permission.py
173 lines
| 6.7 KiB
| text/x-python
|
PythonLexer
| r759 | # -*- coding: utf-8 -*- | |||
| r1206 | # This program is free software: you can redistribute it and/or modify | |||
| # it under the terms of the GNU General Public License as published by | ||||
| # the Free Software Foundation, either version 3 of the License, or | ||||
| # (at your option) any later version. | ||||
| r1203 | # | |||
| r692 | # This program is distributed in the hope that it will be useful, | |||
| # but WITHOUT ANY WARRANTY; without even the implied warranty of | ||||
| # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||||
| # GNU General Public License for more details. | ||||
| r1203 | # | |||
| r692 | # You should have received a copy of the GNU General Public License | |||
| r1206 | # along with this program. If not, see <http://www.gnu.org/licenses/>. | |||
Bradley M. Kuhn
|
r4116 | """ | ||
| rhodecode.model.permission | ||||
| ~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||||
| permissions model for RhodeCode | ||||
| :created_on: Aug 20, 2010 | ||||
| :author: marcink | ||||
| :copyright: (c) 2013 RhodeCode GmbH. | ||||
| :license: GPLv3, see LICENSE for more details. | ||||
| """ | ||||
| r759 | ||||
| import logging | ||||
| import traceback | ||||
| from sqlalchemy.exc import DatabaseError | ||||
| r692 | ||||
| r752 | from rhodecode.model import BaseModel | |||
| r2425 | from rhodecode.model.db import User, Permission, UserToPerm, UserRepoToPerm,\ | |||
| r3735 | UserRepoGroupToPerm, UserUserGroupToPerm | |||
| r3730 | from rhodecode.lib.utils2 import str2bool | |||
| r1669 | ||||
| r692 | log = logging.getLogger(__name__) | |||
| r752 | class PermissionModel(BaseModel): | |||
| r1716 | """ | |||
| Permissions model for RhodeCode | ||||
| r811 | """ | |||
| r692 | ||||
| r2522 | cls = Permission | |||
| r3734 | def create_permissions(self): | |||
| """ | ||||
| Create permissions for whole system | ||||
| """ | ||||
| for p in Permission.PERMS: | ||||
| if not Permission.get_by_key(p[0]): | ||||
| new_perm = Permission() | ||||
| new_perm.permission_name = p[0] | ||||
| new_perm.permission_longname = p[0] #translation err with p[1] | ||||
| self.sa.add(new_perm) | ||||
|
Bradley M. Kuhn
|
r4116 | def create_default_permissions(self, user, force=False): | ||
| r3733 | """ | |||
|
Bradley M. Kuhn
|
r4116 | Creates only missing default permissions for user, if force is set it | ||
| resets the default permissions for that user | ||||
| r3733 | ||||
| :param user: | ||||
| """ | ||||
| user = self._get_user(user) | ||||
| def _make_perm(perm): | ||||
| new_perm = UserToPerm() | ||||
| new_perm.user = user | ||||
| new_perm.permission = Permission.get_by_key(perm) | ||||
| return new_perm | ||||
| def _get_group(perm_name): | ||||
| return '.'.join(perm_name.split('.')[:1]) | ||||
| perms = UserToPerm.query().filter(UserToPerm.user == user).all() | ||||
| defined_perms_groups = map(_get_group, | ||||
| (x.permission.permission_name for x in perms)) | ||||
| log.debug('GOT ALREADY DEFINED:%s' % perms) | ||||
| DEFAULT_PERMS = Permission.DEFAULT_USER_PERMISSIONS | ||||
|
Bradley M. Kuhn
|
r4116 | if force: | ||
| for perm in perms: | ||||
| self.sa.delete(perm) | ||||
| self.sa.commit() | ||||
| defined_perms_groups = [] | ||||
| r3733 | # for every default permission that needs to be created, we check if | |||
| # it's group is already defined, if it's not we create default perm | ||||
| for perm_name in DEFAULT_PERMS: | ||||
| gr = _get_group(perm_name) | ||||
| if gr not in defined_perms_groups: | ||||
| log.debug('GR:%s not found, creating permission %s' | ||||
| % (gr, perm_name)) | ||||
| new_perm = _make_perm(perm_name) | ||||
| self.sa.add(new_perm) | ||||
| r692 | def update(self, form_result): | |||
| r3730 | perm_user = User.get_by_username(username=form_result['perm_user_name']) | |||
| r692 | ||||
| try: | ||||
| r3733 | # stage 1 set anonymous access | |||
|
Bradley M. Kuhn
|
r4116 | if perm_user.username == User.DEFAULT_USER: | ||
| r3733 | perm_user.active = str2bool(form_result['anonymous']) | |||
| self.sa.add(perm_user) | ||||
| # stage 2 reset defaults and set them from form data | ||||
| r3730 | def _make_new(usr, perm_name): | |||
| r3734 | log.debug('Creating new permission:%s' % (perm_name)) | |||
| r3730 | new = UserToPerm() | |||
| new.user = usr | ||||
| new.permission = Permission.get_by_key(perm_name) | ||||
| return new | ||||
| # clear current entries, to make this function idempotent | ||||
| # it will fix even if we define more permissions or permissions | ||||
| # are somehow missing | ||||
| r3733 | u2p = self.sa.query(UserToPerm)\ | |||
| .filter(UserToPerm.user == perm_user)\ | ||||
| .all() | ||||
| r692 | for p in u2p: | |||
| r3730 | self.sa.delete(p) | |||
| #create fresh set of permissions | ||||
|
Bradley M. Kuhn
|
r4116 | for def_perm_key in ['default_repo_perm', | ||
| 'default_group_perm', | ||||
| r3734 | 'default_user_group_perm', | |||
| 'default_repo_create', | ||||
|
Bradley M. Kuhn
|
r4116 | 'create_on_write', # special case for create repos on write access to group | ||
| r3734 | #'default_repo_group_create', #not implemented yet | |||
| 'default_user_group_create', | ||||
|
Bradley M. Kuhn
|
r4116 | 'default_fork', | ||
| 'default_register', | ||||
| r3786 | 'default_extern_activate']: | |||
| r3730 | p = _make_new(perm_user, form_result[def_perm_key]) | |||
| self.sa.add(p) | ||||
| r2709 | ||||
| r3733 | #stage 3 update all default permissions for repos if checked | |||
| r3888 | if form_result['overwrite_default_repo']: | |||
| r3052 | _def_name = form_result['default_repo_perm'].split('repository.')[-1] | |||
| r3730 | _def = Permission.get_by_key('repository.' + _def_name) | |||
| r2425 | # repos | |||
| r1633 | for r2p in self.sa.query(UserRepoToPerm)\ | |||
| r2425 | .filter(UserRepoToPerm.user == perm_user)\ | |||
| .all(): | ||||
| r3220 | ||||
| #don't reset PRIVATE repositories | ||||
Mads Kiilerich
|
r3625 | if not r2p.repository.private: | ||
| r3220 | r2p.permission = _def | |||
| self.sa.add(r2p) | ||||
| r3052 | ||||
| r3888 | if form_result['overwrite_default_group']: | |||
| r3052 | _def_name = form_result['default_group_perm'].split('group.')[-1] | |||
| r2425 | # groups | |||
| r3730 | _def = Permission.get_by_key('group.' + _def_name) | |||
| r2425 | for g2p in self.sa.query(UserRepoGroupToPerm)\ | |||
| .filter(UserRepoGroupToPerm.user == perm_user)\ | ||||
| .all(): | ||||
| g2p.permission = _def | ||||
| self.sa.add(g2p) | ||||
| r692 | ||||
| r3888 | if form_result['overwrite_default_user_group']: | |||
| r3735 | _def_name = form_result['default_user_group_perm'].split('usergroup.')[-1] | |||
| # groups | ||||
| _def = Permission.get_by_key('usergroup.' + _def_name) | ||||
| for g2p in self.sa.query(UserUserGroupToPerm)\ | ||||
| .filter(UserUserGroupToPerm.user == perm_user)\ | ||||
| .all(): | ||||
| g2p.permission = _def | ||||
| self.sa.add(g2p) | ||||
| r3730 | self.sa.commit() | |||
| r759 | except (DatabaseError,): | |||
| r692 | log.error(traceback.format_exc()) | |||
| r3730 | self.sa.rollback() | |||
| r692 | raise | |||
