_name)
                         removed_from_groups.append(gr.users_group_id)
                         self.remove_user_from_group(gr.users_group_name, user.username)
                     for gr in groups_to_add:
                         log.debug('Adding user %s to user group %s',
                                   user.username, gr.users_group_name)
                         added_to_groups.append(gr.users_group_id)
                         UserGroupModel().add_user_to_group(
                             gr.users_group_name, user.username)
                     return added_to_groups, removed_from_groups
                 def _serialize_user_group(self, user_group):
                     import rhodecode.lib.helpers as h
                     return {
                             'id': user_group.users_group_id,
                             # TODO: marcink figure out a way to generate the url for the
                             # icon
                             'icon_link': '',
                             'value_display': 'Group: %s (%d members)' % (
                                 user_group.users_group_name, len(user_group.members),),
                             'value': user_group.users_group_name,
                             'description': user_group.user_group_description,
                             'owner': user_group.user.username,
                             'owner_icon': h.gravatar_url(user_group.user.email, 30),
                             'value_display_owner': h.person(user_group.user.email),
                             'value_type': 'user_group',
                             'active': user_group.users_group_active,
                         }
                 def get_user_groups(self, name_contains=None, limit=20, only_active=True,
                                     expand_groups=False):
                     query = self.sa.query(UserGroup)
                     if only_active:
                         query = query.filter(UserGroup.users_group_active == true())
                     if name_contains:
                         ilike_expression = u'%{}%'.format(safe_unicode(name_contains))
                         query = query.filter(
                             UserGroup.users_group_name.ilike(ilike_expression))\
                             .order_by(func.length(UserGroup.users_group_name))\
                             .order_by(UserGroup.users_group_name)
                         query = query.limit(limit)
                     user_groups = query.all()
                     perm_set = ['usergroup.read', 'usergroup.write', 'usergroup.admin']
                     user_groups = UserGroupList(user_groups, perm_set=perm_set)
                     # store same serialize method to extract data from User
                     from rhodecode.model.user import UserModel
                     serialize_user = UserModel()._serialize_user
                     _groups = []
                     for group in user_groups:
                         entry = self._serialize_user_group(group)
                         if expand_groups:
                             expanded_members = []
                             for member in group.members:
                                 expanded_members.append(serialize_user(member.user))
                             entry['members'] = expanded_members
                         _groups.append(entry)
                     return _groups
                 @staticmethod
                 def get_user_groups_as_dict(user_group):
                     import rhodecode.lib.helpers as h
                     data = {
                         'users_group_id': user_group.users_group_id,
                         'group_name': user_group.users_group_name,
                         'group_description': user_group.user_group_description,
                         'active': user_group.users_group_active,
                         "owner": user_group.user.username,
                         'owner_icon': h.gravatar_url(user_group.user.email, 30),
                         "owner_data": {
                             'owner': user_group.user.username,
                             'owner_icon': h.gravatar_url(user_group.user.email, 30)}
                         }
                     return data

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages