##// END OF EJS Templates
#399 added inheritance of permissions for users group on repos groups
marcink -
r2129:43481c3d beta
parent child Browse files
Show More
@@ -20,6 +20,7 b' news'
20 - created rcextensions module with additional mappings (ref #322) and
20 - created rcextensions module with additional mappings (ref #322) and
21 post push/pull/create repo hooks callbacks
21 post push/pull/create repo hooks callbacks
22 - implemented #377 Users view for his own permissions on account page
22 - implemented #377 Users view for his own permissions on account page
23 - #399 added inheritance of permissions for users group on repos groups
23
24
24 fixes
25 fixes
25 +++++
26 +++++
@@ -35,7 +35,8 b' from rhodecode.lib.caching_query import '
35 from rhodecode.model import BaseModel
35 from rhodecode.model import BaseModel
36 from rhodecode.model.db import User, UserRepoToPerm, Repository, Permission, \
36 from rhodecode.model.db import User, UserRepoToPerm, Repository, Permission, \
37 UserToPerm, UsersGroupRepoToPerm, UsersGroupToPerm, UsersGroupMember, \
37 UserToPerm, UsersGroupRepoToPerm, UsersGroupToPerm, UsersGroupMember, \
38 Notification, RepoGroup, UserRepoGroupToPerm, UsersGroup
38 Notification, RepoGroup, UserRepoGroupToPerm, UsersGroup,\
39 UsersGroupRepoGroupToPerm
39 from rhodecode.lib.exceptions import DefaultUserException, \
40 from rhodecode.lib.exceptions import DefaultUserException, \
40 UserOwnsReposException
41 UserOwnsReposException
41
42
@@ -410,7 +411,7 b' class UserModel(BaseModel):'
410 for perm in default_global_perms:
411 for perm in default_global_perms:
411 user.permissions[GLOBAL].add(perm.permission.permission_name)
412 user.permissions[GLOBAL].add(perm.permission.permission_name)
412
413
413 # default for repositories
414 # defaults for repositories, taken from default user
414 for perm in default_repo_perms:
415 for perm in default_repo_perms:
415 r_k = perm.UserRepoToPerm.repository.repo_name
416 r_k = perm.UserRepoToPerm.repository.repo_name
416 if perm.Repository.private and not (perm.Repository.user_id == uid):
417 if perm.Repository.private and not (perm.Repository.user_id == uid):
@@ -424,17 +425,18 b' class UserModel(BaseModel):'
424
425
425 user.permissions[RK][r_k] = p
426 user.permissions[RK][r_k] = p
426
427
427 # default for repositories groups
428 # defaults for repositories groups taken from default user permission
429 # on given group
428 for perm in default_repo_groups_perms:
430 for perm in default_repo_groups_perms:
429 rg_k = perm.UserRepoGroupToPerm.group.group_name
431 rg_k = perm.UserRepoGroupToPerm.group.group_name
430 p = perm.Permission.permission_name
432 p = perm.Permission.permission_name
431 user.permissions[GK][rg_k] = p
433 user.permissions[GK][rg_k] = p
432
434
433 #==================================================================
435 #==================================================================
434 # overwrite default with user permissions if any
436 # overwrite defaults with user permissions if any found
435 #==================================================================
437 #==================================================================
436
438
437 # user global
439 # user global permissions
438 user_perms = self.sa.query(UserToPerm)\
440 user_perms = self.sa.query(UserToPerm)\
439 .options(joinedload(UserToPerm.permission))\
441 .options(joinedload(UserToPerm.permission))\
440 .filter(UserToPerm.user_id == uid).all()
442 .filter(UserToPerm.user_id == uid).all()
@@ -442,7 +444,7 b' class UserModel(BaseModel):'
442 for perm in user_perms:
444 for perm in user_perms:
443 user.permissions[GLOBAL].add(perm.permission.permission_name)
445 user.permissions[GLOBAL].add(perm.permission.permission_name)
444
446
445 # user repositories
447 # user explicit permissions for repositories
446 user_repo_perms = \
448 user_repo_perms = \
447 self.sa.query(UserRepoToPerm, Permission, Repository)\
449 self.sa.query(UserRepoToPerm, Permission, Repository)\
448 .join((Repository, UserRepoToPerm.repository_id == Repository.repo_id))\
450 .join((Repository, UserRepoToPerm.repository_id == Repository.repo_id))\
@@ -460,8 +462,8 b' class UserModel(BaseModel):'
460 user.permissions[RK][r_k] = p
462 user.permissions[RK][r_k] = p
461
463
462 #==================================================================
464 #==================================================================
463 # check if user is part of groups for this repository and fill in
465 # check if user is part of user groups for this repository and
464 # (or replace with higher) permissions
466 # fill in (or replace with higher) permissions
465 #==================================================================
467 #==================================================================
466
468
467 # users group global
469 # users group global
@@ -474,7 +476,7 b' class UserModel(BaseModel):'
474 for perm in user_perms_from_users_groups:
476 for perm in user_perms_from_users_groups:
475 user.permissions[GLOBAL].add(perm.permission.permission_name)
477 user.permissions[GLOBAL].add(perm.permission.permission_name)
476
478
477 # users group repositories
479 # users group for repositories permissions
478 user_repo_perms_from_users_groups = \
480 user_repo_perms_from_users_groups = \
479 self.sa.query(UsersGroupRepoToPerm, Permission, Repository,)\
481 self.sa.query(UsersGroupRepoToPerm, Permission, Repository,)\
480 .join((Repository, UsersGroupRepoToPerm.repository_id == Repository.repo_id))\
482 .join((Repository, UsersGroupRepoToPerm.repository_id == Repository.repo_id))\
@@ -496,7 +498,7 b' class UserModel(BaseModel):'
496 # get access for this user for repos group and override defaults
498 # get access for this user for repos group and override defaults
497 #==================================================================
499 #==================================================================
498
500
499 # user repositories groups
501 # user explicit permissions for repository
500 user_repo_groups_perms = \
502 user_repo_groups_perms = \
501 self.sa.query(UserRepoGroupToPerm, Permission, RepoGroup)\
503 self.sa.query(UserRepoGroupToPerm, Permission, RepoGroup)\
502 .join((RepoGroup, UserRepoGroupToPerm.group_id == RepoGroup.group_id))\
504 .join((RepoGroup, UserRepoGroupToPerm.group_id == RepoGroup.group_id))\
@@ -510,6 +512,31 b' class UserModel(BaseModel):'
510 cur_perm = user.permissions[GK][rg_k]
512 cur_perm = user.permissions[GK][rg_k]
511 if PERM_WEIGHTS[p] > PERM_WEIGHTS[cur_perm]:
513 if PERM_WEIGHTS[p] > PERM_WEIGHTS[cur_perm]:
512 user.permissions[GK][rg_k] = p
514 user.permissions[GK][rg_k] = p
515
516 #==================================================================
517 # check if user is part of user groups for this repo group and
518 # fill in (or replace with higher) permissions
519 #==================================================================
520
521 # users group for repositories permissions
522 user_repo_group_perms_from_users_groups = \
523 self.sa.query(UsersGroupRepoGroupToPerm, Permission, RepoGroup)\
524 .join((RepoGroup, UsersGroupRepoGroupToPerm.group_id == RepoGroup.group_id))\
525 .join((Permission, UsersGroupRepoGroupToPerm.permission_id == Permission.permission_id))\
526 .join((UsersGroupMember, UsersGroupRepoGroupToPerm.users_group_id == UsersGroupMember.users_group_id))\
527 .filter(UsersGroupMember.user_id == uid)\
528 .all()
529
530 for perm in user_repo_group_perms_from_users_groups:
531 g_k = perm.UsersGroupRepoGroupToPerm.group.group_name
532 print perm, g_k
533 p = perm.Permission.permission_name
534 cur_perm = user.permissions[GK][g_k]
535 # overwrite permission only if it's greater than permission
536 # given from other sources
537 if PERM_WEIGHTS[p] > PERM_WEIGHTS[cur_perm]:
538 user.permissions[GK][g_k] = p
539
513 return user
540 return user
514
541
515 def has_perm(self, user, perm):
542 def has_perm(self, user, perm):
@@ -5,7 +5,7 b' from rhodecode.tests import *'
5 from rhodecode.model.repos_group import ReposGroupModel
5 from rhodecode.model.repos_group import ReposGroupModel
6 from rhodecode.model.repo import RepoModel
6 from rhodecode.model.repo import RepoModel
7 from rhodecode.model.db import RepoGroup, User, Notification, UserNotification, \
7 from rhodecode.model.db import RepoGroup, User, Notification, UserNotification, \
8 UsersGroup, UsersGroupMember, Permission
8 UsersGroup, UsersGroupMember, Permission, UsersGroupRepoGroupToPerm
9 from sqlalchemy.exc import IntegrityError
9 from sqlalchemy.exc import IntegrityError
10 from rhodecode.model.user import UserModel
10 from rhodecode.model.user import UserModel
11
11
@@ -608,6 +608,7 b' class TestPermissions(unittest.TestCase)'
608 user=self.anon,
608 user=self.anon,
609 perm='group.none')
609 perm='group.none')
610
610
611
611 u1_auth = AuthUser(user_id=self.u1.user_id)
612 u1_auth = AuthUser(user_id=self.u1.user_id)
612 self.assertEqual(u1_auth.permissions['repositories_groups'],
613 self.assertEqual(u1_auth.permissions['repositories_groups'],
613 {u'group1': u'group.none', u'group2': u'group.none'})
614 {u'group1': u'group.none', u'group2': u'group.none'})
@@ -658,3 +659,57 b' class TestPermissions(unittest.TestCase)'
658 a1_auth = AuthUser(user_id=self.anon.user_id)
659 a1_auth = AuthUser(user_id=self.anon.user_id)
659 self.assertEqual(a1_auth.permissions['repositories_groups'],
660 self.assertEqual(a1_auth.permissions['repositories_groups'],
660 {u'group1': u'group.none', u'group2': u'group.none'})
661 {u'group1': u'group.none', u'group2': u'group.none'})
662
663 def test_repo_group_user_as_user_group_member(self):
664 # create Group1
665 self.g1 = _make_group('group1', skip_if_exists=True)
666 Session.commit()
667 a1_auth = AuthUser(user_id=self.anon.user_id)
668
669 self.assertEqual(a1_auth.permissions['repositories_groups'],
670 {u'group1': u'group.read'})
671
672 # set default permission to none
673 ReposGroupModel().grant_user_permission(repos_group=self.g1,
674 user=self.anon,
675 perm='group.none')
676 # make group
677 self.ug1 = UsersGroupModel().create('G1')
678 # add user to group
679 UsersGroupModel().add_user_to_group(self.ug1, self.u1)
680 Session.commit()
681
682 # check if user is in the group
683 membrs = [x.user_id for x in UsersGroupModel().get(self.ug1.users_group_id).members]
684 self.assertEqual(membrs, [self.u1.user_id])
685 # add some user to that group
686
687 # check his permissions
688 a1_auth = AuthUser(user_id=self.anon.user_id)
689 self.assertEqual(a1_auth.permissions['repositories_groups'],
690 {u'group1': u'group.none'})
691
692 u1_auth = AuthUser(user_id=self.u1.user_id)
693 self.assertEqual(u1_auth.permissions['repositories_groups'],
694 {u'group1': u'group.none'})
695
696 # grant ug1 read permissions for
697 ReposGroupModel().grant_users_group_permission(repos_group=self.g1,
698 group_name=self.ug1,
699 perm='group.read')
700 Session.commit()
701 # check if the
702 obj = Session.query(UsersGroupRepoGroupToPerm)\
703 .filter(UsersGroupRepoGroupToPerm.group == self.g1)\
704 .filter(UsersGroupRepoGroupToPerm.users_group == self.ug1)\
705 .scalar()
706 self.assertEqual(obj.permission.permission_name, 'group.read')
707
708 a1_auth = AuthUser(user_id=self.anon.user_id)
709
710 self.assertEqual(a1_auth.permissions['repositories_groups'],
711 {u'group1': u'group.none'})
712
713 u1_auth = AuthUser(user_id=self.u1.user_id)
714 self.assertEqual(u1_auth.permissions['repositories_groups'],
715 {u'group1': u'group.read'})
General Comments 0
You need to be logged in to leave comments. Login now