user.py
549 lines
| 20.5 KiB
| text/x-python
|
PythonLexer
| r761 | # -*- coding: utf-8 -*- | |||
| """ | ||||
| r956 | rhodecode.model.user | |||
| ~~~~~~~~~~~~~~~~~~~~ | ||||
| r761 | ||||
| users model for RhodeCode | ||||
| r1203 | ||||
| r761 | :created_on: Apr 9, 2010 | |||
| :author: marcink | ||||
| r1824 | :copyright: (C) 2010-2012 Marcin Kuzminski <marcin@python-works.com> | |||
| r761 | :license: GPLv3, see COPYING for more details. | |||
| """ | ||||
| r1206 | # This program is free software: you can redistribute it and/or modify | |||
| # it under the terms of the GNU General Public License as published by | ||||
| # the Free Software Foundation, either version 3 of the License, or | ||||
| # (at your option) any later version. | ||||
| r1203 | # | |||
| r629 | # This program is distributed in the hope that it will be useful, | |||
| # but WITHOUT ANY WARRANTY; without even the implied warranty of | ||||
| # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||||
| # GNU General Public License for more details. | ||||
| r1203 | # | |||
| r629 | # You should have received a copy of the GNU General Public License | |||
| r1206 | # along with this program. If not, see <http://www.gnu.org/licenses/>. | |||
| r750 | ||||
| r629 | import logging | |||
| import traceback | ||||
| r1731 | from pylons import url | |||
| r761 | from pylons.i18n.translation import _ | |||
| r1516 | from rhodecode.lib import safe_unicode | |||
| r1669 | from rhodecode.lib.caching_query import FromCache | |||
| r761 | from rhodecode.model import BaseModel | |||
| r1633 | from rhodecode.model.db import User, UserRepoToPerm, Repository, Permission, \ | |||
| r1731 | UserToPerm, UsersGroupRepoToPerm, UsersGroupToPerm, UsersGroupMember, \ | |||
| r1982 | Notification, RepoGroup, UserRepoGroupToPerm, UsersGroup | |||
| r1269 | from rhodecode.lib.exceptions import DefaultUserException, \ | |||
| UserOwnsReposException | ||||
| r713 | ||||
| r761 | from sqlalchemy.exc import DatabaseError | |||
| r1116 | from rhodecode.lib import generate_api_key | |||
| r1269 | from sqlalchemy.orm import joinedload | |||
| r761 | ||||
| log = logging.getLogger(__name__) | ||||
| r629 | ||||
| r1731 | ||||
| r1982 | PERM_WEIGHTS = { | |||
| 'repository.none': 0, | ||||
| 'repository.read': 1, | ||||
| 'repository.write': 3, | ||||
| 'repository.admin': 4, | ||||
| 'group.none': 0, | ||||
| 'group.read': 1, | ||||
| 'group.write': 3, | ||||
| 'group.admin': 4, | ||||
| } | ||||
| r1117 | ||||
| r1267 | ||||
| r752 | class UserModel(BaseModel): | |||
| r1716 | ||||
| r1749 | def __get_user(self, user): | |||
| r1982 | return self._get_instance(User, user, callback=User.get_by_username) | |||
| def __get_perm(self, permission): | ||||
| return self._get_instance(Permission, permission, | ||||
| callback=Permission.get_by_key) | ||||
| r1749 | ||||
| r1594 | def get(self, user_id, cache=False): | |||
| r629 | user = self.sa.query(User) | |||
| if cache: | ||||
| user = user.options(FromCache("sql_cache_short", | ||||
| "get_user_%s" % user_id)) | ||||
| return user.get(user_id) | ||||
| r1594 | def get_by_username(self, username, cache=False, case_insensitive=False): | |||
| r750 | ||||
| r742 | if case_insensitive: | |||
| user = self.sa.query(User).filter(User.username.ilike(username)) | ||||
| else: | ||||
| user = self.sa.query(User)\ | ||||
| .filter(User.username == username) | ||||
| r629 | if cache: | |||
| user = user.options(FromCache("sql_cache_short", | ||||
| "get_user_%s" % username)) | ||||
| return user.scalar() | ||||
| r1594 | def get_by_api_key(self, api_key, cache=False): | |||
| r1693 | return User.get_by_api_key(api_key, cache) | |||
| r1117 | ||||
| r629 | def create(self, form_data): | |||
| try: | ||||
| new_user = User() | ||||
| for k, v in form_data.items(): | ||||
| setattr(new_user, k, v) | ||||
| r1116 | new_user.api_key = generate_api_key(form_data['username']) | |||
| r629 | self.sa.add(new_user) | |||
Nicolas VINOT
|
r1586 | return new_user | ||
| r629 | except: | |||
| log.error(traceback.format_exc()) | ||||
| raise | ||||
| r1728 | def create_or_update(self, username, password, email, name, lastname, | |||
| r1634 | active=True, admin=False, ldap_dn=None): | |||
| """ | ||||
| Creates a new instance if not found, or updates current one | ||||
| r1818 | ||||
| r1634 | :param username: | |||
| :param password: | ||||
| :param email: | ||||
| :param active: | ||||
| :param name: | ||||
| :param lastname: | ||||
| :param active: | ||||
| :param admin: | ||||
| :param ldap_dn: | ||||
| """ | ||||
| r1728 | ||||
| r1634 | from rhodecode.lib.auth import get_crypt_password | |||
| r1728 | ||||
| r1976 | log.debug('Checking for %s account in RhodeCode database' % username) | |||
| r1634 | user = User.get_by_username(username, case_insensitive=True) | |||
| if user is None: | ||||
| r1976 | log.debug('creating new user %s' % username) | |||
| r1634 | new_user = User() | |||
| else: | ||||
| r1976 | log.debug('updating user %s' % username) | |||
| r1634 | new_user = user | |||
| r1728 | ||||
| r1634 | try: | |||
| new_user.username = username | ||||
| new_user.admin = admin | ||||
| new_user.password = get_crypt_password(password) | ||||
| new_user.api_key = generate_api_key(username) | ||||
| new_user.email = email | ||||
| new_user.active = active | ||||
| new_user.ldap_dn = safe_unicode(ldap_dn) if ldap_dn else None | ||||
| new_user.name = name | ||||
| new_user.lastname = lastname | ||||
| self.sa.add(new_user) | ||||
| return new_user | ||||
| except (DatabaseError,): | ||||
| log.error(traceback.format_exc()) | ||||
| raise | ||||
| r1728 | ||||
Liad Shani
|
r1621 | def create_for_container_auth(self, username, attrs): | ||
| """ | ||||
| Creates the given user if it's not already in the database | ||||
| r1818 | ||||
|
Liad Shani
|
r1621 | :param username: | ||
| :param attrs: | ||||
| """ | ||||
| if self.get_by_username(username, case_insensitive=True) is None: | ||||
| r1690 | ||||
| # autogenerate email for container account without one | ||||
| generate_email = lambda usr: '%s@container_auth.account' % usr | ||||
|
Liad Shani
|
r1621 | try: | ||
| new_user = User() | ||||
| new_user.username = username | ||||
| new_user.password = None | ||||
| new_user.api_key = generate_api_key(username) | ||||
| new_user.email = attrs['email'] | ||||
| r1628 | new_user.active = attrs.get('active', True) | |||
| r1690 | new_user.name = attrs['name'] or generate_email(username) | |||
|
Liad Shani
|
r1621 | new_user.lastname = attrs['lastname'] | ||
| self.sa.add(new_user) | ||||
| r1628 | return new_user | |||
|
Liad Shani
|
r1621 | except (DatabaseError,): | ||
| log.error(traceback.format_exc()) | ||||
| self.sa.rollback() | ||||
| raise | ||||
| r1628 | log.debug('User %s already exists. Skipping creation of account' | |||
| ' for container auth.', username) | ||||
| return None | ||||
|
Liad Shani
|
r1621 | |||
Thayne Harbaugh
|
r991 | def create_ldap(self, username, password, user_dn, attrs): | ||
| r705 | """ | |||
| Checks if user is in database, if not creates this user marked | ||||
| as ldap user | ||||
| r1818 | ||||
| r705 | :param username: | |||
| :param password: | ||||
|
Thayne Harbaugh
|
r991 | :param user_dn: | ||
| :param attrs: | ||||
| r705 | """ | |||
| r750 | from rhodecode.lib.auth import get_crypt_password | |||
| r761 | log.debug('Checking for such ldap account in RhodeCode database') | |||
| r1594 | if self.get_by_username(username, case_insensitive=True) is None: | |||
| r1689 | ||||
| # autogenerate email for ldap account without one | ||||
| generate_email = lambda usr: '%s@ldap.account' % usr | ||||
| r705 | try: | |||
| new_user = User() | ||||
| r1689 | username = username.lower() | |||
| r1269 | # add ldap account always lowercase | |||
| r1689 | new_user.username = username | |||
| r750 | new_user.password = get_crypt_password(password) | |||
| r1116 | new_user.api_key = generate_api_key(username) | |||
| r1689 | new_user.email = attrs['email'] or generate_email(username) | |||
| r1628 | new_user.active = attrs.get('active', True) | |||
| r1516 | new_user.ldap_dn = safe_unicode(user_dn) | |||
|
Thayne Harbaugh
|
r991 | new_user.name = attrs['name'] | ||
| new_user.lastname = attrs['lastname'] | ||||
| r705 | ||||
| self.sa.add(new_user) | ||||
| r1628 | return new_user | |||
| r761 | except (DatabaseError,): | |||
| r705 | log.error(traceback.format_exc()) | |||
| self.sa.rollback() | ||||
| raise | ||||
| r761 | log.debug('this %s user exists skipping creation of ldap account', | |||
| username) | ||||
| r1628 | return None | |||
| r705 | ||||
| r629 | def create_registration(self, form_data): | |||
| r1731 | from rhodecode.model.notification import NotificationModel | |||
| r629 | try: | |||
| new_user = User() | ||||
| for k, v in form_data.items(): | ||||
| if k != 'admin': | ||||
| setattr(new_user, k, v) | ||||
| self.sa.add(new_user) | ||||
| r1731 | self.sa.flush() | |||
| # notification to admins | ||||
| subject = _('new user registration') | ||||
| r689 | body = ('New user registration\n' | |||
| r1731 | '---------------------\n' | |||
| '- Username: %s\n' | ||||
| '- Full Name: %s\n' | ||||
| '- Email: %s\n') | ||||
| body = body % (new_user.username, new_user.full_name, | ||||
| new_user.email) | ||||
| edit_url = url('edit_user', id=new_user.user_id, qualified=True) | ||||
| r1950 | kw = {'registered_user_url': edit_url} | |||
| r1731 | NotificationModel().create(created_by=new_user, subject=subject, | |||
| body=body, recipients=None, | ||||
| type_=Notification.TYPE_REGISTRATION, | ||||
| email_kwargs=kw) | ||||
| r689 | ||||
| r629 | except: | |||
| log.error(traceback.format_exc()) | ||||
| raise | ||||
| def update(self, user_id, form_data): | ||||
| try: | ||||
| r1594 | user = self.get(user_id, cache=False) | |||
| r1116 | if user.username == 'default': | |||
| r629 | raise DefaultUserException( | |||
| _("You can't Edit this user since it's" | ||||
| " crucial for entire application")) | ||||
| r713 | ||||
| r629 | for k, v in form_data.items(): | |||
| if k == 'new_password' and v != '': | ||||
| r1116 | user.password = v | |||
| user.api_key = generate_api_key(user.username) | ||||
| r629 | else: | |||
| r1116 | setattr(user, k, v) | |||
| r629 | ||||
| r1116 | self.sa.add(user) | |||
| r629 | except: | |||
| log.error(traceback.format_exc()) | ||||
| raise | ||||
| def update_my_account(self, user_id, form_data): | ||||
| try: | ||||
| r1594 | user = self.get(user_id, cache=False) | |||
| r1116 | if user.username == 'default': | |||
| r629 | raise DefaultUserException( | |||
| _("You can't Edit this user since it's" | ||||
| " crucial for entire application")) | ||||
| for k, v in form_data.items(): | ||||
| if k == 'new_password' and v != '': | ||||
| r1116 | user.password = v | |||
| user.api_key = generate_api_key(user.username) | ||||
| r629 | else: | |||
| if k not in ['admin', 'active']: | ||||
| r1116 | setattr(user, k, v) | |||
| r629 | ||||
| r1116 | self.sa.add(user) | |||
| r629 | except: | |||
| log.error(traceback.format_exc()) | ||||
| raise | ||||
| r1758 | def delete(self, user): | |||
| user = self.__get_user(user) | ||||
| r1818 | ||||
| r629 | try: | |||
| if user.username == 'default': | ||||
| raise DefaultUserException( | ||||
| _("You can't remove this user since it's" | ||||
| " crucial for entire application")) | ||||
| r713 | if user.repositories: | |||
| raise UserOwnsReposException(_('This user still owns %s ' | ||||
| 'repositories and cannot be ' | ||||
| 'removed. Switch owners or ' | ||||
| 'remove those repositories') \ | ||||
| % user.repositories) | ||||
| r629 | self.sa.delete(user) | |||
| except: | ||||
| log.error(traceback.format_exc()) | ||||
| raise | ||||
| r1417 | def reset_password_link(self, data): | |||
| from rhodecode.lib.celerylib import tasks, run_task | ||||
| run_task(tasks.send_password_link, data['email']) | ||||
| r629 | def reset_password(self, data): | |||
| from rhodecode.lib.celerylib import tasks, run_task | ||||
| run_task(tasks.reset_user_password, data['email']) | ||||
| r673 | ||||
| r1594 | def fill_data(self, auth_user, user_id=None, api_key=None): | |||
| r673 | """ | |||
| r1117 | Fetches auth_user by user_id,or api_key if present. | |||
| Fills auth_user attributes with those taken from database. | ||||
| r1203 | Additionally set's is_authenitated if lookup fails | |||
| r673 | present in database | |||
| r1203 | ||||
| r1117 | :param auth_user: instance of user to set attributes | |||
| :param user_id: user id to fetch by | ||||
| :param api_key: api key to fetch by | ||||
| r673 | """ | |||
| r1120 | if user_id is None and api_key is None: | |||
| r1117 | raise Exception('You need to pass user_id or api_key') | |||
| r686 | ||||
| r1117 | try: | |||
| if api_key: | ||||
| dbuser = self.get_by_api_key(api_key) | ||||
| else: | ||||
| dbuser = self.get(user_id) | ||||
|
Liad Shani
|
r1618 | if dbuser is not None and dbuser.active: | ||
| r1976 | log.debug('filling %s data' % dbuser) | |||
| r1120 | for k, v in dbuser.get_dict().items(): | |||
| setattr(auth_user, k, v) | ||||
|
Liad Shani
|
r1618 | else: | ||
| return False | ||||
| r1117 | ||||
| except: | ||||
| log.error(traceback.format_exc()) | ||||
| auth_user.is_authenticated = False | ||||
|
Liad Shani
|
r1618 | return False | ||
| r1117 | ||||
|
Liad Shani
|
r1618 | return True | ||
| r686 | ||||
| r1117 | def fill_perms(self, user): | |||
| r1269 | """ | |||
| Fills user permission attribute with permissions taken from database | ||||
| r1117 | works for permissions given for repositories, and for permissions that | |||
| r1269 | are granted to groups | |||
| r1203 | ||||
| r1117 | :param user: user instance to fill his perms | |||
| """ | ||||
| r1982 | RK = 'repositories' | |||
| GK = 'repositories_groups' | ||||
| GLOBAL = 'global' | ||||
| user.permissions[RK] = {} | ||||
| user.permissions[GK] = {} | ||||
| user.permissions[GLOBAL] = set() | ||||
| r1117 | ||||
| r1267 | #====================================================================== | |||
| r1117 | # fetch default permissions | |||
| r1267 | #====================================================================== | |||
| r1728 | default_user = User.get_by_username('default', cache=True) | |||
| default_user_id = default_user.user_id | ||||
| r1117 | ||||
| r1982 | default_repo_perms = Permission.get_default_perms(default_user_id) | |||
| default_repo_groups_perms = Permission.get_default_group_perms(default_user_id) | ||||
| r1117 | ||||
| if user.is_admin: | ||||
| r1267 | #================================================================== | |||
| r1982 | # admin user have all default rights for repositories | |||
| # and groups set to admin | ||||
| r1267 | #================================================================== | |||
| r1982 | user.permissions[GLOBAL].add('hg.admin') | |||
| r1117 | ||||
| r1982 | # repositories | |||
| for perm in default_repo_perms: | ||||
| r_k = perm.UserRepoToPerm.repository.repo_name | ||||
| r1117 | p = 'repository.admin' | |||
| r1982 | user.permissions[RK][r_k] = p | |||
| # repositories groups | ||||
| for perm in default_repo_groups_perms: | ||||
| rg_k = perm.UserRepoGroupToPerm.group.group_name | ||||
| p = 'group.admin' | ||||
| user.permissions[GK][rg_k] = p | ||||
| r1117 | ||||
| else: | ||||
| r1267 | #================================================================== | |||
| r1982 | # set default permissions first for repositories and groups | |||
| r1267 | #================================================================== | |||
| r1269 | uid = user.user_id | |||
| r1117 | ||||
| r1982 | # default global permissions | |||
| r1117 | default_global_perms = self.sa.query(UserToPerm)\ | |||
| r1728 | .filter(UserToPerm.user_id == default_user_id) | |||
| r1117 | ||||
| for perm in default_global_perms: | ||||
| r1982 | user.permissions[GLOBAL].add(perm.permission.permission_name) | |||
| r1117 | ||||
| r1729 | # default for repositories | |||
| r1982 | for perm in default_repo_perms: | |||
| r_k = perm.UserRepoToPerm.repository.repo_name | ||||
| if perm.Repository.private and not (perm.Repository.user_id == uid): | ||||
| r1729 | # disable defaults for private repos, | |||
| r1117 | p = 'repository.none' | |||
| r1269 | elif perm.Repository.user_id == uid: | |||
| r1729 | # set admin if owner | |||
| r1117 | p = 'repository.admin' | |||
| else: | ||||
| p = perm.Permission.permission_name | ||||
| r1982 | user.permissions[RK][r_k] = p | |||
| # default for repositories groups | ||||
| for perm in default_repo_groups_perms: | ||||
| rg_k = perm.UserRepoGroupToPerm.group.group_name | ||||
| p = perm.Permission.permission_name | ||||
| user.permissions[GK][rg_k] = p | ||||
| r1117 | ||||
| r1267 | #================================================================== | |||
| r1117 | # overwrite default with user permissions if any | |||
| r1267 | #================================================================== | |||
| r1729 | # user global | |||
| r1267 | user_perms = self.sa.query(UserToPerm)\ | |||
| r1269 | .options(joinedload(UserToPerm.permission))\ | |||
| .filter(UserToPerm.user_id == uid).all() | ||||
| r1267 | ||||
| for perm in user_perms: | ||||
| r1982 | user.permissions[GLOBAL].add(perm.permission.permission_name) | |||
| r1267 | ||||
| r1729 | # user repositories | |||
| r1982 | user_repo_perms = \ | |||
| self.sa.query(UserRepoToPerm, Permission, Repository)\ | ||||
| .join((Repository, UserRepoToPerm.repository_id == Repository.repo_id))\ | ||||
| .join((Permission, UserRepoToPerm.permission_id == Permission.permission_id))\ | ||||
| .filter(UserRepoToPerm.user_id == uid)\ | ||||
| .all() | ||||
| r1117 | ||||
| r1267 | for perm in user_repo_perms: | |||
| r1269 | # set admin if owner | |||
| r1982 | r_k = perm.UserRepoToPerm.repository.repo_name | |||
| r1269 | if perm.Repository.user_id == uid: | |||
| r1117 | p = 'repository.admin' | |||
| else: | ||||
| p = perm.Permission.permission_name | ||||
| r1982 | user.permissions[RK][r_k] = p | |||
| r1117 | ||||
| r1269 | #================================================================== | |||
| r1203 | # check if user is part of groups for this repository and fill in | |||
| r1117 | # (or replace with higher) permissions | |||
| r1269 | #================================================================== | |||
| r1728 | # users group global | |||
| r1269 | user_perms_from_users_groups = self.sa.query(UsersGroupToPerm)\ | |||
| .options(joinedload(UsersGroupToPerm.permission))\ | ||||
| .join((UsersGroupMember, UsersGroupToPerm.users_group_id == | ||||
| UsersGroupMember.users_group_id))\ | ||||
| .filter(UsersGroupMember.user_id == uid).all() | ||||
| r1117 | ||||
| for perm in user_perms_from_users_groups: | ||||
| r1982 | user.permissions[GLOBAL].add(perm.permission.permission_name) | |||
| r1269 | ||||
| r1728 | # users group repositories | |||
| r1982 | user_repo_perms_from_users_groups = \ | |||
| self.sa.query(UsersGroupRepoToPerm, Permission, Repository,)\ | ||||
| .join((Repository, UsersGroupRepoToPerm.repository_id == Repository.repo_id))\ | ||||
| .join((Permission, UsersGroupRepoToPerm.permission_id == Permission.permission_id))\ | ||||
| .join((UsersGroupMember, UsersGroupRepoToPerm.users_group_id == UsersGroupMember.users_group_id))\ | ||||
| .filter(UsersGroupMember.user_id == uid)\ | ||||
| .all() | ||||
| r1269 | ||||
| for perm in user_repo_perms_from_users_groups: | ||||
| r1982 | r_k = perm.UsersGroupRepoToPerm.repository.repo_name | |||
| r1117 | p = perm.Permission.permission_name | |||
| r1982 | cur_perm = user.permissions[RK][r_k] | |||
| r1728 | # overwrite permission only if it's greater than permission | |||
| r1269 | # given from other sources | |||
| r1117 | if PERM_WEIGHTS[p] > PERM_WEIGHTS[cur_perm]: | |||
| r1982 | user.permissions[RK][r_k] = p | |||
| #================================================================== | ||||
| # get access for this user for repos group and override defaults | ||||
| #================================================================== | ||||
| # user repositories groups | ||||
| user_repo_groups_perms = \ | ||||
| self.sa.query(UserRepoGroupToPerm, Permission, RepoGroup)\ | ||||
| .join((RepoGroup, UserRepoGroupToPerm.group_id == RepoGroup.group_id))\ | ||||
| .join((Permission, UserRepoGroupToPerm.permission_id == Permission.permission_id))\ | ||||
| .filter(UserRepoToPerm.user_id == uid)\ | ||||
| .all() | ||||
| for perm in user_repo_groups_perms: | ||||
| rg_k = perm.UserRepoGroupToPerm.group.group_name | ||||
| p = perm.Permission.permission_name | ||||
| cur_perm = user.permissions[GK][rg_k] | ||||
| if PERM_WEIGHTS[p] > PERM_WEIGHTS[cur_perm]: | ||||
| user.permissions[GK][rg_k] = p | ||||
| r673 | ||||
| return user | ||||
| r1594 | ||||
| r1749 | def has_perm(self, user, perm): | |||
| if not isinstance(perm, Permission): | ||||
| r1758 | raise Exception('perm needs to be an instance of Permission class ' | |||
| 'got %s instead' % type(perm)) | ||||
| r1749 | ||||
| user = self.__get_user(user) | ||||
| r1758 | return UserToPerm.query().filter(UserToPerm.user == user)\ | |||
| r1749 | .filter(UserToPerm.permission == perm).scalar() is not None | |||
| def grant_perm(self, user, perm): | ||||
| r1982 | """ | |||
| Grant user global permissions | ||||
| r1749 | ||||
| r1982 | :param user: | |||
| :param perm: | ||||
| """ | ||||
| r1749 | user = self.__get_user(user) | |||
| r1982 | perm = self.__get_perm(perm) | |||
| r1749 | new = UserToPerm() | |||
| r1758 | new.user = user | |||
| r1749 | new.permission = perm | |||
| self.sa.add(new) | ||||
| def revoke_perm(self, user, perm): | ||||
| r1982 | """ | |||
| Revoke users global permissions | ||||
| r1818 | ||||
| r1982 | :param user: | |||
| :param perm: | ||||
| """ | ||||
| r1749 | user = self.__get_user(user) | |||
| r1982 | perm = self.__get_perm(perm) | |||
| r1818 | ||||
| r1758 | obj = UserToPerm.query().filter(UserToPerm.user == user)\ | |||
| .filter(UserToPerm.permission == perm).scalar() | ||||
| if obj: | ||||
| self.sa.delete(obj) | ||||
