##// END OF EJS Templates
upstream » kallithea
RSS

Clone from https://kallithea-scm.org/repos/kallithea

added repo creation filesystem test
added repo creation filesystem test
marcink - - Load All Authors

File last commit:

r1036:405b80e4 beta
r1037:b1d6478d beta
Show More
auth.py
609 lines | 22.5 KiB | text/x-python | PythonLexer
/ rhodecode / lib / auth.py
History | Source | Raw |Copy content |Copy permalink
marcink
Added some more details into user edit permissions view
 r895 # -*- coding: utf-8 -*-
"""
rhodecode.lib.auth
~~~~~~~~~~~~~~~~~~
authentication and permission libraries
:created_on: Apr 4, 2010
:copyright: (c) 2010 by marcink.
:license: LICENSE_NAME, see LICENSE_FILE for more details.
"""
marcink
renamed project to rhodecode
 r547 # This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; version 2
# of the License or (at your opinion) any later version of the license.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
# MA 02110-1301, USA.
marcink
Added some more details into user edit permissions view
 r895 import bcrypt
import random
import logging
import traceback
from decorator import decorator
marcink
renamed project to rhodecode
 r547 from pylons import config, session, url, request
from pylons.controllers.util import abort, redirect
marcink
Added some more details into user edit permissions view
 r895
from rhodecode.lib.exceptions import LdapPasswordError, LdapUsernameError
marcink
renamed project to rhodecode
 r547 from rhodecode.lib.utils import get_repo_slug
marcink
fixed #72 show warning on removal when user still is owner of existing repositories...
 r713 from rhodecode.lib.auth_ldap import AuthLdap
marcink
Added some more details into user edit permissions view
 r895
marcink
renamed project to rhodecode
 r547 from rhodecode.model import meta
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673 from rhodecode.model.user import UserModel
marcink
renamed project to rhodecode
 r547 from rhodecode.model.db import User, RepoToPerm, Repository, Permission, \
marcink
#56 added propagation of permission from group
 r1016 UserToPerm, UsersGroupToPerm, UsersGroupMember
marcink
Added some more details into user edit permissions view
 r895
marcink
renamed project to rhodecode
 r547
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673 log = logging.getLogger(__name__)
marcink
renamed project to rhodecode
 r547
marcink
#56 added propagation of permission from group
 r1016
PERM_WEIGHTS = {'repository.none':0,
'repository.read':1,
'repository.write':3,
'repository.admin':3}
marcink
renamed project to rhodecode
 r547 class PasswordGenerator(object):
"""This is a simple class for generating password from
different sets of characters
usage:
passwd_gen = PasswordGenerator()
#print 8-letter password containing only big and small letters of alphabet
print passwd_gen.gen_password(8, passwd_gen.ALPHABETS_BIG_SMALL)
"""
ALPHABETS_NUM = r'''1234567890'''#[0]
ALPHABETS_SMALL = r'''qwertyuiopasdfghjklzxcvbnm'''#[1]
ALPHABETS_BIG = r'''QWERTYUIOPASDFGHJKLZXCVBNM'''#[2]
ALPHABETS_SPECIAL = r'''`-=[]\;',./~!@#$%^&*()_+{}|:"<>?''' #[3]
ALPHABETS_FULL = ALPHABETS_BIG + ALPHABETS_SMALL + ALPHABETS_NUM + ALPHABETS_SPECIAL#[4]
ALPHABETS_ALPHANUM = ALPHABETS_BIG + ALPHABETS_SMALL + ALPHABETS_NUM#[5]
ALPHABETS_BIG_SMALL = ALPHABETS_BIG + ALPHABETS_SMALL
ALPHABETS_ALPHANUM_BIG = ALPHABETS_BIG + ALPHABETS_NUM#[6]
ALPHABETS_ALPHANUM_SMALL = ALPHABETS_SMALL + ALPHABETS_NUM#[7]
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673
marcink
renamed project to rhodecode
 r547 def __init__(self, passwd=''):
self.passwd = passwd
def gen_password(self, len, type):
self.passwd = ''.join([random.choice(type) for _ in xrange(len)])
return self.passwd
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673
marcink
renamed project to rhodecode
 r547 def get_crypt_password(password):
marcink
#56 added propagation of permission from group
 r1016 """Cryptographic function used for password hashing based on pybcrypt
marcink
fixed @repo into :repo for docs...
 r604 :param password: password to hash
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673 """
marcink
renamed project to rhodecode
 r547 return bcrypt.hashpw(password, bcrypt.gensalt(10))
def check_password(password, hashed):
return bcrypt.hashpw(password, hashed) == hashed
def authfunc(environ, username, password):
marcink
#56 added propagation of permission from group
 r1016 """Dummy authentication function used in Mercurial/Git/ and access control,
marcink
ldap auth rewrite, moved split authfunc into two functions,...
 r761
:param environ: needed only for using in Basic auth
"""
return authenticate(username, password)
def authenticate(username, password):
marcink
#56 added propagation of permission from group
 r1016 """Authentication function used for access control,
marcink
Code refactor for auth func, preparing for ldap support...
 r699 firstly checks for db authentication then if ldap is enabled for ldap
marcink
implements #60, ldap configuration and authentication....
 r705 authentication, also creates ldap user if not in database
marcink
Code refactor for auth func, preparing for ldap support...
 r699 :param username: username
:param password: password
"""
marcink
implements #60, ldap configuration and authentication....
 r705 user_model = UserModel()
user = user_model.get_by_username(username, cache=False)
marcink
Code refactor for auth func, preparing for ldap support...
 r699
marcink
ldap auth rewrite, moved split authfunc into two functions,...
 r761 log.debug('Authenticating user using RhodeCode account')
Thayne Harbaugh
Improve LDAP authentication...
 r991 if user is not None and not user.ldap_dn:
marcink
renamed project to rhodecode
 r547 if user.active:
marcink
#49 Enabled anonymous access push and pull commands
 r674
if user.username == 'default' and user.active:
marcink
ldap auth rewrite, moved split authfunc into two functions,...
 r761 log.info('user %s authenticated correctly as anonymous user',
username)
marcink
#49 Enabled anonymous access push and pull commands
 r674 return True
elif user.username == username and check_password(password, user.password):
marcink
renamed project to rhodecode
 r547 log.info('user %s authenticated correctly', username)
return True
else:
marcink
ldap auth rewrite, moved split authfunc into two functions,...
 r761 log.warning('user %s is disabled', username)
marcink
implements #60, ldap configuration and authentication....
 r705
else:
marcink
ldap auth rewrite, moved split authfunc into two functions,...
 r761 log.debug('Regular authentication failed')
marcink
#78, fixed more reliable case insensitive searches
 r742 user_obj = user_model.get_by_username(username, cache=False,
case_insensitive=True)
marcink
ldap auth rewrite, moved split authfunc into two functions,...
 r761
Thayne Harbaugh
Improve LDAP authentication...
 r991 if user_obj is not None and not user_obj.ldap_dn:
marcink
added debug message for ldap auth
 r749 log.debug('this user already exists as non ldap')
marcink
fixed ldap issue and small template fix
 r748 return False
marcink
implements #60, ldap configuration and authentication....
 r705 from rhodecode.model.settings import SettingsModel
ldap_settings = SettingsModel().get_ldap_settings()
#======================================================================
marcink
#56 added propagation of permission from group
 r1016 # FALLBACK TO LDAP AUTH IF ENABLE
marcink
implements #60, ldap configuration and authentication....
 r705 #======================================================================
if ldap_settings.get('ldap_active', False):
marcink
ldap auth rewrite, moved split authfunc into two functions,...
 r761 log.debug("Authenticating user using ldap")
marcink
implements #60, ldap configuration and authentication....
 r705 kwargs = {
'server':ldap_settings.get('ldap_host', ''),
'base_dn':ldap_settings.get('ldap_base_dn', ''),
'port':ldap_settings.get('ldap_port'),
'bind_dn':ldap_settings.get('ldap_dn_user'),
'bind_pass':ldap_settings.get('ldap_dn_pass'),
'use_ldaps':ldap_settings.get('ldap_ldaps'),
Thayne Harbaugh
Improve LDAP authentication...
 r991 'tls_reqcert':ldap_settings.get('ldap_tls_reqcert'),
'ldap_filter':ldap_settings.get('ldap_filter'),
'search_scope':ldap_settings.get('ldap_search_scope'),
'attr_login':ldap_settings.get('ldap_attr_login'),
marcink
implements #60, ldap configuration and authentication....
 r705 'ldap_version':3,
}
log.debug('Checking for ldap authentication')
try:
aldap = AuthLdap(**kwargs)
Thayne Harbaugh
Improve LDAP authentication...
 r991 (user_dn, ldap_attrs) = aldap.authenticate_ldap(username, password)
log.debug('Got ldap DN response %s', user_dn)
marcink
implements #60, ldap configuration and authentication....
 r705
Thayne Harbaugh
Improve LDAP authentication...
 r991 user_attrs = {
'name' : ldap_attrs[ldap_settings.get('ldap_attr_firstname')][0],
'lastname' : ldap_attrs[ldap_settings.get('ldap_attr_lastname')][0],
'email' : ldap_attrs[ldap_settings.get('ldap_attr_email')][0],
}
if user_model.create_ldap(username, password, user_dn, user_attrs):
marcink
#56 added propagation of permission from group
 r1016 log.info('created new ldap user %s', username)
marcink
implements #60, ldap configuration and authentication....
 r705
marcink
ldap auth rewrite, moved split authfunc into two functions,...
 r761 return True
except (LdapUsernameError, LdapPasswordError,):
pass
except (Exception,):
marcink
implements #60, ldap configuration and authentication....
 r705 log.error(traceback.format_exc())
marcink
ldap auth rewrite, moved split authfunc into two functions,...
 r761 pass
marcink
renamed project to rhodecode
 r547 return False
class AuthUser(object):
marcink
#56 added propagation of permission from group
 r1016 """A simple object that handles a mercurial username for authentication
marcink
renamed project to rhodecode
 r547 """
marcink
#56 added propagation of permission from group
 r1016
marcink
renamed project to rhodecode
 r547 def __init__(self):
self.username = 'None'
self.name = ''
self.lastname = ''
self.email = ''
self.user_id = None
self.is_authenticated = False
self.is_admin = False
self.permissions = {}
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673 def __repr__(self):
return "<AuthUser('id:%s:%s')>" % (self.user_id, self.username)
marcink
renamed project to rhodecode
 r547
def set_available_permissions(config):
marcink
Added some more details into user edit permissions view
 r895 """This function will propagate pylons globals with all available defined
marcink
#56 added propagation of permission from group
 r1016 permission given in db. We don't want to check each time from db for new
marcink
renamed project to rhodecode
 r547 permissions since adding a new permission also requires application restart
ie. to decorate new views with the newly created permission
marcink
Added some more details into user edit permissions view
 r895
:param config: current pylons config instance
marcink
renamed project to rhodecode
 r547 """
log.info('getting information about all available permissions')
try:
marcink
Code refactoring,models renames...
 r629 sa = meta.Session()
marcink
renamed project to rhodecode
 r547 all_perms = sa.query(Permission).all()
marcink
Code refactoring,models renames...
 r629 except:
pass
marcink
renamed project to rhodecode
 r547 finally:
meta.Session.remove()
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673
marcink
renamed project to rhodecode
 r547 config['available_permissions'] = [x.permission_name for x in all_perms]
def fill_perms(user):
marcink
Added some more details into user edit permissions view
 r895 """Fills user permission attribute with permissions taken from database
marcink
#56 added propagation of permission from group
 r1016 works for permissions given for repositories, and for permissions that
as part of beeing group member
marcink
Added some more details into user edit permissions view
 r895
marcink
#56 added propagation of permission from group
 r1016 :param user: user instance to fill his perms
marcink
renamed project to rhodecode
 r547 """
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673
marcink
Code refactoring,models renames...
 r629 sa = meta.Session()
marcink
renamed project to rhodecode
 r547 user.permissions['repositories'] = {}
user.permissions['global'] = set()
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673
marcink
renamed project to rhodecode
 r547 #===========================================================================
# fetch default permissions
#===========================================================================
marcink
#50 on point cache invalidation changes....
 r692 default_user = UserModel().get_by_username('default', cache=True)
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673
marcink
renamed project to rhodecode
 r547 default_perms = sa.query(RepoToPerm, Repository, Permission)\
.join((Repository, RepoToPerm.repository_id == Repository.repo_id))\
.join((Permission, RepoToPerm.permission_id == Permission.permission_id))\
marcink
moved out sqlalchemy cache from meta to the config files....
 r609 .filter(RepoToPerm.user == default_user).all()
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673
marcink
renamed project to rhodecode
 r547 if user.is_admin:
#=======================================================================
# #admin have all default rights set to admin
#=======================================================================
user.permissions['global'].add('hg.admin')
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673
marcink
renamed project to rhodecode
 r547 for perm in default_perms:
p = 'repository.admin'
user.permissions['repositories'][perm.RepoToPerm.repository.repo_name] = p
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673
marcink
renamed project to rhodecode
 r547 else:
#=======================================================================
# set default permissions
#=======================================================================
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673
marcink
renamed project to rhodecode
 r547 #default global
default_global_perms = sa.query(UserToPerm)\
marcink
fixes issue #78, ldap makes user validation caseInsensitive...
 r741 .filter(UserToPerm.user == sa.query(User)\
.filter(User.username == 'default').one())
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673
marcink
renamed project to rhodecode
 r547 for perm in default_global_perms:
user.permissions['global'].add(perm.permission.permission_name)
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673
marcink
#56 added propagation of permission from group
 r1016 #default for repositories
marcink
renamed project to rhodecode
 r547 for perm in default_perms:
if perm.Repository.private and not perm.Repository.user_id == user.user_id:
#disable defaults for private repos,
p = 'repository.none'
elif perm.Repository.user_id == user.user_id:
#set admin if owner
p = 'repository.admin'
else:
p = perm.Permission.permission_name
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673
marcink
renamed project to rhodecode
 r547 user.permissions['repositories'][perm.RepoToPerm.repository.repo_name] = p
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673
marcink
renamed project to rhodecode
 r547 #=======================================================================
marcink
#56 added propagation of permission from group
 r1016 # overwrite default with user permissions if any
marcink
renamed project to rhodecode
 r547 #=======================================================================
user_perms = sa.query(RepoToPerm, Permission, Repository)\
.join((Repository, RepoToPerm.repository_id == Repository.repo_id))\
.join((Permission, RepoToPerm.permission_id == Permission.permission_id))\
.filter(RepoToPerm.user_id == user.user_id).all()
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673
marcink
renamed project to rhodecode
 r547 for perm in user_perms:
if perm.Repository.user_id == user.user_id:#set admin if owner
p = 'repository.admin'
else:
p = perm.Permission.permission_name
user.permissions['repositories'][perm.RepoToPerm.repository.repo_name] = p
marcink
#56 added propagation of permission from group
 r1016
#=======================================================================
# check if user is part of groups for this repository and fill in
# (or replace with higher) permissions
#=======================================================================
user_perms_from_users_groups = sa.query(UsersGroupToPerm, Permission, Repository,)\
.join((Repository, UsersGroupToPerm.repository_id == Repository.repo_id))\
.join((Permission, UsersGroupToPerm.permission_id == Permission.permission_id))\
.join((UsersGroupMember, UsersGroupToPerm.users_group_id == UsersGroupMember.users_group_id))\
.filter(UsersGroupMember.user_id == user.user_id).all()
for perm in user_perms_from_users_groups:
p = perm.Permission.permission_name
cur_perm = user.permissions['repositories'][perm.UsersGroupToPerm.repository.repo_name]
#overwrite permission only if it's greater than permission given from other sources
if PERM_WEIGHTS[p] > PERM_WEIGHTS[cur_perm]:
user.permissions['repositories'][perm.UsersGroupToPerm.repository.repo_name] = p
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673 meta.Session.remove()
marcink
renamed project to rhodecode
 r547 return user
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673
marcink
renamed project to rhodecode
 r547 def get_user(session):
marcink
#56 added propagation of permission from group
 r1016 """Gets user from session, and wraps permissions into user
marcink
fixed @repo into :repo for docs...
 r604 :param session:
marcink
renamed project to rhodecode
 r547 """
marcink
renamed hg_app to rhodecode
 r548 user = session.get('rhodecode_user', AuthUser())
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673 #if the user is not logged in we check for anonymous access
#if user is logged and it's a default user check if we still have anonymous
#access enabled
if user.user_id is None or user.username == 'default':
anonymous_user = UserModel().get_by_username('default', cache=True)
if anonymous_user.active is True:
#then we set this user is logged in
user.is_authenticated = True
marcink
fixed anonymous access bug.
 r686 user.user_id = anonymous_user.user_id
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673 else:
user.is_authenticated = False
marcink
renamed project to rhodecode
 r547 if user.is_authenticated:
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673 user = UserModel().fill_data(user)
marcink
renamed project to rhodecode
 r547 user = fill_perms(user)
marcink
renamed hg_app to rhodecode
 r548 session['rhodecode_user'] = user
marcink
renamed project to rhodecode
 r547 session.save()
return user
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673
marcink
renamed project to rhodecode
 r547 #===============================================================================
# CHECK DECORATORS
#===============================================================================
class LoginRequired(object):
marcink
Added isanonymous decorator for checking permissions for anonymous access
 r779 """Must be logged in to execute this function else
redirect to login page"""
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673
marcink
renamed project to rhodecode
 r547 def __call__(self, func):
return decorator(self.__wrapper, func)
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673
marcink
renamed project to rhodecode
 r547 def __wrapper(self, func, *fargs, **fkwargs):
marcink
renamed hg_app to rhodecode
 r548 user = session.get('rhodecode_user', AuthUser())
marcink
renamed project to rhodecode
 r547 log.debug('Checking login required for user:%s', user.username)
if user.is_authenticated:
log.debug('user %s is authenticated', user.username)
return func(*fargs, **fkwargs)
else:
log.warn('user %s not authenticated', user.username)
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673
marcink
renamed project to rhodecode
 r547 p = ''
if request.environ.get('SCRIPT_NAME') != '/':
p += request.environ.get('SCRIPT_NAME')
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673
marcink
renamed project to rhodecode
 r547 p += request.environ.get('PATH_INFO')
if request.environ.get('QUERY_STRING'):
p += '?' + request.environ.get('QUERY_STRING')
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673
log.debug('redirecting to login page with %s', p)
marcink
renamed project to rhodecode
 r547 return redirect(url('login_home', came_from=p))
marcink
Added isanonymous decorator for checking permissions for anonymous access
 r779 class NotAnonymous(object):
"""Must be logged in to execute this function else
redirect to login page"""
def __call__(self, func):
return decorator(self.__wrapper, func)
def __wrapper(self, func, *fargs, **fkwargs):
user = session.get('rhodecode_user', AuthUser())
log.debug('Checking if user is not anonymous')
anonymous = user.username == 'default'
if anonymous:
p = ''
if request.environ.get('SCRIPT_NAME') != '/':
p += request.environ.get('SCRIPT_NAME')
p += request.environ.get('PATH_INFO')
if request.environ.get('QUERY_STRING'):
p += '?' + request.environ.get('QUERY_STRING')
return redirect(url('login_home', came_from=p))
else:
return func(*fargs, **fkwargs)
marcink
renamed project to rhodecode
 r547 class PermsDecorator(object):
"""Base class for decorators"""
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673
marcink
renamed project to rhodecode
 r547 def __init__(self, *required_perms):
available_perms = config['available_permissions']
for perm in required_perms:
if perm not in available_perms:
raise Exception("'%s' permission is not defined" % perm)
self.required_perms = set(required_perms)
self.user_perms = None
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673
marcink
renamed project to rhodecode
 r547 def __call__(self, func):
return decorator(self.__wrapper, func)
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673
marcink
renamed project to rhodecode
 r547 def __wrapper(self, func, *fargs, **fkwargs):
# _wrapper.__name__ = func.__name__
# _wrapper.__dict__.update(func.__dict__)
# _wrapper.__doc__ = func.__doc__
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673 self.user = session.get('rhodecode_user', AuthUser())
self.user_perms = self.user.permissions
log.debug('checking %s permissions %s for %s %s',
self.__class__.__name__, self.required_perms, func.__name__,
self.user)
marcink
renamed project to rhodecode
 r547
if self.check_permissions():
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673 log.debug('Permission granted for %s %s', func.__name__, self.user)
marcink
renamed project to rhodecode
 r547 return func(*fargs, **fkwargs)
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673
marcink
renamed project to rhodecode
 r547 else:
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673 log.warning('Permission denied for %s %s', func.__name__, self.user)
marcink
renamed project to rhodecode
 r547 #redirect with forbidden ret code
return abort(403)
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673
marcink
renamed project to rhodecode
 r547 def check_permissions(self):
"""Dummy function for overriding"""
raise Exception('You have to write this function in child class')
class HasPermissionAllDecorator(PermsDecorator):
"""Checks for access permission for all given predicates. All of them
have to be meet in order to fulfill the request
"""
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673
marcink
renamed project to rhodecode
 r547 def check_permissions(self):
if self.required_perms.issubset(self.user_perms.get('global')):
return True
return False
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673
marcink
renamed project to rhodecode
 r547
class HasPermissionAnyDecorator(PermsDecorator):
"""Checks for access permission for any of given predicates. In order to
fulfill the request any of predicates must be meet
"""
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673
marcink
renamed project to rhodecode
 r547 def check_permissions(self):
if self.required_perms.intersection(self.user_perms.get('global')):
return True
return False
class HasRepoPermissionAllDecorator(PermsDecorator):
"""Checks for access permission for all given predicates for specific
repository. All of them have to be meet in order to fulfill the request
"""
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673
marcink
renamed project to rhodecode
 r547 def check_permissions(self):
repo_name = get_repo_slug(request)
try:
user_perms = set([self.user_perms['repositories'][repo_name]])
except KeyError:
return False
if self.required_perms.issubset(user_perms):
return True
return False
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673
marcink
renamed project to rhodecode
 r547
class HasRepoPermissionAnyDecorator(PermsDecorator):
"""Checks for access permission for any of given predicates for specific
repository. In order to fulfill the request any of predicates must be meet
"""
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673
marcink
renamed project to rhodecode
 r547 def check_permissions(self):
repo_name = get_repo_slug(request)
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673
marcink
renamed project to rhodecode
 r547 try:
user_perms = set([self.user_perms['repositories'][repo_name]])
except KeyError:
return False
if self.required_perms.intersection(user_perms):
return True
return False
#===============================================================================
# CHECK FUNCTIONS
#===============================================================================
class PermsFunction(object):
"""Base function for other check functions"""
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673
marcink
renamed project to rhodecode
 r547 def __init__(self, *perms):
available_perms = config['available_permissions']
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673
marcink
renamed project to rhodecode
 r547 for perm in perms:
if perm not in available_perms:
raise Exception("'%s' permission in not defined" % perm)
self.required_perms = set(perms)
self.user_perms = None
self.granted_for = ''
self.repo_name = None
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673
marcink
renamed project to rhodecode
 r547 def __call__(self, check_Location=''):
marcink
renamed hg_app to rhodecode
 r548 user = session.get('rhodecode_user', False)
marcink
renamed project to rhodecode
 r547 if not user:
return False
self.user_perms = user.permissions
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673 self.granted_for = user.username
log.debug('checking %s %s %s', self.__class__.__name__,
self.required_perms, user)
marcink
renamed project to rhodecode
 r547 if self.check_permissions():
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673 log.debug('Permission granted for %s @ %s %s', self.granted_for,
check_Location, user)
marcink
renamed project to rhodecode
 r547 return True
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673
marcink
renamed project to rhodecode
 r547 else:
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673 log.warning('Permission denied for %s @ %s %s', self.granted_for,
check_Location, user)
return False
marcink
renamed project to rhodecode
 r547 def check_permissions(self):
"""Dummy function for overriding"""
raise Exception('You have to write this function in child class')
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673
marcink
renamed project to rhodecode
 r547 class HasPermissionAll(PermsFunction):
def check_permissions(self):
if self.required_perms.issubset(self.user_perms.get('global')):
return True
return False
class HasPermissionAny(PermsFunction):
def check_permissions(self):
if self.required_perms.intersection(self.user_perms.get('global')):
return True
return False
class HasRepoPermissionAll(PermsFunction):
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673
marcink
renamed project to rhodecode
 r547 def __call__(self, repo_name=None, check_Location=''):
self.repo_name = repo_name
return super(HasRepoPermissionAll, self).__call__(check_Location)
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673
marcink
renamed project to rhodecode
 r547 def check_permissions(self):
if not self.repo_name:
self.repo_name = get_repo_slug(request)
try:
self.user_perms = set([self.user_perms['repositories']\
[self.repo_name]])
except KeyError:
return False
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673 self.granted_for = self.repo_name
marcink
renamed project to rhodecode
 r547 if self.required_perms.issubset(self.user_perms):
return True
return False
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673
marcink
renamed project to rhodecode
 r547 class HasRepoPermissionAny(PermsFunction):
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673
marcink
renamed project to rhodecode
 r547 def __call__(self, repo_name=None, check_Location=''):
self.repo_name = repo_name
return super(HasRepoPermissionAny, self).__call__(check_Location)
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673
marcink
renamed project to rhodecode
 r547 def check_permissions(self):
if not self.repo_name:
self.repo_name = get_repo_slug(request)
try:
self.user_perms = set([self.user_perms['repositories']\
[self.repo_name]])
except KeyError:
return False
self.granted_for = self.repo_name
if self.required_perms.intersection(self.user_perms):
return True
return False
#===============================================================================
# SPECIAL VERSION TO HANDLE MIDDLEWARE AUTH
#===============================================================================
class HasPermissionAnyMiddleware(object):
def __init__(self, *perms):
self.required_perms = set(perms)
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673
marcink
renamed project to rhodecode
 r547 def __call__(self, user, repo_name):
usr = AuthUser()
usr.user_id = user.user_id
usr.username = user.username
usr.is_admin = user.admin
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673
marcink
renamed project to rhodecode
 r547 try:
self.user_perms = set([fill_perms(usr)\
.permissions['repositories'][repo_name]])
except:
self.user_perms = set()
self.granted_for = ''
self.username = user.username
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673 self.repo_name = repo_name
marcink
renamed project to rhodecode
 r547 return self.check_permissions()
marcink
#49 Enabled anonymous access for web interface controllable from permissions pannel
 r673
marcink
renamed project to rhodecode
 r547 def check_permissions(self):
log.debug('checking mercurial protocol '
'permissions for user:%s repository:%s',
self.username, self.repo_name)
if self.required_perms.intersection(self.user_perms):
log.debug('permission granted')
return True
log.debug('permission denied')
return False