u/pc/rhodecode-enterprise-ce-fork-pc Commit - r2664:36dbf06f

api: security, fix problem when absolute paths are specified with API call, that would allow...

marcink -

r2664:36dbf06f stable

parent child

rhodecode/api/tests/test_update_repo.py

0 +3 -1

             # -*- coding: utf-8 -*-
             # Copyright (C) 2010-2018 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import mock
             import pytest
             from rhodecode.model.repo import RepoModel
             from rhodecode.tests import TEST_USER_ADMIN_LOGIN, TEST_USER_REGULAR_LOGIN
             from rhodecode.api.tests.utils import (
                 build_data, api_call, assert_error, assert_ok, crash, jsonify)
             from rhodecode.tests.fixture import Fixture
             from rhodecode.tests.plugin import http_host_stub, http_host_only_stub
             fixture = Fixture()
             UPDATE_REPO_NAME = 'api_update_me'
             class SAME_AS_UPDATES(object):
                 """ Constant used for tests below """
             @pytest.mark.usefixtures("testuser_api", "app")
             class TestApiUpdateRepo(object):
                 @pytest.mark.parametrize("updates, expected", [
                     ({'owner': TEST_USER_REGULAR_LOGIN},
                      SAME_AS_UPDATES),
                     ({'description': 'new description'},
                      SAME_AS_UPDATES),
                     ({'clone_uri': 'http://foo.com/repo'},
                      SAME_AS_UPDATES),
                     ({'clone_uri': None},
                      {'clone_uri': ''}),
                     ({'clone_uri': ''},
                      {'clone_uri': ''}),
                     ({'landing_rev': 'rev:tip'},
                      {'landing_rev': ['rev', 'tip']}),
                     ({'enable_statistics': True},
                      SAME_AS_UPDATES),
                     ({'enable_locking': True},
                      SAME_AS_UPDATES),
                     ({'enable_downloads': True},
                      SAME_AS_UPDATES),
                     ({'repo_name': 'new_repo_name'},
                      {
                         'repo_name': 'new_repo_name',
                         'url': 'http://{}/new_repo_name'.format(http_host_only_stub())
                      }),
                     ({'repo_name': 'test_group_for_update/{}'.format(UPDATE_REPO_NAME),
                       '_group': 'test_group_for_update'},
                      {
                         'repo_name': 'test_group_for_update/{}'.format(UPDATE_REPO_NAME),
                         'url': 'http://{}/test_group_for_update/{}'.format(
                             http_host_only_stub(), UPDATE_REPO_NAME)
                      }),
                 ])
                 def test_api_update_repo(self, updates, expected, backend):
                     repo_name = UPDATE_REPO_NAME
                     repo = fixture.create_repo(repo_name, repo_type=backend.alias)
                     if updates.get('_group'):
                         fixture.create_repo_group(updates['_group'])
                     expected_api_data = repo.get_api_data(include_secrets=True)
                     if expected is SAME_AS_UPDATES:
                         expected_api_data.update(updates)
                     else:
                         expected_api_data.update(expected)
                     id_, params = build_data(
                         self.apikey, 'update_repo', repoid=repo_name, **updates)
-                    response = api_call(self.app, params)
+                    with mock.patch('rhodecode.model.validation_schema.validators.url_validator'):
+                        response = api_call(self.app, params)
                     if updates.get('repo_name'):
                         repo_name = updates['repo_name']
                     try:
                         expected = {
                             'msg': 'updated repo ID:%s %s' % (repo.repo_id, repo_name),
                             'repository': jsonify(expected_api_data)
                         }
                         assert_ok(id_, expected, given=response.body)
                     finally:
                         fixture.destroy_repo(repo_name)
                         if updates.get('_group'):
                             fixture.destroy_repo_group(updates['_group'])
                 def test_api_update_repo_fork_of_field(self, backend):
                     master_repo = backend.create_repo()
                     repo = backend.create_repo()
                     updates = {
                         'fork_of': master_repo.repo_name,
                         'fork_of_id': master_repo.repo_id
                     }
                     expected_api_data = repo.get_api_data(include_secrets=True)
                     expected_api_data.update(updates)
                     id_, params = build_data(
                         self.apikey, 'update_repo', repoid=repo.repo_name, **updates)
                     response = api_call(self.app, params)
                     expected = {
                         'msg': 'updated repo ID:%s %s' % (repo.repo_id, repo.repo_name),
                         'repository': jsonify(expected_api_data)
                     }
                     assert_ok(id_, expected, given=response.body)
                     result = response.json['result']['repository']
                     assert result['fork_of'] == master_repo.repo_name
                     assert result['fork_of_id'] == master_repo.repo_id
                 def test_api_update_repo_fork_of_not_found(self, backend):
                     master_repo_name = 'fake-parent-repo'
                     repo = backend.create_repo()
                     updates = {
                         'fork_of': master_repo_name
                     }
                     id_, params = build_data(
                         self.apikey, 'update_repo', repoid=repo.repo_name, **updates)
                     response = api_call(self.app, params)
                     expected = {
                         'repo_fork_of': 'Fork with id `{}` does not exists'.format(
                             master_repo_name)}
                     assert_error(id_, expected, given=response.body)
                 def test_api_update_repo_with_repo_group_not_existing(self):
                     repo_name = 'admin_owned'
                     fake_repo_group = 'test_group_for_update'
                     fixture.create_repo(repo_name)
                     updates = {'repo_name': '{}/{}'.format(fake_repo_group, repo_name)}
                     id_, params = build_data(
                         self.apikey, 'update_repo', repoid=repo_name, **updates)
                     response = api_call(self.app, params)
                     try:
                         expected = {
                             'repo_group': 'Repository group `{}` does not exist'.format(fake_repo_group)
                         }
                         assert_error(id_, expected, given=response.body)
                     finally:
                         fixture.destroy_repo(repo_name)
                 def test_api_update_repo_regular_user_not_allowed(self):
                     repo_name = 'admin_owned'
                     fixture.create_repo(repo_name)
                     updates = {'active': False}
                     id_, params = build_data(
                         self.apikey_regular, 'update_repo', repoid=repo_name, **updates)
                     response = api_call(self.app, params)
                     try:
                         expected = 'repository `%s` does not exist' % (repo_name,)
                         assert_error(id_, expected, given=response.body)
                     finally:
                         fixture.destroy_repo(repo_name)
                 @mock.patch.object(RepoModel, 'update', crash)
                 def test_api_update_repo_exception_occurred(self, backend):
                     repo_name = UPDATE_REPO_NAME
                     fixture.create_repo(repo_name, repo_type=backend.alias)
                     id_, params = build_data(
                         self.apikey, 'update_repo', repoid=repo_name,
                         owner=TEST_USER_ADMIN_LOGIN,)
                     response = api_call(self.app, params)
                     try:
                         expected = 'failed to update repo `%s`' % (repo_name,)
                         assert_error(id_, expected, given=response.body)
                     finally:
                         fixture.destroy_repo(repo_name)

rhodecode/api/views/repo_api.py

0 +5 -1

             # -*- coding: utf-8 -*-
             # Copyright (C) 2011-2018 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import logging
             import time
             import rhodecode
             from rhodecode.api import (
                 jsonrpc_method, JSONRPCError, JSONRPCForbidden, JSONRPCValidationError)
             from rhodecode.api.utils import (
                 has_superadmin_permission, Optional, OAttr, get_repo_or_error,
                 get_user_group_or_error, get_user_or_error, validate_repo_permissions,
                 get_perm_or_error, parse_args, get_origin, build_commit_data,
                 validate_set_owner_permissions)
             from rhodecode.lib import audit_logger
             from rhodecode.lib import repo_maintenance
             from rhodecode.lib.auth import HasPermissionAnyApi, HasUserGroupPermissionAnyApi
             from rhodecode.lib.celerylib.utils import get_task_id
             from rhodecode.lib.utils2 import str2bool, time_to_datetime
             from rhodecode.lib.ext_json import json
             from rhodecode.lib.exceptions import StatusChangeOnClosedPullRequestError
             from rhodecode.model.changeset_status import ChangesetStatusModel
             from rhodecode.model.comment import CommentsModel
             from rhodecode.model.db import (
                 Session, ChangesetStatus, RepositoryField, Repository, RepoGroup,
                 ChangesetComment)
             from rhodecode.model.repo import RepoModel
             from rhodecode.model.scm import ScmModel, RepoList
             from rhodecode.model.settings import SettingsModel, VcsSettingsModel
             from rhodecode.model import validation_schema
             from rhodecode.model.validation_schema.schemas import repo_schema
             log = logging.getLogger(__name__)
             @jsonrpc_method()
             def get_repo(request, apiuser, repoid, cache=Optional(True)):
                 """
                 Gets an existing repository by its name or repository_id.
                 The members section so the output returns users groups or users
                 associated with that repository.
                 This command can only be run using an |authtoken| with admin rights,
                 or users with at least read rights to the |repo|.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repoid: The repository name or repository id.
                 :type repoid: str or int
                 :param cache: use the cached value for last changeset
                 :type: cache: Optional(bool)
                 Example output:
                 .. code-block:: bash
                     {
                       "error": null,
                       "id": <repo_id>,
                       "result": {
                         "clone_uri": null,
                         "created_on": "timestamp",
                         "description": "repo description",
                         "enable_downloads": false,
                         "enable_locking": false,
                         "enable_statistics": false,
                         "followers": [
                           {
                             "active": true,
                             "admin": false,
                             "api_key": "****************************************",
                             "api_keys": [
                               "****************************************"
                             ],
                             "email": "user@example.com",
                             "emails": [
                               "user@example.com"
                             ],
                             "extern_name": "rhodecode",
                             "extern_type": "rhodecode",
                             "firstname": "username",
                             "ip_addresses": [],
                             "language": null,
                             "last_login": "2015-09-16T17:16:35.854",
                             "lastname": "surname",
                             "user_id": <user_id>,
                             "username": "name"
                           }
                         ],
                         "fork_of": "parent-repo",
                         "landing_rev": [
                           "rev",
                           "tip"
                         ],
                         "last_changeset": {
                           "author": "User <user@example.com>",
                           "branch": "default",
                           "date": "timestamp",
                           "message": "last commit message",
                           "parents": [
                             {
                               "raw_id": "commit-id"
                             }
                           ],
                           "raw_id": "commit-id",
                           "revision": <revision number>,
                           "short_id": "short id"
                         },
                         "lock_reason": null,
                         "locked_by": null,
                         "locked_date": null,
                         "owner": "owner-name",
                         "permissions": [
                           {
                             "name": "super-admin-name",
                             "origin": "super-admin",
                             "permission": "repository.admin",
                             "type": "user"
                           },
                           {
                             "name": "owner-name",
                             "origin": "owner",
                             "permission": "repository.admin",
                             "type": "user"
                           },
                           {
                             "name": "user-group-name",
                             "origin": "permission",
                             "permission": "repository.write",
                             "type": "user_group"
                           }
                         ],
                         "private": true,
                         "repo_id": 676,
                         "repo_name": "user-group/repo-name",
                         "repo_type": "hg"
                       }
                     }
                 """
                 repo = get_repo_or_error(repoid)
                 cache = Optional.extract(cache)
                 include_secrets = False
                 if has_superadmin_permission(apiuser):
                     include_secrets = True
                 else:
                     # check if we have at least read permission for this repo !
                     _perms = (
                         'repository.admin', 'repository.write', 'repository.read',)
                     validate_repo_permissions(apiuser, repoid, repo, _perms)
                 permissions = []
                 for _user in repo.permissions():
                     user_data = {
                         'name': _user.username,
                         'permission': _user.permission,
                         'origin': get_origin(_user),
                         'type': "user",
                     }
                     permissions.append(user_data)
                 for _user_group in repo.permission_user_groups():
                     user_group_data = {
                         'name': _user_group.users_group_name,
                         'permission': _user_group.permission,
                         'origin': get_origin(_user_group),
                         'type': "user_group",
                     }
                     permissions.append(user_group_data)
                 following_users = [
                     user.user.get_api_data(include_secrets=include_secrets)
                     for user in repo.followers]
                 if not cache:
                     repo.update_commit_cache()
                 data = repo.get_api_data(include_secrets=include_secrets)
                 data['permissions'] = permissions
                 data['followers'] = following_users
                 return data
             @jsonrpc_method()
             def get_repos(request, apiuser, root=Optional(None), traverse=Optional(True)):
                 """
                 Lists all existing repositories.
                 This command can only be run using an |authtoken| with admin rights,
                 or users with at least read rights to |repos|.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param root: specify root repository group to fetch repositories.
                     filters the returned repositories to be members of given root group.
                 :type root: Optional(None)
                 :param traverse: traverse given root into subrepositories. With this flag
                     set to False, it will only return top-level repositories from `root`.
                     if root is empty it will return just top-level repositories.
                 :type traverse: Optional(True)
                 Example output:
                 .. code-block:: bash
                     id : <id_given_in_input>
                     result: [
                               {
                                 "repo_id" :          "<repo_id>",
                                 "repo_name" :        "<reponame>"
                                 "repo_type" :        "<repo_type>",
                                 "clone_uri" :        "<clone_uri>",
                                 "private": :         "<bool>",
                                 "created_on" :       "<datetimecreated>",
                                 "description" :      "<description>",
                                 "landing_rev":       "<landing_rev>",
                                 "owner":             "<repo_owner>",
                                 "fork_of":           "<name_of_fork_parent>",
                                 "enable_downloads":  "<bool>",
                                 "enable_locking":    "<bool>",
                                 "enable_statistics": "<bool>",
                               },
                               ...
                             ]
                     error:  null
                 """
                 include_secrets = has_superadmin_permission(apiuser)
                 _perms = ('repository.read', 'repository.write', 'repository.admin',)
                 extras = {'user': apiuser}
                 root = Optional.extract(root)
                 traverse = Optional.extract(traverse, binary=True)
                 if root:
                     # verify parent existance, if it's empty return an error
                     parent = RepoGroup.get_by_group_name(root)
                     if not parent:
                         raise JSONRPCError(
                             'Root repository group `{}` does not exist'.format(root))
                     if traverse:
                         repos = RepoModel().get_repos_for_root(root=root, traverse=traverse)
                     else:
                         repos = RepoModel().get_repos_for_root(root=parent)
                 else:
                     if traverse:
                         repos = RepoModel().get_all()
                     else:
                         # return just top-level
                         repos = RepoModel().get_repos_for_root(root=None)
                 repo_list = RepoList(repos, perm_set=_perms, extra_kwargs=extras)
                 return [repo.get_api_data(include_secrets=include_secrets)
                         for repo in repo_list]
             @jsonrpc_method()
             def get_repo_changeset(request, apiuser, repoid, revision,
                                    details=Optional('basic')):
                 """
                 Returns information about a changeset.
                 Additionally parameters define the amount of details returned by
                 this function.
                 This command can only be run using an |authtoken| with admin rights,
                 or users with at least read rights to the |repo|.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repoid: The repository name or repository id
                 :type repoid: str or int
                 :param revision: revision for which listing should be done
                 :type revision: str
                 :param details: details can be 'basic|extended|full' full gives diff
                     info details like the diff itself, and number of changed files etc.
                 :type details: Optional(str)
                 """
                 repo = get_repo_or_error(repoid)
                 if not has_superadmin_permission(apiuser):
                     _perms = (
                         'repository.admin', 'repository.write', 'repository.read',)
                     validate_repo_permissions(apiuser, repoid, repo, _perms)
                 changes_details = Optional.extract(details)
                 _changes_details_types = ['basic', 'extended', 'full']
                 if changes_details not in _changes_details_types:
                     raise JSONRPCError(
                         'ret_type must be one of %s' % (
                             ','.join(_changes_details_types)))
                 pre_load = ['author', 'branch', 'date', 'message', 'parents',
                             'status', '_commit', '_file_paths']
                 try:
                     cs = repo.get_commit(commit_id=revision, pre_load=pre_load)
                 except TypeError as e:
                     raise JSONRPCError(e.message)
                 _cs_json = cs.__json__()
                 _cs_json['diff'] = build_commit_data(cs, changes_details)
                 if changes_details == 'full':
                     _cs_json['refs'] = cs._get_refs()
                 return _cs_json
             @jsonrpc_method()
             def get_repo_changesets(request, apiuser, repoid, start_rev, limit,
                                     details=Optional('basic')):
                 """
                 Returns a set of commits limited by the number starting
                 from the `start_rev` option.
                 Additional parameters define the amount of details returned by this
                 function.
                 This command can only be run using an |authtoken| with admin rights,
                 or users with at least read rights to |repos|.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repoid: The repository name or repository ID.
                 :type repoid: str or int
                 :param start_rev: The starting revision from where to get changesets.
                 :type start_rev: str
                 :param limit: Limit the number of commits to this amount
                 :type limit: str or int
                 :param details: Set the level of detail returned. Valid option are:
                     ``basic``, ``extended`` and ``full``.
                 :type details: Optional(str)
                 .. note::
                    Setting the parameter `details` to the value ``full`` is extensive
                    and returns details like the diff itself, and the number
                    of changed files.
                 """
                 repo = get_repo_or_error(repoid)
                 if not has_superadmin_permission(apiuser):
                     _perms = (
                         'repository.admin', 'repository.write', 'repository.read',)
                     validate_repo_permissions(apiuser, repoid, repo, _perms)
                 changes_details = Optional.extract(details)
                 _changes_details_types = ['basic', 'extended', 'full']
                 if changes_details not in _changes_details_types:
                     raise JSONRPCError(
                         'ret_type must be one of %s' % (
                             ','.join(_changes_details_types)))
                 limit = int(limit)
                 pre_load = ['author', 'branch', 'date', 'message', 'parents',
                             'status', '_commit', '_file_paths']
                 vcs_repo = repo.scm_instance()
                 # SVN needs a special case to distinguish its index and commit id
                 if vcs_repo and vcs_repo.alias == 'svn' and (start_rev == '0'):
                     start_rev = vcs_repo.commit_ids[0]
                 try:
                     commits = vcs_repo.get_commits(
                         start_id=start_rev, pre_load=pre_load)
                 except TypeError as e:
                     raise JSONRPCError(e.message)
                 except Exception:
                     log.exception('Fetching of commits failed')
                     raise JSONRPCError('Error occurred during commit fetching')
                 ret = []
                 for cnt, commit in enumerate(commits):
                     if cnt >= limit != -1:
                         break
                     _cs_json = commit.__json__()
                     _cs_json['diff'] = build_commit_data(commit, changes_details)
                     if changes_details == 'full':
                         _cs_json['refs'] = {
                             'branches': [commit.branch],
                             'bookmarks': getattr(commit, 'bookmarks', []),
                             'tags': commit.tags
                         }
                     ret.append(_cs_json)
                 return ret
             @jsonrpc_method()
             def get_repo_nodes(request, apiuser, repoid, revision, root_path,
                                ret_type=Optional('all'), details=Optional('basic'),
                                max_file_bytes=Optional(None)):
                 """
                 Returns a list of nodes and children in a flat list for a given
                 path at given revision.
                 It's possible to specify ret_type to show only `files` or `dirs`.
                 This command can only be run using an |authtoken| with admin rights,
                 or users with at least read rights to |repos|.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repoid: The repository name or repository ID.
                 :type repoid: str or int
                 :param revision: The revision for which listing should be done.
                 :type revision: str
                 :param root_path: The path from which to start displaying.
                 :type root_path: str
                 :param ret_type: Set the return type. Valid options are
                     ``all`` (default), ``files`` and ``dirs``.
                 :type ret_type: Optional(str)
                 :param details: Returns extended information about nodes, such as
                     md5, binary, and or content.  The valid options are ``basic`` and
                     ``full``.
                 :type details: Optional(str)
                 :param max_file_bytes: Only return file content under this file size bytes
                 :type details: Optional(int)
                 Example output:
                 .. code-block:: bash
                     id : <id_given_in_input>
                     result: [
                               {
                                 "name" : "<name>"
                                 "type" : "<type>",
                                 "binary": "<true|false>" (only in extended mode)
                                 "md5"  : "<md5 of file content>" (only in extended mode)
                               },
                               ...
                             ]
                     error:  null
                 """
                 repo = get_repo_or_error(repoid)
                 if not has_superadmin_permission(apiuser):
                     _perms = (
                         'repository.admin', 'repository.write', 'repository.read',)
                     validate_repo_permissions(apiuser, repoid, repo, _perms)
                 ret_type = Optional.extract(ret_type)
                 details = Optional.extract(details)
                 _extended_types = ['basic', 'full']
                 if details not in _extended_types:
                     raise JSONRPCError(
                         'ret_type must be one of %s' % (','.join(_extended_types)))
                 extended_info = False
                 content = False
                 if details == 'basic':
                     extended_info = True
                 if details == 'full':
                     extended_info = content = True
                 _map = {}
                 try:
                     # check if repo is not empty by any chance, skip quicker if it is.
                     _scm = repo.scm_instance()
                     if _scm.is_empty():
                         return []
                     _d, _f = ScmModel().get_nodes(
                         repo, revision, root_path, flat=False,
                         extended_info=extended_info, content=content,
                         max_file_bytes=max_file_bytes)
                     _map = {
                         'all': _d + _f,
                         'files': _f,
                         'dirs': _d,
                     }
                     return _map[ret_type]
                 except KeyError:
                     raise JSONRPCError(
                         'ret_type must be one of %s' % (','.join(sorted(_map.keys()))))
                 except Exception:
                     log.exception("Exception occurred while trying to get repo nodes")
                     raise JSONRPCError(
                         'failed to get repo: `%s` nodes' % repo.repo_name
                     )
             @jsonrpc_method()
             def get_repo_refs(request, apiuser, repoid):
                 """
                 Returns a dictionary of current references. It returns
                 bookmarks, branches, closed_branches, and tags for given repository
                 It's possible to specify ret_type to show only `files` or `dirs`.
                 This command can only be run using an |authtoken| with admin rights,
                 or users with at least read rights to |repos|.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repoid: The repository name or repository ID.
                 :type repoid: str or int
                 Example output:
                 .. code-block:: bash
                     id : <id_given_in_input>
                     "result": {
                         "bookmarks": {
                           "dev": "5611d30200f4040ba2ab4f3d64e5b06408a02188",
                           "master": "367f590445081d8ec8c2ea0456e73ae1f1c3d6cf"
                         },
                         "branches": {
                           "default": "5611d30200f4040ba2ab4f3d64e5b06408a02188",
                           "stable": "367f590445081d8ec8c2ea0456e73ae1f1c3d6cf"
                         },
                         "branches_closed": {},
                         "tags": {
                           "tip": "5611d30200f4040ba2ab4f3d64e5b06408a02188",
                           "v4.4.0": "1232313f9e6adac5ce5399c2a891dc1e72b79022",
                           "v4.4.1": "cbb9f1d329ae5768379cdec55a62ebdd546c4e27",
                           "v4.4.2": "24ffe44a27fcd1c5b6936144e176b9f6dd2f3a17",
                         }
                     }
                     error:  null
                 """
                 repo = get_repo_or_error(repoid)
                 if not has_superadmin_permission(apiuser):
                     _perms = ('repository.admin', 'repository.write', 'repository.read',)
                     validate_repo_permissions(apiuser, repoid, repo, _perms)
                 try:
                     # check if repo is not empty by any chance, skip quicker if it is.
                     vcs_instance = repo.scm_instance()
                     refs = vcs_instance.refs()
                     return refs
                 except Exception:
                     log.exception("Exception occurred while trying to get repo refs")
                     raise JSONRPCError(
                         'failed to get repo: `%s` references' % repo.repo_name
                     )
             @jsonrpc_method()
             def create_repo(
                     request, apiuser, repo_name, repo_type,
                     owner=Optional(OAttr('apiuser')),
                     description=Optional(''),
                     private=Optional(False),
                     clone_uri=Optional(None),
                     landing_rev=Optional('rev:tip'),
                     enable_statistics=Optional(False),
                     enable_locking=Optional(False),
                     enable_downloads=Optional(False),
                     copy_permissions=Optional(False)):
                 """
                 Creates a repository.
                 * If the repository name contains "/", repository will be created inside
                   a repository group or nested repository groups
                   For example "foo/bar/repo1" will create |repo| called "repo1" inside
                   group "foo/bar". You have to have permissions to access and write to
                   the last repository group ("bar" in this example)
                 This command can only be run using an |authtoken| with at least
                 permissions to create repositories, or write permissions to
                 parent repository groups.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repo_name: Set the repository name.
                 :type repo_name: str
                 :param repo_type: Set the repository type; 'hg','git', or 'svn'.
                 :type repo_type: str
                 :param owner: user_id or username
                 :type owner: Optional(str)
                 :param description: Set the repository description.
                 :type description: Optional(str)
                 :param private: set repository as private
                 :type private: bool
                 :param clone_uri: set clone_uri
                 :type clone_uri: str
                 :param landing_rev: <rev_type>:<rev>
                 :type landing_rev: str
                 :param enable_locking:
                 :type enable_locking: bool
                 :param enable_downloads:
                 :type enable_downloads: bool
                 :param enable_statistics:
                 :type enable_statistics: bool
                 :param copy_permissions: Copy permission from group in which the
                     repository is being created.
                 :type copy_permissions: bool
                 Example output:
                 .. code-block:: bash
                     id : <id_given_in_input>
                     result: {
                               "msg": "Created new repository `<reponame>`",
                               "success": true,
                               "task": "<celery task id or None if done sync>"
                             }
                     error:  null
                 Example error output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : null
                   error :  {
                      'failed to create repository `<repo_name>`'
                   }
                 """
                 owner = validate_set_owner_permissions(apiuser, owner)
                 description = Optional.extract(description)
                 copy_permissions = Optional.extract(copy_permissions)
                 clone_uri = Optional.extract(clone_uri)
                 landing_commit_ref = Optional.extract(landing_rev)
                 defs = SettingsModel().get_default_repo_settings(strip_prefix=True)
                 if isinstance(private, Optional):
                     private = defs.get('repo_private') or Optional.extract(private)
                 if isinstance(repo_type, Optional):
                     repo_type = defs.get('repo_type')
                 if isinstance(enable_statistics, Optional):
                     enable_statistics = defs.get('repo_enable_statistics')
                 if isinstance(enable_locking, Optional):
                     enable_locking = defs.get('repo_enable_locking')
                 if isinstance(enable_downloads, Optional):
                     enable_downloads = defs.get('repo_enable_downloads')
                 schema = repo_schema.RepoSchema().bind(
                     repo_type_options=rhodecode.BACKENDS.keys(),
+                    repo_type=repo_type,
                     # user caller
                     user=apiuser)
                 try:
                     schema_data = schema.deserialize(dict(
                         repo_name=repo_name,
                         repo_type=repo_type,
                         repo_owner=owner.username,
                         repo_description=description,
                         repo_landing_commit_ref=landing_commit_ref,
                         repo_clone_uri=clone_uri,
                         repo_private=private,
                         repo_copy_permissions=copy_permissions,
                         repo_enable_statistics=enable_statistics,
                         repo_enable_downloads=enable_downloads,
                         repo_enable_locking=enable_locking))
                 except validation_schema.Invalid as err:
                     raise JSONRPCValidationError(colander_exc=err)
                 try:
                     data = {
                         'owner': owner,
                         'repo_name': schema_data['repo_group']['repo_name_without_group'],
                         'repo_name_full': schema_data['repo_name'],
                         'repo_group': schema_data['repo_group']['repo_group_id'],
                         'repo_type': schema_data['repo_type'],
                         'repo_description': schema_data['repo_description'],
                         'repo_private': schema_data['repo_private'],
                         'clone_uri': schema_data['repo_clone_uri'],
                         'repo_landing_rev': schema_data['repo_landing_commit_ref'],
                         'enable_statistics': schema_data['repo_enable_statistics'],
                         'enable_locking': schema_data['repo_enable_locking'],
                         'enable_downloads': schema_data['repo_enable_downloads'],
                         'repo_copy_permissions': schema_data['repo_copy_permissions'],
                     }
                     task = RepoModel().create(form_data=data, cur_user=owner)
                     task_id = get_task_id(task)
                     # no commit, it's done in RepoModel, or async via celery
                     return {
                         'msg': "Created new repository `%s`" % (schema_data['repo_name'],),
                         'success': True,  # cannot return the repo data here since fork
                         # can be done async
                         'task': task_id
                     }
                 except Exception:
                     log.exception(
                         u"Exception while trying to create the repository %s",
                         schema_data['repo_name'])
                     raise JSONRPCError(
                         'failed to create repository `%s`' % (schema_data['repo_name'],))
             @jsonrpc_method()
             def add_field_to_repo(request, apiuser, repoid, key, label=Optional(''),
                                   description=Optional('')):
                 """
                 Adds an extra field to a repository.
                 This command can only be run using an |authtoken| with at least
                 write permissions to the |repo|.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repoid: Set the repository name or repository id.
                 :type repoid: str or int
                 :param key: Create a unique field key for this repository.
                 :type key: str
                 :param label:
                 :type label: Optional(str)
                 :param description:
                 :type description: Optional(str)
                 """
                 repo = get_repo_or_error(repoid)
                 if not has_superadmin_permission(apiuser):
                     _perms = ('repository.admin',)
                     validate_repo_permissions(apiuser, repoid, repo, _perms)
                 label = Optional.extract(label) or key
                 description = Optional.extract(description)
                 field = RepositoryField.get_by_key_name(key, repo)
                 if field:
                     raise JSONRPCError('Field with key '
                                        '`%s` exists for repo `%s`' % (key, repoid))
                 try:
                     RepoModel().add_repo_field(repo, key, field_label=label,
                                                field_desc=description)
                     Session().commit()
                     return {
                         'msg': "Added new repository field `%s`" % (key,),
                         'success': True,
                     }
                 except Exception:
                     log.exception("Exception occurred while trying to add field to repo")
                     raise JSONRPCError(
                         'failed to create new field for repository `%s`' % (repoid,))
             @jsonrpc_method()
             def remove_field_from_repo(request, apiuser, repoid, key):
                 """
                 Removes an extra field from a repository.
                 This command can only be run using an |authtoken| with at least
                 write permissions to the |repo|.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repoid: Set the repository name or repository ID.
                 :type repoid: str or int
                 :param key: Set the unique field key for this repository.
                 :type key: str
                 """
                 repo = get_repo_or_error(repoid)
                 if not has_superadmin_permission(apiuser):
                     _perms = ('repository.admin',)
                     validate_repo_permissions(apiuser, repoid, repo, _perms)
                 field = RepositoryField.get_by_key_name(key, repo)
                 if not field:
                     raise JSONRPCError('Field with key `%s` does not '
                                        'exists for repo `%s`' % (key, repoid))
                 try:
                     RepoModel().delete_repo_field(repo, field_key=key)
                     Session().commit()
                     return {
                         'msg': "Deleted repository field `%s`" % (key,),
                         'success': True,
                     }
                 except Exception:
                     log.exception(
                         "Exception occurred while trying to delete field from repo")
                     raise JSONRPCError(
                         'failed to delete field for repository `%s`' % (repoid,))
             @jsonrpc_method()
             def update_repo(
                     request, apiuser, repoid, repo_name=Optional(None),
                     owner=Optional(OAttr('apiuser')), description=Optional(''),
                     private=Optional(False), clone_uri=Optional(None),
                     landing_rev=Optional('rev:tip'), fork_of=Optional(None),
                     enable_statistics=Optional(False),
                     enable_locking=Optional(False),
                     enable_downloads=Optional(False), fields=Optional('')):
                 """
                 Updates a repository with the given information.
                 This command can only be run using an |authtoken| with at least
                 admin permissions to the |repo|.
                 * If the repository name contains "/", repository will be updated
                   accordingly with a repository group or nested repository groups
                   For example repoid=repo-test name="foo/bar/repo-test" will update |repo|
                   called "repo-test" and place it inside group "foo/bar".
                   You have to have permissions to access and write to the last repository
                   group ("bar" in this example)
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repoid: repository name or repository ID.
                 :type repoid: str or int
                 :param repo_name: Update the |repo| name, including the
                     repository group it's in.
                 :type repo_name: str
                 :param owner: Set the |repo| owner.
                 :type owner: str
                 :param fork_of: Set the |repo| as fork of another |repo|.
                 :type fork_of: str
                 :param description: Update the |repo| description.
                 :type description: str
                 :param private: Set the |repo| as private. (True | False)
                 :type private: bool
                 :param clone_uri: Update the |repo| clone URI.
                 :type clone_uri: str
                 :param landing_rev: Set the |repo| landing revision. Default is ``rev:tip``.
                 :type landing_rev: str
                 :param enable_statistics: Enable statistics on the |repo|, (True | False).
                 :type enable_statistics: bool
                 :param enable_locking: Enable |repo| locking.
                 :type enable_locking: bool
                 :param enable_downloads: Enable downloads from the |repo|, (True | False).
                 :type enable_downloads: bool
                 :param fields: Add extra fields to the |repo|. Use the following
                     example format: ``field_key=field_val,field_key2=fieldval2``.
                     Escape ', ' with \,
                 :type fields: str
                 """
                 repo = get_repo_or_error(repoid)
                 include_secrets = False
                 if not has_superadmin_permission(apiuser):
                     validate_repo_permissions(apiuser, repoid, repo, ('repository.admin',))
                 else:
                     include_secrets = True
                 updates = dict(
                     repo_name=repo_name
                     if not isinstance(repo_name, Optional) else repo.repo_name,
                     fork_id=fork_of
                     if not isinstance(fork_of, Optional) else repo.fork.repo_name if repo.fork else None,
                     user=owner
                     if not isinstance(owner, Optional) else repo.user.username,
                     repo_description=description
                     if not isinstance(description, Optional) else repo.description,
                     repo_private=private
                     if not isinstance(private, Optional) else repo.private,
                     clone_uri=clone_uri
                     if not isinstance(clone_uri, Optional) else repo.clone_uri,
                     repo_landing_rev=landing_rev
                     if not isinstance(landing_rev, Optional) else repo._landing_revision,
                     repo_enable_statistics=enable_statistics
                     if not isinstance(enable_statistics, Optional) else repo.enable_statistics,
                     repo_enable_locking=enable_locking
                     if not isinstance(enable_locking, Optional) else repo.enable_locking,
                     repo_enable_downloads=enable_downloads
                     if not isinstance(enable_downloads, Optional) else repo.enable_downloads)
                 ref_choices, _labels = ScmModel().get_repo_landing_revs(
                     request.translate, repo=repo)
                 old_values = repo.get_api_data()
+                repo_type = repo.repo_type
                 schema = repo_schema.RepoSchema().bind(
                     repo_type_options=rhodecode.BACKENDS.keys(),
                     repo_ref_options=ref_choices,
+                    repo_type=repo_type,
                     # user caller
                     user=apiuser,
                     old_values=old_values)
                 try:
                     schema_data = schema.deserialize(dict(
                         # we save old value, users cannot change type
-                        repo_type=repo.repo_type,
+                        repo_type=repo_type,
                         repo_name=updates['repo_name'],
                         repo_owner=updates['user'],
                         repo_description=updates['repo_description'],
                         repo_clone_uri=updates['clone_uri'],
                         repo_fork_of=updates['fork_id'],
                         repo_private=updates['repo_private'],
                         repo_landing_commit_ref=updates['repo_landing_rev'],
                         repo_enable_statistics=updates['repo_enable_statistics'],
                         repo_enable_downloads=updates['repo_enable_downloads'],
                         repo_enable_locking=updates['repo_enable_locking']))
                 except validation_schema.Invalid as err:
                     raise JSONRPCValidationError(colander_exc=err)
                 # save validated data back into the updates dict
                 validated_updates = dict(
                     repo_name=schema_data['repo_group']['repo_name_without_group'],
                     repo_group=schema_data['repo_group']['repo_group_id'],
                     user=schema_data['repo_owner'],
                     repo_description=schema_data['repo_description'],
                     repo_private=schema_data['repo_private'],
                     clone_uri=schema_data['repo_clone_uri'],
                     repo_landing_rev=schema_data['repo_landing_commit_ref'],
                     repo_enable_statistics=schema_data['repo_enable_statistics'],
                     repo_enable_locking=schema_data['repo_enable_locking'],
                     repo_enable_downloads=schema_data['repo_enable_downloads'],
                 )
                 if schema_data['repo_fork_of']:
                     fork_repo = get_repo_or_error(schema_data['repo_fork_of'])
                     validated_updates['fork_id'] = fork_repo.repo_id
                 # extra fields
                 fields = parse_args(Optional.extract(fields), key_prefix='ex_')
                 if fields:
                     validated_updates.update(fields)
                 try:
                     RepoModel().update(repo, **validated_updates)
                     audit_logger.store_api(
                         'repo.edit', action_data={'old_data': old_values},
                         user=apiuser, repo=repo)
                     Session().commit()
                     return {
                         'msg': 'updated repo ID:%s %s' % (repo.repo_id, repo.repo_name),
                         'repository': repo.get_api_data(include_secrets=include_secrets)
                     }
                 except Exception:
                     log.exception(
                         u"Exception while trying to update the repository %s",
                         repoid)
                     raise JSONRPCError('failed to update repo `%s`' % repoid)
             @jsonrpc_method()
             def fork_repo(request, apiuser, repoid, fork_name,
                           owner=Optional(OAttr('apiuser')),
                           description=Optional(''),
                           private=Optional(False),
                           clone_uri=Optional(None),
                           landing_rev=Optional('rev:tip'),
                           copy_permissions=Optional(False)):
                 """
                 Creates a fork of the specified |repo|.
                 * If the fork_name contains "/", fork will be created inside
                   a repository group or nested repository groups
                   For example "foo/bar/fork-repo" will create fork called "fork-repo"
                   inside group "foo/bar". You have to have permissions to access and
                   write to the last repository group ("bar" in this example)
                 This command can only be run using an |authtoken| with minimum
                 read permissions of the forked repo, create fork permissions for an user.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repoid: Set repository name or repository ID.
                 :type repoid: str or int
                 :param fork_name: Set the fork name, including it's repository group membership.
                 :type fork_name: str
                 :param owner: Set the fork owner.
                 :type owner: str
                 :param description: Set the fork description.
                 :type description: str
                 :param copy_permissions: Copy permissions from parent |repo|. The
                     default is False.
                 :type copy_permissions: bool
                 :param private: Make the fork private. The default is False.
                 :type private: bool
                 :param landing_rev: Set the landing revision. The default is tip.
                 Example output:
                 .. code-block:: bash
                     id : <id_for_response>
                     api_key : "<api_key>"
                     args:     {
                                 "repoid" :          "<reponame or repo_id>",
                                 "fork_name":        "<forkname>",
                                 "owner":            "<username or user_id = Optional(=apiuser)>",
                                 "description":      "<description>",
                                 "copy_permissions": "<bool>",
                                 "private":          "<bool>",
                                 "landing_rev":      "<landing_rev>"
                               }
                 Example error output:
                 .. code-block:: bash
                     id : <id_given_in_input>
                     result: {
                               "msg": "Created fork of `<reponame>` as `<forkname>`",
                               "success": true,
                               "task": "<celery task id or None if done sync>"
                             }
                     error:  null
                 """
                 repo = get_repo_or_error(repoid)
                 repo_name = repo.repo_name
                 if not has_superadmin_permission(apiuser):
                     # check if we have at least read permission for
                     # this repo that we fork !
                     _perms = (
                         'repository.admin', 'repository.write', 'repository.read')
                     validate_repo_permissions(apiuser, repoid, repo, _perms)
                     # check if the regular user has at least fork permissions as well
                     if not HasPermissionAnyApi('hg.fork.repository')(user=apiuser):
                         raise JSONRPCForbidden()
                 # check if user can set owner parameter
                 owner = validate_set_owner_permissions(apiuser, owner)
                 description = Optional.extract(description)
                 copy_permissions = Optional.extract(copy_permissions)
                 clone_uri = Optional.extract(clone_uri)
                 landing_commit_ref = Optional.extract(landing_rev)
                 private = Optional.extract(private)
                 schema = repo_schema.RepoSchema().bind(
                     repo_type_options=rhodecode.BACKENDS.keys(),
+                    repo_type=repo.repo_type,
                     # user caller
                     user=apiuser)
                 try:
                     schema_data = schema.deserialize(dict(
                         repo_name=fork_name,
                         repo_type=repo.repo_type,
                         repo_owner=owner.username,
                         repo_description=description,
                         repo_landing_commit_ref=landing_commit_ref,
                         repo_clone_uri=clone_uri,
                         repo_private=private,
                         repo_copy_permissions=copy_permissions))
                 except validation_schema.Invalid as err:
                     raise JSONRPCValidationError(colander_exc=err)
                 try:
                     data = {
                         'fork_parent_id': repo.repo_id,
                         'repo_name': schema_data['repo_group']['repo_name_without_group'],
                         'repo_name_full': schema_data['repo_name'],
                         'repo_group': schema_data['repo_group']['repo_group_id'],
                         'repo_type': schema_data['repo_type'],
                         'description': schema_data['repo_description'],
                         'private': schema_data['repo_private'],
                         'copy_permissions': schema_data['repo_copy_permissions'],
                         'landing_rev': schema_data['repo_landing_commit_ref'],
                     }
                     task = RepoModel().create_fork(data, cur_user=owner)
                     # no commit, it's done in RepoModel, or async via celery
                     task_id = get_task_id(task)
                     return {
                         'msg': 'Created fork of `%s` as `%s`' % (
                             repo.repo_name, schema_data['repo_name']),
                         'success': True,  # cannot return the repo data here since fork
                         # can be done async
                         'task': task_id
                     }
                 except Exception:
                     log.exception(
                         u"Exception while trying to create fork %s",
                         schema_data['repo_name'])
                     raise JSONRPCError(
                         'failed to fork repository `%s` as `%s`' % (
                             repo_name, schema_data['repo_name']))
             @jsonrpc_method()
             def delete_repo(request, apiuser, repoid, forks=Optional('')):
                 """
                 Deletes a repository.
                 * When the `forks` parameter is set it's possible to detach or delete
                   forks of deleted repository.
                 This command can only be run using an |authtoken| with admin
                 permissions on the |repo|.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repoid: Set the repository name or repository ID.
                 :type repoid: str or int
                 :param forks: Set to `detach` or `delete` forks from the |repo|.
                 :type forks: Optional(str)
                 Example error output:
                 .. code-block:: bash
                     id : <id_given_in_input>
                     result: {
                               "msg": "Deleted repository `<reponame>`",
                               "success": true
                             }
                     error:  null
                 """
                 repo = get_repo_or_error(repoid)
                 repo_name = repo.repo_name
                 if not has_superadmin_permission(apiuser):
                     _perms = ('repository.admin',)
                     validate_repo_permissions(apiuser, repoid, repo, _perms)
                 try:
                     handle_forks = Optional.extract(forks)
                     _forks_msg = ''
                     _forks = [f for f in repo.forks]
                     if handle_forks == 'detach':
                         _forks_msg = ' ' + 'Detached %s forks' % len(_forks)
                     elif handle_forks == 'delete':
                         _forks_msg = ' ' + 'Deleted %s forks' % len(_forks)
                     elif _forks:
                         raise JSONRPCError(
                             'Cannot delete `%s` it still contains attached forks' %
                             (repo.repo_name,)
                         )
                     old_data = repo.get_api_data()
                     RepoModel().delete(repo, forks=forks)
                     repo = audit_logger.RepoWrap(repo_id=None,
                                                  repo_name=repo.repo_name)
                     audit_logger.store_api(
                         'repo.delete', action_data={'old_data': old_data},
                         user=apiuser, repo=repo)
                     ScmModel().mark_for_invalidation(repo_name, delete=True)
                     Session().commit()
                     return {
                         'msg': 'Deleted repository `%s`%s' % (repo_name, _forks_msg),
                         'success': True
                     }
                 except Exception:
                     log.exception("Exception occurred while trying to delete repo")
                     raise JSONRPCError(
                         'failed to delete repository `%s`' % (repo_name,)
                     )
             #TODO: marcink, change name ?
             @jsonrpc_method()
             def invalidate_cache(request, apiuser, repoid, delete_keys=Optional(False)):
                 """
                 Invalidates the cache for the specified repository.
                 This command can only be run using an |authtoken| with admin rights to
                 the specified repository.
                 This command takes the following options:
                 :param apiuser: This is filled automatically from |authtoken|.
                 :type apiuser: AuthUser
                 :param repoid: Sets the repository name or repository ID.
                 :type repoid: str or int
                 :param delete_keys: This deletes the invalidated keys instead of
                     just flagging them.
                 :type delete_keys: Optional(``True`` | ``False``)
                 Example output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : {
                     'msg': Cache for repository `<repository name>` was invalidated,
                     'repository': <repository name>
                   }
                   error :  null
                 Example error output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : null
                   error : {
                      'Error occurred during cache invalidation action'
                   }
                 """
                 repo = get_repo_or_error(repoid)
                 if not has_superadmin_permission(apiuser):
                     _perms = ('repository.admin', 'repository.write',)
                     validate_repo_permissions(apiuser, repoid, repo, _perms)
                 delete = Optional.extract(delete_keys)
                 try:
                     ScmModel().mark_for_invalidation(repo.repo_name, delete=delete)
                     return {
                         'msg': 'Cache for repository `%s` was invalidated' % (repoid,),
                         'repository': repo.repo_name
                     }
                 except Exception:
                     log.exception(
                         "Exception occurred while trying to invalidate repo cache")
                     raise JSONRPCError(
                         'Error occurred during cache invalidation action'
                     )
             #TODO: marcink, change name ?
             @jsonrpc_method()
             def lock(request, apiuser, repoid, locked=Optional(None),
                      userid=Optional(OAttr('apiuser'))):
                 """
                 Sets the lock state of the specified |repo| by the given user.
                 From more information, see :ref:`repo-locking`.
                 * If the ``userid`` option is not set, the repository is locked to the
                   user who called the method.
                 * If the ``locked`` parameter is not set, the current lock state of the
                   repository is displayed.
                 This command can only be run using an |authtoken| with admin rights to
                 the specified repository.
                 This command takes the following options:
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repoid: Sets the repository name or repository ID.
                 :type repoid: str or int
                 :param locked: Sets the lock state.
                 :type locked: Optional(``True`` | ``False``)
                 :param userid: Set the repository lock to this user.
                 :type userid: Optional(str or int)
                 Example error output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : {
                     'repo': '<reponame>',
                     'locked': <bool: lock state>,
                     'locked_since': <int: lock timestamp>,
                     'locked_by': <username of person who made the lock>,
                     'lock_reason': <str: reason for locking>,
                     'lock_state_changed': <bool: True if lock state has been changed in this request>,
                     'msg': 'Repo `<reponame>` locked by `<username>` on <timestamp>.'
                     or
                     'msg': 'Repo `<repository name>` not locked.'
                     or
                     'msg': 'User `<user name>` set lock state for repo `<repository name>` to `<new lock state>`'
                   }
                   error :  null
                 Example error output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : null
                   error :  {
                     'Error occurred locking repository `<reponame>`'
                   }
                 """
                 repo = get_repo_or_error(repoid)
                 if not has_superadmin_permission(apiuser):
                     # check if we have at least write permission for this repo !
                     _perms = ('repository.admin', 'repository.write',)
                     validate_repo_permissions(apiuser, repoid, repo, _perms)
                     # make sure normal user does not pass someone else userid,
                     # he is not allowed to do that
                     if not isinstance(userid, Optional) and userid != apiuser.user_id:
                         raise JSONRPCError('userid is not the same as your user')
                 if isinstance(userid, Optional):
                     userid = apiuser.user_id
                 user = get_user_or_error(userid)
                 if isinstance(locked, Optional):
                     lockobj = repo.locked
                     if lockobj[0] is None:
                         _d = {
                             'repo': repo.repo_name,
                             'locked': False,
                             'locked_since': None,
                             'locked_by': None,
                             'lock_reason': None,
                             'lock_state_changed': False,
                             'msg': 'Repo `%s` not locked.' % repo.repo_name
                         }
                         return _d
                     else:
                         _user_id, _time, _reason = lockobj
                         lock_user = get_user_or_error(userid)
                         _d = {
                             'repo': repo.repo_name,
                             'locked': True,
                             'locked_since': _time,
                             'locked_by': lock_user.username,
                             'lock_reason': _reason,
                             'lock_state_changed': False,
                             'msg': ('Repo `%s` locked by `%s` on `%s`.'
                                     % (repo.repo_name, lock_user.username,
                                        json.dumps(time_to_datetime(_time))))
                         }
                         return _d
                 # force locked state through a flag
                 else:
                     locked = str2bool(locked)
                     lock_reason = Repository.LOCK_API
                     try:
                         if locked:
                             lock_time = time.time()
                             Repository.lock(repo, user.user_id, lock_time, lock_reason)
                         else:
                             lock_time = None
                             Repository.unlock(repo)
                         _d = {
                             'repo': repo.repo_name,
                             'locked': locked,
                             'locked_since': lock_time,
                             'locked_by': user.username,
                             'lock_reason': lock_reason,
                             'lock_state_changed': True,
                             'msg': ('User `%s` set lock state for repo `%s` to `%s`'
                                     % (user.username, repo.repo_name, locked))
                         }
                         return _d
                     except Exception:
                         log.exception(
                             "Exception occurred while trying to lock repository")
                         raise JSONRPCError(
                             'Error occurred locking repository `%s`' % repo.repo_name
                         )
             @jsonrpc_method()
             def comment_commit(
                     request, apiuser, repoid, commit_id, message, status=Optional(None),
                     comment_type=Optional(ChangesetComment.COMMENT_TYPE_NOTE),
                     resolves_comment_id=Optional(None),
                     userid=Optional(OAttr('apiuser'))):
                 """
                 Set a commit comment, and optionally change the status of the commit.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repoid: Set the repository name or repository ID.
                 :type repoid: str or int
                 :param commit_id: Specify the commit_id for which to set a comment.
                 :type commit_id: str
                 :param message: The comment text.
                 :type message: str
                 :param status: (**Optional**) status of commit, one of: 'not_reviewed',
                     'approved', 'rejected', 'under_review'
                 :type status: str
                 :param comment_type: Comment type, one of: 'note', 'todo'
                 :type comment_type: Optional(str), default: 'note'
                 :param userid: Set the user name of the comment creator.
                 :type userid: Optional(str or int)
                 Example error output:
                 .. code-block:: bash
                     {
                         "id" : <id_given_in_input>,
                         "result" : {
                             "msg": "Commented on commit `<commit_id>` for repository `<repoid>`",
                             "status_change": null or <status>,
                             "success": true
                         },
                         "error" :  null
                     }
                 """
                 repo = get_repo_or_error(repoid)
                 if not has_superadmin_permission(apiuser):
                     _perms = ('repository.read', 'repository.write', 'repository.admin')
                     validate_repo_permissions(apiuser, repoid, repo, _perms)
                 try:
                     commit_id = repo.scm_instance().get_commit(commit_id=commit_id).raw_id
                 except Exception as e:
                     log.exception('Failed to fetch commit')
                     raise JSONRPCError(e.message)
                 if isinstance(userid, Optional):
                     userid = apiuser.user_id
                 user = get_user_or_error(userid)
                 status = Optional.extract(status)
                 comment_type = Optional.extract(comment_type)
                 resolves_comment_id = Optional.extract(resolves_comment_id)
                 allowed_statuses = [x[0] for x in ChangesetStatus.STATUSES]
                 if status and status not in allowed_statuses:
                     raise JSONRPCError('Bad status, must be on '
                                        'of %s got %s' % (allowed_statuses, status,))
                 if resolves_comment_id:
                     comment = ChangesetComment.get(resolves_comment_id)
                     if not comment:
                         raise JSONRPCError(
                             'Invalid resolves_comment_id `%s` for this commit.'
                             % resolves_comment_id)
                     if comment.comment_type != ChangesetComment.COMMENT_TYPE_TODO:
                         raise JSONRPCError(
                             'Comment `%s` is wrong type for setting status to resolved.'
                             % resolves_comment_id)
                 try:
                     rc_config = SettingsModel().get_all_settings()
                     renderer = rc_config.get('rhodecode_markup_renderer', 'rst')
                     status_change_label = ChangesetStatus.get_status_lbl(status)
                     comment = CommentsModel().create(
                         message, repo, user, commit_id=commit_id,
                         status_change=status_change_label,
                         status_change_type=status,
                         renderer=renderer,
                         comment_type=comment_type,
                         resolves_comment_id=resolves_comment_id
                     )
                     if status:
                         # also do a status change
                         try:
                             ChangesetStatusModel().set_status(
                                 repo, status, user, comment, revision=commit_id,
                                 dont_allow_on_closed_pull_request=True
                             )
                         except StatusChangeOnClosedPullRequestError:
                             log.exception(
                                 "Exception occurred while trying to change repo commit status")
                             msg = ('Changing status on a changeset associated with '
                                    'a closed pull request is not allowed')
                             raise JSONRPCError(msg)
                     Session().commit()
                     return {
                         'msg': (
                             'Commented on commit `%s` for repository `%s`' % (
                                 comment.revision, repo.repo_name)),
                         'status_change': status,
                         'success': True,
                     }
                 except JSONRPCError:
                     # catch any inside errors, and re-raise them to prevent from
                     # below global catch to silence them
                     raise
                 except Exception:
                     log.exception("Exception occurred while trying to comment on commit")
                     raise JSONRPCError(
                         'failed to set comment on repository `%s`' % (repo.repo_name,)
                     )
             @jsonrpc_method()
             def grant_user_permission(request, apiuser, repoid, userid, perm):
                 """
                 Grant permissions for the specified user on the given repository,
                 or update existing permissions if found.
                 This command can only be run using an |authtoken| with admin
                 permissions on the |repo|.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repoid: Set the repository name or repository ID.
                 :type repoid: str or int
                 :param userid: Set the user name.
                 :type userid: str
                 :param perm: Set the user permissions, using the following format
                     ``(repository.(none|read|write|admin))``
                 :type perm: str
                 Example output:
                 .. code-block:: bash
                     id : <id_given_in_input>
                     result: {
                               "msg" : "Granted perm: `<perm>` for user: `<username>` in repo: `<reponame>`",
                               "success": true
                             }
                     error:  null
                 """
                 repo = get_repo_or_error(repoid)
                 user = get_user_or_error(userid)
                 perm = get_perm_or_error(perm)
                 if not has_superadmin_permission(apiuser):
                     _perms = ('repository.admin',)
                     validate_repo_permissions(apiuser, repoid, repo, _perms)
                 try:
                     RepoModel().grant_user_permission(repo=repo, user=user, perm=perm)
                     Session().commit()
                     return {
                         'msg': 'Granted perm: `%s` for user: `%s` in repo: `%s`' % (
                             perm.permission_name, user.username, repo.repo_name
                         ),
                         'success': True
                     }
                 except Exception:
                     log.exception(
                         "Exception occurred while trying edit permissions for repo")
                     raise JSONRPCError(
                         'failed to edit permission for user: `%s` in repo: `%s`' % (
                             userid, repoid
                         )
                     )
             @jsonrpc_method()
             def revoke_user_permission(request, apiuser, repoid, userid):
                 """
                 Revoke permission for a user on the specified repository.
                 This command can only be run using an |authtoken| with admin
                 permissions on the |repo|.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repoid: Set the repository name or repository ID.
                 :type repoid: str or int
                 :param userid: Set the user name of revoked user.
                 :type userid: str or int
                 Example error output:
                 .. code-block:: bash
                     id : <id_given_in_input>
                     result: {
                               "msg" : "Revoked perm for user: `<username>` in repo: `<reponame>`",
                               "success": true
                             }
                     error:  null
                 """
                 repo = get_repo_or_error(repoid)
                 user = get_user_or_error(userid)
                 if not has_superadmin_permission(apiuser):
                     _perms = ('repository.admin',)
                     validate_repo_permissions(apiuser, repoid, repo, _perms)
                 try:
                     RepoModel().revoke_user_permission(repo=repo, user=user)
                     Session().commit()
                     return {
                         'msg': 'Revoked perm for user: `%s` in repo: `%s`' % (
                             user.username, repo.repo_name
                         ),
                         'success': True
                     }
                 except Exception:
                     log.exception(
                         "Exception occurred while trying revoke permissions to repo")
                     raise JSONRPCError(
                         'failed to edit permission for user: `%s` in repo: `%s`' % (
                             userid, repoid
                         )
                     )
             @jsonrpc_method()
             def grant_user_group_permission(request, apiuser, repoid, usergroupid, perm):
                 """
                 Grant permission for a user group on the specified repository,
                 or update existing permissions.
                 This command can only be run using an |authtoken| with admin
                 permissions on the |repo|.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repoid: Set the repository name or repository ID.
                 :type repoid: str or int
                 :param usergroupid: Specify the ID of the user group.
                 :type usergroupid: str or int
                 :param perm: Set the user group permissions using the following
                     format: (repository.(none|read|write|admin))
                 :type perm: str
                 Example output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : {
                     "msg" : "Granted perm: `<perm>` for group: `<usersgroupname>` in repo: `<reponame>`",
                     "success": true
                   }
                   error :  null
                 Example error output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : null
                   error :  {
                     "failed to edit permission for user group: `<usergroup>` in repo `<repo>`'
                   }
                 """
                 repo = get_repo_or_error(repoid)
                 perm = get_perm_or_error(perm)
                 if not has_superadmin_permission(apiuser):
                     _perms = ('repository.admin',)
                     validate_repo_permissions(apiuser, repoid, repo, _perms)
                 user_group = get_user_group_or_error(usergroupid)
                 if not has_superadmin_permission(apiuser):
                     # check if we have at least read permission for this user group !
                     _perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin',)
                     if not HasUserGroupPermissionAnyApi(*_perms)(
                             user=apiuser, user_group_name=user_group.users_group_name):
                         raise JSONRPCError(
                             'user group `%s` does not exist' % (usergroupid,))
                 try:
                     RepoModel().grant_user_group_permission(
                         repo=repo, group_name=user_group, perm=perm)
                     Session().commit()
                     return {
                         'msg': 'Granted perm: `%s` for user group: `%s` in '
                                'repo: `%s`' % (
                                    perm.permission_name, user_group.users_group_name,
                                    repo.repo_name
                                ),
                         'success': True
                     }
                 except Exception:
                     log.exception(
                         "Exception occurred while trying change permission on repo")
                     raise JSONRPCError(
                         'failed to edit permission for user group: `%s` in '
                         'repo: `%s`' % (
                             usergroupid, repo.repo_name
                         )
                     )
             @jsonrpc_method()
             def revoke_user_group_permission(request, apiuser, repoid, usergroupid):
                 """
                 Revoke the permissions of a user group on a given repository.
                 This command can only be run using an |authtoken| with admin
                 permissions on the |repo|.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repoid: Set the repository name or repository ID.
                 :type repoid: str or int
                 :param usergroupid: Specify the user group ID.
                 :type usergroupid: str or int
                 Example output:
                 .. code-block:: bash
                     id : <id_given_in_input>
                     result: {
                               "msg" : "Revoked perm for group: `<usersgroupname>` in repo: `<reponame>`",
                               "success": true
                             }
                     error:  null
                 """
                 repo = get_repo_or_error(repoid)
                 if not has_superadmin_permission(apiuser):
                     _perms = ('repository.admin',)
                     validate_repo_permissions(apiuser, repoid, repo, _perms)
                 user_group = get_user_group_or_error(usergroupid)
                 if not has_superadmin_permission(apiuser):
                     # check if we have at least read permission for this user group !
                     _perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin',)
                     if not HasUserGroupPermissionAnyApi(*_perms)(
                             user=apiuser, user_group_name=user_group.users_group_name):
                         raise JSONRPCError(
                             'user group `%s` does not exist' % (usergroupid,))
                 try:
                     RepoModel().revoke_user_group_permission(
                         repo=repo, group_name=user_group)
                     Session().commit()
                     return {
                         'msg': 'Revoked perm for user group: `%s` in repo: `%s`' % (
                             user_group.users_group_name, repo.repo_name
                         ),
                         'success': True
                     }
                 except Exception:
                     log.exception("Exception occurred while trying revoke "
                                   "user group permission on repo")
                     raise JSONRPCError(
                         'failed to edit permission for user group: `%s` in '
                         'repo: `%s`' % (
                             user_group.users_group_name, repo.repo_name
                         )
                     )
             @jsonrpc_method()
             def pull(request, apiuser, repoid):
                 """
                 Triggers a pull on the given repository from a remote location. You
                 can use this to keep remote repositories up-to-date.
                 This command can only be run using an |authtoken| with admin
                 rights to the specified repository. For more information,
                 see :ref:`config-token-ref`.
                 This command takes the following options:
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repoid: The repository name or repository ID.
                 :type repoid: str or int
                 Example output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : {
                     "msg": "Pulled from `<repository name>`"
                     "repository": "<repository name>"
                   }
                   error :  null
                 Example error output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : null
                   error :  {
                     "Unable to pull changes from `<reponame>`"
                   }
                 """
                 repo = get_repo_or_error(repoid)
                 if not has_superadmin_permission(apiuser):
                     _perms = ('repository.admin',)
                     validate_repo_permissions(apiuser, repoid, repo, _perms)
                 try:
                     ScmModel().pull_changes(repo.repo_name, apiuser.username)
                     return {
                         'msg': 'Pulled from `%s`' % repo.repo_name,
                         'repository': repo.repo_name
                     }
                 except Exception:
                     log.exception("Exception occurred while trying to "
                                   "pull changes from remote location")
                     raise JSONRPCError(
                         'Unable to pull changes from `%s`' % repo.repo_name
                     )
             @jsonrpc_method()
             def strip(request, apiuser, repoid, revision, branch):
                 """
                 Strips the given revision from the specified repository.
                 * This will remove the revision and all of its decendants.
                 This command can only be run using an |authtoken| with admin rights to
                 the specified repository.
                 This command takes the following options:
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repoid: The repository name or repository ID.
                 :type repoid: str or int
                 :param revision: The revision you wish to strip.
                 :type revision: str
                 :param branch: The branch from which to strip the revision.
                 :type branch: str
                 Example output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : {
                     "msg": "'Stripped commit <commit_hash> from repo `<repository name>`'"
                     "repository": "<repository name>"
                   }
                   error :  null
                 Example error output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : null
                   error :  {
                     "Unable to strip commit <commit_hash> from repo `<repository name>`"
                   }
                 """
                 repo = get_repo_or_error(repoid)
                 if not has_superadmin_permission(apiuser):
                     _perms = ('repository.admin',)
                     validate_repo_permissions(apiuser, repoid, repo, _perms)
                 try:
                     ScmModel().strip(repo, revision, branch)
                     audit_logger.store_api(
                         'repo.commit.strip', action_data={'commit_id': revision},
                         repo=repo,
                         user=apiuser, commit=True)
                     return {
                         'msg': 'Stripped commit %s from repo `%s`' % (
                             revision, repo.repo_name),
                         'repository': repo.repo_name
                     }
                 except Exception:
                     log.exception("Exception while trying to strip")
                     raise JSONRPCError(
                         'Unable to strip commit %s from repo `%s`' % (
                             revision, repo.repo_name)
                     )
             @jsonrpc_method()
             def get_repo_settings(request, apiuser, repoid, key=Optional(None)):
                 """
                 Returns all settings for a repository. If key is given it only returns the
                 setting identified by the key or null.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repoid: The repository name or repository id.
                 :type repoid: str or int
                 :param key: Key of the setting to return.
                 :type: key: Optional(str)
                 Example output:
                 .. code-block:: bash
                     {
                         "error": null,
                         "id": 237,
                         "result": {
                             "extensions_largefiles": true,
                             "extensions_evolve": true,
                             "hooks_changegroup_push_logger": true,
                             "hooks_changegroup_repo_size": false,
                             "hooks_outgoing_pull_logger": true,
                             "phases_publish": "True",
                             "rhodecode_hg_use_rebase_for_merging": true,
                             "rhodecode_pr_merge_enabled": true,
                             "rhodecode_use_outdated_comments": true
                         }
                     }
                 """
                 # Restrict access to this api method to admins only.
                 if not has_superadmin_permission(apiuser):
                     raise JSONRPCForbidden()
                 try:
                     repo = get_repo_or_error(repoid)
                     settings_model = VcsSettingsModel(repo=repo)
                     settings = settings_model.get_global_settings()
                     settings.update(settings_model.get_repo_settings())
                     # If only a single setting is requested fetch it from all settings.
                     key = Optional.extract(key)
                     if key is not None:
                         settings = settings.get(key, None)
                 except Exception:
                     msg = 'Failed to fetch settings for repository `{}`'.format(repoid)
                     log.exception(msg)
                     raise JSONRPCError(msg)
                 return settings
             @jsonrpc_method()
             def set_repo_settings(request, apiuser, repoid, settings):
                 """
                 Update repository settings. Returns true on success.
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repoid: The repository name or repository id.
                 :type repoid: str or int
                 :param settings: The new settings for the repository.
                 :type: settings: dict
                 Example output:
                 .. code-block:: bash
                     {
                         "error": null,
                         "id": 237,
                         "result": true
                     }
                 """
                 # Restrict access to this api method to admins only.
                 if not has_superadmin_permission(apiuser):
                     raise JSONRPCForbidden()
                 if type(settings) is not dict:
                     raise JSONRPCError('Settings have to be a JSON Object.')
                 try:
                     settings_model = VcsSettingsModel(repo=repoid)
                     # Merge global, repo and incoming settings.
                     new_settings = settings_model.get_global_settings()
                     new_settings.update(settings_model.get_repo_settings())
                     new_settings.update(settings)
                     # Update the settings.
                     inherit_global_settings = new_settings.get(
                         'inherit_global_settings', False)
                     settings_model.create_or_update_repo_settings(
                         new_settings, inherit_global_settings=inherit_global_settings)
                     Session().commit()
                 except Exception:
                     msg = 'Failed to update settings for repository `{}`'.format(repoid)
                     log.exception(msg)
                     raise JSONRPCError(msg)
                 # Indicate success.
                 return True
             @jsonrpc_method()
             def maintenance(request, apiuser, repoid):
                 """
                 Triggers a maintenance on the given repository.
                 This command can only be run using an |authtoken| with admin
                 rights to the specified repository. For more information,
                 see :ref:`config-token-ref`.
                 This command takes the following options:
                 :param apiuser: This is filled automatically from the |authtoken|.
                 :type apiuser: AuthUser
                 :param repoid: The repository name or repository ID.
                 :type repoid: str or int
                 Example output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : {
                     "msg": "executed maintenance command",
                     "executed_actions": [
                        <action_message>, <action_message2>...
                     ],
                     "repository": "<repository name>"
                   }
                   error :  null
                 Example error output:
                 .. code-block:: bash
                   id : <id_given_in_input>
                   result : null
                   error :  {
                     "Unable to execute maintenance on `<reponame>`"
                   }
                 """
                 repo = get_repo_or_error(repoid)
                 if not has_superadmin_permission(apiuser):
                     _perms = ('repository.admin',)
                     validate_repo_permissions(apiuser, repoid, repo, _perms)
                 try:
                     maintenance = repo_maintenance.RepoMaintenance()
                     executed_actions = maintenance.execute(repo)
                     return {
                         'msg': 'executed maintenance command',
                         'executed_actions': executed_actions,
                         'repository': repo.repo_name
                     }
                 except Exception:
                     log.exception("Exception occurred while trying to run maintenance")
                     raise JSONRPCError(
                         'Unable to execute maintenance on `%s`' % repo.repo_name)

rhodecode/model/validation_schema/schemas/repo_schema.py

0 +1 -1

             # -*- coding: utf-8 -*-
             # Copyright (C) 2016-2018 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import colander
             import deform.widget
             from rhodecode.translation import _
             from rhodecode.model.validation_schema.utils import convert_to_optgroup
             from rhodecode.model.validation_schema import validators, preparers, types
             DEFAULT_LANDING_REF = 'rev:tip'
             def get_group_and_repo(repo_name):
                 from rhodecode.model.repo_group import RepoGroupModel
                 return RepoGroupModel()._get_group_name_and_parent(
                     repo_name, get_object=True)
             def get_repo_group(repo_group_id):
                 from rhodecode.model.repo_group import RepoGroup
                 return RepoGroup.get(repo_group_id), RepoGroup.CHOICES_SEPARATOR
             @colander.deferred
             def deferred_repo_type_validator(node, kw):
                 options = kw.get('repo_type_options', [])
                 return colander.OneOf([x for x in options])
             @colander.deferred
             def deferred_repo_owner_validator(node, kw):
                 def repo_owner_validator(node, value):
                     from rhodecode.model.db import User
                     existing = User.get_by_username(value)
                     if not existing:
                         msg = _(u'Repo owner with id `{}` does not exists').format(value)
                         raise colander.Invalid(node, msg)
                 return repo_owner_validator
             @colander.deferred
             def deferred_landing_ref_validator(node, kw):
                 options = kw.get(
                     'repo_ref_options', [DEFAULT_LANDING_REF])
                 return colander.OneOf([x for x in options])
             @colander.deferred
             def deferred_clone_uri_validator(node, kw):
                 repo_type = kw.get('repo_type')
                 validator = validators.CloneUriValidator(repo_type)
                 return validator
             @colander.deferred
             def deferred_landing_ref_widget(node, kw):
                 items = kw.get(
                     'repo_ref_items', [(DEFAULT_LANDING_REF, DEFAULT_LANDING_REF)])
                 items = convert_to_optgroup(items)
                 return deform.widget.Select2Widget(values=items)
             @colander.deferred
             def deferred_fork_of_validator(node, kw):
                 old_values = kw.get('old_values') or {}
                 def fork_of_validator(node, value):
                     from rhodecode.model.db import Repository, RepoGroup
                     existing = Repository.get_by_repo_name(value)
                     if not existing:
                         msg = _(u'Fork with id `{}` does not exists').format(value)
                         raise colander.Invalid(node, msg)
                     elif old_values['repo_name'] == existing.repo_name:
                         msg = _(u'Cannot set fork of '
                                 u'parameter of this repository to itself').format(value)
                         raise colander.Invalid(node, msg)
                 return fork_of_validator
             @colander.deferred
             def deferred_can_write_to_group_validator(node, kw):
                 request_user = kw.get('user')
                 old_values = kw.get('old_values') or {}
                 def can_write_to_group_validator(node, value):
                     """
                     Checks if given repo path is writable by user. This includes checks if
                     user is allowed to create repositories under root path or under
                     repo group paths
                     """
                     from rhodecode.lib.auth import (
                         HasPermissionAny, HasRepoGroupPermissionAny)
                     from rhodecode.model.repo_group import RepoGroupModel
                     messages = {
                         'invalid_repo_group':
                             _(u"Repository group `{}` does not exist"),
                         # permissions denied we expose as not existing, to prevent
                         # resource discovery
                         'permission_denied':
                             _(u"Repository group `{}` does not exist"),
                         'permission_denied_root':
                             _(u"You do not have the permission to store "
                               u"repositories in the root location.")
                     }
                     value = value['repo_group_name']
                     is_root_location = value is types.RootLocation
                     # NOT initialized validators, we must call them
                     can_create_repos_at_root = HasPermissionAny(
                         'hg.admin', 'hg.create.repository')
                     # if values is root location, we simply need to check if we can write
                     # to root location !
                     if is_root_location:
                         if can_create_repos_at_root(user=request_user):
                             # we can create repo group inside tool-level. No more checks
                             # are required
                             return
                         else:
                             # "fake" node name as repo_name, otherwise we oddly report
                             # the error as if it was coming form repo_group
                             # however repo_group is empty when using root location.
                             node.name = 'repo_name'
                             raise colander.Invalid(node, messages['permission_denied_root'])
                     # parent group not exists ? throw an error
                     repo_group = RepoGroupModel().get_by_group_name(value)
                     if value and not repo_group:
                         raise colander.Invalid(
                             node, messages['invalid_repo_group'].format(value))
                     gr_name = repo_group.group_name
                     # create repositories with write permission on group is set to true
                     create_on_write = HasPermissionAny(
                         'hg.create.write_on_repogroup.true')(user=request_user)
                     group_admin = HasRepoGroupPermissionAny('group.admin')(
                         gr_name, 'can write into group validator', user=request_user)
                     group_write = HasRepoGroupPermissionAny('group.write')(
                         gr_name, 'can write into group validator', user=request_user)
                     forbidden = not (group_admin or (group_write and create_on_write))
                     # TODO: handling of old values, and detecting no-change in path
                     # to skip permission checks in such cases. This only needs to be
                     # implemented if we use this schema in forms as well
                     # gid = (old_data['repo_group'].get('group_id')
                     #        if (old_data and 'repo_group' in old_data) else None)
                     # value_changed = gid != safe_int(value)
                     # new = not old_data
                     # do check if we changed the value, there's a case that someone got
                     # revoked write permissions to a repository, he still created, we
                     # don't need to check permission if he didn't change the value of
                     # groups in form box
                     # if value_changed or new:
                     #     # parent group need to be existing
                     # TODO: ENDS HERE
                     if repo_group and forbidden:
                         msg = messages['permission_denied'].format(value)
                         raise colander.Invalid(node, msg)
                 return can_write_to_group_validator
             @colander.deferred
             def deferred_unique_name_validator(node, kw):
                 request_user = kw.get('user')
                 old_values = kw.get('old_values') or {}
                 def unique_name_validator(node, value):
                     from rhodecode.model.db import Repository, RepoGroup
                     name_changed = value != old_values.get('repo_name')
                     existing = Repository.get_by_repo_name(value)
                     if name_changed and existing:
                         msg = _(u'Repository with name `{}` already exists').format(value)
                         raise colander.Invalid(node, msg)
                     existing_group = RepoGroup.get_by_group_name(value)
                     if name_changed and existing_group:
                         msg = _(u'Repository group with name `{}` already exists').format(
                             value)
                         raise colander.Invalid(node, msg)
                 return unique_name_validator
             @colander.deferred
             def deferred_repo_name_validator(node, kw):
                 def no_git_suffix_validator(node, value):
                     if value.endswith('.git'):
                         msg = _('Repository name cannot end with .git')
                         raise colander.Invalid(node, msg)
                 return colander.All(
                     no_git_suffix_validator, validators.valid_name_validator)
             @colander.deferred
             def deferred_repo_group_validator(node, kw):
                 options = kw.get(
                     'repo_repo_group_options')
                 return colander.OneOf([x for x in options])
             @colander.deferred
             def deferred_repo_group_widget(node, kw):
                 items = kw.get('repo_repo_group_items')
                 return deform.widget.Select2Widget(values=items)
             class GroupType(colander.Mapping):
                 def _validate(self, node, value):
                     try:
                         return dict(repo_group_name=value)
                     except Exception as e:
                         raise colander.Invalid(
                             node, '"${val}" is not a mapping type: ${err}'.format(
                                 val=value, err=e))
                 def deserialize(self, node, cstruct):
                     if cstruct is colander.null:
                         return cstruct
                     appstruct = super(GroupType, self).deserialize(node, cstruct)
                     validated_name = appstruct['repo_group_name']
                     # inject group based on once deserialized data
                     (repo_name_without_group,
                      parent_group_name,
                      parent_group) = get_group_and_repo(validated_name)
                     appstruct['repo_name_with_group'] = validated_name
                     appstruct['repo_name_without_group'] = repo_name_without_group
                     appstruct['repo_group_name'] = parent_group_name or types.RootLocation
                     if parent_group:
                         appstruct['repo_group_id'] = parent_group.group_id
                     return appstruct
             class GroupSchema(colander.SchemaNode):
                 schema_type = GroupType
                 validator = deferred_can_write_to_group_validator
                 missing = colander.null
             class RepoGroup(GroupSchema):
                 repo_group_name = colander.SchemaNode(
                     types.GroupNameType())
                 repo_group_id = colander.SchemaNode(
                     colander.String(), missing=None)
                 repo_name_without_group = colander.SchemaNode(
                     colander.String(), missing=None)
             class RepoGroupAccessSchema(colander.MappingSchema):
                 repo_group = RepoGroup()
             class RepoNameUniqueSchema(colander.MappingSchema):
                 unique_repo_name = colander.SchemaNode(
                     colander.String(),
                     validator=deferred_unique_name_validator)
             class RepoSchema(colander.MappingSchema):
                 repo_name = colander.SchemaNode(
                     types.RepoNameType(),
                     validator=deferred_repo_name_validator)
                 repo_type = colander.SchemaNode(
                     colander.String(),
                     validator=deferred_repo_type_validator)
                 repo_owner = colander.SchemaNode(
                     colander.String(),
                     validator=deferred_repo_owner_validator,
                     widget=deform.widget.TextInputWidget())
                 repo_description = colander.SchemaNode(
                     colander.String(), missing='',
                     widget=deform.widget.TextAreaWidget())
                 repo_landing_commit_ref = colander.SchemaNode(
                     colander.String(),
                     validator=deferred_landing_ref_validator,
                     preparers=[preparers.strip_preparer],
                     missing=DEFAULT_LANDING_REF,
                     widget=deferred_landing_ref_widget)
                 repo_clone_uri = colander.SchemaNode(
                     colander.String(),
-                    validator=colander.All(colander.Length(min=1)),
+                    validator=deferred_clone_uri_validator,
                     preparers=[preparers.strip_preparer],
                     missing='')
                 repo_fork_of = colander.SchemaNode(
                     colander.String(),
                     validator=deferred_fork_of_validator,
                     missing=None)
                 repo_private = colander.SchemaNode(
                     types.StringBooleanType(),
                     missing=False, widget=deform.widget.CheckboxWidget())
                 repo_copy_permissions = colander.SchemaNode(
                     types.StringBooleanType(),
                     missing=False, widget=deform.widget.CheckboxWidget())
                 repo_enable_statistics = colander.SchemaNode(
                     types.StringBooleanType(),
                     missing=False, widget=deform.widget.CheckboxWidget())
                 repo_enable_downloads = colander.SchemaNode(
                     types.StringBooleanType(),
                     missing=False, widget=deform.widget.CheckboxWidget())
                 repo_enable_locking = colander.SchemaNode(
                     types.StringBooleanType(),
                     missing=False, widget=deform.widget.CheckboxWidget())
                 def deserialize(self, cstruct):
                     """
                     Custom deserialize that allows to chain validation, and verify
                     permissions, and as last step uniqueness
                     """
                     # first pass, to validate given data
                     appstruct = super(RepoSchema, self).deserialize(cstruct)
                     validated_name = appstruct['repo_name']
                     # second pass to validate permissions to repo_group
                     second = RepoGroupAccessSchema().bind(**self.bindings)
                     appstruct_second = second.deserialize({'repo_group': validated_name})
                     # save result
                     appstruct['repo_group'] = appstruct_second['repo_group']
                     # thirds to validate uniqueness
                     third = RepoNameUniqueSchema().bind(**self.bindings)
                     third.deserialize({'unique_repo_name': validated_name})
                     return appstruct
             class RepoSettingsSchema(RepoSchema):
                 repo_group = colander.SchemaNode(
                     colander.Integer(),
                     validator=deferred_repo_group_validator,
                     widget=deferred_repo_group_widget,
                     missing='')
                 repo_clone_uri_change = colander.SchemaNode(
                     colander.String(),
                     missing='NEW')
                 repo_clone_uri = colander.SchemaNode(
                     colander.String(),
                     preparers=[preparers.strip_preparer],
                     validator=deferred_clone_uri_validator,
                     missing='')
                 def deserialize(self, cstruct):
                     """
                     Custom deserialize that allows to chain validation, and verify
                     permissions, and as last step uniqueness
                     """
                     # first pass, to validate given data
                     appstruct = super(RepoSchema, self).deserialize(cstruct)
                     validated_name = appstruct['repo_name']
                     # because of repoSchema adds repo-group as an ID, we inject it as
                     # full name here because validators require it, it's unwrapped later
                     # so it's safe to use and final name is going to be without group anyway
                     group, separator = get_repo_group(appstruct['repo_group'])
                     if group:
                         validated_name = separator.join([group.group_name, validated_name])
                     # second pass to validate permissions to repo_group
                     second = RepoGroupAccessSchema().bind(**self.bindings)
                     appstruct_second = second.deserialize({'repo_group': validated_name})
                     # save result
                     appstruct['repo_group'] = appstruct_second['repo_group']
                     # thirds to validate uniqueness
                     third = RepoNameUniqueSchema().bind(**self.bindings)
                     third.deserialize({'unique_repo_name': validated_name})
                     return appstruct

rhodecode/model/validation_schema/validators.py

0 +7 -4

             # -*- coding: utf-8 -*-
             # Copyright (C) 2011-2018 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import os
             import re
             import logging
             import ipaddress
             import colander
             from rhodecode.translation import _
             from rhodecode.lib.utils2 import glob2re, safe_unicode
             from rhodecode.lib.ext_json import json
             log = logging.getLogger(__name__)
             def ip_addr_validator(node, value):
                 try:
                     # this raises an ValueError if address is not IpV4 or IpV6
                     ipaddress.ip_network(safe_unicode(value), strict=False)
                 except ValueError:
                     msg = _(u'Please enter a valid IPv4 or IpV6 address')
                     raise colander.Invalid(node, msg)
             class IpAddrValidator(object):
                 def __init__(self, strict=True):
                     self.strict = strict
                 def __call__(self, node, value):
                     try:
                         # this raises an ValueError if address is not IpV4 or IpV6
                         ipaddress.ip_network(safe_unicode(value), strict=self.strict)
                     except ValueError:
                         msg = _(u'Please enter a valid IPv4 or IpV6 address')
                         raise colander.Invalid(node, msg)
             def glob_validator(node, value):
                 try:
                     re.compile('^' + glob2re(value) + '$')
                 except Exception:
                     msg = _(u'Invalid glob pattern')
                     raise colander.Invalid(node, msg)
             def valid_name_validator(node, value):
                 from rhodecode.model.validation_schema import types
                 if value is types.RootLocation:
                     return
                 msg = _('Name must start with a letter or number. Got `{}`').format(value)
                 if not re.match(r'^[a-zA-z0-9]{1,}', value):
                     raise colander.Invalid(node, msg)
             class InvalidCloneUrl(Exception):
                 allowed_prefixes = ()
             def url_validator(url, repo_type, config):
                 from rhodecode.lib.vcs.backends.hg import MercurialRepository
                 from rhodecode.lib.vcs.backends.git import GitRepository
                 from rhodecode.lib.vcs.backends.svn import SubversionRepository
                 if repo_type == 'hg':
                     allowed_prefixes = ('http', 'svn+http', 'git+http')
                     if 'http' in url[:4]:
                         # initially check if it's at least the proper URL
                         # or does it pass basic auth
                         MercurialRepository.check_url(url, config)
                     elif 'svn+http' in url[:8]:  # svn->hg import
                         SubversionRepository.check_url(url, config)
                     elif 'git+http' in url[:8]:  # git->hg import
                         raise NotImplementedError()
                     else:
                         exc = InvalidCloneUrl('Clone from URI %s not allowed. '
                                               'Allowed url must start with one of %s'
                                               % (url, ','.join(allowed_prefixes)))
                         exc.allowed_prefixes = allowed_prefixes
                         raise exc
                 elif repo_type == 'git':
                     allowed_prefixes = ('http', 'svn+http', 'hg+http')
                     if 'http' in url[:4]:
                         # initially check if it's at least the proper URL
                         # or does it pass basic auth
                         GitRepository.check_url(url, config)
                     elif 'svn+http' in url[:8]:  # svn->git import
                         raise NotImplementedError()
                     elif 'hg+http' in url[:8]:  # hg->git import
                         raise NotImplementedError()
                     else:
                         exc = InvalidCloneUrl('Clone from URI %s not allowed. '
                                               'Allowed url must start with one of %s'
                                               % (url, ','.join(allowed_prefixes)))
                         exc.allowed_prefixes = allowed_prefixes
                         raise exc
+                elif repo_type == 'svn':
+                    # no validation for SVN yet
+                    return
+                raise InvalidCloneUrl('No repo type specified')
             class CloneUriValidator(object):
                 def __init__(self, repo_type):
                     self.repo_type = repo_type
                 def __call__(self, node, value):
                     from rhodecode.lib.utils import make_db_config
                     try:
                         config = make_db_config(clear_session=False)
                         url_validator(value, self.repo_type, config)
                     except InvalidCloneUrl as e:
                         log.warning(e)
-                        msg = _(u'Invalid clone url, provide a valid clone '
+                        raise colander.Invalid(node, e.message)
-                                u'url starting with one of {allowed_prefixes}').format(
-                            allowed_prefixes=e.allowed_prefixes)
-                        raise colander.Invalid(node, msg)
                     except Exception:
                         log.exception('Url validation failed')
                         msg = _(u'invalid clone url for {repo_type} repository').format(
                             repo_type=self.repo_type)
                         raise colander.Invalid(node, msg)
             def json_validator(node, value):
                 try:
                     json.loads(value)
                 except (Exception,):
                     msg = _(u'Please enter a valid json object')
                     raise colander.Invalid(node, msg)

rhodecode/tests/models/schemas/test_repo_schema.py

0 +4 0

             # -*- coding: utf-8 -*-
             # Copyright (C) 2016-2018 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import colander
             import pytest
             from rhodecode.model.validation_schema import types
             from rhodecode.model.validation_schema.schemas import repo_schema
             class TestRepoSchema(object):
                 #TODO:
                 # test nested groups
                 @pytest.mark.parametrize('given, expected', [
                     ('my repo', 'my-repo'),
                     (' hello   world mike ', 'hello-world-mike'),
                     ('//group1/group2//', 'group1/group2'),
                     ('//group1///group2//', 'group1/group2'),
                     ('///group1/group2///group3', 'group1/group2/group3'),
                     ('word g1/group2///group3', 'word-g1/group2/group3'),
                     ('grou p1/gro;,,##up2//.../group3', 'grou-p1/group2/group3'),
                     ('group,,,/,,,/1/2/3', 'group/1/2/3'),
                     ('grou[]p1/gro;up2///gro up3', 'group1/group2/gro-up3'),
                     (u'grou[]p1/gro;up2///gro up3/ąć', u'group1/group2/gro-up3/ąć'),
                 ])
                 def test_deserialize_repo_name(self, app, user_admin, given, expected):
                     schema = repo_schema.RepoSchema().bind()
                     assert expected == schema.get('repo_name').deserialize(given)
                 def test_deserialize(self, app, user_admin):
                     schema = repo_schema.RepoSchema().bind(
                         repo_type_options=['hg'],
+                        repo_type='hg',
                         user=user_admin
                     )
                     schema_data = schema.deserialize(dict(
                         repo_name='my_schema_repo',
                         repo_type='hg',
                         repo_owner=user_admin.username
                     ))
                     assert schema_data['repo_name'] == u'my_schema_repo'
                     assert schema_data['repo_group'] == {
                         'repo_group_id': None,
                         'repo_group_name': types.RootLocation,
                         'repo_name_with_group': u'my_schema_repo',
                         'repo_name_without_group': u'my_schema_repo'}
                 @pytest.mark.parametrize('given, err_key, expected_exc', [
                     ('xxx/my_schema_repo','repo_group', 'Repository group `xxx` does not exist'),
                     ('', 'repo_name', 'Name must start with a letter or number. Got ``'),
                 ])
                 def test_deserialize_with_bad_group_name(
                         self, app, user_admin, given, err_key, expected_exc):
                     schema = repo_schema.RepoSchema().bind(
                         repo_type_options=['hg'],
+                        repo_type='hg',
                         user=user_admin
                     )
                     with pytest.raises(colander.Invalid) as excinfo:
                         schema.deserialize(dict(
                             repo_name=given,
                             repo_type='hg',
                             repo_owner=user_admin.username
                         ))
                     assert excinfo.value.asdict()[err_key] == expected_exc
                 def test_deserialize_with_group_name(self, app, user_admin, test_repo_group):
                     schema = repo_schema.RepoSchema().bind(
                         repo_type_options=['hg'],
+                        repo_type='hg',
                         user=user_admin
                     )
                     full_name = test_repo_group.group_name + u'/my_schema_repo'
                     schema_data = schema.deserialize(dict(
                         repo_name=full_name,
                         repo_type='hg',
                         repo_owner=user_admin.username
                     ))
                     assert schema_data['repo_name'] == full_name
                     assert schema_data['repo_group'] == {
                         'repo_group_id': test_repo_group.group_id,
                         'repo_group_name': test_repo_group.group_name,
                         'repo_name_with_group': full_name,
                         'repo_name_without_group': u'my_schema_repo'}
                 def test_deserialize_with_group_name_regular_user_no_perms(
                         self, app, user_regular, test_repo_group):
                     schema = repo_schema.RepoSchema().bind(
                         repo_type_options=['hg'],
+                        repo_type='hg',
                         user=user_regular
                     )
                     full_name = test_repo_group.group_name + '/my_schema_repo'
                     with pytest.raises(colander.Invalid) as excinfo:
                         schema.deserialize(dict(
                             repo_name=full_name,
                             repo_type='hg',
                             repo_owner=user_regular.username
                         ))
                     expected = 'Repository group `{}` does not exist'.format(
                         test_repo_group.group_name)
                     assert excinfo.value.asdict()['repo_group'] == expected

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages