user.py
803 lines
| 30.9 KiB
| text/x-python
|
PythonLexer
r761 | # -*- coding: utf-8 -*- | |||
""" | ||||
r956 | rhodecode.model.user | |||
~~~~~~~~~~~~~~~~~~~~ | ||||
r761 | ||||
users model for RhodeCode | ||||
r1203 | ||||
r761 | :created_on: Apr 9, 2010 | |||
:author: marcink | ||||
r1824 | :copyright: (C) 2010-2012 Marcin Kuzminski <marcin@python-works.com> | |||
r761 | :license: GPLv3, see COPYING for more details. | |||
""" | ||||
r1206 | # This program is free software: you can redistribute it and/or modify | |||
# it under the terms of the GNU General Public License as published by | ||||
# the Free Software Foundation, either version 3 of the License, or | ||||
# (at your option) any later version. | ||||
r1203 | # | |||
r629 | # This program is distributed in the hope that it will be useful, | |||
# but WITHOUT ANY WARRANTY; without even the implied warranty of | ||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||||
# GNU General Public License for more details. | ||||
r1203 | # | |||
r629 | # You should have received a copy of the GNU General Public License | |||
r1206 | # along with this program. If not, see <http://www.gnu.org/licenses/>. | |||
r750 | ||||
r629 | import logging | |||
import traceback | ||||
r2709 | import itertools | |||
r3094 | import collections | |||
r1731 | from pylons import url | |||
r761 | from pylons.i18n.translation import _ | |||
r2479 | from sqlalchemy.exc import DatabaseError | |||
from sqlalchemy.orm import joinedload | ||||
r2109 | from rhodecode.lib.utils2 import safe_unicode, generate_api_key | |||
r1669 | from rhodecode.lib.caching_query import FromCache | |||
r761 | from rhodecode.model import BaseModel | |||
r1633 | from rhodecode.model.db import User, UserRepoToPerm, Repository, Permission, \ | |||
Mads Kiilerich
|
r3417 | UserToPerm, UserGroupRepoToPerm, UserGroupToPerm, UserGroupMember, \ | ||
Notification, RepoGroup, UserRepoGroupToPerm, UserGroupRepoGroupToPerm, \ | ||||
r3788 | UserEmailMap, UserIpMap, UserGroupUserGroupToPerm, UserGroup | |||
r1269 | from rhodecode.lib.exceptions import DefaultUserException, \ | |||
UserOwnsReposException | ||||
r3401 | from rhodecode.model.meta import Session | |||
r713 | ||||
r761 | ||||
log = logging.getLogger(__name__) | ||||
r629 | ||||
r2709 | PERM_WEIGHTS = Permission.PERM_WEIGHTS | |||
r1117 | ||||
r1267 | ||||
r752 | class UserModel(BaseModel): | |||
r2522 | cls = User | |||
r1716 | ||||
r1594 | def get(self, user_id, cache=False): | |||
r629 | user = self.sa.query(User) | |||
if cache: | ||||
user = user.options(FromCache("sql_cache_short", | ||||
"get_user_%s" % user_id)) | ||||
return user.get(user_id) | ||||
r2009 | def get_user(self, user): | |||
r2432 | return self._get_user(user) | |||
r2009 | ||||
r1594 | def get_by_username(self, username, cache=False, case_insensitive=False): | |||
r750 | ||||
r742 | if case_insensitive: | |||
user = self.sa.query(User).filter(User.username.ilike(username)) | ||||
else: | ||||
user = self.sa.query(User)\ | ||||
.filter(User.username == username) | ||||
r629 | if cache: | |||
user = user.options(FromCache("sql_cache_short", | ||||
"get_user_%s" % username)) | ||||
return user.scalar() | ||||
r2522 | def get_by_email(self, email, cache=False, case_insensitive=False): | |||
return User.get_by_email(email, case_insensitive, cache) | ||||
r1594 | def get_by_api_key(self, api_key, cache=False): | |||
r1693 | return User.get_by_api_key(api_key, cache) | |||
r1117 | ||||
r629 | def create(self, form_data): | |||
r2467 | from rhodecode.lib.auth import get_crypt_password | |||
r629 | try: | |||
new_user = User() | ||||
for k, v in form_data.items(): | ||||
r2467 | if k == 'password': | |||
v = get_crypt_password(v) | ||||
r2544 | if k == 'firstname': | |||
k = 'name' | ||||
r629 | setattr(new_user, k, v) | |||
r1116 | new_user.api_key = generate_api_key(form_data['username']) | |||
r629 | self.sa.add(new_user) | |||
Nicolas VINOT
|
r1586 | return new_user | ||
r3631 | except Exception: | |||
r629 | log.error(traceback.format_exc()) | |||
raise | ||||
r2513 | def create_or_update(self, username, password, email, firstname='', | |||
lastname='', active=True, admin=False, ldap_dn=None): | ||||
r1634 | """ | |||
Creates a new instance if not found, or updates current one | ||||
r1818 | ||||
r1634 | :param username: | |||
:param password: | ||||
:param email: | ||||
:param active: | ||||
r2513 | :param firstname: | |||
r1634 | :param lastname: | |||
:param active: | ||||
:param admin: | ||||
:param ldap_dn: | ||||
""" | ||||
r1728 | ||||
r1634 | from rhodecode.lib.auth import get_crypt_password | |||
r1728 | ||||
r1976 | log.debug('Checking for %s account in RhodeCode database' % username) | |||
r1634 | user = User.get_by_username(username, case_insensitive=True) | |||
if user is None: | ||||
r1976 | log.debug('creating new user %s' % username) | |||
r1634 | new_user = User() | |||
r2513 | edit = False | |||
r1634 | else: | |||
r1976 | log.debug('updating user %s' % username) | |||
r1634 | new_user = user | |||
r2513 | edit = True | |||
r1728 | ||||
r1634 | try: | |||
new_user.username = username | ||||
new_user.admin = admin | ||||
r2513 | # set password only if creating an user or password is changed | |||
Mads Kiilerich
|
r3625 | if not edit or user.password != password: | ||
r3809 | new_user.password = get_crypt_password(password) if password else None | |||
r2513 | new_user.api_key = generate_api_key(username) | |||
r1634 | new_user.email = email | |||
new_user.active = active | ||||
new_user.ldap_dn = safe_unicode(ldap_dn) if ldap_dn else None | ||||
r2513 | new_user.name = firstname | |||
r1634 | new_user.lastname = lastname | |||
self.sa.add(new_user) | ||||
return new_user | ||||
except (DatabaseError,): | ||||
log.error(traceback.format_exc()) | ||||
raise | ||||
r1728 | ||||
Liad Shani
|
r1621 | def create_for_container_auth(self, username, attrs): | ||
""" | ||||
Creates the given user if it's not already in the database | ||||
r1818 | ||||
Liad Shani
|
r1621 | :param username: | ||
:param attrs: | ||||
""" | ||||
if self.get_by_username(username, case_insensitive=True) is None: | ||||
r1690 | ||||
# autogenerate email for container account without one | ||||
generate_email = lambda usr: '%s@container_auth.account' % usr | ||||
Liad Shani
|
r1621 | try: | ||
new_user = User() | ||||
new_user.username = username | ||||
new_user.password = None | ||||
new_user.api_key = generate_api_key(username) | ||||
new_user.email = attrs['email'] | ||||
r1628 | new_user.active = attrs.get('active', True) | |||
r1690 | new_user.name = attrs['name'] or generate_email(username) | |||
Liad Shani
|
r1621 | new_user.lastname = attrs['lastname'] | ||
self.sa.add(new_user) | ||||
r1628 | return new_user | |||
Liad Shani
|
r1621 | except (DatabaseError,): | ||
log.error(traceback.format_exc()) | ||||
self.sa.rollback() | ||||
raise | ||||
r1628 | log.debug('User %s already exists. Skipping creation of account' | |||
' for container auth.', username) | ||||
return None | ||||
Liad Shani
|
r1621 | |||
Thayne Harbaugh
|
r991 | def create_ldap(self, username, password, user_dn, attrs): | ||
r705 | """ | |||
Checks if user is in database, if not creates this user marked | ||||
as ldap user | ||||
r1818 | ||||
r705 | :param username: | |||
:param password: | ||||
Thayne Harbaugh
|
r991 | :param user_dn: | ||
:param attrs: | ||||
r705 | """ | |||
r750 | from rhodecode.lib.auth import get_crypt_password | |||
r761 | log.debug('Checking for such ldap account in RhodeCode database') | |||
r1594 | if self.get_by_username(username, case_insensitive=True) is None: | |||
r1689 | ||||
# autogenerate email for ldap account without one | ||||
generate_email = lambda usr: '%s@ldap.account' % usr | ||||
r705 | try: | |||
new_user = User() | ||||
r1689 | username = username.lower() | |||
r1269 | # add ldap account always lowercase | |||
r1689 | new_user.username = username | |||
r750 | new_user.password = get_crypt_password(password) | |||
r1116 | new_user.api_key = generate_api_key(username) | |||
r1689 | new_user.email = attrs['email'] or generate_email(username) | |||
r1628 | new_user.active = attrs.get('active', True) | |||
r1516 | new_user.ldap_dn = safe_unicode(user_dn) | |||
Thayne Harbaugh
|
r991 | new_user.name = attrs['name'] | ||
new_user.lastname = attrs['lastname'] | ||||
r705 | ||||
self.sa.add(new_user) | ||||
r1628 | return new_user | |||
r761 | except (DatabaseError,): | |||
r705 | log.error(traceback.format_exc()) | |||
self.sa.rollback() | ||||
raise | ||||
r761 | log.debug('this %s user exists skipping creation of ldap account', | |||
username) | ||||
r1628 | return None | |||
r705 | ||||
r629 | def create_registration(self, form_data): | |||
r1731 | from rhodecode.model.notification import NotificationModel | |||
r629 | try: | |||
r2248 | form_data['admin'] = False | |||
new_user = self.create(form_data) | ||||
r629 | ||||
self.sa.add(new_user) | ||||
r1731 | self.sa.flush() | |||
# notification to admins | ||||
Mads Kiilerich
|
r3654 | subject = _('New user registration') | ||
r689 | body = ('New user registration\n' | |||
r1731 | '---------------------\n' | |||
'- Username: %s\n' | ||||
'- Full Name: %s\n' | ||||
'- Email: %s\n') | ||||
body = body % (new_user.username, new_user.full_name, | ||||
new_user.email) | ||||
edit_url = url('edit_user', id=new_user.user_id, qualified=True) | ||||
r1950 | kw = {'registered_user_url': edit_url} | |||
r1731 | NotificationModel().create(created_by=new_user, subject=subject, | |||
body=body, recipients=None, | ||||
type_=Notification.TYPE_REGISTRATION, | ||||
email_kwargs=kw) | ||||
r689 | ||||
r3631 | except Exception: | |||
r629 | log.error(traceback.format_exc()) | |||
raise | ||||
r3021 | def update(self, user_id, form_data, skip_attrs=[]): | |||
r2488 | from rhodecode.lib.auth import get_crypt_password | |||
r629 | try: | |||
r1594 | user = self.get(user_id, cache=False) | |||
r1116 | if user.username == 'default': | |||
r629 | raise DefaultUserException( | |||
_("You can't Edit this user since it's" | ||||
" crucial for entire application")) | ||||
r713 | ||||
r629 | for k, v in form_data.items(): | |||
r3021 | if k in skip_attrs: | |||
continue | ||||
r2544 | if k == 'new_password' and v: | |||
r2488 | user.password = get_crypt_password(v) | |||
r1116 | user.api_key = generate_api_key(user.username) | |||
r629 | else: | |||
r2544 | if k == 'firstname': | |||
k = 'name' | ||||
r1116 | setattr(user, k, v) | |||
self.sa.add(user) | ||||
r3631 | except Exception: | |||
r629 | log.error(traceback.format_exc()) | |||
raise | ||||
r2657 | def update_user(self, user, **kwargs): | |||
from rhodecode.lib.auth import get_crypt_password | ||||
try: | ||||
user = self._get_user(user) | ||||
if user.username == 'default': | ||||
raise DefaultUserException( | ||||
_("You can't Edit this user since it's" | ||||
" crucial for entire application") | ||||
) | ||||
for k, v in kwargs.items(): | ||||
if k == 'password' and v: | ||||
v = get_crypt_password(v) | ||||
user.api_key = generate_api_key(user.username) | ||||
setattr(user, k, v) | ||||
self.sa.add(user) | ||||
return user | ||||
r3631 | except Exception: | |||
r2657 | log.error(traceback.format_exc()) | |||
raise | ||||
r1758 | def delete(self, user): | |||
r2432 | user = self._get_user(user) | |||
r1818 | ||||
r629 | try: | |||
if user.username == 'default': | ||||
raise DefaultUserException( | ||||
r2153 | _(u"You can't remove this user since it's" | |||
r2124 | " crucial for entire application") | |||
) | ||||
r713 | if user.repositories: | |||
r2153 | repos = [x.repo_name for x in user.repositories] | |||
r2124 | raise UserOwnsReposException( | |||
r2153 | _(u'user "%s" still owns %s repositories and cannot be ' | |||
'removed. Switch owners or remove those repositories. %s') | ||||
% (user.username, len(repos), ', '.join(repos)) | ||||
r2124 | ) | |||
r629 | self.sa.delete(user) | |||
r3631 | except Exception: | |||
r629 | log.error(traceback.format_exc()) | |||
raise | ||||
r1417 | def reset_password_link(self, data): | |||
from rhodecode.lib.celerylib import tasks, run_task | ||||
r3401 | from rhodecode.model.notification import EmailNotificationModel | |||
user_email = data['email'] | ||||
try: | ||||
user = User.get_by_email(user_email) | ||||
if user: | ||||
log.debug('password reset user found %s' % user) | ||||
link = url('reset_password_confirmation', key=user.api_key, | ||||
qualified=True) | ||||
reg_type = EmailNotificationModel.TYPE_PASSWORD_RESET | ||||
body = EmailNotificationModel().get_email_tmpl(reg_type, | ||||
**{'user': user.short_contact, | ||||
'reset_url': link}) | ||||
log.debug('sending email') | ||||
run_task(tasks.send_email, user_email, | ||||
Mads Kiilerich
|
r3654 | _("Password reset link"), body, body) | ||
r3401 | log.info('send new password mail to %s' % user_email) | |||
else: | ||||
log.debug("password reset email %s not found" % user_email) | ||||
r3631 | except Exception: | |||
r3401 | log.error(traceback.format_exc()) | |||
return False | ||||
return True | ||||
r1417 | ||||
r629 | def reset_password(self, data): | |||
from rhodecode.lib.celerylib import tasks, run_task | ||||
r3401 | from rhodecode.lib import auth | |||
user_email = data['email'] | ||||
try: | ||||
try: | ||||
user = User.get_by_email(user_email) | ||||
new_passwd = auth.PasswordGenerator().gen_password(8, | ||||
auth.PasswordGenerator.ALPHABETS_BIG_SMALL) | ||||
if user: | ||||
user.password = auth.get_crypt_password(new_passwd) | ||||
user.api_key = auth.generate_api_key(user.username) | ||||
Session().add(user) | ||||
Session().commit() | ||||
log.info('change password for %s' % user_email) | ||||
if new_passwd is None: | ||||
raise Exception('unable to generate new password') | ||||
r3631 | except Exception: | |||
r3401 | log.error(traceback.format_exc()) | |||
Session().rollback() | ||||
run_task(tasks.send_email, user_email, | ||||
_('Your new password'), | ||||
_('Your new RhodeCode password:%s') % (new_passwd)) | ||||
log.info('send new password mail to %s' % user_email) | ||||
r3631 | except Exception: | |||
r3401 | log.error('Failed to update user password') | |||
log.error(traceback.format_exc()) | ||||
return True | ||||
r673 | ||||
r1594 | def fill_data(self, auth_user, user_id=None, api_key=None): | |||
r673 | """ | |||
r1117 | Fetches auth_user by user_id,or api_key if present. | |||
Fills auth_user attributes with those taken from database. | ||||
r1203 | Additionally set's is_authenitated if lookup fails | |||
r673 | present in database | |||
r1203 | ||||
r1117 | :param auth_user: instance of user to set attributes | |||
:param user_id: user id to fetch by | ||||
:param api_key: api key to fetch by | ||||
r673 | """ | |||
r1120 | if user_id is None and api_key is None: | |||
r1117 | raise Exception('You need to pass user_id or api_key') | |||
r686 | ||||
r1117 | try: | |||
if api_key: | ||||
dbuser = self.get_by_api_key(api_key) | ||||
else: | ||||
dbuser = self.get(user_id) | ||||
Liad Shani
|
r1618 | if dbuser is not None and dbuser.active: | ||
r1976 | log.debug('filling %s data' % dbuser) | |||
r1120 | for k, v in dbuser.get_dict().items(): | |||
setattr(auth_user, k, v) | ||||
Liad Shani
|
r1618 | else: | ||
return False | ||||
r1117 | ||||
r3631 | except Exception: | |||
r1117 | log.error(traceback.format_exc()) | |||
auth_user.is_authenticated = False | ||||
Liad Shani
|
r1618 | return False | ||
r1117 | ||||
Liad Shani
|
r1618 | return True | ||
r686 | ||||
r3094 | def fill_perms(self, user, explicit=True, algo='higherwin'): | |||
r1269 | """ | |||
Fills user permission attribute with permissions taken from database | ||||
r1117 | works for permissions given for repositories, and for permissions that | |||
r1269 | are granted to groups | |||
r1203 | ||||
r1117 | :param user: user instance to fill his perms | |||
r3094 | :param explicit: In case there are permissions both for user and a group | |||
that user is part of, explicit flag will defiine if user will | ||||
explicitly override permissions from group, if it's False it will | ||||
make decision based on the algo | ||||
:param algo: algorithm to decide what permission should be choose if | ||||
it's multiple defined, eg user in two different groups. It also | ||||
decides if explicit flag is turned off how to specify the permission | ||||
for case when user is in a group + have defined separate permission | ||||
r1117 | """ | |||
r1982 | RK = 'repositories' | |||
GK = 'repositories_groups' | ||||
r3714 | UK = 'user_groups' | |||
r1982 | GLOBAL = 'global' | |||
user.permissions[RK] = {} | ||||
user.permissions[GK] = {} | ||||
r3714 | user.permissions[UK] = {} | |||
r1982 | user.permissions[GLOBAL] = set() | |||
r1117 | ||||
r3094 | def _choose_perm(new_perm, cur_perm): | |||
new_perm_val = PERM_WEIGHTS[new_perm] | ||||
cur_perm_val = PERM_WEIGHTS[cur_perm] | ||||
if algo == 'higherwin': | ||||
if new_perm_val > cur_perm_val: | ||||
return new_perm | ||||
return cur_perm | ||||
elif algo == 'lowerwin': | ||||
if new_perm_val < cur_perm_val: | ||||
return new_perm | ||||
return cur_perm | ||||
r1267 | #====================================================================== | |||
r1117 | # fetch default permissions | |||
r1267 | #====================================================================== | |||
r1728 | default_user = User.get_by_username('default', cache=True) | |||
default_user_id = default_user.user_id | ||||
r1117 | ||||
r1982 | default_repo_perms = Permission.get_default_perms(default_user_id) | |||
default_repo_groups_perms = Permission.get_default_group_perms(default_user_id) | ||||
r3714 | default_user_group_perms = Permission.get_default_user_group_perms(default_user_id) | |||
r1117 | ||||
if user.is_admin: | ||||
r1267 | #================================================================== | |||
r1982 | # admin user have all default rights for repositories | |||
# and groups set to admin | ||||
r1267 | #================================================================== | |||
r1982 | user.permissions[GLOBAL].add('hg.admin') | |||
r1117 | ||||
r1982 | # repositories | |||
for perm in default_repo_perms: | ||||
r_k = perm.UserRepoToPerm.repository.repo_name | ||||
r1117 | p = 'repository.admin' | |||
r1982 | user.permissions[RK][r_k] = p | |||
Mads Kiilerich
|
r3410 | # repository groups | ||
r1982 | for perm in default_repo_groups_perms: | |||
rg_k = perm.UserRepoGroupToPerm.group.group_name | ||||
p = 'group.admin' | ||||
user.permissions[GK][rg_k] = p | ||||
r3714 | ||||
# user groups | ||||
for perm in default_user_group_perms: | ||||
u_k = perm.UserUserGroupToPerm.user_group.users_group_name | ||||
p = 'usergroup.admin' | ||||
user.permissions[UK][u_k] = p | ||||
r2186 | return user | |||
r1117 | ||||
r2186 | #================================================================== | |||
Mads Kiilerich
|
r3653 | # SET DEFAULTS GLOBAL, REPOS, REPOSITORY GROUPS | ||
r2186 | #================================================================== | |||
uid = user.user_id | ||||
r1117 | ||||
r2709 | # default global permissions taken fron the default user | |||
r2186 | default_global_perms = self.sa.query(UserToPerm)\ | |||
.filter(UserToPerm.user_id == default_user_id) | ||||
r1117 | ||||
r2186 | for perm in default_global_perms: | |||
user.permissions[GLOBAL].add(perm.permission.permission_name) | ||||
r1117 | ||||
r2186 | # defaults for repositories, taken from default user | |||
for perm in default_repo_perms: | ||||
r_k = perm.UserRepoToPerm.repository.repo_name | ||||
if perm.Repository.private and not (perm.Repository.user_id == uid): | ||||
# disable defaults for private repos, | ||||
p = 'repository.none' | ||||
elif perm.Repository.user_id == uid: | ||||
# set admin if owner | ||||
p = 'repository.admin' | ||||
else: | ||||
p = perm.Permission.permission_name | ||||
user.permissions[RK][r_k] = p | ||||
r1117 | ||||
Mads Kiilerich
|
r3410 | # defaults for repository groups taken from default user permission | ||
r2186 | # on given group | |||
for perm in default_repo_groups_perms: | ||||
rg_k = perm.UserRepoGroupToPerm.group.group_name | ||||
p = perm.Permission.permission_name | ||||
user.permissions[GK][rg_k] = p | ||||
r3714 | # defaults for user groups taken from default user permission | |||
# on given user group | ||||
for perm in default_user_group_perms: | ||||
u_k = perm.UserUserGroupToPerm.user_group.users_group_name | ||||
p = perm.Permission.permission_name | ||||
user.permissions[UK][u_k] = p | ||||
r2709 | #====================================================================== | |||
# !! OVERRIDE GLOBALS !! with user permissions if any found | ||||
#====================================================================== | ||||
# those can be configured from groups or users explicitly | ||||
r3736 | _configurable = set([ | |||
'hg.fork.none', 'hg.fork.repository', | ||||
'hg.create.none', 'hg.create.repository', | ||||
'hg.usergroup.create.false', 'hg.usergroup.create.true' | ||||
]) | ||||
r2186 | ||||
r2709 | # USER GROUPS comes first | |||
r3415 | # user group global permissions | |||
Mads Kiilerich
|
r3417 | user_perms_from_users_groups = self.sa.query(UserGroupToPerm)\ | ||
.options(joinedload(UserGroupToPerm.permission))\ | ||||
.join((UserGroupMember, UserGroupToPerm.users_group_id == | ||||
UserGroupMember.users_group_id))\ | ||||
.filter(UserGroupMember.user_id == uid)\ | ||||
.order_by(UserGroupToPerm.users_group_id)\ | ||||
r2709 | .all() | |||
#need to group here by groups since user can be in more than one group | ||||
_grouped = [[x, list(y)] for x, y in | ||||
itertools.groupby(user_perms_from_users_groups, | ||||
lambda x:x.users_group)] | ||||
for gr, perms in _grouped: | ||||
# since user can be in multiple groups iterate over them and | ||||
# select the lowest permissions first (more explicit) | ||||
##TODO: do this^^ | ||||
if not gr.inherit_default_permissions: | ||||
# NEED TO IGNORE all configurable permissions and | ||||
# replace them with explicitly set | ||||
user.permissions[GLOBAL] = user.permissions[GLOBAL]\ | ||||
.difference(_configurable) | ||||
for perm in perms: | ||||
user.permissions[GLOBAL].add(perm.permission.permission_name) | ||||
# user specific global permissions | ||||
r2186 | user_perms = self.sa.query(UserToPerm)\ | |||
.options(joinedload(UserToPerm.permission))\ | ||||
.filter(UserToPerm.user_id == uid).all() | ||||
r2709 | if not user.inherit_default_permissions: | |||
# NEED TO IGNORE all configurable permissions and | ||||
# replace them with explicitly set | ||||
user.permissions[GLOBAL] = user.permissions[GLOBAL]\ | ||||
.difference(_configurable) | ||||
for perm in user_perms: | ||||
user.permissions[GLOBAL].add(perm.permission.permission_name) | ||||
r3736 | ## END GLOBAL PERMISSIONS | |||
r2709 | #====================================================================== | |||
r3094 | # !! PERMISSIONS FOR REPOSITORIES !! | |||
r2709 | #====================================================================== | |||
#====================================================================== | ||||
# check if user is part of user groups for this repository and | ||||
r3094 | # fill in his permission from it. _choose_perm decides of which | |||
# permission should be selected based on selected method | ||||
r2709 | #====================================================================== | |||
r3094 | ||||
r3415 | # user group for repositories permissions | |||
r2709 | user_repo_perms_from_users_groups = \ | |||
Mads Kiilerich
|
r3417 | self.sa.query(UserGroupRepoToPerm, Permission, Repository,)\ | ||
.join((Repository, UserGroupRepoToPerm.repository_id == | ||||
r2709 | Repository.repo_id))\ | |||
Mads Kiilerich
|
r3417 | .join((Permission, UserGroupRepoToPerm.permission_id == | ||
r2709 | Permission.permission_id))\ | |||
Mads Kiilerich
|
r3417 | .join((UserGroupMember, UserGroupRepoToPerm.users_group_id == | ||
UserGroupMember.users_group_id))\ | ||||
.filter(UserGroupMember.user_id == uid)\ | ||||
r2709 | .all() | |||
r3096 | multiple_counter = collections.defaultdict(int) | |||
r2709 | for perm in user_repo_perms_from_users_groups: | |||
Mads Kiilerich
|
r3417 | r_k = perm.UserGroupRepoToPerm.repository.repo_name | ||
r3094 | multiple_counter[r_k] += 1 | |||
r2709 | p = perm.Permission.permission_name | |||
cur_perm = user.permissions[RK][r_k] | ||||
r2864 | ||||
r3094 | if perm.Repository.user_id == uid: | |||
# set admin if owner | ||||
p = 'repository.admin' | ||||
else: | ||||
if multiple_counter[r_k] > 1: | ||||
p = _choose_perm(p, cur_perm) | ||||
user.permissions[RK][r_k] = p | ||||
r1982 | ||||
r3094 | # user explicit permissions for repositories, overrides any specified | |||
# by the group permission | ||||
r3714 | user_repo_perms = Permission.get_default_perms(uid) | |||
r2186 | for perm in user_repo_perms: | |||
r3094 | r_k = perm.UserRepoToPerm.repository.repo_name | |||
cur_perm = user.permissions[RK][r_k] | ||||
r2186 | # set admin if owner | |||
if perm.Repository.user_id == uid: | ||||
p = 'repository.admin' | ||||
else: | ||||
p = perm.Permission.permission_name | ||||
r3094 | if not explicit: | |||
p = _choose_perm(p, cur_perm) | ||||
r2186 | user.permissions[RK][r_k] = p | |||
r1267 | ||||
r3094 | #====================================================================== | |||
Mads Kiilerich
|
r3410 | # !! PERMISSIONS FOR REPOSITORY GROUPS !! | ||
r3094 | #====================================================================== | |||
#====================================================================== | ||||
# check if user is part of user groups for this repository groups and | ||||
# fill in his permission from it. _choose_perm decides of which | ||||
# permission should be selected based on selected method | ||||
#====================================================================== | ||||
r3415 | # user group for repo groups permissions | |||
r3094 | user_repo_group_perms_from_users_groups = \ | |||
Mads Kiilerich
|
r3417 | self.sa.query(UserGroupRepoGroupToPerm, Permission, RepoGroup)\ | ||
.join((RepoGroup, UserGroupRepoGroupToPerm.group_id == RepoGroup.group_id))\ | ||||
.join((Permission, UserGroupRepoGroupToPerm.permission_id | ||||
r3094 | == Permission.permission_id))\ | |||
Mads Kiilerich
|
r3417 | .join((UserGroupMember, UserGroupRepoGroupToPerm.users_group_id | ||
== UserGroupMember.users_group_id))\ | ||||
.filter(UserGroupMember.user_id == uid)\ | ||||
r3094 | .all() | |||
r1269 | ||||
r3096 | multiple_counter = collections.defaultdict(int) | |||
r3094 | for perm in user_repo_group_perms_from_users_groups: | |||
Mads Kiilerich
|
r3417 | g_k = perm.UserGroupRepoGroupToPerm.group.group_name | ||
r3094 | multiple_counter[g_k] += 1 | |||
p = perm.Permission.permission_name | ||||
cur_perm = user.permissions[GK][g_k] | ||||
if multiple_counter[g_k] > 1: | ||||
p = _choose_perm(p, cur_perm) | ||||
user.permissions[GK][g_k] = p | ||||
# user explicit permissions for repository groups | ||||
r3714 | user_repo_groups_perms = Permission.get_default_group_perms(uid) | |||
r2186 | for perm in user_repo_groups_perms: | |||
rg_k = perm.UserRepoGroupToPerm.group.group_name | ||||
p = perm.Permission.permission_name | ||||
cur_perm = user.permissions[GK][rg_k] | ||||
r3094 | if not explicit: | |||
p = _choose_perm(p, cur_perm) | ||||
user.permissions[GK][rg_k] = p | ||||
r2129 | ||||
r3714 | #====================================================================== | |||
# !! PERMISSIONS FOR USER GROUPS !! | ||||
#====================================================================== | ||||
r3788 | # user group for user group permissions | |||
user_group_user_groups_perms = \ | ||||
self.sa.query(UserGroupUserGroupToPerm, Permission, UserGroup)\ | ||||
.join((UserGroup, UserGroupUserGroupToPerm.target_user_group_id | ||||
== UserGroup.users_group_id))\ | ||||
.join((Permission, UserGroupUserGroupToPerm.permission_id | ||||
== Permission.permission_id))\ | ||||
.join((UserGroupMember, UserGroupUserGroupToPerm.user_group_id | ||||
== UserGroupMember.users_group_id))\ | ||||
.filter(UserGroupMember.user_id == uid)\ | ||||
.all() | ||||
multiple_counter = collections.defaultdict(int) | ||||
for perm in user_group_user_groups_perms: | ||||
g_k = perm.UserGroupUserGroupToPerm.target_user_group.users_group_name | ||||
multiple_counter[g_k] += 1 | ||||
p = perm.Permission.permission_name | ||||
cur_perm = user.permissions[UK][g_k] | ||||
if multiple_counter[g_k] > 1: | ||||
p = _choose_perm(p, cur_perm) | ||||
user.permissions[UK][g_k] = p | ||||
r3714 | #user explicit permission for user groups | |||
user_user_groups_perms = Permission.get_default_user_group_perms(uid) | ||||
for perm in user_user_groups_perms: | ||||
u_k = perm.UserUserGroupToPerm.user_group.users_group_name | ||||
p = perm.Permission.permission_name | ||||
cur_perm = user.permissions[UK][u_k] | ||||
if not explicit: | ||||
p = _choose_perm(p, cur_perm) | ||||
user.permissions[UK][u_k] = p | ||||
r673 | return user | |||
r1594 | ||||
r1749 | def has_perm(self, user, perm): | |||
r2709 | perm = self._get_perm(perm) | |||
r2432 | user = self._get_user(user) | |||
r1749 | ||||
r1758 | return UserToPerm.query().filter(UserToPerm.user == user)\ | |||
r1749 | .filter(UserToPerm.permission == perm).scalar() is not None | |||
def grant_perm(self, user, perm): | ||||
r1982 | """ | |||
Grant user global permissions | ||||
r1749 | ||||
r1982 | :param user: | |||
:param perm: | ||||
""" | ||||
r2432 | user = self._get_user(user) | |||
perm = self._get_perm(perm) | ||||
r2078 | # if this permission is already granted skip it | |||
_perm = UserToPerm.query()\ | ||||
.filter(UserToPerm.user == user)\ | ||||
.filter(UserToPerm.permission == perm)\ | ||||
.scalar() | ||||
if _perm: | ||||
return | ||||
r1749 | new = UserToPerm() | |||
r1758 | new.user = user | |||
r1749 | new.permission = perm | |||
self.sa.add(new) | ||||
def revoke_perm(self, user, perm): | ||||
r1982 | """ | |||
Revoke users global permissions | ||||
r1818 | ||||
r1982 | :param user: | |||
:param perm: | ||||
""" | ||||
r2432 | user = self._get_user(user) | |||
perm = self._get_perm(perm) | ||||
r1818 | ||||
r2078 | obj = UserToPerm.query()\ | |||
.filter(UserToPerm.user == user)\ | ||||
.filter(UserToPerm.permission == perm)\ | ||||
.scalar() | ||||
r1758 | if obj: | |||
self.sa.delete(obj) | ||||
r2330 | ||||
def add_extra_email(self, user, email): | ||||
""" | ||||
Adds email address to UserEmailMap | ||||
:param user: | ||||
:param email: | ||||
""" | ||||
r2479 | from rhodecode.model import forms | |||
form = forms.UserExtraEmailForm()() | ||||
data = form.to_python(dict(email=email)) | ||||
r2432 | user = self._get_user(user) | |||
r2479 | ||||
r2330 | obj = UserEmailMap() | |||
obj.user = user | ||||
r2479 | obj.email = data['email'] | |||
r2330 | self.sa.add(obj) | |||
return obj | ||||
def delete_extra_email(self, user, email_id): | ||||
""" | ||||
Removes email address from UserEmailMap | ||||
:param user: | ||||
:param email_id: | ||||
""" | ||||
r2432 | user = self._get_user(user) | |||
r2330 | obj = UserEmailMap.query().get(email_id) | |||
if obj: | ||||
r2478 | self.sa.delete(obj) | |||
r3125 | ||||
def add_extra_ip(self, user, ip): | ||||
""" | ||||
Adds ip address to UserIpMap | ||||
:param user: | ||||
:param ip: | ||||
""" | ||||
from rhodecode.model import forms | ||||
form = forms.UserExtraIpForm()() | ||||
data = form.to_python(dict(ip=ip)) | ||||
user = self._get_user(user) | ||||
obj = UserIpMap() | ||||
obj.user = user | ||||
obj.ip_addr = data['ip'] | ||||
self.sa.add(obj) | ||||
return obj | ||||
def delete_extra_ip(self, user, ip_id): | ||||
""" | ||||
Removes ip address from UserIpMap | ||||
:param user: | ||||
:param ip_id: | ||||
""" | ||||
user = self._get_user(user) | ||||
obj = UserIpMap.query().get(ip_id) | ||||
if obj: | ||||
self.sa.delete(obj) | ||||