Implemented #738 Giving a user WRITE+ permissions on folder should not allow repo creation in root folder....
marcink -
r3333:06988438 beta
@@ -28,7 +28,7 b' import traceback'
28 import formencode
28 import formencode
29 from formencode import htmlfill
29 from formencode import htmlfill
30
30
31 from webob.exc import HTTPInternalServerError
31 from webob.exc import HTTPInternalServerError, HTTPForbidden
32 from pylons import request, session, tmpl_context as c, url
32 from pylons import request, session, tmpl_context as c, url
33 from pylons.controllers.util import redirect
33 from pylons.controllers.util import redirect
34 from pylons.i18n.translation import _
34 from pylons.i18n.translation import _
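Review bot: `HTTPForbidden` is added to the `webob.exc` import on line 31, but none of the visible hunks of this file raise or reference it; the only use in this commit is in `SettingsController.create_repository` in settings.py. If no other part of repos.py needs it, drop it again so the import reflects actual use, `from webob.exc import HTTPInternalServerError`. The remainder of the file is outside the hunks shown, so confirm before removing.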
@@ -37,7 +37,8 b' from sqlalchemy.exc import IntegrityErro'
37 import rhodecode
37 import rhodecode
38 from rhodecode.lib import helpers as h
38 from rhodecode.lib import helpers as h
39 from rhodecode.lib.auth import LoginRequired, HasPermissionAllDecorator, \
39 from rhodecode.lib.auth import LoginRequired, HasPermissionAllDecorator, \
40 HasPermissionAnyDecorator, HasRepoPermissionAllDecorator
40 HasPermissionAnyDecorator, HasRepoPermissionAllDecorator, NotAnonymous,\
41 HasPermissionAny, HasReposGroupPermissionAny
41 from rhodecode.lib.base import BaseRepoController, render
42 from rhodecode.lib.base import BaseRepoController, render
42 from rhodecode.lib.utils import invalidate_cache, action_logger, repo_name_slug
43 from rhodecode.lib.utils import invalidate_cache, action_logger, repo_name_slug
43 from rhodecode.lib.helpers import get_token
44 from rhodecode.lib.helpers import get_token
@@ -61,7 +62,6 b' class ReposController(BaseRepoController'
61 # map.resource('repo', 'repos')
62 # map.resource('repo', 'repos')
62
63
63 @LoginRequired()
64 @LoginRequired()
64 @HasPermissionAnyDecorator('hg.admin', 'hg.create.repository')
65 def __before__(self):
65 def __before__(self):
66 c.admin_user = session.get('admin_user')
66 c.admin_user = session.get('admin_user')
67 c.admin_username = session.get('admin_username')
67 c.admin_username = session.get('admin_username')
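Review bot: Removing `@HasPermissionAnyDecorator('hg.admin', 'hg.create.repository')` from `__before__` drops the gate that previously covered every action of `ReposController`, not only `create`; `@LoginRequired()` is all that remains at controller level. `create` receives its own in-body check later in this commit, but `index`, `new`, `edit`, `delete` and the other actions lie outside the visible hunks and must each carry their own permission decorator (for example `@HasPermissionAllDecorator('hg.admin')`), otherwise any logged-in user can reach them. Worth recording the new contract on the method, e.g. `# no controller-wide ACL any more: every action must declare its own permission decorator`. `__before__`'s body continues past the hunk.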
@@ -148,7 +148,7 b' class ReposController(BaseRepoController'
148
148
149 return render('admin/repos/repos.html')
149 return render('admin/repos/repos.html')
150
150
151 @HasPermissionAnyDecorator('hg.admin', 'hg.create.repository')
151 @NotAnonymous()
152 def create(self):
152 def create(self):
153 """
153 """
154 POST /repos: Create a new item"""
154 POST /repos: Create a new item"""
@@ -160,6 +160,20 b' class ReposController(BaseRepoController'
160 form_result = RepoForm(repo_groups=c.repo_groups_choices,
160 form_result = RepoForm(repo_groups=c.repo_groups_choices,
161 landing_revs=c.landing_revs_choices)()\
161 landing_revs=c.landing_revs_choices)()\
162 .to_python(dict(request.POST))
162 .to_python(dict(request.POST))
163 #we check ACLs after form, since we want to display nicer errors
164 #if form forbids creation of repos inside a group we don't have
165 #perms for
166 if not HasPermissionAny('hg.admin', 'hg.create.repository')():
167 #you're not super admin nor have global create permissions,
168 #but maybe you have at least write permission to a parent group ?
169 parent_group = request.POST.get('repo_group')
170 _gr = RepoGroup.get(parent_group)
171 gr_name = _gr.group_name if _gr else None
172 if not HasReposGroupPermissionAny('group.admin', 'group.write')(group_name=gr_name):
173 msg = _('no permission to create repository in root location')
174 raise formencode.Invalid('', form_result, None,
175 error_dict={'repo_group': msg})
176
163 new_repo = RepoModel().create(form_result,
177 new_repo = RepoModel().create(form_result,
164 self.rhodecode_user.user_id)
178 self.rhodecode_user.user_id)
165 if form_result['clone_uri']:
179 if form_result['clone_uri']:
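Review bot: The new ACL check resolves the parent group from the raw request (`parent_group = request.POST.get('repo_group')`) while the repository is then created from `form_result`, so the value that is authorised and the value that is used can differ if `RepoForm` normalises or converts `repo_group`; take it from the validated result instead, `parent_group = form_result['repo_group']` (assuming the form exposes it under the same key it reports errors on, which the `error_dict` suggests). A nonexistent or malformed group id also collapses to `gr_name = None` and is then checked exactly like the root location, so the whole gate rests on `HasReposGroupPermissionAny('group.admin', 'group.write')(group_name=None)` returning False — the auth class is not on this page, so confirm that. The message `'no permission to create repository in root location'` is also shown when a real group was selected but the user lacks write on it; a distinct text for the `_gr` case, e.g. `_('no permission to create repository in this group')`, would be more accurate. `create` continues outside the hunk.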
@@ -181,16 +195,8 b' class ReposController(BaseRepoController'
181 self.sa)
195 self.sa)
182 Session().commit()
196 Session().commit()
183 except formencode.Invalid, errors:
197 except formencode.Invalid, errors:
184
185 c.new_repo = errors.value['repo_name']
186
187 if request.POST.get('user_created'):
188 r = render('admin/repos/repo_add_create_repository.html')
189 else:
190 r = render('admin/repos/repo_add.html')
191
192 return htmlfill.render(
198 return htmlfill.render(
193 r,
199 render('admin/repos/repo_add.html'),
194 defaults=errors.value,
200 defaults=errors.value,
195 errors=errors.error_dict or {},
201 errors=errors.error_dict or {},
196 prefix_error=False,
202 prefix_error=False,
@@ -201,7 +207,9 b' class ReposController(BaseRepoController'
201 msg = _('error occurred during creation of repository %s') \
207 msg = _('error occurred during creation of repository %s') \
202 % form_result.get('repo_name')
208 % form_result.get('repo_name')
203 h.flash(msg, category='error')
209 h.flash(msg, category='error')
204 return redirect(url('repos'))
210 if c.rhodecode_user.is_admin:
211 return redirect(url('repos'))
212 return redirect(url('home'))
205 #redirect to our new repo !
213 #redirect to our new repo !
206 return redirect(url('summary_home', repo_name=new_repo.repo_name))
214 return redirect(url('summary_home', repo_name=new_repo.repo_name))
207
215
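Review bot: The new admin branch reads `c.rhodecode_user.is_admin` while line 178 of the same function uses `self.rhodecode_user.user_id`; pick one accessor for the request user inside `create`, e.g. `if self.rhodecode_user.is_admin:`, so the two are obviously the same object. The split redirect itself is reasonable given that non-admins can now reach this action and presumably cannot view the admin repository list. `create` continues outside the hunk.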
@@ -213,10 +221,7 b' class ReposController(BaseRepoController'
213 GET /repos/new: Form to create a new item
221 GET /repos/new: Form to create a new item
214 """
222 """
215
223
216 new_repo = request.GET.get('repo', '')
217 parent_group = request.GET.get('parent_group')
224 parent_group = request.GET.get('parent_group')
218
219 c.new_repo = repo_name_slug(new_repo)
220 self.__load_defaults()
225 self.__load_defaults()
221 ## apply the defaults from defaults page
226 ## apply the defaults from defaults page
222 defaults = RhodeCodeSetting.get_default_repo_settings(strip_prefix=True)
227 defaults = RhodeCodeSetting.get_default_repo_settings(strip_prefix=True)
@@ -37,7 +37,8 b' from pylons.i18n.translation import _'
37
37
38 from rhodecode.lib import helpers as h
38 from rhodecode.lib import helpers as h
39 from rhodecode.lib.auth import LoginRequired, HasPermissionAllDecorator, \
39 from rhodecode.lib.auth import LoginRequired, HasPermissionAllDecorator, \
40 HasPermissionAnyDecorator, NotAnonymous
40 HasPermissionAnyDecorator, NotAnonymous, HasPermissionAny,\
41 HasReposGroupPermissionAll, HasReposGroupPermissionAny
41 from rhodecode.lib.base import BaseController, render
42 from rhodecode.lib.base import BaseController, render
42 from rhodecode.lib.celerylib import tasks, run_task
43 from rhodecode.lib.celerylib import tasks, run_task
43 from rhodecode.lib.utils import repo2db_mapper, invalidate_cache, \
44 from rhodecode.lib.utils import repo2db_mapper, invalidate_cache, \
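Review bot: `HasReposGroupPermissionAll` is added to the `rhodecode.lib.auth` import on line 41, but none of the visible hunks of this file use it; `create_repository` only references `HasPermissionAny` and `HasReposGroupPermissionAny`. Unless another part of settings.py needs it, remove it so the import line reads `HasPermissionAnyDecorator, NotAnonymous, HasPermissionAny, HasReposGroupPermissionAny`. The rest of the file is outside the hunks shown.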
@@ -54,6 +55,7 b' from rhodecode.model.notification import'
54 from rhodecode.model.meta import Session
55 from rhodecode.model.meta import Session
55 from rhodecode.lib.utils2 import str2bool, safe_unicode
56 from rhodecode.lib.utils2 import str2bool, safe_unicode
56 from rhodecode.lib.compat import json
57 from rhodecode.lib.compat import json
58 from webob.exc import HTTPForbidden
57 log = logging.getLogger(__name__)
59 log = logging.getLogger(__name__)
58
60
59
61
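Review bot: `from webob.exc import HTTPForbidden` is inserted after the local `rhodecode.lib.compat` import and directly above `log = logging.getLogger(__name__)` with no blank line in between. `webob` is a third-party package and belongs with the other third-party imports earlier in the file (the `pylons` block visible as context in the previous hunk), and the blank line before the `log` assignment should be kept so the module-level code stays separated from the imports.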
@@ -484,9 +486,17 b' class SettingsController(BaseController)'
484 return render('admin/users/user_edit_my_account_pullrequests.html')
486 return render('admin/users/user_edit_my_account_pullrequests.html')
485
487
486 @NotAnonymous()
488 @NotAnonymous()
487 @HasPermissionAnyDecorator('hg.admin', 'hg.create.repository')
488 def create_repository(self):
489 def create_repository(self):
489 """GET /_admin/create_repository: Form to create a new item"""
490 """GET /_admin/create_repository: Form to create a new item"""
491 new_repo = request.GET.get('repo', '')
492 parent_group = request.GET.get('parent_group')
493 if not HasPermissionAny('hg.admin', 'hg.create.repository')():
494 #you're not super admin nor have global create permissions,
495 #but maybe you have at least write permission to a parent group ?
496 _gr = RepoGroup.get(parent_group)
497 gr_name = _gr.group_name if _gr else None
498 if not HasReposGroupPermissionAny('group.admin', 'group.write')(group_name=gr_name):
499 raise HTTPForbidden
490
500
491 acl_groups = GroupList(RepoGroup.query().all(),
501 acl_groups = GroupList(RepoGroup.query().all(),
492 perm_set=['group.write', 'group.admin'])
502 perm_set=['group.write', 'group.admin'])
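Review bot: The permission logic added here (global create permission, else `RepoGroup.get(parent_group)` and a `group.admin`/`group.write` check on the resolved name) is a verbatim copy of the check added to `ReposController.create` in repos.py; two copies of one authorisation rule drift apart, so factor it into a single helper that both controllers call, placed next to the `HasPermissionAny`/`HasReposGroupPermissionAny` classes it uses. This GET handler also passes the raw `request.GET.get('parent_group')` string straight to `RepoGroup.get`; whether that tolerates a non-numeric value depends on the model's `get`, which is not visible here, so a guard or at least a comment is warranted. As in repos.py, an unknown id is checked as `group_name=None`, so the `HTTPForbidden` outcome relies on the auth class denying `None`. `create_repository` continues past the hunk.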
@@ -494,8 +504,6 b' class SettingsController(BaseController)'
494 c.repo_groups_choices = map(lambda k: unicode(k[0]), c.repo_groups)
504 c.repo_groups_choices = map(lambda k: unicode(k[0]), c.repo_groups)
495 choices, c.landing_revs = ScmModel().get_repo_landing_revs()
505 choices, c.landing_revs = ScmModel().get_repo_landing_revs()
496
506
497 new_repo = request.GET.get('repo', '')
498 parent_group = request.GET.get('parent_group')
499 c.new_repo = repo_name_slug(new_repo)
507 c.new_repo = repo_name_slug(new_repo)
500
508
501 ## apply the defaults from defaults page
509 ## apply the defaults from defaults page
@@ -504,7 +512,7 b' class SettingsController(BaseController)'
504 defaults.update({'repo_group': parent_group})
512 defaults.update({'repo_group': parent_group})
505
513
506 return htmlfill.render(
514 return htmlfill.render(
507 render('admin/repos/repo_add_create_repository.html'),
515 render('admin/repos/repo_add.html'),
508 defaults=defaults,
516 defaults=defaults,
509 errors={},
517 errors={},
510 prefix_error=False,
518 prefix_error=False,
@@ -6,9 +6,15 b''
6 </%def>
6 </%def>
7
7
8 <%def name="breadcrumbs_links()">
8 <%def name="breadcrumbs_links()">
9 %if c.rhodecode_user.is_admin:
9 ${h.link_to(_('Admin'),h.url('admin_home'))}
10 ${h.link_to(_('Admin'),h.url('admin_home'))}
10 &raquo;
11 &raquo;
11 ${h.link_to(_('Repositories'),h.url('repos'))}
12 ${h.link_to(_('Repositories'),h.url('repos'))}
13 %else:
14 ${_('Admin')}
15 &raquo;
16 ${_('Repositories')}
17 %endif
12 &raquo;
18 &raquo;
13 ${_('add new')}
19 ${_('add new')}
14 </%def>
20 </%def>
@@ -9,8 +9,8 b''
9 <label for="repo_name">${_('Name')}:</label>
9 <label for="repo_name">${_('Name')}:</label>
10 </div>
10 </div>
11 <div class="input">
11 <div class="input">
12 ${h.text('repo_name',c.new_repo,class_="small")}
12 ${h.text('repo_name',class_="small")}
13 %if not h.HasPermissionAll('hg.admin')('repo create form'):
13 %if not c.rhodecode_user.is_admin:
14 ${h.hidden('user_created',True)}
14 ${h.hidden('user_created',True)}
15 %endif
15 %endif
16 </div>
16 </div>
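Review bot: The hidden `user_created` field is still emitted for non-admins, but this commit removes the only visible reader of it, the `request.POST.get('user_created')` branch in `ReposController.create` (repos.py, old line 187). If nothing else reads it, drop the `%if not c.rhodecode_user.is_admin:` / `${h.hidden('user_created',True)}` / `%endif` block; if something does, a Mako comment naming that consumer would spare the next reader the search. The switch from `h.HasPermissionAll('hg.admin')('repo create form')` to `c.rhodecode_user.is_admin` also changes what is tested (a permission lookup versus the user's admin flag); fine if the two are equivalent in this codebase, but worth confirming.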
@@ -7,12 +7,10 b''
7 </h5>
7 </h5>
8 %if c.rhodecode_user.username != 'default':
8 %if c.rhodecode_user.username != 'default':
9 <ul class="links">
9 <ul class="links">
10 %if h.HasPermissionAny('hg.admin','hg.create.repository')():
10 %if h.HasPermissionAny('hg.admin','hg.create.repository')() or h.HasReposGroupPermissionAny('group.write', 'group.admin')(c.group.group_name if c.group else None):
11 <li>
11 <li>
12 %if c.group:
12 %if c.group:
13 %if h.HasReposGroupPermissionAny('group.write', 'group.admin')(c.group.group_name):
14 <span>${h.link_to(_('Add repository'),h.url('admin_settings_create_repository',parent_group=c.group.group_id))}</span>
13 <span>${h.link_to(_('Add repository'),h.url('admin_settings_create_repository',parent_group=c.group.group_id))}</span>
15 %endif
16 %else:
14 %else:
17 <span>${h.link_to(_('Add repository'),h.url('admin_settings_create_repository'))}</span>
15 <span>${h.link_to(_('Add repository'),h.url('admin_settings_create_repository'))}</span>
18 %endif
16 %endif
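Review bot: The widened `%if` now evaluates `h.HasReposGroupPermissionAny('group.write', 'group.admin')(None)` whenever the page is not inside a group, so whether the 'Add repository' link appears at the root for users without global create permission depends entirely on how the auth class treats a `None` group name; the old markup only ran the group check under `%if c.group:`. The server-side check in `ReposController.create` still enforces the rule, so this is a display concern, but a link that is shown and then rejected produces confusing form errors. The controllers pass the name as `group_name=...`; using the keyword here too, `(group_name=c.group.group_name if c.group else None)`, keeps the call sites consistent.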
1 NO CONTENT: file was removed
NO CONTENT: file was removed