##// END OF EJS Templates
upstream » kallithea
RSS

Clone from https://kallithea-scm.org/repos/kallithea

repo group: stop giving explicit admin permission to owner on create...
Mads Kiilerich -
r8771:1aa109ae stable
parent child Browse files
Show More
Show file before | Show file after | Hide comments
@@ -1,535 +1,529 b''
1 # -*- coding: utf-8 -*-
1 # -*- coding: utf-8 -*-
2 # This program is free software: you can redistribute it and/or modify
2 # This program is free software: you can redistribute it and/or modify
3 # it under the terms of the GNU General Public License as published by
3 # it under the terms of the GNU General Public License as published by
4 # the Free Software Foundation, either version 3 of the License, or
4 # the Free Software Foundation, either version 3 of the License, or
5 # (at your option) any later version.
5 # (at your option) any later version.
6 #
6 #
7 # This program is distributed in the hope that it will be useful,
7 # This program is distributed in the hope that it will be useful,
8 # but WITHOUT ANY WARRANTY; without even the implied warranty of
8 # but WITHOUT ANY WARRANTY; without even the implied warranty of
9 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
9 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 # GNU General Public License for more details.
10 # GNU General Public License for more details.
11 #
11 #
12 # You should have received a copy of the GNU General Public License
12 # You should have received a copy of the GNU General Public License
13 # along with this program. If not, see <http://www.gnu.org/licenses/>.
13 # along with this program. If not, see <http://www.gnu.org/licenses/>.
14 """
14 """
15 kallithea.model.repo_group
15 kallithea.model.repo_group
16 ~~~~~~~~~~~~~~~~~~~~~~~~~~
16 ~~~~~~~~~~~~~~~~~~~~~~~~~~
17
17
18 repo group model for Kallithea
18 repo group model for Kallithea
19
19
20 This file was forked by the Kallithea project in July 2014.
20 This file was forked by the Kallithea project in July 2014.
21 Original author and date, and relevant copyright and licensing information is below:
21 Original author and date, and relevant copyright and licensing information is below:
22 :created_on: Jan 25, 2011
22 :created_on: Jan 25, 2011
23 :author: marcink
23 :author: marcink
24 :copyright: (c) 2013 RhodeCode GmbH, and others.
24 :copyright: (c) 2013 RhodeCode GmbH, and others.
25 :license: GPLv3, see LICENSE.md for more details.
25 :license: GPLv3, see LICENSE.md for more details.
26 """
26 """
27
27
28
28
29 import datetime
29 import datetime
30 import logging
30 import logging
31 import os
31 import os
32 import shutil
32 import shutil
33 import traceback
33 import traceback
34
34
35 import kallithea.lib.utils2
35 import kallithea.lib.utils2
36 from kallithea.lib.utils2 import LazyProperty
36 from kallithea.lib.utils2 import LazyProperty
37 from kallithea.model import db, meta, repo
37 from kallithea.model import db, meta, repo
38
38
39
39
40 log = logging.getLogger(__name__)
40 log = logging.getLogger(__name__)
41
41
42
42
43 class RepoGroupModel(object):
43 class RepoGroupModel(object):
44
44
45 @LazyProperty
45 @LazyProperty
46 def repos_path(self):
46 def repos_path(self):
47 """
47 """
48 Gets the repositories root path from database
48 Gets the repositories root path from database
49 """
49 """
50
50
51 q = db.Ui.get_by_key('paths', '/')
51 q = db.Ui.get_by_key('paths', '/')
52 return q.ui_value
52 return q.ui_value
53
53
54 def _create_default_perms(self, new_group):
54 def _create_default_perms(self, new_group):
55 # create default permission
55 # create default permission
56 default_perm = 'group.read'
56 default_perm = 'group.read'
57 def_user = db.User.get_default_user()
57 def_user = db.User.get_default_user()
58 for p in def_user.user_perms:
58 for p in def_user.user_perms:
59 if p.permission.permission_name.startswith('group.'):
59 if p.permission.permission_name.startswith('group.'):
60 default_perm = p.permission.permission_name
60 default_perm = p.permission.permission_name
61 break
61 break
62
62
63 repo_group_to_perm = db.UserRepoGroupToPerm()
63 repo_group_to_perm = db.UserRepoGroupToPerm()
64 repo_group_to_perm.permission = db.Permission.get_by_key(default_perm)
64 repo_group_to_perm.permission = db.Permission.get_by_key(default_perm)
65
65
66 repo_group_to_perm.group = new_group
66 repo_group_to_perm.group = new_group
67 repo_group_to_perm.user_id = def_user.user_id
67 repo_group_to_perm.user_id = def_user.user_id
68 meta.Session().add(repo_group_to_perm)
68 meta.Session().add(repo_group_to_perm)
69 return repo_group_to_perm
69 return repo_group_to_perm
70
70
71 def _create_group(self, group_name):
71 def _create_group(self, group_name):
72 """
72 """
73 makes repository group on filesystem
73 makes repository group on filesystem
74
74
75 :param repo_name:
75 :param repo_name:
76 :param parent_id:
76 :param parent_id:
77 """
77 """
78
78
79 create_path = os.path.join(self.repos_path, group_name)
79 create_path = os.path.join(self.repos_path, group_name)
80 log.debug('creating new group in %s', create_path)
80 log.debug('creating new group in %s', create_path)
81
81
82 if os.path.isdir(create_path):
82 if os.path.isdir(create_path):
83 raise Exception('That directory already exists !')
83 raise Exception('That directory already exists !')
84
84
85 os.makedirs(create_path)
85 os.makedirs(create_path)
86 log.debug('Created group in %s', create_path)
86 log.debug('Created group in %s', create_path)
87
87
88 def _rename_group(self, old, new):
88 def _rename_group(self, old, new):
89 """
89 """
90 Renames a group on filesystem
90 Renames a group on filesystem
91
91
92 :param group_name:
92 :param group_name:
93 """
93 """
94
94
95 if old == new:
95 if old == new:
96 log.debug('skipping group rename')
96 log.debug('skipping group rename')
97 return
97 return
98
98
99 log.debug('renaming repository group from %s to %s', old, new)
99 log.debug('renaming repository group from %s to %s', old, new)
100
100
101 old_path = os.path.join(self.repos_path, old)
101 old_path = os.path.join(self.repos_path, old)
102 new_path = os.path.join(self.repos_path, new)
102 new_path = os.path.join(self.repos_path, new)
103
103
104 log.debug('renaming repos paths from %s to %s', old_path, new_path)
104 log.debug('renaming repos paths from %s to %s', old_path, new_path)
105
105
106 if os.path.isdir(new_path):
106 if os.path.isdir(new_path):
107 raise Exception('Was trying to rename to already '
107 raise Exception('Was trying to rename to already '
108 'existing dir %s' % new_path)
108 'existing dir %s' % new_path)
109 shutil.move(old_path, new_path)
109 shutil.move(old_path, new_path)
110
110
111 def _delete_group(self, group, force_delete=False):
111 def _delete_group(self, group, force_delete=False):
112 """
112 """
113 Deletes a group from a filesystem
113 Deletes a group from a filesystem
114
114
115 :param group: instance of group from database
115 :param group: instance of group from database
116 :param force_delete: use shutil rmtree to remove all objects
116 :param force_delete: use shutil rmtree to remove all objects
117 """
117 """
118 paths = group.full_path.split(kallithea.URL_SEP)
118 paths = group.full_path.split(kallithea.URL_SEP)
119 paths = os.sep.join(paths)
119 paths = os.sep.join(paths)
120
120
121 rm_path = os.path.join(self.repos_path, paths)
121 rm_path = os.path.join(self.repos_path, paths)
122 log.info("Removing group %s", rm_path)
122 log.info("Removing group %s", rm_path)
123 # delete only if that path really exists
123 # delete only if that path really exists
124 if os.path.isdir(rm_path):
124 if os.path.isdir(rm_path):
125 if force_delete:
125 if force_delete:
126 shutil.rmtree(rm_path)
126 shutil.rmtree(rm_path)
127 else:
127 else:
128 # archive that group
128 # archive that group
129 _now = datetime.datetime.now()
129 _now = datetime.datetime.now()
130 _ms = str(_now.microsecond).rjust(6, '0')
130 _ms = str(_now.microsecond).rjust(6, '0')
131 _d = 'rm__%s_GROUP_%s' % (_now.strftime('%Y%m%d_%H%M%S_' + _ms),
131 _d = 'rm__%s_GROUP_%s' % (_now.strftime('%Y%m%d_%H%M%S_' + _ms),
132 group.name)
132 group.name)
133 shutil.move(rm_path, os.path.join(self.repos_path, _d))
133 shutil.move(rm_path, os.path.join(self.repos_path, _d))
134
134
135 def create(self, group_name, group_description, owner, parent=None,
135 def create(self, group_name, group_description, owner, parent=None,
136 just_db=False, copy_permissions=False):
136 just_db=False, copy_permissions=False):
137 try:
137 try:
138 if kallithea.lib.utils2.repo_name_slug(group_name) != group_name:
138 if kallithea.lib.utils2.repo_name_slug(group_name) != group_name:
139 raise Exception('invalid repo group name %s' % group_name)
139 raise Exception('invalid repo group name %s' % group_name)
140
140
141 owner = db.User.guess_instance(owner)
141 owner = db.User.guess_instance(owner)
142 parent_group = db.RepoGroup.guess_instance(parent)
142 parent_group = db.RepoGroup.guess_instance(parent)
143 new_repo_group = db.RepoGroup()
143 new_repo_group = db.RepoGroup()
144 new_repo_group.owner = owner
144 new_repo_group.owner = owner
145 new_repo_group.group_description = group_description or group_name
145 new_repo_group.group_description = group_description or group_name
146 new_repo_group.parent_group = parent_group
146 new_repo_group.parent_group = parent_group
147 new_repo_group.group_name = new_repo_group.get_new_name(group_name)
147 new_repo_group.group_name = new_repo_group.get_new_name(group_name)
148
148
149 meta.Session().add(new_repo_group)
149 meta.Session().add(new_repo_group)
150
150
151 # create an ADMIN permission for owner except if we're super admin,
152 # later owner should go into the owner field of groups
153 if not owner.is_admin:
154 self.grant_user_permission(repo_group=new_repo_group,
155 user=owner, perm='group.admin')
156
157 if parent_group and copy_permissions:
151 if parent_group and copy_permissions:
158 # copy permissions from parent
152 # copy permissions from parent
159 user_perms = db.UserRepoGroupToPerm.query() \
153 user_perms = db.UserRepoGroupToPerm.query() \
160 .filter(db.UserRepoGroupToPerm.group == parent_group).all()
154 .filter(db.UserRepoGroupToPerm.group == parent_group).all()
161
155
162 group_perms = db.UserGroupRepoGroupToPerm.query() \
156 group_perms = db.UserGroupRepoGroupToPerm.query() \
163 .filter(db.UserGroupRepoGroupToPerm.group == parent_group).all()
157 .filter(db.UserGroupRepoGroupToPerm.group == parent_group).all()
164
158
165 for perm in user_perms:
159 for perm in user_perms:
166 # don't copy over the permission for user who is creating
160 # don't copy over the permission for user who is creating
167 # this group, if he is not super admin he get's admin
161 # this group, if he is not super admin he get's admin
168 # permission set above
162 # permission set above
169 if perm.user != owner or owner.is_admin:
163 if perm.user != owner or owner.is_admin:
170 db.UserRepoGroupToPerm.create(perm.user, new_repo_group, perm.permission)
164 db.UserRepoGroupToPerm.create(perm.user, new_repo_group, perm.permission)
171
165
172 for perm in group_perms:
166 for perm in group_perms:
173 db.UserGroupRepoGroupToPerm.create(perm.users_group, new_repo_group, perm.permission)
167 db.UserGroupRepoGroupToPerm.create(perm.users_group, new_repo_group, perm.permission)
174 else:
168 else:
175 self._create_default_perms(new_repo_group)
169 self._create_default_perms(new_repo_group)
176
170
177 if not just_db:
171 if not just_db:
178 # we need to flush here, in order to check if database won't
172 # we need to flush here, in order to check if database won't
179 # throw any exceptions, create filesystem dirs at the very end
173 # throw any exceptions, create filesystem dirs at the very end
180 meta.Session().flush()
174 meta.Session().flush()
181 self._create_group(new_repo_group.group_name)
175 self._create_group(new_repo_group.group_name)
182
176
183 return new_repo_group
177 return new_repo_group
184 except Exception:
178 except Exception:
185 log.error(traceback.format_exc())
179 log.error(traceback.format_exc())
186 raise
180 raise
187
181
188 def _update_permissions(self, repo_group, perms_new=None,
182 def _update_permissions(self, repo_group, perms_new=None,
189 perms_updates=None, recursive=None,
183 perms_updates=None, recursive=None,
190 check_perms=True):
184 check_perms=True):
191 from kallithea.lib.auth import HasUserGroupPermissionLevel
185 from kallithea.lib.auth import HasUserGroupPermissionLevel
192
186
193 if not perms_new:
187 if not perms_new:
194 perms_new = []
188 perms_new = []
195 if not perms_updates:
189 if not perms_updates:
196 perms_updates = []
190 perms_updates = []
197
191
198 def _set_perm_user(obj, user, perm):
192 def _set_perm_user(obj, user, perm):
199 if isinstance(obj, db.RepoGroup):
193 if isinstance(obj, db.RepoGroup):
200 self.grant_user_permission(repo_group=obj, user=user, perm=perm)
194 self.grant_user_permission(repo_group=obj, user=user, perm=perm)
201 elif isinstance(obj, db.Repository):
195 elif isinstance(obj, db.Repository):
202 user = db.User.guess_instance(user)
196 user = db.User.guess_instance(user)
203
197
204 # private repos will not allow to change the default permissions
198 # private repos will not allow to change the default permissions
205 # using recursive mode
199 # using recursive mode
206 if obj.private and user.is_default_user:
200 if obj.private and user.is_default_user:
207 return
201 return
208
202
209 # we set group permission but we have to switch to repo
203 # we set group permission but we have to switch to repo
210 # permission
204 # permission
211 perm = perm.replace('group.', 'repository.')
205 perm = perm.replace('group.', 'repository.')
212 repo.RepoModel().grant_user_permission(
206 repo.RepoModel().grant_user_permission(
213 repo=obj, user=user, perm=perm
207 repo=obj, user=user, perm=perm
214 )
208 )
215
209
216 def _set_perm_group(obj, users_group, perm):
210 def _set_perm_group(obj, users_group, perm):
217 if isinstance(obj, db.RepoGroup):
211 if isinstance(obj, db.RepoGroup):
218 self.grant_user_group_permission(repo_group=obj,
212 self.grant_user_group_permission(repo_group=obj,
219 group_name=users_group,
213 group_name=users_group,
220 perm=perm)
214 perm=perm)
221 elif isinstance(obj, db.Repository):
215 elif isinstance(obj, db.Repository):
222 # we set group permission but we have to switch to repo
216 # we set group permission but we have to switch to repo
223 # permission
217 # permission
224 perm = perm.replace('group.', 'repository.')
218 perm = perm.replace('group.', 'repository.')
225 repo.RepoModel().grant_user_group_permission(
219 repo.RepoModel().grant_user_group_permission(
226 repo=obj, group_name=users_group, perm=perm
220 repo=obj, group_name=users_group, perm=perm
227 )
221 )
228
222
229 # start updates
223 # start updates
230 updates = []
224 updates = []
231 log.debug('Now updating permissions for %s in recursive mode:%s',
225 log.debug('Now updating permissions for %s in recursive mode:%s',
232 repo_group, recursive)
226 repo_group, recursive)
233
227
234 for obj in repo_group.recursive_groups_and_repos():
228 for obj in repo_group.recursive_groups_and_repos():
235 # iterated obj is an instance of a repos group or repository in
229 # iterated obj is an instance of a repos group or repository in
236 # that group, recursive option can be: none, repos, groups, all
230 # that group, recursive option can be: none, repos, groups, all
237 if recursive == 'all':
231 if recursive == 'all':
238 pass
232 pass
239 elif recursive == 'repos':
233 elif recursive == 'repos':
240 # skip groups, other than this one
234 # skip groups, other than this one
241 if isinstance(obj, db.RepoGroup) and not obj == repo_group:
235 if isinstance(obj, db.RepoGroup) and not obj == repo_group:
242 continue
236 continue
243 elif recursive == 'groups':
237 elif recursive == 'groups':
244 # skip repos
238 # skip repos
245 if isinstance(obj, db.Repository):
239 if isinstance(obj, db.Repository):
246 continue
240 continue
247 else: # recursive == 'none': # DEFAULT don't apply to iterated objects
241 else: # recursive == 'none': # DEFAULT don't apply to iterated objects
248 obj = repo_group
242 obj = repo_group
249 # also we do a break at the end of this loop.
243 # also we do a break at the end of this loop.
250
244
251 # update permissions
245 # update permissions
252 for member, perm, member_type in perms_updates:
246 for member, perm, member_type in perms_updates:
253 ## set for user
247 ## set for user
254 if member_type == 'user':
248 if member_type == 'user':
255 # this updates also current one if found
249 # this updates also current one if found
256 _set_perm_user(obj, user=member, perm=perm)
250 _set_perm_user(obj, user=member, perm=perm)
257 ## set for user group
251 ## set for user group
258 else:
252 else:
259 # check if we have permissions to alter this usergroup's access
253 # check if we have permissions to alter this usergroup's access
260 if not check_perms or HasUserGroupPermissionLevel('read')(member):
254 if not check_perms or HasUserGroupPermissionLevel('read')(member):
261 _set_perm_group(obj, users_group=member, perm=perm)
255 _set_perm_group(obj, users_group=member, perm=perm)
262 # set new permissions
256 # set new permissions
263 for member, perm, member_type in perms_new:
257 for member, perm, member_type in perms_new:
264 if member_type == 'user':
258 if member_type == 'user':
265 _set_perm_user(obj, user=member, perm=perm)
259 _set_perm_user(obj, user=member, perm=perm)
266 else:
260 else:
267 # check if we have permissions to alter this usergroup's access
261 # check if we have permissions to alter this usergroup's access
268 if not check_perms or HasUserGroupPermissionLevel('read')(member):
262 if not check_perms or HasUserGroupPermissionLevel('read')(member):
269 _set_perm_group(obj, users_group=member, perm=perm)
263 _set_perm_group(obj, users_group=member, perm=perm)
270 updates.append(obj)
264 updates.append(obj)
271 # if it's not recursive call for all,repos,groups
265 # if it's not recursive call for all,repos,groups
272 # break the loop and don't proceed with other changes
266 # break the loop and don't proceed with other changes
273 if recursive not in ['all', 'repos', 'groups']:
267 if recursive not in ['all', 'repos', 'groups']:
274 break
268 break
275
269
276 return updates
270 return updates
277
271
278 def update(self, repo_group, repo_group_args):
272 def update(self, repo_group, repo_group_args):
279 try:
273 try:
280 repo_group = db.RepoGroup.guess_instance(repo_group)
274 repo_group = db.RepoGroup.guess_instance(repo_group)
281 old_path = repo_group.full_path # aka .group_name
275 old_path = repo_group.full_path # aka .group_name
282
276
283 if 'owner' in repo_group_args:
277 if 'owner' in repo_group_args:
284 repo_group.owner = db.User.get_by_username(repo_group_args['owner'])
278 repo_group.owner = db.User.get_by_username(repo_group_args['owner'])
285 if 'group_description' in repo_group_args:
279 if 'group_description' in repo_group_args:
286 repo_group.group_description = repo_group_args['group_description']
280 repo_group.group_description = repo_group_args['group_description']
287 if 'parent_group_id' in repo_group_args:
281 if 'parent_group_id' in repo_group_args:
288 assert repo_group_args['parent_group_id'] != '-1', repo_group_args # RepoGroupForm should have converted to None
282 assert repo_group_args['parent_group_id'] != '-1', repo_group_args # RepoGroupForm should have converted to None
289 new_parent_group = db.RepoGroup.get(repo_group_args['parent_group_id'])
283 new_parent_group = db.RepoGroup.get(repo_group_args['parent_group_id'])
290 if new_parent_group is not repo_group.parent_group:
284 if new_parent_group is not repo_group.parent_group:
291 repo_group.parent_group = new_parent_group
285 repo_group.parent_group = new_parent_group
292 repo_group.group_name = repo_group.get_new_name(repo_group.name)
286 repo_group.group_name = repo_group.get_new_name(repo_group.name)
293 log.debug('Moving repo group %s to %s', old_path, repo_group.group_name)
287 log.debug('Moving repo group %s to %s', old_path, repo_group.group_name)
294 if 'group_name' in repo_group_args:
288 if 'group_name' in repo_group_args:
295 group_name = repo_group_args['group_name']
289 group_name = repo_group_args['group_name']
296 if kallithea.lib.utils2.repo_name_slug(group_name) != group_name:
290 if kallithea.lib.utils2.repo_name_slug(group_name) != group_name:
297 raise Exception('invalid repo group name %s' % group_name)
291 raise Exception('invalid repo group name %s' % group_name)
298 if repo_group.name != group_name:
292 if repo_group.name != group_name:
299 repo_group.group_name = repo_group.get_new_name(group_name)
293 repo_group.group_name = repo_group.get_new_name(group_name)
300 log.debug('Renaming repo group %s to %s', old_path, repo_group.group_name)
294 log.debug('Renaming repo group %s to %s', old_path, repo_group.group_name)
301 new_path = repo_group.full_path
295 new_path = repo_group.full_path
302 meta.Session().add(repo_group)
296 meta.Session().add(repo_group)
303
297
304 # Iterate over all members of this repo group and update the full
298 # Iterate over all members of this repo group and update the full
305 # path (repo_name and group_name) based on the (already updated)
299 # path (repo_name and group_name) based on the (already updated)
306 # full path of the parent.
300 # full path of the parent.
307 # This can potentially be a heavy operation.
301 # This can potentially be a heavy operation.
308 for obj in repo_group.recursive_groups_and_repos():
302 for obj in repo_group.recursive_groups_and_repos():
309 if obj is repo_group:
303 if obj is repo_group:
310 continue # already updated and logged
304 continue # already updated and logged
311 if isinstance(obj, db.RepoGroup):
305 if isinstance(obj, db.RepoGroup):
312 new_name = obj.get_new_name(obj.name)
306 new_name = obj.get_new_name(obj.name)
313 log.debug('Fixing repo group %s to new name %s', obj.group_name, new_name)
307 log.debug('Fixing repo group %s to new name %s', obj.group_name, new_name)
314 obj.group_name = new_name
308 obj.group_name = new_name
315 elif isinstance(obj, db.Repository):
309 elif isinstance(obj, db.Repository):
316 new_name = obj.get_new_name(obj.just_name)
310 new_name = obj.get_new_name(obj.just_name)
317 log.debug('Fixing repo %s to new name %s', obj.repo_name, new_name)
311 log.debug('Fixing repo %s to new name %s', obj.repo_name, new_name)
318 obj.repo_name = new_name
312 obj.repo_name = new_name
319
313
320 # Rename in file system
314 # Rename in file system
321 self._rename_group(old_path, new_path)
315 self._rename_group(old_path, new_path)
322
316
323 return repo_group
317 return repo_group
324 except Exception:
318 except Exception:
325 log.error(traceback.format_exc())
319 log.error(traceback.format_exc())
326 raise
320 raise
327
321
328 def delete(self, repo_group, force_delete=False):
322 def delete(self, repo_group, force_delete=False):
329 repo_group = db.RepoGroup.guess_instance(repo_group)
323 repo_group = db.RepoGroup.guess_instance(repo_group)
330 try:
324 try:
331 meta.Session().delete(repo_group)
325 meta.Session().delete(repo_group)
332 self._delete_group(repo_group, force_delete)
326 self._delete_group(repo_group, force_delete)
333 except Exception:
327 except Exception:
334 log.error('Error removing repo_group %s', repo_group)
328 log.error('Error removing repo_group %s', repo_group)
335 raise
329 raise
336
330
337 def add_permission(self, repo_group, obj, obj_type, perm, recursive):
331 def add_permission(self, repo_group, obj, obj_type, perm, recursive):
338 repo_group = db.RepoGroup.guess_instance(repo_group)
332 repo_group = db.RepoGroup.guess_instance(repo_group)
339 perm = db.Permission.guess_instance(perm)
333 perm = db.Permission.guess_instance(perm)
340
334
341 for el in repo_group.recursive_groups_and_repos():
335 for el in repo_group.recursive_groups_and_repos():
342 # iterated obj is an instance of a repos group or repository in
336 # iterated obj is an instance of a repos group or repository in
343 # that group, recursive option can be: none, repos, groups, all
337 # that group, recursive option can be: none, repos, groups, all
344 if recursive == 'all':
338 if recursive == 'all':
345 pass
339 pass
346 elif recursive == 'repos':
340 elif recursive == 'repos':
347 # skip groups, other than this one
341 # skip groups, other than this one
348 if isinstance(el, db.RepoGroup) and not el == repo_group:
342 if isinstance(el, db.RepoGroup) and not el == repo_group:
349 continue
343 continue
350 elif recursive == 'groups':
344 elif recursive == 'groups':
351 # skip repos
345 # skip repos
352 if isinstance(el, db.Repository):
346 if isinstance(el, db.Repository):
353 continue
347 continue
354 else: # recursive == 'none': # DEFAULT don't apply to iterated objects
348 else: # recursive == 'none': # DEFAULT don't apply to iterated objects
355 el = repo_group
349 el = repo_group
356 # also we do a break at the end of this loop.
350 # also we do a break at the end of this loop.
357
351
358 if isinstance(el, db.RepoGroup):
352 if isinstance(el, db.RepoGroup):
359 if obj_type == 'user':
353 if obj_type == 'user':
360 RepoGroupModel().grant_user_permission(el, user=obj, perm=perm)
354 RepoGroupModel().grant_user_permission(el, user=obj, perm=perm)
361 elif obj_type == 'user_group':
355 elif obj_type == 'user_group':
362 RepoGroupModel().grant_user_group_permission(el, group_name=obj, perm=perm)
356 RepoGroupModel().grant_user_group_permission(el, group_name=obj, perm=perm)
363 else:
357 else:
364 raise Exception('undefined object type %s' % obj_type)
358 raise Exception('undefined object type %s' % obj_type)
365 elif isinstance(el, db.Repository):
359 elif isinstance(el, db.Repository):
366 # for repos we need to hotfix the name of permission
360 # for repos we need to hotfix the name of permission
367 _perm = perm.permission_name.replace('group.', 'repository.')
361 _perm = perm.permission_name.replace('group.', 'repository.')
368 if obj_type == 'user':
362 if obj_type == 'user':
369 repo.RepoModel().grant_user_permission(el, user=obj, perm=_perm)
363 repo.RepoModel().grant_user_permission(el, user=obj, perm=_perm)
370 elif obj_type == 'user_group':
364 elif obj_type == 'user_group':
371 repo.RepoModel().grant_user_group_permission(el, group_name=obj, perm=_perm)
365 repo.RepoModel().grant_user_group_permission(el, group_name=obj, perm=_perm)
372 else:
366 else:
373 raise Exception('undefined object type %s' % obj_type)
367 raise Exception('undefined object type %s' % obj_type)
374 else:
368 else:
375 raise Exception('el should be instance of Repository or '
369 raise Exception('el should be instance of Repository or '
376 'RepositoryGroup got %s instead' % type(el))
370 'RepositoryGroup got %s instead' % type(el))
377
371
378 # if it's not recursive call for all,repos,groups
372 # if it's not recursive call for all,repos,groups
379 # break the loop and don't proceed with other changes
373 # break the loop and don't proceed with other changes
380 if recursive not in ['all', 'repos', 'groups']:
374 if recursive not in ['all', 'repos', 'groups']:
381 break
375 break
382
376
383 def delete_permission(self, repo_group, obj, obj_type, recursive):
377 def delete_permission(self, repo_group, obj, obj_type, recursive):
384 """
378 """
385 Revokes permission for repo_group for given obj(user or users_group),
379 Revokes permission for repo_group for given obj(user or users_group),
386 obj_type can be user or user group
380 obj_type can be user or user group
387
381
388 :param repo_group:
382 :param repo_group:
389 :param obj: user or user group id
383 :param obj: user or user group id
390 :param obj_type: user or user group type
384 :param obj_type: user or user group type
391 :param recursive: recurse to all children of group
385 :param recursive: recurse to all children of group
392 """
386 """
393 repo_group = db.RepoGroup.guess_instance(repo_group)
387 repo_group = db.RepoGroup.guess_instance(repo_group)
394
388
395 for el in repo_group.recursive_groups_and_repos():
389 for el in repo_group.recursive_groups_and_repos():
396 # iterated obj is an instance of a repos group or repository in
390 # iterated obj is an instance of a repos group or repository in
397 # that group, recursive option can be: none, repos, groups, all
391 # that group, recursive option can be: none, repos, groups, all
398 if recursive == 'all':
392 if recursive == 'all':
399 pass
393 pass
400 elif recursive == 'repos':
394 elif recursive == 'repos':
401 # skip groups, other than this one
395 # skip groups, other than this one
402 if isinstance(el, db.RepoGroup) and not el == repo_group:
396 if isinstance(el, db.RepoGroup) and not el == repo_group:
403 continue
397 continue
404 elif recursive == 'groups':
398 elif recursive == 'groups':
405 # skip repos
399 # skip repos
406 if isinstance(el, db.Repository):
400 if isinstance(el, db.Repository):
407 continue
401 continue
408 else: # recursive == 'none': # DEFAULT don't apply to iterated objects
402 else: # recursive == 'none': # DEFAULT don't apply to iterated objects
409 el = repo_group
403 el = repo_group
410 # also we do a break at the end of this loop.
404 # also we do a break at the end of this loop.
411
405
412 if isinstance(el, db.RepoGroup):
406 if isinstance(el, db.RepoGroup):
413 if obj_type == 'user':
407 if obj_type == 'user':
414 RepoGroupModel().revoke_user_permission(el, user=obj)
408 RepoGroupModel().revoke_user_permission(el, user=obj)
415 elif obj_type == 'user_group':
409 elif obj_type == 'user_group':
416 RepoGroupModel().revoke_user_group_permission(el, group_name=obj)
410 RepoGroupModel().revoke_user_group_permission(el, group_name=obj)
417 else:
411 else:
418 raise Exception('undefined object type %s' % obj_type)
412 raise Exception('undefined object type %s' % obj_type)
419 elif isinstance(el, db.Repository):
413 elif isinstance(el, db.Repository):
420 if obj_type == 'user':
414 if obj_type == 'user':
421 repo.RepoModel().revoke_user_permission(el, user=obj)
415 repo.RepoModel().revoke_user_permission(el, user=obj)
422 elif obj_type == 'user_group':
416 elif obj_type == 'user_group':
423 repo.RepoModel().revoke_user_group_permission(el, group_name=obj)
417 repo.RepoModel().revoke_user_group_permission(el, group_name=obj)
424 else:
418 else:
425 raise Exception('undefined object type %s' % obj_type)
419 raise Exception('undefined object type %s' % obj_type)
426 else:
420 else:
427 raise Exception('el should be instance of Repository or '
421 raise Exception('el should be instance of Repository or '
428 'RepositoryGroup got %s instead' % type(el))
422 'RepositoryGroup got %s instead' % type(el))
429
423
430 # if it's not recursive call for all,repos,groups
424 # if it's not recursive call for all,repos,groups
431 # break the loop and don't proceed with other changes
425 # break the loop and don't proceed with other changes
432 if recursive not in ['all', 'repos', 'groups']:
426 if recursive not in ['all', 'repos', 'groups']:
433 break
427 break
434
428
435 def grant_user_permission(self, repo_group, user, perm):
429 def grant_user_permission(self, repo_group, user, perm):
436 """
430 """
437 Grant permission for user on given repository group, or update
431 Grant permission for user on given repository group, or update
438 existing one if found
432 existing one if found
439
433
440 :param repo_group: Instance of RepoGroup, repositories_group_id,
434 :param repo_group: Instance of RepoGroup, repositories_group_id,
441 or repositories_group name
435 or repositories_group name
442 :param user: Instance of User, user_id or username
436 :param user: Instance of User, user_id or username
443 :param perm: Instance of Permission, or permission_name
437 :param perm: Instance of Permission, or permission_name
444 """
438 """
445
439
446 repo_group = db.RepoGroup.guess_instance(repo_group)
440 repo_group = db.RepoGroup.guess_instance(repo_group)
447 user = db.User.guess_instance(user)
441 user = db.User.guess_instance(user)
448 permission = db.Permission.guess_instance(perm)
442 permission = db.Permission.guess_instance(perm)
449
443
450 # check if we have that permission already
444 # check if we have that permission already
451 obj = db.UserRepoGroupToPerm.query() \
445 obj = db.UserRepoGroupToPerm.query() \
452 .filter(db.UserRepoGroupToPerm.user == user) \
446 .filter(db.UserRepoGroupToPerm.user == user) \
453 .filter(db.UserRepoGroupToPerm.group == repo_group) \
447 .filter(db.UserRepoGroupToPerm.group == repo_group) \
454 .scalar()
448 .scalar()
455 if obj is None:
449 if obj is None:
456 # create new !
450 # create new !
457 obj = db.UserRepoGroupToPerm()
451 obj = db.UserRepoGroupToPerm()
458 meta.Session().add(obj)
452 meta.Session().add(obj)
459 obj.group = repo_group
453 obj.group = repo_group
460 obj.user = user
454 obj.user = user
461 obj.permission = permission
455 obj.permission = permission
462 log.debug('Granted perm %s to %s on %s', perm, user, repo_group)
456 log.debug('Granted perm %s to %s on %s', perm, user, repo_group)
463 return obj
457 return obj
464
458
465 def revoke_user_permission(self, repo_group, user):
459 def revoke_user_permission(self, repo_group, user):
466 """
460 """
467 Revoke permission for user on given repository group
461 Revoke permission for user on given repository group
468
462
469 :param repo_group: Instance of RepoGroup, repositories_group_id,
463 :param repo_group: Instance of RepoGroup, repositories_group_id,
470 or repositories_group name
464 or repositories_group name
471 :param user: Instance of User, user_id or username
465 :param user: Instance of User, user_id or username
472 """
466 """
473
467
474 repo_group = db.RepoGroup.guess_instance(repo_group)
468 repo_group = db.RepoGroup.guess_instance(repo_group)
475 user = db.User.guess_instance(user)
469 user = db.User.guess_instance(user)
476
470
477 obj = db.UserRepoGroupToPerm.query() \
471 obj = db.UserRepoGroupToPerm.query() \
478 .filter(db.UserRepoGroupToPerm.user == user) \
472 .filter(db.UserRepoGroupToPerm.user == user) \
479 .filter(db.UserRepoGroupToPerm.group == repo_group) \
473 .filter(db.UserRepoGroupToPerm.group == repo_group) \
480 .scalar()
474 .scalar()
481 if obj is not None:
475 if obj is not None:
482 meta.Session().delete(obj)
476 meta.Session().delete(obj)
483 log.debug('Revoked perm on %s on %s', repo_group, user)
477 log.debug('Revoked perm on %s on %s', repo_group, user)
484
478
485 def grant_user_group_permission(self, repo_group, group_name, perm):
479 def grant_user_group_permission(self, repo_group, group_name, perm):
486 """
480 """
487 Grant permission for user group on given repository group, or update
481 Grant permission for user group on given repository group, or update
488 existing one if found
482 existing one if found
489
483
490 :param repo_group: Instance of RepoGroup, repositories_group_id,
484 :param repo_group: Instance of RepoGroup, repositories_group_id,
491 or repositories_group name
485 or repositories_group name
492 :param group_name: Instance of UserGroup, users_group_id,
486 :param group_name: Instance of UserGroup, users_group_id,
493 or user group name
487 or user group name
494 :param perm: Instance of Permission, or permission_name
488 :param perm: Instance of Permission, or permission_name
495 """
489 """
496 repo_group = db.RepoGroup.guess_instance(repo_group)
490 repo_group = db.RepoGroup.guess_instance(repo_group)
497 group_name = db.UserGroup.guess_instance(group_name)
491 group_name = db.UserGroup.guess_instance(group_name)
498 permission = db.Permission.guess_instance(perm)
492 permission = db.Permission.guess_instance(perm)
499
493
500 # check if we have that permission already
494 # check if we have that permission already
501 obj = db.UserGroupRepoGroupToPerm.query() \
495 obj = db.UserGroupRepoGroupToPerm.query() \
502 .filter(db.UserGroupRepoGroupToPerm.group == repo_group) \
496 .filter(db.UserGroupRepoGroupToPerm.group == repo_group) \
503 .filter(db.UserGroupRepoGroupToPerm.users_group == group_name) \
497 .filter(db.UserGroupRepoGroupToPerm.users_group == group_name) \
504 .scalar()
498 .scalar()
505
499
506 if obj is None:
500 if obj is None:
507 # create new
501 # create new
508 obj = db.UserGroupRepoGroupToPerm()
502 obj = db.UserGroupRepoGroupToPerm()
509 meta.Session().add(obj)
503 meta.Session().add(obj)
510
504
511 obj.group = repo_group
505 obj.group = repo_group
512 obj.users_group = group_name
506 obj.users_group = group_name
513 obj.permission = permission
507 obj.permission = permission
514 log.debug('Granted perm %s to %s on %s', perm, group_name, repo_group)
508 log.debug('Granted perm %s to %s on %s', perm, group_name, repo_group)
515 return obj
509 return obj
516
510
517 def revoke_user_group_permission(self, repo_group, group_name):
511 def revoke_user_group_permission(self, repo_group, group_name):
518 """
512 """
519 Revoke permission for user group on given repository group
513 Revoke permission for user group on given repository group
520
514
521 :param repo_group: Instance of RepoGroup, repositories_group_id,
515 :param repo_group: Instance of RepoGroup, repositories_group_id,
522 or repositories_group name
516 or repositories_group name
523 :param group_name: Instance of UserGroup, users_group_id,
517 :param group_name: Instance of UserGroup, users_group_id,
524 or user group name
518 or user group name
525 """
519 """
526 repo_group = db.RepoGroup.guess_instance(repo_group)
520 repo_group = db.RepoGroup.guess_instance(repo_group)
527 group_name = db.UserGroup.guess_instance(group_name)
521 group_name = db.UserGroup.guess_instance(group_name)
528
522
529 obj = db.UserGroupRepoGroupToPerm.query() \
523 obj = db.UserGroupRepoGroupToPerm.query() \
530 .filter(db.UserGroupRepoGroupToPerm.group == repo_group) \
524 .filter(db.UserGroupRepoGroupToPerm.group == repo_group) \
531 .filter(db.UserGroupRepoGroupToPerm.users_group == group_name) \
525 .filter(db.UserGroupRepoGroupToPerm.users_group == group_name) \
532 .scalar()
526 .scalar()
533 if obj is not None:
527 if obj is not None:
534 meta.Session().delete(obj)
528 meta.Session().delete(obj)
535 log.debug('Revoked perm to %s on %s', repo_group, group_name)
529 log.debug('Revoked perm to %s on %s', repo_group, group_name)
General Comments 0
You need to be logged in to leave comments. Login now