backported redirection loop fix from beta ref: 222e9432298e
user.py
r761 # -*- coding: utf-8 -*-
"""
started working on issue #56
r956 rhodecode.model.user
~~~~~~~~~~~~~~~~~~~~
ldap auth rewrite, moved split authfunc into two functions,...
r761
users model for RhodeCode
source code cleanup: remove trailing white space, normalize file endings
r1203
ldap auth rewrite, moved split authfunc into two functions,...
r761 :created_on: Apr 9, 2010
:author: marcink
2012 copyrights
r1824 :copyright: (C) 2010-2012 Marcin Kuzminski <marcin@python-works.com>
ldap auth rewrite, moved split authfunc into two functions,...
r761 :license: GPLv3, see COPYING for more details.
"""
fixed license issue #149
r1206 # This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
source code cleanup: remove trailing white space, normalize file endings
r1203 #
Code refactoring,models renames...
r629 # This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
source code cleanup: remove trailing white space, normalize file endings
r1203 #
Code refactoring,models renames...
r629 # You should have received a copy of the GNU General Public License
fixed license issue #149
r1206 # along with this program. If not, see <http://www.gnu.org/licenses/>.
fixed security issue when saving ldap user saved plaintext password
r750
Code refactoring,models renames...
r629 import logging
import traceback
RhodeCode now has a option to explicitly set forking permissions. ref #508...
r2709 import itertools
fixed issue #644 When a user is both in read and write group, the permission taken in account is the last saved permission...
r3094 import collections
implements #222 registration feedback...
r1731 from pylons import url
ldap auth rewrite, moved split authfunc into two functions,...
r761 from pylons.i18n.translation import _
Added validation into user email map
r2479 from sqlalchemy.exc import DatabaseError
from sqlalchemy.orm import joinedload
utils/conf...
r2109 from rhodecode.lib.utils2 import safe_unicode, generate_api_key
moved caching query to libs
r1669 from rhodecode.lib.caching_query import FromCache
ldap auth rewrite, moved split authfunc into two functions,...
r761 from rhodecode.model import BaseModel
refactoring of models names for repoGroup permissions
r1633 from rhodecode.model.db import User, UserRepoToPerm, Repository, Permission, \
Mads Kiilerich
further cleanup of UsersGroup...
r3417 UserToPerm, UserGroupRepoToPerm, UserGroupToPerm, UserGroupMember, \
Notification, RepoGroup, UserRepoGroupToPerm, UserGroupRepoGroupToPerm, \
Added UserIpMap interface for allowed IP addresses and IP restriction access...
r3125 UserEmailMap, UserIpMap
tries to fix issue #177 by fallback to user.user_id instead of fetching from db, user.user_id...
r1269 from rhodecode.lib.exceptions import DefaultUserException, \
UserOwnsReposException
moved out password reset tasks from celery, it doesn't make any sense to keep them there, additionally they are broken...
r3401 from rhodecode.model.meta import Session
fixed #72 show warning on removal when user still is owner of existing repositories...
r713
ldap auth rewrite, moved split authfunc into two functions,...
r761
# Module-level logger, named after this module.
log = logging.getLogger(__name__)

# Module-level alias for the weight table defined on Permission; fill_perms
# looks weights up by permission name and compares them with < and >.
PERM_WEIGHTS = Permission.PERM_WEIGHTS
r752 class UserModel(BaseModel):
r2522 cls = User
def get(self, user_id, cache=False):
    """
    Return the user stored under primary key ``user_id``.

    :param user_id: primary key handed to the query's ``get()``
    :param cache: when true, attach a ``FromCache`` option that uses the
        ``sql_cache_short`` region and the key ``get_user_<user_id>``
    """
    query = self.sa.query(User)
    if not cache:
        return query.get(user_id)
    cache_opt = FromCache("sql_cache_short", "get_user_%s" % user_id)
    return query.options(cache_opt).get(user_id)
def get_user(self, user):
    """
    Resolve ``user`` through the ``_get_user`` helper and return the result.

    :param user: value passed unchanged to ``self._get_user``
    """
    resolved = self._get_user(user)
    return resolved
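def get_by_username(self, username, cache=False, case_insensitive=False):
    """
    Return the user whose username matches ``username``, or ``None``.

    :param username: login name to look up
    :param cache: when true, attach a ``FromCache`` option that uses the
        ``sql_cache_short`` region and the key ``get_user_<username>``
    :param case_insensitive: match the name ignoring case (SQL ``ILIKE``)
    """
    if case_insensitive:
        # ILIKE treats '%' and '_' as wildcards, so a name such as
        # "john_doe" would also match "johnXdoe" and could resolve to a
        # different account (or make scalar() fail on several rows).
        # Escape the pattern so the comparison is literal apart from case.
        pattern = username
        if username:
            pattern = (username.replace('!', '!!')
                               .replace('%', '!%')
                               .replace('_', '!_'))
        query = self.sa.query(User)\
            .filter(User.username.ilike(pattern, escape='!'))
    else:
        query = self.sa.query(User).filter(User.username == username)

    if cache:
        # NOTE(review): get() builds its cache key with the same
        # "get_user_%s" prefix from a user id; confirm that FromCache
        # cannot hand back the entry for id N when the username is "N".
        query = query.options(FromCache("sql_cache_short",
                                        "get_user_%s" % username))
    return query.scalar()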
def get_by_email(self, email, cache=False, case_insensitive=False):
    """
    Look a user up by email by delegating to ``User.get_by_email``.

    :param email: address to search for
    :param cache: forwarded as the third positional argument
    :param case_insensitive: forwarded as the second positional argument
    """
    found = User.get_by_email(email, case_insensitive, cache)
    return found
def get_by_api_key(self, api_key, cache=False):
    """
    Look a user up by API key by delegating to ``User.get_by_api_key``.

    :param api_key: key to search for
    :param cache: forwarded to ``User.get_by_api_key``
    """
    found = User.get_by_api_key(api_key, cache)
    return found
def create(self, form_data):
    """
    Build a new ``User`` from ``form_data`` and add it to the session.

    Every key of ``form_data`` is copied onto the new object with
    ``setattr``; ``password`` is hashed first and ``firstname`` is stored
    as ``name``. A fresh API key is generated from ``form_data['username']``.

    :param form_data: mapping of attribute names to values
    :returns: the new ``User`` (added to the session)
    """
    from rhodecode.lib.auth import get_crypt_password
    try:
        account = User()
        # NOTE(review): nothing here filters keys, so a caller that passes
        # unvalidated input lets it set any attribute (``admin`` included).
        # create_registration forces ``admin`` to False before calling;
        # other callers should validate the mapping themselves.
        for key, value in form_data.items():
            if key == 'password':
                value = get_crypt_password(value)
            attr = 'name' if key == 'firstname' else key
            setattr(account, attr, value)

        account.api_key = generate_api_key(form_data['username'])
        self.sa.add(account)
        return account
    except Exception:
        # log the traceback here, then let the caller deal with the error
        log.error(traceback.format_exc())
        raise
def create_or_update(self, username, password, email, firstname='',
                     lastname='', active=True, admin=False, ldap_dn=None):
    """
    Create the account if the username is unknown, otherwise update it.

    The existing account is looked up case insensitively. The password is
    hashed and the API key regenerated only for a new account or when
    ``password`` differs from the value already stored on the user.

    :param username: login name
    :param password: new password; compared against the stored value
    :param email: email address
    :param firstname: stored as ``name``
    :param lastname: last name
    :param active: whether the account is active
    :param admin: whether the account is an administrator
    :param ldap_dn: LDAP distinguished name, or a false value for none
    :returns: the created or updated ``User`` (added to the session)
    :raises DatabaseError: re-raised after the traceback is logged
    """
    from rhodecode.lib.auth import get_crypt_password

    log.debug('Checking for %s account in RhodeCode database' % username)
    user = User.get_by_username(username, case_insensitive=True)
    edit = user is not None
    if edit:
        log.debug('updating user %s' % username)
        account = user
    else:
        log.debug('creating new user %s' % username)
        account = User()

    try:
        account.username = username
        account.admin = admin
        # A new account always gets a hash; an existing one only when the
        # supplied value is not the one already stored, so an unchanged
        # password does not rotate the API key.
        if not (edit and user.password == password):
            account.password = get_crypt_password(password)
            account.api_key = generate_api_key(username)
        account.email = email
        account.active = active
        if ldap_dn:
            account.ldap_dn = safe_unicode(ldap_dn)
        else:
            account.ldap_dn = None
        account.name = firstname
        account.lastname = lastname
        self.sa.add(account)
        return account
    except (DatabaseError,):
        log.error(traceback.format_exc())
        raise
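def create_for_container_auth(self, username, attrs):
    """
    Create an account for a container-authenticated user if none exists.

    The existence check is case insensitive. The new account gets no
    local password (``password`` is ``None``) and a generated API key.

    :param username: login name reported for the user
    :param attrs: mapping with ``email``, ``name`` and ``lastname`` keys;
        ``active`` is optional and defaults to ``True``
    :returns: the new ``User`` (added to the session), or ``None`` when
        the username already exists
    :raises DatabaseError: re-raised after logging and a session rollback
    """
    if self.get_by_username(username, case_insensitive=True) is not None:
        log.debug('User %s already exists. Skipping creation of account'
                  ' for container auth.', username)
        return None

    try:
        new_user = User()
        new_user.username = username
        # NOTE(review): no local password is stored; this presumably relies
        # on the container having authenticated the user already. Confirm
        # that ``username`` can only come from a trusted front end.
        new_user.password = None
        new_user.api_key = generate_api_key(username)
        # Autogenerate an address for container accounts without one, the
        # same way create_ldap does. The fallback was previously applied
        # to the first name, which left the email empty.
        new_user.email = (attrs['email']
                          or '%s@container_auth.account' % username)
        new_user.active = attrs.get('active', True)
        new_user.name = attrs['name']
        new_user.lastname = attrs['lastname']
        self.sa.add(new_user)
        return new_user
    except (DatabaseError,):
        log.error(traceback.format_exc())
        self.sa.rollback()
        raise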
def create_ldap(self, username, password, user_dn, attrs):
    """
    Create a local account marked as an LDAP user if none exists yet.

    The existence check is case insensitive; the new account is always
    stored with a lower-cased username. The supplied password is hashed
    before it is stored and a new API key is generated.

    :param username: login name
    :param password: password to hash and store on the local account
    :param user_dn: LDAP distinguished name, stored via ``safe_unicode``
    :param attrs: mapping with ``email``, ``name`` and ``lastname`` keys;
        ``active`` is optional and defaults to ``True``
    :returns: the new ``User`` (added to the session), or ``None`` when
        the username already exists
    :raises DatabaseError: re-raised after logging and a session rollback
    """
    from rhodecode.lib.auth import get_crypt_password
    log.debug('Checking for such ldap account in RhodeCode database')
    if self.get_by_username(username, case_insensitive=True) is not None:
        log.debug('this %s user exists skipping creation of ldap account',
                  username)
        return None

    try:
        ldap_user = User()
        # add ldap account always lowercase
        username = username.lower()
        ldap_user.username = username
        # only the hash is stored, never the plaintext password
        ldap_user.password = get_crypt_password(password)
        ldap_user.api_key = generate_api_key(username)
        # autogenerate email for ldap account without one
        ldap_user.email = attrs['email'] or '%s@ldap.account' % username
        ldap_user.active = attrs.get('active', True)
        ldap_user.ldap_dn = safe_unicode(user_dn)
        ldap_user.name = attrs['name']
        ldap_user.lastname = attrs['lastname']

        self.sa.add(ldap_user)
        return ldap_user
    except (DatabaseError,):
        log.error(traceback.format_exc())
        self.sa.rollback()
        raise
def create_registration(self, form_data):
    """
    Register a new non-admin user and create a registration notification.

    ``form_data['admin']`` is overwritten with ``False`` before the user
    is created, so a registration form cannot produce an admin account.

    :param form_data: registration form values, passed on to ``create``
    """
    from rhodecode.model.notification import NotificationModel

    try:
        # self-registration must never grant admin rights
        form_data['admin'] = False
        registered = self.create(form_data)

        self.sa.add(registered)
        # flush so that user_id is available for the edit URL below
        self.sa.flush()

        # notification to admins
        subject = _('New user registration')
        template = ('New user registration\n'
                    '---------------------\n'
                    '- Username: %s\n'
                    '- Full Name: %s\n'
                    '- Email: %s\n')
        body = template % (registered.username, registered.full_name,
                           registered.email)
        edit_url = url('edit_user', id=registered.user_id, qualified=True)
        email_kwargs = {'registered_user_url': edit_url}
        NotificationModel().create(created_by=registered, subject=subject,
                                   body=body, recipients=None,
                                   type_=Notification.TYPE_REGISTRATION,
                                   email_kwargs=email_kwargs)

    except Exception:
        log.error(traceback.format_exc())
        raise
def update(self, user_id, form_data, skip_attrs=[]):
    """
    Update the user with id ``user_id`` from ``form_data``.

    A non-empty ``new_password`` is hashed into ``password`` and the API
    key is regenerated. Every other key is copied onto the user with
    ``setattr`` (``firstname`` is stored as ``name``).

    :param user_id: primary key of the user to update
    :param form_data: mapping of attribute names to new values
    :param skip_attrs: keys of ``form_data`` to ignore; the default list
        is only read, never modified
    :raises DefaultUserException: when the target is the ``default`` user
    """
    from rhodecode.lib.auth import get_crypt_password
    try:
        target = self.get(user_id, cache=False)
        if target.username == 'default':
            raise DefaultUserException(
                            _("You can't Edit this user since it's"
                              " crucial for entire application"))

        # NOTE(review): keys are not restricted beyond ``skip_attrs``, so
        # callers must pass only validated form fields.
        for key, value in form_data.items():
            if key in skip_attrs:
                continue
            if key == 'new_password' and value:
                target.password = get_crypt_password(value)
                # a password change also invalidates the old API key
                target.api_key = generate_api_key(target.username)
                continue
            attr = 'name' if key == 'firstname' else key
            setattr(target, attr, value)
        self.sa.add(target)
    except Exception:
        log.error(traceback.format_exc())
        raise
def update_user(self, user, **kwargs):
    """
    Update ``user`` with the attribute values given as keyword arguments.

    A non-empty ``password`` is hashed before it is stored and the API key
    is regenerated from the current username. Every keyword is then set
    on the user with ``setattr``.

    :param user: value resolved through ``self._get_user``
    :returns: the updated user (added to the session)
    :raises DefaultUserException: when the target is the ``default`` user
    """
    from rhodecode.lib.auth import get_crypt_password
    try:
        target = self._get_user(user)
        if target.username == 'default':
            raise DefaultUserException(
                _("You can't Edit this user since it's"
                  " crucial for entire application")
            )

        # NOTE(review): any keyword becomes an attribute; callers are
        # responsible for restricting which fields may be changed.
        for attr, value in kwargs.items():
            if attr == 'password' and value:
                value = get_crypt_password(value)
                target.api_key = generate_api_key(target.username)
            setattr(target, attr, value)
        self.sa.add(target)
        return target
    except Exception:
        log.error(traceback.format_exc())
        raise
def delete(self, user):
    """
    Delete ``user`` from the session.

    :param user: value resolved through ``self._get_user``
    :raises DefaultUserException: when the target is the ``default`` user
    :raises UserOwnsReposException: when the user still owns repositories
    """
    target = self._get_user(user)

    try:
        if target.username == 'default':
            raise DefaultUserException(
                _(u"You can't remove this user since it's"
                  " crucial for entire application")
            )
        if target.repositories:
            # refuse the removal and name the repositories in the message
            owned = [repo.repo_name for repo in target.repositories]
            raise UserOwnsReposException(
                _(u'user "%s" still owns %s repositories and cannot be '
                  'removed. Switch owners or remove those repositories. %s')
                % (target.username, len(owned), ', '.join(owned))
            )
        self.sa.delete(target)
    except Exception:
        log.error(traceback.format_exc())
        raise
def reset_password_link(self, data):
    """
    Mail a password-reset confirmation link to ``data['email']``.

    :param data: mapping with an ``email`` key
    :returns: ``False`` when an exception was raised, ``True`` otherwise
        (also when no user has that address)
    """
    from rhodecode.lib.celerylib import tasks, run_task
    from rhodecode.model.notification import EmailNotificationModel
    user_email = data['email']
    try:
        user = User.get_by_email(user_email)
        if not user:
            log.debug("password reset email %s not found" % user_email)
            return True

        log.debug('password reset user found %s' % user)
        # NOTE(review): the confirmation key in the URL is the account's
        # API key, so the mailed link carries a long-lived credential.
        # A dedicated single-use, expiring reset token would limit what a
        # leaked mail or logged URL exposes.
        link = url('reset_password_confirmation', key=user.api_key,
                   qualified=True)
        reg_type = EmailNotificationModel.TYPE_PASSWORD_RESET
        tmpl_kwargs = {'user': user.short_contact, 'reset_url': link}
        body = EmailNotificationModel().get_email_tmpl(reg_type,
                                                       **tmpl_kwargs)
        log.debug('sending email')
        run_task(tasks.send_email, user_email,
                 _("Password reset link"), body, body)
        log.info('send new password mail to %s' % user_email)
    except Exception:
        log.error(traceback.format_exc())
        return False

    return True
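def reset_password(self, data):
    """
    Set a generated password for the user with ``data['email']`` and
    mail it to that address.

    The new password is hashed and committed together with a regenerated
    API key. The mail is sent only when that commit succeeded, so nobody
    receives a password that was never stored (unknown address, failed
    generation or database error).

    :param data: mapping with an ``email`` key
    :returns: always ``True``; failures are logged, not raised
    """
    from rhodecode.lib.celerylib import tasks, run_task
    from rhodecode.lib import auth
    user_email = data['email']
    try:
        new_passwd = None
        stored = False
        try:
            user = User.get_by_email(user_email)
            new_passwd = auth.PasswordGenerator().gen_password(8,
                            auth.PasswordGenerator.ALPHABETS_BIG_SMALL)
            # check the generator result before it is hashed and stored
            if new_passwd is None:
                raise Exception('unable to generate new password')
            if user:
                user.password = auth.get_crypt_password(new_passwd)
                user.api_key = auth.generate_api_key(user.username)
                Session().add(user)
                Session().commit()
                stored = True
                log.info('change password for %s' % user_email)
        except Exception:
            log.error(traceback.format_exc())
            Session().rollback()

        if stored:
            # NOTE(review): the password travels in plaintext by mail and
            # is 8 characters from ALPHABETS_BIG_SMALL; consider requiring
            # a change at next login.
            run_task(tasks.send_email, user_email,
                     _('Your new password'),
                     _('Your new RhodeCode password:%s') % (new_passwd))
            log.info('send new password mail to %s' % user_email)
        else:
            log.debug('no new password stored, not sending mail')

    except Exception:
        log.error('Failed to update user password')
        log.error(traceback.format_exc())

    return True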
def fill_data(self, auth_user, user_id=None, api_key=None):
    """
    Copy the database user's attributes onto ``auth_user``.

    The user is fetched by ``api_key`` when one is given, otherwise by
    ``user_id``. Nothing is copied for a missing or inactive user. If the
    lookup or the copy raises, ``auth_user.is_authenticated`` is set to
    ``False``.

    :param auth_user: instance of user to set attributes on
    :param user_id: user id to fetch by
    :param api_key: api key to fetch by
    :returns: ``True`` when the attributes were copied, else ``False``
    """
    if user_id is None and api_key is None:
        raise Exception('You need to pass user_id or api_key')

    try:
        if api_key:
            dbuser = self.get_by_api_key(api_key)
        else:
            dbuser = self.get(user_id)

        # deactivated or deleted users are not filled in
        if dbuser is None or not dbuser.active:
            return False

        log.debug('filling %s data' % dbuser)
        for attr, value in dbuser.get_dict().items():
            setattr(auth_user, attr, value)
    except Exception:
        log.error(traceback.format_exc())
        auth_user.is_authenticated = False
        return False

    return True
r3094 def fill_perms(self, user, explicit=True, algo='higherwin'):
tries to fix issue #177 by fallback to user.user_id instead of fetching from db, user.user_id...
r1269 """
Fills user permission attribute with permissions taken from database
Major rewrite of auth objects. Moved parts of filling user data into user model....
r1117 works for permissions given for repositories, and for permissions that
tries to fix issue #177 by fallback to user.user_id instead of fetching from db, user.user_id...
r1269 are granted to groups
source code cleanup: remove trailing white space, normalize file endings
r1203
Major rewrite of auth objects. Moved parts of filling user data into user model....
r1117 :param user: user instance to fill his perms
fixed issue #644 When a user is both in read and write group, the permission taken in account is the last saved permission...
r3094 :param explicit: In case there are permissions both for user and a group
that user is part of, explicit flag will defiine if user will
explicitly override permissions from group, if it's False it will
make decision based on the algo
:param algo: algorithm to decide what permission should be choose if
it's multiple defined, eg user in two different groups. It also
decides if explicit flag is turned off how to specify the permission
for case when user is in a group + have defined separate permission
Major rewrite of auth objects. Moved parts of filling user data into user model....
r1117 """
#227 Initial version of repository groups permissions system...
r1982 RK = 'repositories'
GK = 'repositories_groups'
GLOBAL = 'global'
user.permissions[RK] = {}
user.permissions[GK] = {}
user.permissions[GLOBAL] = set()
Major rewrite of auth objects. Moved parts of filling user data into user model....
r1117
fixed issue #644 When a user is both in read and write group, the permission taken in account is the last saved permission...
r3094 def _choose_perm(new_perm, cur_perm):
new_perm_val = PERM_WEIGHTS[new_perm]
cur_perm_val = PERM_WEIGHTS[cur_perm]
if algo == 'higherwin':
if new_perm_val > cur_perm_val:
return new_perm
return cur_perm
elif algo == 'lowerwin':
if new_perm_val < cur_perm_val:
return new_perm
return cur_perm
user defined permission will update the global permissions, and overwrite default settings.
r1267 #======================================================================
Major rewrite of auth objects. Moved parts of filling user data into user model....
r1117 # fetch default permissions
user defined permission will update the global permissions, and overwrite default settings.
r1267 #======================================================================
- fixes celery sqlalchemy session issues for async forking...
r1728 default_user = User.get_by_username('default', cache=True)
default_user_id = default_user.user_id
Major rewrite of auth objects. Moved parts of filling user data into user model....
r1117
#227 Initial version of repository groups permissions system...
r1982 default_repo_perms = Permission.get_default_perms(default_user_id)
default_repo_groups_perms = Permission.get_default_group_perms(default_user_id)
Major rewrite of auth objects. Moved parts of filling user data into user model....
r1117
if user.is_admin:
user defined permission will update the global permissions, and overwrite default settings.
r1267 #==================================================================
#227 Initial version of repository groups permissions system...
r1982 # admin user have all default rights for repositories
# and groups set to admin
user defined permission will update the global permissions, and overwrite default settings.
r1267 #==================================================================
#227 Initial version of repository groups permissions system...
r1982 user.permissions[GLOBAL].add('hg.admin')
Major rewrite of auth objects. Moved parts of filling user data into user model....
r1117
#227 Initial version of repository groups permissions system...
r1982 # repositories
for perm in default_repo_perms:
r_k = perm.UserRepoToPerm.repository.repo_name
Major rewrite of auth objects. Moved parts of filling user data into user model....
r1117 p = 'repository.admin'
#227 Initial version of repository groups permissions system...
r1982 user.permissions[RK][r_k] = p
Mads Kiilerich
"Users groups" is grammatically incorrect English - rename to "user groups"...
r3410 # repository groups
#227 Initial version of repository groups permissions system...
r1982 for perm in default_repo_groups_perms:
rg_k = perm.UserRepoGroupToPerm.group.group_name
p = 'group.admin'
user.permissions[GK][rg_k] = p
permission comments + out identation for better readability
r2186 return user
Major rewrite of auth objects. Moved parts of filling user data into user model....
r1117
permission comments + out identation for better readability
r2186 #==================================================================
Mads Kiilerich
Fix 'repos group' - it is 'repository group'
r3653 # SET DEFAULTS GLOBAL, REPOS, REPOSITORY GROUPS
permission comments + out identation for better readability
r2186 #==================================================================
uid = user.user_id
Major rewrite of auth objects. Moved parts of filling user data into user model....
r1117
RhodeCode now has a option to explicitly set forking permissions. ref #508...
r2709 # default global permissions taken fron the default user
permission comments + out identation for better readability
r2186 default_global_perms = self.sa.query(UserToPerm)\
.filter(UserToPerm.user_id == default_user_id)
Major rewrite of auth objects. Moved parts of filling user data into user model....
r1117
permission comments + out identation for better readability
r2186 for perm in default_global_perms:
user.permissions[GLOBAL].add(perm.permission.permission_name)
Major rewrite of auth objects. Moved parts of filling user data into user model....
r1117
permission comments + out identation for better readability
r2186 # defaults for repositories, taken from default user
for perm in default_repo_perms:
r_k = perm.UserRepoToPerm.repository.repo_name
if perm.Repository.private and not (perm.Repository.user_id == uid):
# disable defaults for private repos,
p = 'repository.none'
elif perm.Repository.user_id == uid:
# set admin if owner
p = 'repository.admin'
else:
p = perm.Permission.permission_name
user.permissions[RK][r_k] = p
Major rewrite of auth objects. Moved parts of filling user data into user model....
r1117
Mads Kiilerich
"Users groups" is grammatically incorrect English - rename to "user groups"...
r3410 # defaults for repository groups taken from default user permission
permission comments + out identation for better readability
r2186 # on given group
for perm in default_repo_groups_perms:
rg_k = perm.UserRepoGroupToPerm.group.group_name
p = perm.Permission.permission_name
user.permissions[GK][rg_k] = p
RhodeCode now has a option to explicitly set forking permissions. ref #508...
r2709 #======================================================================
# !! OVERRIDE GLOBALS !! with user permissions if any found
#======================================================================
# those can be configured from groups or users explicitly
_configurable = set(['hg.fork.none', 'hg.fork.repository',
'hg.create.none', 'hg.create.repository'])
permission comments + out identation for better readability
r2186
RhodeCode now has a option to explicitly set forking permissions. ref #508...
r2709 # USER GROUPS comes first
fixed tests and missing replacements from 5f1850e4712a
r3415 # user group global permissions
Mads Kiilerich
further cleanup of UsersGroup...
r3417 user_perms_from_users_groups = self.sa.query(UserGroupToPerm)\
.options(joinedload(UserGroupToPerm.permission))\
.join((UserGroupMember, UserGroupToPerm.users_group_id ==
UserGroupMember.users_group_id))\
.filter(UserGroupMember.user_id == uid)\
.order_by(UserGroupToPerm.users_group_id)\
RhodeCode now has a option to explicitly set forking permissions. ref #508...
r2709 .all()
#need to group here by groups since user can be in more than one group
_grouped = [[x, list(y)] for x, y in
itertools.groupby(user_perms_from_users_groups,
lambda x:x.users_group)]
for gr, perms in _grouped:
# since user can be in multiple groups iterate over them and
# select the lowest permissions first (more explicit)
##TODO: do this^^
if not gr.inherit_default_permissions:
# NEED TO IGNORE all configurable permissions and
# replace them with explicitly set
user.permissions[GLOBAL] = user.permissions[GLOBAL]\
.difference(_configurable)
for perm in perms:
user.permissions[GLOBAL].add(perm.permission.permission_name)
# user specific global permissions
r2186 user_perms = self.sa.query(UserToPerm)\
.options(joinedload(UserToPerm.permission))\
.filter(UserToPerm.user_id == uid).all()
r2709 if not user.inherit_default_permissions:
# NEED TO IGNORE all configurable permissions and
# replace them with explicitly set
user.permissions[GLOBAL] = user.permissions[GLOBAL]\
.difference(_configurable)
for perm in user_perms:
user.permissions[GLOBAL].add(perm.permission.permission_name)
#======================================================================
r3094 # !! PERMISSIONS FOR REPOSITORIES !!
r2709 #======================================================================
#======================================================================
# check if user is part of user groups for this repository and
r3094 # fill in his permission from it. _choose_perm decides of which
# permission should be selected based on selected method
r2709 #======================================================================
r3415 # user group for repositories permissions
r2709 user_repo_perms_from_users_groups = \
r3417 self.sa.query(UserGroupRepoToPerm, Permission, Repository,)\
.join((Repository, UserGroupRepoToPerm.repository_id ==
r2709 Repository.repo_id))\
r3417 .join((Permission, UserGroupRepoToPerm.permission_id ==
r2709 Permission.permission_id))\
r3417 .join((UserGroupMember, UserGroupRepoToPerm.users_group_id ==
UserGroupMember.users_group_id))\
.filter(UserGroupMember.user_id == uid)\
r2709 .all()
r3096 multiple_counter = collections.defaultdict(int)
r2709 for perm in user_repo_perms_from_users_groups:
r3417 r_k = perm.UserGroupRepoToPerm.repository.repo_name
r3094 multiple_counter[r_k] += 1
r2709 p = perm.Permission.permission_name
cur_perm = user.permissions[RK][r_k]
r3094 if perm.Repository.user_id == uid:
# set admin if owner
p = 'repository.admin'
else:
if multiple_counter[r_k] > 1:
p = _choose_perm(p, cur_perm)
user.permissions[RK][r_k] = p
r3094 # user explicit permissions for repositories, overrides any specified
# by the group permission
r2186 user_repo_perms = \
self.sa.query(UserRepoToPerm, Permission, Repository)\
r2709 .join((Repository, UserRepoToPerm.repository_id ==
Repository.repo_id))\
.join((Permission, UserRepoToPerm.permission_id ==
Permission.permission_id))\
.filter(UserRepoToPerm.user_id == uid)\
.all()
r2186 for perm in user_repo_perms:
r3094 r_k = perm.UserRepoToPerm.repository.repo_name
cur_perm = user.permissions[RK][r_k]
r2186 # set admin if owner
if perm.Repository.user_id == uid:
p = 'repository.admin'
else:
p = perm.Permission.permission_name
r3094 if not explicit:
p = _choose_perm(p, cur_perm)
r2186 user.permissions[RK][r_k] = p
r3094 #======================================================================
r3410 # !! PERMISSIONS FOR REPOSITORY GROUPS !!
r3094 #======================================================================
#======================================================================
# check if user is part of user groups for this repository groups and
# fill in his permission from it. _choose_perm decides of which
# permission should be selected based on selected method
#======================================================================
r3415 # user group for repo groups permissions
r3094 user_repo_group_perms_from_users_groups = \
r3417 self.sa.query(UserGroupRepoGroupToPerm, Permission, RepoGroup)\
.join((RepoGroup, UserGroupRepoGroupToPerm.group_id == RepoGroup.group_id))\
.join((Permission, UserGroupRepoGroupToPerm.permission_id
r3094 == Permission.permission_id))\
r3417 .join((UserGroupMember, UserGroupRepoGroupToPerm.users_group_id
== UserGroupMember.users_group_id))\
.filter(UserGroupMember.user_id == uid)\
r3094 .all()
r3096 multiple_counter = collections.defaultdict(int)
r3094 for perm in user_repo_group_perms_from_users_groups:
r3417 g_k = perm.UserGroupRepoGroupToPerm.group.group_name
r3094 multiple_counter[g_k] += 1
p = perm.Permission.permission_name
cur_perm = user.permissions[GK][g_k]
if multiple_counter[g_k] > 1:
p = _choose_perm(p, cur_perm)
user.permissions[GK][g_k] = p
# user explicit permissions for repository groups
r2186 user_repo_groups_perms = \
self.sa.query(UserRepoGroupToPerm, Permission, RepoGroup)\
.join((RepoGroup, UserRepoGroupToPerm.group_id == RepoGroup.group_id))\
r3094 .join((Permission, UserRepoGroupToPerm.permission_id
== Permission.permission_id))\
r2186 .filter(UserRepoGroupToPerm.user_id == uid)\
.all()
r2186 for perm in user_repo_groups_perms:
rg_k = perm.UserRepoGroupToPerm.group.group_name
p = perm.Permission.permission_name
cur_perm = user.permissions[GK][rg_k]
r3094 if not explicit:
p = _choose_perm(p, cur_perm)
user.permissions[GK][rg_k] = p
r673 return user
def has_perm(self, user, perm):
    """
    Tell whether a global permission is assigned directly to a user

    Only rows of ``UserToPerm`` are consulted, so a permission that the
    user would get through a user group or through the defaults is not
    reported by this method.

    :param user: user reference, resolved through ``self._get_user``
    :param perm: permission reference, resolved through ``self._get_perm``
    :returns: True when a ``UserToPerm`` row links the two, else False
    """
    perm = self._get_perm(perm)
    user = self._get_user(user)

    lookup = UserToPerm.query()
    lookup = lookup.filter(UserToPerm.user == user)
    lookup = lookup.filter(UserToPerm.permission == perm)
    assigned = lookup.scalar()
    return assigned is not None
def grant_perm(self, user, perm):
    """
    Grant user global permissions

    Nothing is added when the user already holds the permission, so
    submitting the same grant twice does not create a second row. The new
    row is only added to ``self.sa``; no commit is issued in this method.

    :param user: user reference, resolved through ``self._get_user``
    :param perm: permission reference, resolved through ``self._get_perm``
    """
    user = self._get_user(user)
    perm = self._get_perm(perm)

    # look for an existing direct grant before creating one
    already_granted = (
        UserToPerm.query()
        .filter(UserToPerm.user == user)
        .filter(UserToPerm.permission == perm)
        .scalar()
    )
    if not already_granted:
        grant = UserToPerm()
        grant.user = user
        grant.permission = perm
        self.sa.add(grant)
def revoke_perm(self, user, perm):
    """
    Revoke users global permissions

    Only the direct ``UserToPerm`` row is removed; this method does not
    touch any other permission table. The deletion is staged on
    ``self.sa`` and no commit is issued here. A permission the user does
    not hold is silently ignored.

    :param user: user reference, resolved through ``self._get_user``
    :param perm: permission reference, resolved through ``self._get_perm``
    """
    user = self._get_user(user)
    perm = self._get_perm(perm)

    lookup = UserToPerm.query()
    lookup = lookup.filter(UserToPerm.user == user)
    lookup = lookup.filter(UserToPerm.permission == perm)
    granted = lookup.scalar()
    if not granted:
        return
    self.sa.delete(granted)
def add_extra_email(self, user, email):
    """
    Adds email address to UserEmailMap

    The address goes through ``UserExtraEmailForm`` before the user is
    looked up or any object is created, and the value stored is the one
    the form returns, not the raw argument. The new object is added to
    ``self.sa``; no commit is issued here.

    :param user: user reference, resolved through ``self._get_user``
    :param email: address to attach to the user
    :returns: the new ``UserEmailMap`` object
    """
    from rhodecode.model import forms

    # validate first; presumably to_python() raises on a rejected
    # address -- confirm against the form definition
    validator = forms.UserExtraEmailForm()()
    cleaned = validator.to_python({'email': email})
    user = self._get_user(user)

    email_map = UserEmailMap()
    email_map.user = user
    email_map.email = cleaned['email']
    self.sa.add(email_map)
    return email_map
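def delete_extra_email(self, user, email_id):
    """
    Removes email address from UserEmailMap

    The row is fetched with ``query().get(email_id)`` and deleted only
    when it is attached to ``user``. An id that does not exist, or that
    belongs to another account, leaves the table untouched. The deletion
    is staged on ``self.sa`` and no commit is issued here.

    :param user: owner of the address, resolved through ``self._get_user``
    :param email_id: identifier of the ``UserEmailMap`` row to remove
    """
    user = self._get_user(user)
    obj = UserEmailMap.query().get(email_id)
    # defensive: skip when either lookup came back empty
    if not obj or user is None:
        return
    # Object-level check: without it ``user`` is resolved but never used,
    # and ``email_id`` alone decides which row is removed.
    # NOTE(review): callers are not visible from this block -- confirm
    # none of them relies on removing another account's entry.
    if obj.user_id != user.user_id:
        return
    self.sa.delete(obj)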
def add_extra_ip(self, user, ip):
    """
    Adds ip address to UserIpMap

    The value goes through ``UserExtraIpForm`` before the user is looked
    up or any object is created, and what gets stored in ``ip_addr`` is
    the form's output, not the raw argument. The new object is added to
    ``self.sa``; no commit is issued here.

    :param user: user reference, resolved through ``self._get_user``
    :param ip: address to allow for the user
    :returns: the new ``UserIpMap`` object
    """
    from rhodecode.model import forms

    # validate first; presumably to_python() raises on a rejected
    # value -- confirm against the form definition
    validator = forms.UserExtraIpForm()()
    cleaned = validator.to_python({'ip': ip})
    user = self._get_user(user)

    ip_map = UserIpMap()
    ip_map.user = user
    ip_map.ip_addr = cleaned['ip']
    self.sa.add(ip_map)
    return ip_map
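def delete_extra_ip(self, user, ip_id):
    """
    Removes ip address from UserIpMap

    The row is fetched with ``query().get(ip_id)`` and deleted only when
    it is attached to ``user``. An id that does not exist, or that belongs
    to another account, leaves the table untouched. The deletion is staged
    on ``self.sa`` and no commit is issued here.

    :param user: owner of the entry, resolved through ``self._get_user``
    :param ip_id: identifier of the ``UserIpMap`` row to remove
    """
    user = self._get_user(user)
    obj = UserIpMap.query().get(ip_id)
    # defensive: skip when either lookup came back empty
    if not obj or user is None:
        return
    # Object-level check: these rows restrict where an account may connect
    # from, so ``ip_id`` alone must not decide which account's entry is
    # removed. Without the check ``user`` is resolved but never used.
    # NOTE(review): callers are not visible from this block -- confirm
    # none of them relies on removing another account's entry.
    if obj.user_id != user.user_id:
        return
    self.sa.delete(obj)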