##// END OF EJS Templates
#56 added propagation of permission from group
marcink -
r1016:3790279d beta
parent child Browse files
Show More
@@ -41,11 +41,18 b' from rhodecode.lib.auth_ldap import Auth'
41 from rhodecode.model import meta
41 from rhodecode.model import meta
42 from rhodecode.model.user import UserModel
42 from rhodecode.model.user import UserModel
43 from rhodecode.model.db import User, RepoToPerm, Repository, Permission, \
43 from rhodecode.model.db import User, RepoToPerm, Repository, Permission, \
44 UserToPerm
44 UserToPerm, UsersGroupToPerm, UsersGroupMember
45
45
46
46
47 log = logging.getLogger(__name__)
47 log = logging.getLogger(__name__)
48
48
49
50 PERM_WEIGHTS = {'repository.none':0,
51 'repository.read':1,
52 'repository.write':3,
53 'repository.admin':3}
54
55
49 class PasswordGenerator(object):
56 class PasswordGenerator(object):
50 """This is a simple class for generating password from
57 """This is a simple class for generating password from
51 different sets of characters
58 different sets of characters
@@ -73,7 +80,8 b' class PasswordGenerator(object):'
73
80
74
81
75 def get_crypt_password(password):
82 def get_crypt_password(password):
76 """Cryptographic function used for password hashing based on sha1
83 """Cryptographic function used for password hashing based on pybcrypt
84
77 :param password: password to hash
85 :param password: password to hash
78 """
86 """
79 return bcrypt.hashpw(password, bcrypt.gensalt(10))
87 return bcrypt.hashpw(password, bcrypt.gensalt(10))
@@ -82,8 +90,7 b' def check_password(password, hashed):'
82 return bcrypt.hashpw(password, hashed) == hashed
90 return bcrypt.hashpw(password, hashed) == hashed
83
91
84 def authfunc(environ, username, password):
92 def authfunc(environ, username, password):
85 """
93 """Dummy authentication function used in Mercurial/Git/ and access control,
86 Dummy authentication function used in Mercurial/Git/ and access control,
87
94
88 :param environ: needed only for using in Basic auth
95 :param environ: needed only for using in Basic auth
89 """
96 """
@@ -91,8 +98,7 b' def authfunc(environ, username, password'
91
98
92
99
93 def authenticate(username, password):
100 def authenticate(username, password):
94 """
101 """Authentication function used for access control,
95 Authentication function used for access control,
96 firstly checks for db authentication then if ldap is enabled for ldap
102 firstly checks for db authentication then if ldap is enabled for ldap
97 authentication, also creates ldap user if not in database
103 authentication, also creates ldap user if not in database
98
104
@@ -130,7 +136,7 b' def authenticate(username, password):'
130 ldap_settings = SettingsModel().get_ldap_settings()
136 ldap_settings = SettingsModel().get_ldap_settings()
131
137
132 #======================================================================
138 #======================================================================
133 # FALLBACK TO LDAP AUTH IN ENABLE
139 # FALLBACK TO LDAP AUTH IF ENABLE
134 #======================================================================
140 #======================================================================
135 if ldap_settings.get('ldap_active', False):
141 if ldap_settings.get('ldap_active', False):
136 log.debug("Authenticating user using ldap")
142 log.debug("Authenticating user using ldap")
@@ -160,7 +166,7 b' def authenticate(username, password):'
160 }
166 }
161
167
162 if user_model.create_ldap(username, password, user_dn, user_attrs):
168 if user_model.create_ldap(username, password, user_dn, user_attrs):
163 log.info('created new ldap user')
169 log.info('created new ldap user %s', username)
164
170
165 return True
171 return True
166 except (LdapUsernameError, LdapPasswordError,):
172 except (LdapUsernameError, LdapPasswordError,):
@@ -171,9 +177,9 b' def authenticate(username, password):'
171 return False
177 return False
172
178
173 class AuthUser(object):
179 class AuthUser(object):
180 """A simple object that handles a mercurial username for authentication
174 """
181 """
175 A simple object that handles a mercurial username for authentication
182
176 """
177 def __init__(self):
183 def __init__(self):
178 self.username = 'None'
184 self.username = 'None'
179 self.name = ''
185 self.name = ''
@@ -189,7 +195,7 b' class AuthUser(object):'
189
195
190 def set_available_permissions(config):
196 def set_available_permissions(config):
191 """This function will propagate pylons globals with all available defined
197 """This function will propagate pylons globals with all available defined
192 permission given in db. We don't wannt to check each time from db for new
198 permission given in db. We don't want to check each time from db for new
193 permissions since adding a new permission also requires application restart
199 permissions since adding a new permission also requires application restart
194 ie. to decorate new views with the newly created permission
200 ie. to decorate new views with the newly created permission
195
201
@@ -213,9 +219,10 b' def set_base_path(config):'
213
219
214 def fill_perms(user):
220 def fill_perms(user):
215 """Fills user permission attribute with permissions taken from database
221 """Fills user permission attribute with permissions taken from database
222 works for permissions given for repositories, and for permissions that
223 as part of beeing group member
216
224
217 :param user:
225 :param user: user instance to fill his perms
218
219 """
226 """
220
227
221 sa = meta.Session()
228 sa = meta.Session()
@@ -255,7 +262,7 b' def fill_perms(user):'
255 for perm in default_global_perms:
262 for perm in default_global_perms:
256 user.permissions['global'].add(perm.permission.permission_name)
263 user.permissions['global'].add(perm.permission.permission_name)
257
264
258 #default repositories
265 #default for repositories
259 for perm in default_perms:
266 for perm in default_perms:
260 if perm.Repository.private and not perm.Repository.user_id == user.user_id:
267 if perm.Repository.private and not perm.Repository.user_id == user.user_id:
261 #disable defaults for private repos,
268 #disable defaults for private repos,
@@ -269,7 +276,7 b' def fill_perms(user):'
269 user.permissions['repositories'][perm.RepoToPerm.repository.repo_name] = p
276 user.permissions['repositories'][perm.RepoToPerm.repository.repo_name] = p
270
277
271 #=======================================================================
278 #=======================================================================
272 # #overwrite default with user permissions if any
279 # overwrite default with user permissions if any
273 #=======================================================================
280 #=======================================================================
274 user_perms = sa.query(RepoToPerm, Permission, Repository)\
281 user_perms = sa.query(RepoToPerm, Permission, Repository)\
275 .join((Repository, RepoToPerm.repository_id == Repository.repo_id))\
282 .join((Repository, RepoToPerm.repository_id == Repository.repo_id))\
@@ -282,12 +289,31 b' def fill_perms(user):'
282 else:
289 else:
283 p = perm.Permission.permission_name
290 p = perm.Permission.permission_name
284 user.permissions['repositories'][perm.RepoToPerm.repository.repo_name] = p
291 user.permissions['repositories'][perm.RepoToPerm.repository.repo_name] = p
292
293
294 #=======================================================================
295 # check if user is part of groups for this repository and fill in
296 # (or replace with higher) permissions
297 #=======================================================================
298 user_perms_from_users_groups = sa.query(UsersGroupToPerm, Permission, Repository,)\
299 .join((Repository, UsersGroupToPerm.repository_id == Repository.repo_id))\
300 .join((Permission, UsersGroupToPerm.permission_id == Permission.permission_id))\
301 .join((UsersGroupMember, UsersGroupToPerm.users_group_id == UsersGroupMember.users_group_id))\
302 .filter(UsersGroupMember.user_id == user.user_id).all()
303
304 for perm in user_perms_from_users_groups:
305 p = perm.Permission.permission_name
306 cur_perm = user.permissions['repositories'][perm.UsersGroupToPerm.repository.repo_name]
307 #overwrite permission only if it's greater than permission given from other sources
308 if PERM_WEIGHTS[p] > PERM_WEIGHTS[cur_perm]:
309 user.permissions['repositories'][perm.UsersGroupToPerm.repository.repo_name] = p
310
285 meta.Session.remove()
311 meta.Session.remove()
286 return user
312 return user
287
313
288 def get_user(session):
314 def get_user(session):
289 """
315 """Gets user from session, and wraps permissions into user
290 Gets user from session, and wraps permissions into user
316
291 :param session:
317 :param session:
292 """
318 """
293 user = session.get('rhodecode_user', AuthUser())
319 user = session.get('rhodecode_user', AuthUser())
General Comments 0
You need to be logged in to leave comments. Login now