# -*- coding: utf-8 -*-

# Copyright (C) 2011-2018 RhodeCode GmbH
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License, version 3
# (only), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
#
# This program is dual-licensed. If you wish to learn more about the
# RhodeCode Enterprise Edition, including its added features, Support services,
# and proprietary license terms, please see https://rhodecode.com/licenses/


"""
repo group model for RhodeCode
"""

import os
import datetime
import itertools
import logging
import shutil
import traceback
import string

from zope.cachedescriptors.property import Lazy as LazyProperty

from rhodecode import events
from rhodecode.model import BaseModel
from rhodecode.model.db import (_hash_key,
    RepoGroup, UserRepoGroupToPerm, User, Permission, UserGroupRepoGroupToPerm,
    UserGroup, Repository)
from rhodecode.model.settings import VcsSettingsModel, SettingsModel
from rhodecode.lib.caching_query import FromCache
from rhodecode.lib.utils2 import action_logger_generic, datetime_to_time

log = logging.getLogger(__name__)


class RepoGroupModel(BaseModel):

    cls = RepoGroup
    PERSONAL_GROUP_DESC = 'personal repo group of user `%(username)s`'
    PERSONAL_GROUP_PATTERN = '${username}'  # default

    def _get_user_group(self, users_group):
        return self._get_instance(UserGroup, users_group,
                                  callback=UserGroup.get_by_group_name)

    def _get_repo_group(self, repo_group):
        return self._get_instance(RepoGroup, repo_group,
                                  callback=RepoGroup.get_by_group_name)

    @LazyProperty
    def repos_path(self):
        """
        Gets the repositories root path from database
        """

        settings_model = VcsSettingsModel(sa=self.sa)
        return settings_model.get_repos_location()

    def get_by_group_name(self, repo_group_name, cache=None):
        repo = self.sa.query(RepoGroup) \
            .filter(RepoGroup.group_name == repo_group_name)

        if cache:
            name_key = _hash_key(repo_group_name)
            repo = repo.options(
                FromCache("sql_cache_short", "get_repo_group_%s" % name_key))
        return repo.scalar()

    def get_default_create_personal_repo_group(self):
        value = SettingsModel().get_setting_by_name(
            'create_personal_repo_group')
        return value.app_settings_value if value else None or False

    def get_personal_group_name_pattern(self):
        value = SettingsModel().get_setting_by_name(
            'personal_repo_group_pattern')
        val = value.app_settings_value if value else None
        group_template = val or self.PERSONAL_GROUP_PATTERN

        group_template = group_template.lstrip('/')
        return group_template

    def get_personal_group_name(self, user):
        template = self.get_personal_group_name_pattern()
        return string.Template(template).safe_substitute(
            username=user.username,
            user_id=user.user_id,
        )

    def create_personal_repo_group(self, user, commit_early=True):
        desc = self.PERSONAL_GROUP_DESC % {'username': user.username}
        personal_repo_group_name = self.get_personal_group_name(user)

        # create a new one
        RepoGroupModel().create(
            group_name=personal_repo_group_name,
            group_description=desc,
            owner=user.username,
            personal=True,
            commit_early=commit_early)

    def _create_default_perms(self, new_group):
        # create default permission
        default_perm = 'group.read'
        def_user = User.get_default_user()
        for p in def_user.user_perms:
            if p.permission.permission_name.startswith('group.'):
                default_perm = p.permission.permission_name
                break

        repo_group_to_perm = UserRepoGroupToPerm()
        repo_group_to_perm.permission = Permission.get_by_key(default_perm)

        repo_group_to_perm.group = new_group
        repo_group_to_perm.user_id = def_user.user_id
        return repo_group_to_perm

    def _get_group_name_and_parent(self, group_name_full, repo_in_path=False,
                                   get_object=False):
        """
        Get's the group name and a parent group name from given group name.
        If repo_in_path is set to truth, we asume the full path also includes
        repo name, in such case we clean the last element.

        :param group_name_full:
        """
        split_paths = 1
        if repo_in_path:
            split_paths = 2
        _parts = group_name_full.rsplit(RepoGroup.url_sep(), split_paths)

        if repo_in_path and len(_parts) > 1:
            # such case last element is the repo_name
            _parts.pop(-1)
        group_name_cleaned = _parts[-1]  # just the group name
        parent_repo_group_name = None

        if len(_parts) > 1:
            parent_repo_group_name = _parts[0]

        parent_group = None
        if parent_repo_group_name:
            parent_group = RepoGroup.get_by_group_name(parent_repo_group_name)

        if get_object:
            return group_name_cleaned, parent_repo_group_name, parent_group

        return group_name_cleaned, parent_repo_group_name

    def check_exist_filesystem(self, group_name, exc_on_failure=True):
        create_path = os.path.join(self.repos_path, group_name)
        log.debug('creating new group in %s', create_path)

        if os.path.isdir(create_path):
            if exc_on_failure:
                abs_create_path = os.path.abspath(create_path)
                raise Exception('Directory `{}` already exists !'.format(abs_create_path))
            return False
        return True

    def _create_group(self, group_name):
        """
        makes repository group on filesystem

        :param repo_name:
        :param parent_id:
        """

        self.check_exist_filesystem(group_name)
        create_path = os.path.join(self.repos_path, group_name)
        log.debug('creating new group in %s', create_path)
        os.makedirs(create_path, mode=0755)
        log.debug('created group in %s', create_path)

    def _rename_group(self, old, new):
        """
        Renames a group on filesystem

        :param group_name:
        """

        if old == new:
            log.debug('skipping group rename')
            return

        log.debug('renaming repository group from %s to %s', old, new)

        old_path = os.path.join(self.repos_path, old)
        new_path = os.path.join(self.repos_path, new)

        log.debug('renaming repos paths from %s to %s', old_path, new_path)

        if os.path.isdir(new_path):
            raise Exception('Was trying to rename to already '
                            'existing dir %s' % new_path)
        shutil.move(old_path, new_path)

    def _delete_filesystem_group(self, group, force_delete=False):
        """
        Deletes a group from a filesystem

        :param group: instance of group from database
        :param force_delete: use shutil rmtree to remove all objects
        """
        paths = group.full_path.split(RepoGroup.url_sep())
        paths = os.sep.join(paths)

        rm_path = os.path.join(self.repos_path, paths)
        log.info("Removing group %s", rm_path)
        # delete only if that path really exists
        if os.path.isdir(rm_path):
            if force_delete:
                shutil.rmtree(rm_path)
            else:
                # archive that group`
                _now = datetime.datetime.now()
                _ms = str(_now.microsecond).rjust(6, '0')
                _d = 'rm__%s_GROUP_%s' % (
                    _now.strftime('%Y%m%d_%H%M%S_' + _ms), group.name)
                shutil.move(rm_path, os.path.join(self.repos_path, _d))

    def create(self, group_name, group_description, owner, just_db=False,
               copy_permissions=False, personal=None, commit_early=True):

        (group_name_cleaned,
         parent_group_name) = RepoGroupModel()._get_group_name_and_parent(group_name)

        parent_group = None
        if parent_group_name:
            parent_group = self._get_repo_group(parent_group_name)
            if not parent_group:
                # we tried to create a nested group, but the parent is not
                # existing
                raise ValueError(
                    'Parent group `%s` given in `%s` group name '
                    'is not yet existing.' % (parent_group_name, group_name))

        # because we are doing a cleanup, we need to check if such directory
        # already exists. If we don't do that we can accidentally delete
        # existing directory via cleanup that can cause data issues, since
        # delete does a folder rename to special syntax later cleanup
        # functions can delete this
        cleanup_group = self.check_exist_filesystem(group_name,
                                                    exc_on_failure=False)
        user = self._get_user(owner)
        if not user:
            raise ValueError('Owner %s not found as rhodecode user', owner)

        try:
            new_repo_group = RepoGroup()
            new_repo_group.user = user
            new_repo_group.group_description = group_description or group_name
            new_repo_group.parent_group = parent_group
            new_repo_group.group_name = group_name
            new_repo_group.personal = personal

            self.sa.add(new_repo_group)

            # create an ADMIN permission for owner except if we're super admin,
            # later owner should go into the owner field of groups
            if not user.is_admin:
                self.grant_user_permission(repo_group=new_repo_group,
                                           user=owner, perm='group.admin')

            if parent_group and copy_permissions:
                # copy permissions from parent
                user_perms = UserRepoGroupToPerm.query() \
                    .filter(UserRepoGroupToPerm.group == parent_group).all()

                group_perms = UserGroupRepoGroupToPerm.query() \
                    .filter(UserGroupRepoGroupToPerm.group == parent_group).all()

                for perm in user_perms:
                    # don't copy over the permission for user who is creating
                    # this group, if he is not super admin he get's admin
                    # permission set above
                    if perm.user != user or user.is_admin:
                        UserRepoGroupToPerm.create(
                            perm.user, new_repo_group, perm.permission)

                for perm in group_perms:
                    UserGroupRepoGroupToPerm.create(
                        perm.users_group, new_repo_group, perm.permission)
            else:
                perm_obj = self._create_default_perms(new_repo_group)
                self.sa.add(perm_obj)

            # now commit the changes, earlier so we are sure everything is in
            # the database.
            if commit_early:
                self.sa.commit()
            if not just_db:
                self._create_group(new_repo_group.group_name)

            # trigger the post hook
            from rhodecode.lib.hooks_base import log_create_repository_group
            repo_group = RepoGroup.get_by_group_name(group_name)
            log_create_repository_group(
                created_by=user.username, **repo_group.get_dict())

            # Trigger create event.
            events.trigger(events.RepoGroupCreateEvent(repo_group))

            return new_repo_group
        except Exception:
            self.sa.rollback()
            log.exception('Exception occurred when creating repository group, '
                          'doing cleanup...')
            # rollback things manually !
            repo_group = RepoGroup.get_by_group_name(group_name)
            if repo_group:
                RepoGroup.delete(repo_group.group_id)
                self.sa.commit()
                if cleanup_group:
                    RepoGroupModel()._delete_filesystem_group(repo_group)
            raise

    def update_permissions(
            self, repo_group, perm_additions=None, perm_updates=None,
            perm_deletions=None, recursive=None, check_perms=True,
            cur_user=None):
        from rhodecode.model.repo import RepoModel
        from rhodecode.lib.auth import HasUserGroupPermissionAny

        if not perm_additions:
            perm_additions = []
        if not perm_updates:
            perm_updates = []
        if not perm_deletions:
            perm_deletions = []

        req_perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin')

        changes = {
            'added': [],
            'updated': [],
            'deleted': []
        }

        def _set_perm_user(obj, user, perm):
            if isinstance(obj, RepoGroup):
                self.grant_user_permission(
                    repo_group=obj, user=user, perm=perm)
            elif isinstance(obj, Repository):
                # private repos will not allow to change the default
                # permissions using recursive mode
                if obj.private and user == User.DEFAULT_USER:
                    return

                # we set group permission but we have to switch to repo
                # permission
                perm = perm.replace('group.', 'repository.')
                RepoModel().grant_user_permission(
                    repo=obj, user=user, perm=perm)

        def _set_perm_group(obj, users_group, perm):
            if isinstance(obj, RepoGroup):
                self.grant_user_group_permission(
                    repo_group=obj, group_name=users_group, perm=perm)
            elif isinstance(obj, Repository):
                # we set group permission but we have to switch to repo
                # permission
                perm = perm.replace('group.', 'repository.')
                RepoModel().grant_user_group_permission(
                    repo=obj, group_name=users_group, perm=perm)

        def _revoke_perm_user(obj, user):
            if isinstance(obj, RepoGroup):
                self.revoke_user_permission(repo_group=obj, user=user)
            elif isinstance(obj, Repository):
                RepoModel().revoke_user_permission(repo=obj, user=user)

        def _revoke_perm_group(obj, user_group):
            if isinstance(obj, RepoGroup):
                self.revoke_user_group_permission(
                    repo_group=obj, group_name=user_group)
            elif isinstance(obj, Repository):
                RepoModel().revoke_user_group_permission(
                    repo=obj, group_name=user_group)

        # start updates
        log.debug('Now updating permissions for %s in recursive mode:%s',
                  repo_group, recursive)

        # initialize check function, we'll call that multiple times
        has_group_perm = HasUserGroupPermissionAny(*req_perms)

        for obj in repo_group.recursive_groups_and_repos():
            # iterated obj is an instance of a repos group or repository in
            # that group, recursive option can be: none, repos, groups, all
            if recursive == 'all':
                obj = obj
            elif recursive == 'repos':
                # skip groups, other than this one
                if isinstance(obj, RepoGroup) and not obj == repo_group:
                    continue
            elif recursive == 'groups':
                # skip repos
                if isinstance(obj, Repository):
                    continue
            else:  # recursive == 'none':
                #  DEFAULT option - don't apply to iterated objects
                # also we do a break at the end of this loop. if we are not
                # in recursive mode
                obj = repo_group

            change_obj = obj.get_api_data()

            # update permissions
            for member_id, perm, member_type in perm_updates:
                member_id = int(member_id)
                if member_type == 'user':
                    member_name = User.get(member_id).username
                    # this updates also current one if found
                    _set_perm_user(obj, user=member_id, perm=perm)
                elif member_type == 'user_group':
                    member_name = UserGroup.get(member_id).users_group_name
                    if not check_perms or has_group_perm(member_name,
                                                         user=cur_user):
                        _set_perm_group(obj, users_group=member_id, perm=perm)
                else:
                    raise ValueError("member_type must be 'user' or 'user_group' "
                                     "got {} instead".format(member_type))

                changes['updated'].append(
                    {'change_obj': change_obj, 'type': member_type,
                     'id': member_id, 'name': member_name, 'new_perm': perm})

            # set new permissions
            for member_id, perm, member_type in perm_additions:
                member_id = int(member_id)
                if member_type == 'user':
                    member_name = User.get(member_id).username
                    _set_perm_user(obj, user=member_id, perm=perm)
                elif member_type == 'user_group':
                    # check if we have permissions to alter this usergroup
                    member_name = UserGroup.get(member_id).users_group_name
                    if not check_perms or has_group_perm(member_name,
                                                         user=cur_user):
                        _set_perm_group(obj, users_group=member_id, perm=perm)
                else:
                    raise ValueError("member_type must be 'user' or 'user_group' "
                                     "got {} instead".format(member_type))

                changes['added'].append(
                    {'change_obj': change_obj, 'type': member_type,
                     'id': member_id, 'name': member_name, 'new_perm': perm})

            # delete permissions
            for member_id, perm, member_type in perm_deletions:
                member_id = int(member_id)
                if member_type == 'user':
                    member_name = User.get(member_id).username
                    _revoke_perm_user(obj, user=member_id)
                elif member_type == 'user_group':
                    # check if we have permissions to alter this usergroup
                    member_name = UserGroup.get(member_id).users_group_name
                    if not check_perms or has_group_perm(member_name,
                                                         user=cur_user):
                        _revoke_perm_group(obj, user_group=member_id)
                else:
                    raise ValueError("member_type must be 'user' or 'user_group' "
                                     "got {} instead".format(member_type))

                changes['deleted'].append(
                    {'change_obj': change_obj, 'type': member_type,
                     'id': member_id, 'name': member_name, 'new_perm': perm})

            # if it's not recursive call for all,repos,groups
            # break the loop and don't proceed with other changes
            if recursive not in ['all', 'repos', 'groups']:
                break

        return changes

    def update(self, repo_group, form_data):
        try:
            repo_group = self._get_repo_group(repo_group)
            old_path = repo_group.full_path

            # change properties
            if 'group_description' in form_data:
                repo_group.group_description = form_data['group_description']

            if 'enable_locking' in form_data:
                repo_group.enable_locking = form_data['enable_locking']

            if 'group_parent_id' in form_data:
                parent_group = (
                    self._get_repo_group(form_data['group_parent_id']))
                repo_group.group_parent_id = (
                    parent_group.group_id if parent_group else None)
                repo_group.parent_group = parent_group

            # mikhail: to update the full_path, we have to explicitly
            # update group_name
            group_name = form_data.get('group_name', repo_group.name)
            repo_group.group_name = repo_group.get_new_name(group_name)

            new_path = repo_group.full_path

            if 'user' in form_data:
                repo_group.user = User.get_by_username(form_data['user'])
            repo_group.updated_on = datetime.datetime.now()
            self.sa.add(repo_group)

            # iterate over all members of this groups and do fixes
            # set locking if given
            # if obj is a repoGroup also fix the name of the group according
            # to the parent
            # if obj is a Repo fix it's name
            # this can be potentially heavy operation
            for obj in repo_group.recursive_groups_and_repos():
                # set the value from it's parent
                obj.enable_locking = repo_group.enable_locking
                if isinstance(obj, RepoGroup):
                    new_name = obj.get_new_name(obj.name)
                    log.debug('Fixing group %s to new name %s',
                              obj.group_name, new_name)
                    obj.group_name = new_name
                    obj.updated_on = datetime.datetime.now()
                elif isinstance(obj, Repository):
                    # we need to get all repositories from this new group and
                    # rename them accordingly to new group path
                    new_name = obj.get_new_name(obj.just_name)
                    log.debug('Fixing repo %s to new name %s',
                              obj.repo_name, new_name)
                    obj.repo_name = new_name
                    obj.updated_on = datetime.datetime.now()
                self.sa.add(obj)

            self._rename_group(old_path, new_path)

            # Trigger update event.
            events.trigger(events.RepoGroupUpdateEvent(repo_group))

            return repo_group
        except Exception:
            log.error(traceback.format_exc())
            raise

    def delete(self, repo_group, force_delete=False, fs_remove=True):
        repo_group = self._get_repo_group(repo_group)
        if not repo_group:
            return False
        try:
            self.sa.delete(repo_group)
            if fs_remove:
                self._delete_filesystem_group(repo_group, force_delete)
            else:
                log.debug('skipping removal from filesystem')

            # Trigger delete event.
            events.trigger(events.RepoGroupDeleteEvent(repo_group))
            return True

        except Exception:
            log.error('Error removing repo_group %s', repo_group)
            raise

    def grant_user_permission(self, repo_group, user, perm):
        """
        Grant permission for user on given repository group, or update
        existing one if found

        :param repo_group: Instance of RepoGroup, repositories_group_id,
            or repositories_group name
        :param user: Instance of User, user_id or username
        :param perm: Instance of Permission, or permission_name
        """

        repo_group = self._get_repo_group(repo_group)
        user = self._get_user(user)
        permission = self._get_perm(perm)

        # check if we have that permission already
        obj = self.sa.query(UserRepoGroupToPerm)\
            .filter(UserRepoGroupToPerm.user == user)\
            .filter(UserRepoGroupToPerm.group == repo_group)\
            .scalar()
        if obj is None:
            # create new !
            obj = UserRepoGroupToPerm()
        obj.group = repo_group
        obj.user = user
        obj.permission = permission
        self.sa.add(obj)
        log.debug('Granted perm %s to %s on %s', perm, user, repo_group)
        action_logger_generic(
            'granted permission: {} to user: {} on repogroup: {}'.format(
                perm, user, repo_group), namespace='security.repogroup')
        return obj

    def revoke_user_permission(self, repo_group, user):
        """
        Revoke permission for user on given repository group

        :param repo_group: Instance of RepoGroup, repositories_group_id,
            or repositories_group name
        :param user: Instance of User, user_id or username
        """

        repo_group = self._get_repo_group(repo_group)
        user = self._get_user(user)

        obj = self.sa.query(UserRepoGroupToPerm)\
            .filter(UserRepoGroupToPerm.user == user)\
            .filter(UserRepoGroupToPerm.group == repo_group)\
            .scalar()
        if obj:
            self.sa.delete(obj)
            log.debug('Revoked perm on %s on %s', repo_group, user)
            action_logger_generic(
                'revoked permission from user: {} on repogroup: {}'.format(
                    user, repo_group), namespace='security.repogroup')

    def grant_user_group_permission(self, repo_group, group_name, perm):
        """
        Grant permission for user group on given repository group, or update
        existing one if found

        :param repo_group: Instance of RepoGroup, repositories_group_id,
            or repositories_group name
        :param group_name: Instance of UserGroup, users_group_id,
            or user group name
        :param perm: Instance of Permission, or permission_name
        """
        repo_group = self._get_repo_group(repo_group)
        group_name = self._get_user_group(group_name)
        permission = self._get_perm(perm)

        # check if we have that permission already
        obj = self.sa.query(UserGroupRepoGroupToPerm)\
            .filter(UserGroupRepoGroupToPerm.group == repo_group)\
            .filter(UserGroupRepoGroupToPerm.users_group == group_name)\
            .scalar()

        if obj is None:
            # create new
            obj = UserGroupRepoGroupToPerm()

        obj.group = repo_group
        obj.users_group = group_name
        obj.permission = permission
        self.sa.add(obj)
        log.debug('Granted perm %s to %s on %s', perm, group_name, repo_group)
        action_logger_generic(
            'granted permission: {} to usergroup: {} on repogroup: {}'.format(
                perm, group_name, repo_group), namespace='security.repogroup')
        return obj

    def revoke_user_group_permission(self, repo_group, group_name):
        """
        Revoke permission for user group on given repository group

        :param repo_group: Instance of RepoGroup, repositories_group_id,
            or repositories_group name
        :param group_name: Instance of UserGroup, users_group_id,
            or user group name
        """
        repo_group = self._get_repo_group(repo_group)
        group_name = self._get_user_group(group_name)

        obj = self.sa.query(UserGroupRepoGroupToPerm)\
            .filter(UserGroupRepoGroupToPerm.group == repo_group)\
            .filter(UserGroupRepoGroupToPerm.users_group == group_name)\
            .scalar()
        if obj:
            self.sa.delete(obj)
            log.debug('Revoked perm to %s on %s', repo_group, group_name)
            action_logger_generic(
                'revoked permission from usergroup: {} on repogroup: {}'.format(
                    group_name, repo_group), namespace='security.repogroup')

    def get_repo_groups_as_dict(self, repo_group_list=None, admin=False,
                                super_user_actions=False):

        from pyramid.threadlocal import get_current_request
        _render = get_current_request().get_partial_renderer(
            'rhodecode:templates/data_table/_dt_elements.mako')
        c = _render.get_call_context()
        h = _render.get_helpers()

        def quick_menu(repo_group_name):
            return _render('quick_repo_group_menu', repo_group_name)

        def repo_group_lnk(repo_group_name):
            return _render('repo_group_name', repo_group_name)

        def last_change(last_change):
            if admin and isinstance(last_change, datetime.datetime) and not last_change.tzinfo:
                last_change = last_change + datetime.timedelta(seconds=
                    (datetime.datetime.now() - datetime.datetime.utcnow()).seconds)
            return _render("last_change", last_change)

        def desc(desc, personal):
            return _render(
                'repo_group_desc', desc, personal, c.visual.stylify_metatags)

        def repo_group_actions(repo_group_id, repo_group_name, gr_count):
            return _render(
                'repo_group_actions', repo_group_id, repo_group_name, gr_count)

        def repo_group_name(repo_group_name, children_groups):
            return _render("repo_group_name", repo_group_name, children_groups)

        def user_profile(username):
            return _render('user_profile', username)

        repo_group_data = []
        for group in repo_group_list:

            row = {
                "menu": quick_menu(group.group_name),
                "name": repo_group_lnk(group.group_name),
                "name_raw": group.group_name,
                "last_change": last_change(group.last_db_change),
                "last_change_raw": datetime_to_time(group.last_db_change),
                "desc": desc(group.description_safe, group.personal),
                "top_level_repos": 0,
                "owner": user_profile(group.user.username)
            }
            if admin:
                repo_count = group.repositories.count()
                children_groups = map(
                    h.safe_unicode,
                    itertools.chain((g.name for g in group.parents),
                                    (x.name for x in [group])))
                row.update({
                    "action": repo_group_actions(
                        group.group_id, group.group_name, repo_count),
                    "top_level_repos": repo_count,
                    "name": repo_group_name(group.group_name, children_groups),

                })
            repo_group_data.append(row)

        return repo_group_data

    def _get_defaults(self, repo_group_name):
        repo_group = RepoGroup.get_by_group_name(repo_group_name)

        if repo_group is None:
            return None

        defaults = repo_group.get_dict()
        defaults['repo_group_name'] = repo_group.name
        defaults['repo_group_description'] = repo_group.group_description
        defaults['repo_group_enable_locking'] = repo_group.enable_locking

        # we use -1 as this is how in HTML, we mark an empty group
        defaults['repo_group'] = defaults['group_parent_id'] or -1

        # fill owner
        if repo_group.user:
            defaults.update({'user': repo_group.user.username})
        else:
            replacement_user = User.get_first_super_admin().username
            defaults.update({'user': replacement_user})

        return defaults