upstream/kallithea Commit - r5211:4a2a66bf

AuthUser: Drop ip_addr field...

Søren Løvborg -

r5211:4a2a66bf default

parent child

kallithea/controllers/admin/my_account.py

0 +4 -4

             # -*- coding: utf-8 -*-
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU General Public License as published by
             # the Free Software Foundation, either version 3 of the License, or
             # (at your option) any later version.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             """
             kallithea.controllers.admin.my_account
             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
             my account controller for Kallithea admin
             This file was forked by the Kallithea project in July 2014.
             Original author and date, and relevant copyright and licensing information is below:
             :created_on: August 20, 2013
             :author: marcink
             :copyright: (c) 2013 RhodeCode GmbH, and others.
             :license: GPLv3, see LICENSE.md for more details.
             """
             import logging
             import traceback
             import formencode
             from sqlalchemy import func
             from formencode import htmlfill
             from pylons import request, tmpl_context as c, url
             from pylons.controllers.util import redirect
             from pylons.i18n.translation import _
             from kallithea import EXTERN_TYPE_INTERNAL
             from kallithea.lib import helpers as h
             from kallithea.lib.auth import LoginRequired, NotAnonymous, AuthUser
             from kallithea.lib.base import BaseController, render
             from kallithea.lib.utils2 import generate_api_key, safe_int
             from kallithea.lib.compat import json
             from kallithea.model.db import Repository, \
                 UserEmailMap, UserApiKeys, User, UserFollowing
             from kallithea.model.forms import UserForm, PasswordChangeForm
             from kallithea.model.user import UserModel
             from kallithea.model.repo import RepoModel
             from kallithea.model.api_key import ApiKeyModel
             from kallithea.model.meta import Session
             log = logging.getLogger(__name__)
             class MyAccountController(BaseController):
                 """REST Controller styled on the Atom Publishing Protocol"""
                 # To properly map this controller, ensure your config/routing.py
                 # file has a resource setup:
                 #     map.resource('setting', 'settings', controller='admin/settings',
                 #         path_prefix='/admin', name_prefix='admin_')
                 @LoginRequired()
                 @NotAnonymous()
                 def __before__(self):
                     super(MyAccountController, self).__before__()
                 def __load_data(self):
                     c.user = User.get(self.authuser.user_id)
                     if c.user.username == User.DEFAULT_USER:
                         h.flash(_("You can't edit this user since it's"
                                   " crucial for entire application"), category='warning')
                         return redirect(url('users'))
                     c.EXTERN_TYPE_INTERNAL = EXTERN_TYPE_INTERNAL
                 def _load_my_repos_data(self, watched=False):
                     if watched:
                         admin = False
                         repos_list = [x.follows_repository for x in
                                       Session().query(UserFollowing).filter(
                                           UserFollowing.user_id ==
                                           self.authuser.user_id).all()]
                     else:
                         admin = True
                         repos_list = Session().query(Repository)\
                                      .filter(Repository.user_id ==
                                              self.authuser.user_id)\
                                      .order_by(func.lower(Repository.repo_name)).all()
                     repos_data = RepoModel().get_repos_as_dict(repos_list=repos_list,
                                                                admin=admin)
                     #json used to render the grid
                     return json.dumps(repos_data)
                 def my_account(self):
                     """
                     GET /_admin/my_account Displays info about my account
                     """
                     # url('my_account')
                     c.active = 'profile'
                     self.__load_data()
-                    c.perm_user = AuthUser(user_id=self.authuser.user_id,
+                    c.perm_user = AuthUser(user_id=self.authuser.user_id)
-                                           ip_addr=self.ip_addr)
+                    c.ip_addr = self.ip_addr
                     c.extern_type = c.user.extern_type
                     c.extern_name = c.user.extern_name
                     defaults = c.user.get_dict()
                     update = False
                     if request.POST:
                         _form = UserForm(edit=True,
                                          old_data={'user_id': self.authuser.user_id,
                                                    'email': self.authuser.email})()
                         form_result = {}
                         try:
                             post_data = dict(request.POST)
                             post_data['new_password'] = ''
                             post_data['password_confirmation'] = ''
                             form_result = _form.to_python(post_data)
                             # skip updating those attrs for my account
                             skip_attrs = ['admin', 'active', 'extern_type', 'extern_name',
                                           'new_password', 'password_confirmation']
                             #TODO: plugin should define if username can be updated
                             if c.extern_type != EXTERN_TYPE_INTERNAL:
                                 # forbid updating username for external accounts
                                 skip_attrs.append('username')
                             UserModel().update(self.authuser.user_id, form_result,
                                                skip_attrs=skip_attrs)
                             h.flash(_('Your account was updated successfully'),
                                     category='success')
                             Session().commit()
                             update = True
                         except formencode.Invalid, errors:
                             return htmlfill.render(
                                 render('admin/my_account/my_account.html'),
                                 defaults=errors.value,
                                 errors=errors.error_dict or {},
                                 prefix_error=False,
                                 encoding="UTF-8",
                                 force_defaults=False)
                         except Exception:
                             log.error(traceback.format_exc())
                             h.flash(_('Error occurred during update of user %s') \
                                     % form_result.get('username'), category='error')
                     if update:
                         return redirect('my_account')
                     return htmlfill.render(
                         render('admin/my_account/my_account.html'),
                         defaults=defaults,
                         encoding="UTF-8",
                         force_defaults=False)
                 def my_account_password(self):
                     c.active = 'password'
                     self.__load_data()
                     if request.POST:
                         _form = PasswordChangeForm(self.authuser.username)()
                         try:
                             form_result = _form.to_python(request.POST)
                             UserModel().update(self.authuser.user_id, form_result)
                             Session().commit()
                             h.flash(_("Successfully updated password"), category='success')
                         except formencode.Invalid as errors:
                             return htmlfill.render(
                                 render('admin/my_account/my_account.html'),
                                 defaults=errors.value,
                                 errors=errors.error_dict or {},
                                 prefix_error=False,
                                 encoding="UTF-8",
                                 force_defaults=False)
                         except Exception:
                             log.error(traceback.format_exc())
                             h.flash(_('Error occurred during update of user password'),
                                     category='error')
                     return render('admin/my_account/my_account.html')
                 def my_account_repos(self):
                     c.active = 'repos'
                     self.__load_data()
                     #json used to render the grid
                     c.data = self._load_my_repos_data()
                     return render('admin/my_account/my_account.html')
                 def my_account_watched(self):
                     c.active = 'watched'
                     self.__load_data()
                     #json used to render the grid
                     c.data = self._load_my_repos_data(watched=True)
                     return render('admin/my_account/my_account.html')
                 def my_account_perms(self):
                     c.active = 'perms'
                     self.__load_data()
-                    c.perm_user = AuthUser(user_id=self.authuser.user_id,
+                    c.perm_user = AuthUser(user_id=self.authuser.user_id)
-                                           ip_addr=self.ip_addr)
+                    c.ip_addr = self.ip_addr
                     return render('admin/my_account/my_account.html')
                 def my_account_emails(self):
                     c.active = 'emails'
                     self.__load_data()
                     c.user_email_map = UserEmailMap.query()\
                         .filter(UserEmailMap.user == c.user).all()
                     return render('admin/my_account/my_account.html')
                 def my_account_emails_add(self):
                     email = request.POST.get('new_email')
                     try:
                         UserModel().add_extra_email(self.authuser.user_id, email)
                         Session().commit()
                         h.flash(_("Added email %s to user") % email, category='success')
                     except formencode.Invalid, error:
                         msg = error.error_dict['email']
                         h.flash(msg, category='error')
                     except Exception:
                         log.error(traceback.format_exc())
                         h.flash(_('An error occurred during email saving'),
                                 category='error')
                     return redirect(url('my_account_emails'))
                 def my_account_emails_delete(self):
                     email_id = request.POST.get('del_email_id')
                     user_model = UserModel()
                     user_model.delete_extra_email(self.authuser.user_id, email_id)
                     Session().commit()
                     h.flash(_("Removed email from user"), category='success')
                     return redirect(url('my_account_emails'))
                 def my_account_api_keys(self):
                     c.active = 'api_keys'
                     self.__load_data()
                     show_expired = True
                     c.lifetime_values = [
                         (str(-1), _('Forever')),
                         (str(5), _('5 minutes')),
                         (str(60), _('1 hour')),
                         (str(60 * 24), _('1 day')),
                         (str(60 * 24 * 30), _('1 month')),
                     ]
                     c.lifetime_options = [(c.lifetime_values, _("Lifetime"))]
                     c.user_api_keys = ApiKeyModel().get_api_keys(self.authuser.user_id,
                                                                  show_expired=show_expired)
                     return render('admin/my_account/my_account.html')
                 def my_account_api_keys_add(self):
                     lifetime = safe_int(request.POST.get('lifetime'), -1)
                     description = request.POST.get('description')
                     ApiKeyModel().create(self.authuser.user_id, description, lifetime)
                     Session().commit()
                     h.flash(_("API key successfully created"), category='success')
                     return redirect(url('my_account_api_keys'))
                 def my_account_api_keys_delete(self):
                     api_key = request.POST.get('del_api_key')
                     user_id = self.authuser.user_id
                     if request.POST.get('del_api_key_builtin'):
                         user = User.get(user_id)
                         if user:
                             user.api_key = generate_api_key(user.username)
                             Session().add(user)
                             Session().commit()
                             h.flash(_("API key successfully reset"), category='success')
                     elif api_key:
                         ApiKeyModel().delete(api_key, self.authuser.user_id)
                         Session().commit()
                         h.flash(_("API key successfully deleted"), category='success')
                     return redirect(url('my_account_api_keys'))

kallithea/controllers/admin/users.py

0 +8 -4

             # -*- coding: utf-8 -*-
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU General Public License as published by
             # the Free Software Foundation, either version 3 of the License, or
             # (at your option) any later version.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             """
             kallithea.controllers.admin.users
             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
             Users crud controller for pylons
             This file was forked by the Kallithea project in July 2014.
             Original author and date, and relevant copyright and licensing information is below:
             :created_on: Apr 4, 2010
             :author: marcink
             :copyright: (c) 2013 RhodeCode GmbH, and others.
             :license: GPLv3, see LICENSE.md for more details.
             """
             import logging
             import traceback
             import formencode
             from formencode import htmlfill
             from pylons import request, tmpl_context as c, url, config
             from pylons.controllers.util import redirect
             from pylons.i18n.translation import _
             from sqlalchemy.sql.expression import func
             from webob.exc import HTTPNotFound
             import kallithea
             from kallithea.lib.exceptions import DefaultUserException, \
                 UserOwnsReposException, UserCreationError
             from kallithea.lib import helpers as h
             from kallithea.lib.auth import LoginRequired, HasPermissionAllDecorator, \
                 AuthUser
             import kallithea.lib.auth_modules.auth_internal
             from kallithea.lib import auth_modules
             from kallithea.lib.base import BaseController, render
             from kallithea.model.api_key import ApiKeyModel
             from kallithea.model.db import User, UserEmailMap, UserIpMap, UserToPerm
             from kallithea.model.forms import UserForm, CustomDefaultPermissionsForm
             from kallithea.model.user import UserModel
             from kallithea.model.meta import Session
             from kallithea.lib.utils import action_logger
             from kallithea.lib.compat import json
             from kallithea.lib.utils2 import datetime_to_time, safe_int, generate_api_key
             log = logging.getLogger(__name__)
             class UsersController(BaseController):
                 """REST Controller styled on the Atom Publishing Protocol"""
                 @LoginRequired()
                 @HasPermissionAllDecorator('hg.admin')
                 def __before__(self):
                     super(UsersController, self).__before__()
                     c.available_permissions = config['available_permissions']
                     c.EXTERN_TYPE_INTERNAL = kallithea.EXTERN_TYPE_INTERNAL
                 def index(self, format='html'):
                     """GET /users: All items in the collection"""
                     # url('users')
                     c.users_list = User.query().order_by(User.username)\
                                     .filter(User.username != User.DEFAULT_USER)\
                                     .order_by(func.lower(User.username))\
                                     .all()
                     users_data = []
                     total_records = len(c.users_list)
                     _tmpl_lookup = kallithea.CONFIG['pylons.app_globals'].mako_lookup
                     template = _tmpl_lookup.get_template('data_table/_dt_elements.html')
                     grav_tmpl = '<div class="gravatar">%s</div>'
                     username = lambda user_id, username: (
                             template.get_def("user_name")
                             .render(user_id, username, _=_, h=h, c=c))
                     user_actions = lambda user_id, username: (
                             template.get_def("user_actions")
                             .render(user_id, username, _=_, h=h, c=c))
                     for user in c.users_list:
                         users_data.append({
                             "gravatar": grav_tmpl % h.gravatar(user.email, size=20),
                             "raw_name": user.username,
                             "username": username(user.user_id, user.username),
                             "firstname": h.escape(user.name),
                             "lastname": h.escape(user.lastname),
                             "last_login": h.fmt_date(user.last_login),
                             "last_login_raw": datetime_to_time(user.last_login),
                             "active": h.boolicon(user.active),
                             "admin": h.boolicon(user.admin),
                             "extern_type": user.extern_type,
                             "extern_name": user.extern_name,
                             "action": user_actions(user.user_id, user.username),
                         })
                     c.data = json.dumps({
                         "totalRecords": total_records,
                         "startIndex": 0,
                         "sort": None,
                         "dir": "asc",
                         "records": users_data
                     })
                     return render('admin/users/users.html')
                 def create(self):
                     """POST /users: Create a new item"""
                     # url('users')
                     c.default_extern_type = auth_modules.auth_internal.KallitheaAuthPlugin.name
                     user_model = UserModel()
                     user_form = UserForm()()
                     try:
                         form_result = user_form.to_python(dict(request.POST))
                         user = user_model.create(form_result)
                         usr = form_result['username']
                         action_logger(self.authuser, 'admin_created_user:%s' % usr,
                                       None, self.ip_addr, self.sa)
                         h.flash(h.literal(_('Created user %s') % h.link_to(h.escape(usr), url('edit_user', id=user.user_id))),
                                 category='success')
                         Session().commit()
                     except formencode.Invalid, errors:
                         return htmlfill.render(
                             render('admin/users/user_add.html'),
                             defaults=errors.value,
                             errors=errors.error_dict or {},
                             prefix_error=False,
                             encoding="UTF-8",
                             force_defaults=False)
                     except UserCreationError, e:
                         h.flash(e, 'error')
                     except Exception:
                         log.error(traceback.format_exc())
                         h.flash(_('Error occurred during creation of user %s') \
                                 % request.POST.get('username'), category='error')
                     return redirect(url('users'))
                 def new(self, format='html'):
                     """GET /users/new: Form to create a new item"""
                     # url('new_user')
                     c.default_extern_type = auth_modules.auth_internal.KallitheaAuthPlugin.name
                     return render('admin/users/user_add.html')
                 def update(self, id):
                     """PUT /users/id: Update an existing item"""
                     # Forms posted to this method should contain a hidden field:
                     #    <input type="hidden" name="_method" value="PUT" />
                     # Or using helpers:
                     #    h.form(url('update_user', id=ID),
                     #           method='put')
                     # url('user', id=ID)
                     c.active = 'profile'
                     user_model = UserModel()
                     c.user = user_model.get(id)
                     c.extern_type = c.user.extern_type
                     c.extern_name = c.user.extern_name
-                    c.perm_user = AuthUser(user_id=id, ip_addr=self.ip_addr)
+                    c.perm_user = AuthUser(user_id=id)
+                    c.ip_addr = self.ip_addr
                     _form = UserForm(edit=True, old_data={'user_id': id,
                                                           'email': c.user.email})()
                     form_result = {}
                     try:
                         form_result = _form.to_python(dict(request.POST))
                         skip_attrs = ['extern_type', 'extern_name']
                         #TODO: plugin should define if username can be updated
                         if c.extern_type != kallithea.EXTERN_TYPE_INTERNAL:
                             # forbid updating username for external accounts
                             skip_attrs.append('username')
                         user_model.update(id, form_result, skip_attrs=skip_attrs)
                         usr = form_result['username']
                         action_logger(self.authuser, 'admin_updated_user:%s' % usr,
                                       None, self.ip_addr, self.sa)
                         h.flash(_('User updated successfully'), category='success')
                         Session().commit()
                     except formencode.Invalid, errors:
                         defaults = errors.value
                         e = errors.error_dict or {}
                         defaults.update({
                             'create_repo_perm': user_model.has_perm(id,
                                                                     'hg.create.repository'),
                             'fork_repo_perm': user_model.has_perm(id, 'hg.fork.repository'),
                             '_method': 'put'
                         })
                         return htmlfill.render(
                             render('admin/users/user_edit.html'),
                             defaults=defaults,
                             errors=e,
                             prefix_error=False,
                             encoding="UTF-8",
                             force_defaults=False)
                     except Exception:
                         log.error(traceback.format_exc())
                         h.flash(_('Error occurred during update of user %s') \
                                 % form_result.get('username'), category='error')
                     return redirect(url('edit_user', id=id))
                 def delete(self, id):
                     """DELETE /users/id: Delete an existing item"""
                     # Forms posted to this method should contain a hidden field:
                     #    <input type="hidden" name="_method" value="DELETE" />
                     # Or using helpers:
                     #    h.form(url('delete_user', id=ID),
                     #           method='delete')
                     # url('user', id=ID)
                     usr = User.get_or_404(id)
                     try:
                         UserModel().delete(usr)
                         Session().commit()
                         h.flash(_('Successfully deleted user'), category='success')
                     except (UserOwnsReposException, DefaultUserException), e:
                         h.flash(e, category='warning')
                     except Exception:
                         log.error(traceback.format_exc())
                         h.flash(_('An error occurred during deletion of user'),
                                 category='error')
                     return redirect(url('users'))
                 def show(self, id, format='html'):
                     """GET /users/id: Show a specific item"""
                     # url('user', id=ID)
                     User.get_or_404(-1)
                 def _get_user_or_raise_if_default(self, id):
                     try:
                         return User.get_or_404(id, allow_default=False)
                     except DefaultUserException:
                         h.flash(_("The default user cannot be edited"), category='warning')
                         raise HTTPNotFound
                 def edit(self, id, format='html'):
                     """GET /users/id/edit: Form to edit an existing item"""
                     # url('edit_user', id=ID)
                     c.user = self._get_user_or_raise_if_default(id)
                     c.active = 'profile'
                     c.extern_type = c.user.extern_type
                     c.extern_name = c.user.extern_name
-                    c.perm_user = AuthUser(user_id=id, ip_addr=self.ip_addr)
+                    c.perm_user = AuthUser(user_id=id)
+                    c.ip_addr = self.ip_addr
                     defaults = c.user.get_dict()
                     return htmlfill.render(
                         render('admin/users/user_edit.html'),
                         defaults=defaults,
                         encoding="UTF-8",
                         force_defaults=False)
                 def edit_advanced(self, id):
                     c.user = self._get_user_or_raise_if_default(id)
                     c.active = 'advanced'
-                    c.perm_user = AuthUser(user_id=id, ip_addr=self.ip_addr)
+                    c.perm_user = AuthUser(user_id=id)
+                    c.ip_addr = self.ip_addr
                     umodel = UserModel()
                     defaults = c.user.get_dict()
                     defaults.update({
                         'create_repo_perm': umodel.has_perm(c.user, 'hg.create.repository'),
                         'create_user_group_perm': umodel.has_perm(c.user,
                                                                   'hg.usergroup.create.true'),
                         'fork_repo_perm': umodel.has_perm(c.user, 'hg.fork.repository'),
                     })
                     return htmlfill.render(
                         render('admin/users/user_edit.html'),
                         defaults=defaults,
                         encoding="UTF-8",
                         force_defaults=False)
                 def edit_api_keys(self, id):
                     c.user = self._get_user_or_raise_if_default(id)
                     c.active = 'api_keys'
                     show_expired = True
                     c.lifetime_values = [
                         (str(-1), _('Forever')),
                         (str(5), _('5 minutes')),
                         (str(60), _('1 hour')),
                         (str(60 * 24), _('1 day')),
                         (str(60 * 24 * 30), _('1 month')),
                     ]
                     c.lifetime_options = [(c.lifetime_values, _("Lifetime"))]
                     c.user_api_keys = ApiKeyModel().get_api_keys(c.user.user_id,
                                                                  show_expired=show_expired)
                     defaults = c.user.get_dict()
                     return htmlfill.render(
                         render('admin/users/user_edit.html'),
                         defaults=defaults,
                         encoding="UTF-8",
                         force_defaults=False)
                 def add_api_key(self, id):
                     c.user = self._get_user_or_raise_if_default(id)
                     lifetime = safe_int(request.POST.get('lifetime'), -1)
                     description = request.POST.get('description')
                     ApiKeyModel().create(c.user.user_id, description, lifetime)
                     Session().commit()
                     h.flash(_("API key successfully created"), category='success')
                     return redirect(url('edit_user_api_keys', id=c.user.user_id))
                 def delete_api_key(self, id):
                     c.user = self._get_user_or_raise_if_default(id)
                     api_key = request.POST.get('del_api_key')
                     if request.POST.get('del_api_key_builtin'):
                         user = User.get(c.user.user_id)
                         if user:
                             user.api_key = generate_api_key(user.username)
                             Session().add(user)
                             Session().commit()
                             h.flash(_("API key successfully reset"), category='success')
                     elif api_key:
                         ApiKeyModel().delete(api_key, c.user.user_id)
                         Session().commit()
                         h.flash(_("API key successfully deleted"), category='success')
                     return redirect(url('edit_user_api_keys', id=c.user.user_id))
                 def update_account(self, id):
                     pass
                 def edit_perms(self, id):
                     c.user = self._get_user_or_raise_if_default(id)
                     c.active = 'perms'
-                    c.perm_user = AuthUser(user_id=id, ip_addr=self.ip_addr)
+                    c.perm_user = AuthUser(user_id=id)
+                    c.ip_addr = self.ip_addr
                     umodel = UserModel()
                     defaults = c.user.get_dict()
                     defaults.update({
                         'create_repo_perm': umodel.has_perm(c.user, 'hg.create.repository'),
                         'create_user_group_perm': umodel.has_perm(c.user,
                                                                   'hg.usergroup.create.true'),
                         'fork_repo_perm': umodel.has_perm(c.user, 'hg.fork.repository'),
                     })
                     return htmlfill.render(
                         render('admin/users/user_edit.html'),
                         defaults=defaults,
                         encoding="UTF-8",
                         force_defaults=False)
                 def update_perms(self, id):
                     """PUT /users_perm/id: Update an existing item"""
                     # url('user_perm', id=ID, method='put')
                     user = self._get_user_or_raise_if_default(id)
                     try:
                         form = CustomDefaultPermissionsForm()()
                         form_result = form.to_python(request.POST)
                         inherit_perms = form_result['inherit_default_permissions']
                         user.inherit_default_permissions = inherit_perms
                         Session().add(user)
                         user_model = UserModel()
                         defs = UserToPerm.query()\
                             .filter(UserToPerm.user == user)\
                             .all()
                         for ug in defs:
                             Session().delete(ug)
                         if form_result['create_repo_perm']:
                             user_model.grant_perm(id, 'hg.create.repository')
                         else:
                             user_model.grant_perm(id, 'hg.create.none')
                         if form_result['create_user_group_perm']:
                             user_model.grant_perm(id, 'hg.usergroup.create.true')
                         else:
                             user_model.grant_perm(id, 'hg.usergroup.create.false')
                         if form_result['fork_repo_perm']:
                             user_model.grant_perm(id, 'hg.fork.repository')
                         else:
                             user_model.grant_perm(id, 'hg.fork.none')
                         h.flash(_("Updated permissions"), category='success')
                         Session().commit()
                     except Exception:
                         log.error(traceback.format_exc())
                         h.flash(_('An error occurred during permissions saving'),
                                 category='error')
                     return redirect(url('edit_user_perms', id=id))
                 def edit_emails(self, id):
                     c.user = self._get_user_or_raise_if_default(id)
                     c.active = 'emails'
                     c.user_email_map = UserEmailMap.query()\
                         .filter(UserEmailMap.user == c.user).all()
                     defaults = c.user.get_dict()
                     return htmlfill.render(
                         render('admin/users/user_edit.html'),
                         defaults=defaults,
                         encoding="UTF-8",
                         force_defaults=False)
                 def add_email(self, id):
                     """POST /user_emails:Add an existing item"""
                     # url('user_emails', id=ID, method='put')
                     user = self._get_user_or_raise_if_default(id)
                     email = request.POST.get('new_email')
                     user_model = UserModel()
                     try:
                         user_model.add_extra_email(id, email)
                         Session().commit()
                         h.flash(_("Added email %s to user") % email, category='success')
                     except formencode.Invalid, error:
                         msg = error.error_dict['email']
                         h.flash(msg, category='error')
                     except Exception:
                         log.error(traceback.format_exc())
                         h.flash(_('An error occurred during email saving'),
                                 category='error')
                     return redirect(url('edit_user_emails', id=id))
                 def delete_email(self, id):
                     """DELETE /user_emails_delete/id: Delete an existing item"""
                     # url('user_emails_delete', id=ID, method='delete')
                     user = self._get_user_or_raise_if_default(id)
                     email_id = request.POST.get('del_email_id')
                     user_model = UserModel()
                     user_model.delete_extra_email(id, email_id)
                     Session().commit()
                     h.flash(_("Removed email from user"), category='success')
                     return redirect(url('edit_user_emails', id=id))
                 def edit_ips(self, id):
                     c.user = self._get_user_or_raise_if_default(id)
                     c.active = 'ips'
                     c.user_ip_map = UserIpMap.query()\
                         .filter(UserIpMap.user == c.user).all()
                     c.inherit_default_ips = c.user.inherit_default_permissions
                     c.default_user_ip_map = UserIpMap.query()\
                         .filter(UserIpMap.user == User.get_default_user()).all()
                     defaults = c.user.get_dict()
                     return htmlfill.render(
                         render('admin/users/user_edit.html'),
                         defaults=defaults,
                         encoding="UTF-8",
                         force_defaults=False)
                 def add_ip(self, id):
                     """POST /user_ips:Add an existing item"""
                     # url('user_ips', id=ID, method='put')
                     ip = request.POST.get('new_ip')
                     user_model = UserModel()
                     try:
                         user_model.add_extra_ip(id, ip)
                         Session().commit()
                         h.flash(_("Added IP address %s to user whitelist") % ip, category='success')
                     except formencode.Invalid, error:
                         msg = error.error_dict['ip']
                         h.flash(msg, category='error')
                     except Exception:
                         log.error(traceback.format_exc())
                         h.flash(_('An error occurred during ip saving'),
                                 category='error')
                     if 'default_user' in request.POST:
                         return redirect(url('admin_permissions_ips'))
                     return redirect(url('edit_user_ips', id=id))
                 def delete_ip(self, id):
                     """DELETE /user_ips_delete/id: Delete an existing item"""
                     # url('user_ips_delete', id=ID, method='delete')
                     ip_id = request.POST.get('del_ip_id')
                     user_model = UserModel()
                     user_model.delete_extra_ip(id, ip_id)
                     Session().commit()
                     h.flash(_("Removed IP address from user whitelist"), category='success')
                     if 'default_user' in request.POST:
                         return redirect(url('admin_permissions_ips'))
                     return redirect(url('edit_user_ips', id=id))

kallithea/controllers/api/__init__.py

0 +2 -2

             # -*- coding: utf-8 -*-
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU General Public License as published by
             # the Free Software Foundation, either version 3 of the License, or
             # (at your option) any later version.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             """
             kallithea.controllers.api
             ~~~~~~~~~~~~~~~~~~~~~~~~~
             JSON RPC controller
             This file was forked by the Kallithea project in July 2014.
             Original author and date, and relevant copyright and licensing information is below:
             :created_on: Aug 20, 2011
             :author: marcink
             :copyright: (c) 2013 RhodeCode GmbH, and others.
             :license: GPLv3, see LICENSE.md for more details.
             """
             import inspect
             import logging
             import types
             import traceback
             import time
             from paste.response import replace_header
             from pylons.controllers import WSGIController
             from webob.exc import HTTPError
             from kallithea.model.db import User
             from kallithea.model import meta
             from kallithea.lib.compat import izip_longest, json
             from kallithea.lib.auth import AuthUser
             from kallithea.lib.base import _get_ip_addr as _get_ip, _get_access_path
             from kallithea.lib.utils2 import safe_unicode, safe_str
             log = logging.getLogger('JSONRPC')
             class JSONRPCError(BaseException):
                 def __init__(self, message):
                     self.message = message
                     super(JSONRPCError, self).__init__()
                 def __str__(self):
                     return safe_str(self.message)
             def jsonrpc_error(message, retid=None, code=None):
                 """
                 Generate a Response object with a JSON-RPC error body
                 :param code:
                 :param retid:
                 :param message:
                 """
                 from pylons.controllers.util import Response
                 return Response(
                     body=json.dumps(dict(id=retid, result=None, error=message)),
                     status=code,
                     content_type='application/json'
                 )
             class JSONRPCController(WSGIController):
                 """
                  A WSGI-speaking JSON-RPC controller class
                  See the specification:
                  <http://json-rpc.org/wiki/specification>`.
                  Valid controller return values should be json-serializable objects.
                  Sub-classes should catch their exceptions and raise JSONRPCError
                  if they want to pass meaningful errors to the client.
                  """
                 def _get_ip_addr(self, environ):
                     return _get_ip(environ)
                 def _get_method_args(self):
                     """
                     Return `self._rpc_args` to dispatched controller method
                     chosen by __call__
                     """
                     return self._rpc_args
                 def __call__(self, environ, start_response):
                     """
                     Parse the request body as JSON, look up the method on the
                     controller and if it exists, dispatch to it.
                     """
                     try:
                         return self._handle_request(environ, start_response)
                     finally:
                         meta.Session.remove()
                 def _handle_request(self, environ, start_response):
                     start = time.time()
                     ip_addr = self.ip_addr = self._get_ip_addr(environ)
                     self._req_id = None
                     if 'CONTENT_LENGTH' not in environ:
                         log.debug("No Content-Length")
                         return jsonrpc_error(retid=self._req_id,
                                              message="No Content-Length in request")
                     else:
                         length = environ['CONTENT_LENGTH'] or 0
                         length = int(environ['CONTENT_LENGTH'])
                         log.debug('Content-Length: %s' % length)
                     if length == 0:
                         log.debug("Content-Length is 0")
                         return jsonrpc_error(retid=self._req_id,
                                              message="Content-Length is 0")
                     raw_body = environ['wsgi.input'].read(length)
                     try:
                         json_body = json.loads(raw_body)
                     except ValueError, e:
                         # catch JSON errors Here
                         return jsonrpc_error(retid=self._req_id,
                                              message="JSON parse error ERR:%s RAW:%r"
                                              % (e, raw_body))
                     # check AUTH based on API key
                     try:
                         self._req_api_key = json_body['api_key']
                         self._req_id = json_body['id']
                         self._req_method = json_body['method']
                         self._request_params = json_body['args']
                         if not isinstance(self._request_params, dict):
                             self._request_params = {}
                         log.debug(
                             'method: %s, params: %s' % (self._req_method,
                                                         self._request_params)
                         )
                     except KeyError, e:
                         return jsonrpc_error(retid=self._req_id,
                                              message='Incorrect JSON query missing %s' % e)
                     # check if we can find this session using api_key
                     try:
                         u = User.get_by_api_key(self._req_api_key)
                         if u is None:
                             return jsonrpc_error(retid=self._req_id,
                                                  message='Invalid API key')
                         #check if we are allowed to use this IP
-                        auth_u = AuthUser(u.user_id, self._req_api_key, ip_addr=ip_addr)
+                        auth_u = AuthUser(u.user_id, self._req_api_key)
-                        if not auth_u.ip_allowed:
+                        if not auth_u.is_ip_allowed(ip_addr):
                             return jsonrpc_error(retid=self._req_id,
                                     message='request from IP:%s not allowed' % (ip_addr,))
                         else:
                             log.info('Access for IP:%s allowed' % (ip_addr,))
                     except Exception, e:
                         return jsonrpc_error(retid=self._req_id,
                                              message='Invalid API key')
                     self._error = None
                     try:
                         self._func = self._find_method()
                     except AttributeError, e:
                         return jsonrpc_error(retid=self._req_id,
                                              message=str(e))
                     # now that we have a method, add self._req_params to
                     # self.kargs and dispatch control to WGIController
                     argspec = inspect.getargspec(self._func)
                     arglist = argspec[0][1:]
                     defaults = map(type, argspec[3] or [])
                     default_empty = types.NotImplementedType
                     # kw arguments required by this method
                     func_kwargs = dict(izip_longest(reversed(arglist), reversed(defaults),
                                                     fillvalue=default_empty))
                     # this is little trick to inject logged in user for
                     # perms decorators to work they expect the controller class to have
                     # authuser attribute set
                     self.authuser = auth_u
                     # This attribute will need to be first param of a method that uses
                     # api_key, which is translated to instance of user at that name
                     USER_SESSION_ATTR = 'apiuser'
                     if USER_SESSION_ATTR not in arglist:
                         return jsonrpc_error(
                             retid=self._req_id,
                             message='This method [%s] does not support '
                                      'authentication (missing %s param)' % (
                                                 self._func.__name__, USER_SESSION_ATTR)
                         )
                     # get our arglist and check if we provided them as args
                     for arg, default in func_kwargs.iteritems():
                         if arg == USER_SESSION_ATTR:
                             # USER_SESSION_ATTR is something translated from API key and
                             # this is checked before so we don't need validate it
                             continue
                         # skip the required param check if it's default value is
                         # NotImplementedType (default_empty)
                         if default == default_empty and arg not in self._request_params:
                             return jsonrpc_error(
                                 retid=self._req_id,
                                 message=(
                                     'Missing non optional `%s` arg in JSON DATA' % arg
                                 )
                             )
                     self._rpc_args = {USER_SESSION_ATTR: u}
                     self._rpc_args.update(self._request_params)
                     self._rpc_args['action'] = self._req_method
                     self._rpc_args['environ'] = environ
                     self._rpc_args['start_response'] = start_response
                     status = []
                     headers = []
                     exc_info = []
                     def change_content(new_status, new_headers, new_exc_info=None):
                         status.append(new_status)
                         headers.extend(new_headers)
                         exc_info.append(new_exc_info)
                     output = WSGIController.__call__(self, environ, change_content)
                     output = list(output)
                     headers.append(('Content-Length', str(len(output[0]))))
                     replace_header(headers, 'Content-Type', 'application/json')
                     start_response(status[0], headers, exc_info[0])
                     log.info('IP: %s Request to %s time: %.3fs' % (
                         self._get_ip_addr(environ),
                         safe_unicode(_get_access_path(environ)), time.time() - start)
                     )
                     return output
                 def _dispatch_call(self):
                     """
                     Implement dispatch interface specified by WSGIController
                     """
                     raw_response = ''
                     try:
                         raw_response = self._inspect_call(self._func)
                         if isinstance(raw_response, HTTPError):
                             self._error = str(raw_response)
                     except JSONRPCError, e:
                         self._error = safe_str(e)
                     except Exception, e:
                         log.error('Encountered unhandled exception: %s'
                                   % (traceback.format_exc(),))
                         json_exc = JSONRPCError('Internal server error')
                         self._error = safe_str(json_exc)
                     if self._error is not None:
                         raw_response = None
                     response = dict(id=self._req_id, result=raw_response, error=self._error)
                     try:
                         return json.dumps(response)
                     except TypeError, e:
                         log.error('API FAILED. Error encoding response: %s' % e)
                         return json.dumps(
                             dict(
                                 id=self._req_id,
                                 result=None,
                                 error="Error encoding response"
                             )
                         )
                 def _find_method(self):
                     """
                     Return method named by `self._req_method` in controller if able
                     """
                     log.debug('Trying to find JSON-RPC method: %s' % (self._req_method,))
                     if self._req_method.startswith('_'):
                         raise AttributeError("Method not allowed")
                     try:
                         func = getattr(self, self._req_method, None)
                     except UnicodeEncodeError:
                         raise AttributeError("Problem decoding unicode in requested "
                                              "method name.")
                     if isinstance(func, types.MethodType):
                         return func
                     else:
                         raise AttributeError("No such method: %s" % (self._req_method,))

kallithea/controllers/login.py

0 +1 -1

             # -*- coding: utf-8 -*-
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU General Public License as published by
             # the Free Software Foundation, either version 3 of the License, or
             # (at your option) any later version.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             """
             kallithea.controllers.login
             ~~~~~~~~~~~~~~~~~~~~~~~~~~~
             Login controller for Kallithea
             This file was forked by the Kallithea project in July 2014.
             Original author and date, and relevant copyright and licensing information is below:
             :created_on: Apr 22, 2010
             :author: marcink
             :copyright: (c) 2013 RhodeCode GmbH, and others.
             :license: GPLv3, see LICENSE.md for more details.
             """
             import logging
             import formencode
             import datetime
             import urlparse
             from formencode import htmlfill
             from webob.exc import HTTPFound
             from pylons.i18n.translation import _
             from pylons.controllers.util import redirect
             from pylons import request, session, tmpl_context as c, url
             import kallithea.lib.helpers as h
             from kallithea.lib.auth import AuthUser, HasPermissionAnyDecorator
             from kallithea.lib.auth_modules import importplugin
             from kallithea.lib.base import BaseController, render
             from kallithea.lib.exceptions import UserCreationError
             from kallithea.lib.utils2 import safe_str
             from kallithea.model.db import User, Setting
             from kallithea.model.forms import LoginForm, RegisterForm, PasswordResetForm
             from kallithea.model.user import UserModel
             from kallithea.model.meta import Session
             log = logging.getLogger(__name__)
             class LoginController(BaseController):
                 def __before__(self):
                     super(LoginController, self).__before__()
                 def _store_user_in_session(self, username, remember=False):
                     user = User.get_by_username(username, case_insensitive=True)
                     auth_user = AuthUser(user.user_id)
                     auth_user.set_authenticated()
                     cs = auth_user.get_cookie_store()
                     session['authuser'] = cs
                     user.update_lastlogin()
                     Session().commit()
                     # If they want to be remembered, update the cookie
                     if remember:
                         _year = (datetime.datetime.now() +
                                  datetime.timedelta(seconds=60 * 60 * 24 * 365))
                         session._set_cookie_expires(_year)
                     session.save()
                     log.info('user %s is now authenticated and stored in '
                              'session, session attrs %s' % (username, cs))
                     # dumps session attrs back to cookie
                     session._update_cookie_out()
                 def _validate_came_from(self, came_from):
                     """Return True if came_from is valid and can and should be used"""
                     if not came_from:
                         return False
                     parsed = urlparse.urlparse(came_from)
                     server_parsed = urlparse.urlparse(url.current())
                     allowed_schemes = ['http', 'https']
                     if parsed.scheme and parsed.scheme not in allowed_schemes:
                         log.error('Suspicious URL scheme detected %s for url %s' %
                                  (parsed.scheme, parsed))
                         return False
                     if server_parsed.netloc != parsed.netloc:
                         log.error('Suspicious NETLOC detected %s for url %s server url '
                                   'is: %s' % (parsed.netloc, parsed, server_parsed))
                         return False
                     return True
                 def _redirect_to_origin(self, origin):
                     '''redirect to the original page, preserving any get arguments given'''
                     request.GET.pop('came_from', None)
                     raise HTTPFound(location=url(origin, **request.GET))
                 def index(self):
                     c.came_from = safe_str(request.GET.get('came_from', ''))
                     if not self._validate_came_from(c.came_from):
                         c.came_from = url('home')
                     not_default = self.authuser.username != User.DEFAULT_USER
-                    ip_allowed = self.authuser.ip_allowed
+                    ip_allowed = self.authuser.is_ip_allowed(self.ip_addr)
                     # redirect if already logged in
                     if self.authuser.is_authenticated and not_default and ip_allowed:
                         return self._redirect_to_origin(c.came_from)
                     if request.POST:
                         # import Login Form validator class
                         login_form = LoginForm()
                         try:
                             session.invalidate()
                             c.form_result = login_form.to_python(dict(request.POST))
                             # form checks for username/password, now we're authenticated
                             self._store_user_in_session(
                                                     username=c.form_result['username'],
                                                     remember=c.form_result['remember'])
                             return self._redirect_to_origin(c.came_from)
                         except formencode.Invalid, errors:
                             defaults = errors.value
                             # remove password from filling in form again
                             del defaults['password']
                             return htmlfill.render(
                                 render('/login.html'),
                                 defaults=errors.value,
                                 errors=errors.error_dict or {},
                                 prefix_error=False,
                                 encoding="UTF-8",
                                 force_defaults=False)
                         except UserCreationError, e:
                             # container auth or other auth functions that create users on
                             # the fly can throw this exception signaling that there's issue
                             # with user creation, explanation should be provided in
                             # Exception itself
                             h.flash(e, 'error')
                     # check if we use container plugin, and try to login using it.
                     auth_plugins = Setting.get_auth_plugins()
                     if any((importplugin(name).is_container_auth for name in auth_plugins)):
                         from kallithea.lib import auth_modules
                         try:
                             auth_info = auth_modules.authenticate('', '', request.environ)
                         except UserCreationError, e:
                             log.error(e)
                             h.flash(e, 'error')
                             # render login, with flash message about limit
                             return render('/login.html')
                         if auth_info:
                             self._store_user_in_session(auth_info.get('username'))
                             return self._redirect_to_origin(c.came_from)
                     return render('/login.html')
                 @HasPermissionAnyDecorator('hg.admin', 'hg.register.auto_activate',
                                            'hg.register.manual_activate')
                 def register(self):
                     c.auto_active = 'hg.register.auto_activate' in User.get_default_user()\
                         .AuthUser.permissions['global']
                     settings = Setting.get_app_settings()
                     captcha_private_key = settings.get('captcha_private_key')
                     c.captcha_active = bool(captcha_private_key)
                     c.captcha_public_key = settings.get('captcha_public_key')
                     if request.POST:
                         register_form = RegisterForm()()
                         try:
                             form_result = register_form.to_python(dict(request.POST))
                             form_result['active'] = c.auto_active
                             if c.captcha_active:
                                 from kallithea.lib.recaptcha import submit
                                 response = submit(request.POST.get('recaptcha_challenge_field'),
                                                   request.POST.get('recaptcha_response_field'),
                                                   private_key=captcha_private_key,
                                                   remoteip=self.ip_addr)
                                 if c.captcha_active and not response.is_valid:
                                     _value = form_result
                                     _msg = _('Bad captcha')
                                     error_dict = {'recaptcha_field': _msg}
                                     raise formencode.Invalid(_msg, _value, None,
                                                              error_dict=error_dict)
                             UserModel().create_registration(form_result)
                             h.flash(_('You have successfully registered into Kallithea'),
                                     category='success')
                             Session().commit()
                             return redirect(url('login_home'))
                         except formencode.Invalid, errors:
                             return htmlfill.render(
                                 render('/register.html'),
                                 defaults=errors.value,
                                 errors=errors.error_dict or {},
                                 prefix_error=False,
                                 encoding="UTF-8",
                                 force_defaults=False)
                         except UserCreationError, e:
                             # container auth or other auth functions that create users on
                             # the fly can throw this exception signaling that there's issue
                             # with user creation, explanation should be provided in
                             # Exception itself
                             h.flash(e, 'error')
                     return render('/register.html')
                 def password_reset(self):
                     settings = Setting.get_app_settings()
                     captcha_private_key = settings.get('captcha_private_key')
                     c.captcha_active = bool(captcha_private_key)
                     c.captcha_public_key = settings.get('captcha_public_key')
                     if request.POST:
                         password_reset_form = PasswordResetForm()()
                         try:
                             form_result = password_reset_form.to_python(dict(request.POST))
                             if c.captcha_active:
                                 from kallithea.lib.recaptcha import submit
                                 response = submit(request.POST.get('recaptcha_challenge_field'),
                                                   request.POST.get('recaptcha_response_field'),
                                                   private_key=captcha_private_key,
                                                   remoteip=self.ip_addr)
                                 if c.captcha_active and not response.is_valid:
                                     _value = form_result
                                     _msg = _('Bad captcha')
                                     error_dict = {'recaptcha_field': _msg}
                                     raise formencode.Invalid(_msg, _value, None,
                                                              error_dict=error_dict)
                             UserModel().reset_password_link(form_result)
                             h.flash(_('Your password reset link was sent'),
                                         category='success')
                             return redirect(url('login_home'))
                         except formencode.Invalid, errors:
                             return htmlfill.render(
                                 render('/password_reset.html'),
                                 defaults=errors.value,
                                 errors=errors.error_dict or {},
                                 prefix_error=False,
                                 encoding="UTF-8",
                                 force_defaults=False)
                     return render('/password_reset.html')
                 def password_reset_confirmation(self):
                     if request.GET and request.GET.get('key'):
                         try:
                             user = User.get_by_api_key(request.GET.get('key'))
                             data = dict(email=user.email)
                             UserModel().reset_password(data)
                             h.flash(_('Your password reset was successful, '
                                       'new password has been sent to your email'),
                                         category='success')
                         except Exception, e:
                             log.error(e)
                             return redirect(url('reset_password'))
                     return redirect(url('login_home'))
                 def logout(self):
                     session.delete()
                     log.info('Logging out and deleting session for user')
                     redirect(url('home'))
                 def authentication_token(self):
                     """Return the CSRF protection token for the session - just like it
                     could have been screen scrabed from a page with a form.
                     Only intended for testing but might also be useful for other kinds
                     of automation.
                     """
                     return h.authentication_token()

kallithea/lib/auth.py

0 +12 -17

             # -*- coding: utf-8 -*-
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU General Public License as published by
             # the Free Software Foundation, either version 3 of the License, or
             # (at your option) any later version.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             """
             kallithea.lib.auth
             ~~~~~~~~~~~~~~~~~~
             authentication and permission libraries
             This file was forked by the Kallithea project in July 2014.
             Original author and date, and relevant copyright and licensing information is below:
             :created_on: Apr 4, 2010
             :author: marcink
             :copyright: (c) 2013 RhodeCode GmbH, and others.
             :license: GPLv3, see LICENSE.md for more details.
             """
             from __future__ import with_statement
             import time
             import random
             import logging
             import traceback
             import hashlib
             import itertools
             import collections
             from tempfile import _RandomNameSequence
             from decorator import decorator
             from pylons import url, request
             from pylons.controllers.util import abort, redirect
             from pylons.i18n.translation import _
             from webhelpers.pylonslib import secure_form
             from sqlalchemy import or_
             from sqlalchemy.orm.exc import ObjectDeletedError
             from sqlalchemy.orm import joinedload
             from kallithea import __platform__, is_windows, is_unix
             from kallithea.lib.vcs.utils.lazy import LazyProperty
             from kallithea.model import meta
             from kallithea.model.meta import Session
             from kallithea.model.user import UserModel
             from kallithea.model.db import User, Repository, Permission, \
                 UserToPerm, UserGroupRepoToPerm, UserGroupToPerm, UserGroupMember, \
                 RepoGroup, UserGroupRepoGroupToPerm, UserIpMap, UserGroupUserGroupToPerm, \
                 UserGroup, UserApiKeys
             from kallithea.lib.utils2 import safe_unicode, aslist
             from kallithea.lib.utils import get_repo_slug, get_repo_group_slug, \
                 get_user_group_slug, conditional_cache
             from kallithea.lib.caching_query import FromCache
             log = logging.getLogger(__name__)
             class PasswordGenerator(object):
                 """
                 This is a simple class for generating password from different sets of
                 characters
                 usage::
                     passwd_gen = PasswordGenerator()
                     #print 8-letter password containing only big and small letters
                         of alphabet
                     passwd_gen.gen_password(8, passwd_gen.ALPHABETS_BIG_SMALL)
                 """
                 ALPHABETS_NUM = r'''1234567890'''
                 ALPHABETS_SMALL = r'''qwertyuiopasdfghjklzxcvbnm'''
                 ALPHABETS_BIG = r'''QWERTYUIOPASDFGHJKLZXCVBNM'''
                 ALPHABETS_SPECIAL = r'''`-=[]\;',./~!@#$%^&*()_+{}|:"<>?'''
                 ALPHABETS_FULL = ALPHABETS_BIG + ALPHABETS_SMALL \
                     + ALPHABETS_NUM + ALPHABETS_SPECIAL
                 ALPHABETS_ALPHANUM = ALPHABETS_BIG + ALPHABETS_SMALL + ALPHABETS_NUM
                 ALPHABETS_BIG_SMALL = ALPHABETS_BIG + ALPHABETS_SMALL
                 ALPHABETS_ALPHANUM_BIG = ALPHABETS_BIG + ALPHABETS_NUM
                 ALPHABETS_ALPHANUM_SMALL = ALPHABETS_SMALL + ALPHABETS_NUM
                 def __init__(self, passwd=''):
                     self.passwd = passwd
                 def gen_password(self, length, type_=None):
                     if type_ is None:
                         type_ = self.ALPHABETS_FULL
                     self.passwd = ''.join([random.choice(type_) for _ in xrange(length)])
                     return self.passwd
             class KallitheaCrypto(object):
                 @classmethod
                 def hash_string(cls, str_):
                     """
                     Cryptographic function used for password hashing based on pybcrypt
                     or pycrypto in windows
                     :param password: password to hash
                     """
                     if is_windows:
                         from hashlib import sha256
                         return sha256(str_).hexdigest()
                     elif is_unix:
                         import bcrypt
                         return bcrypt.hashpw(str_, bcrypt.gensalt(10))
                     else:
                         raise Exception('Unknown or unsupported platform %s' \
                                         % __platform__)
                 @classmethod
                 def hash_check(cls, password, hashed):
                     """
                     Checks matching password with it's hashed value, runs different
                     implementation based on platform it runs on
                     :param password: password
                     :param hashed: password in hashed form
                     """
                     if is_windows:
                         from hashlib import sha256
                         return sha256(password).hexdigest() == hashed
                     elif is_unix:
                         import bcrypt
                         return bcrypt.hashpw(password, hashed) == hashed
                     else:
                         raise Exception('Unknown or unsupported platform %s' \
                                         % __platform__)
             def get_crypt_password(password):
                 return KallitheaCrypto.hash_string(password)
             def check_password(password, hashed):
                 return KallitheaCrypto.hash_check(password, hashed)
             class CookieStoreWrapper(object):
                 def __init__(self, cookie_store):
                     self.cookie_store = cookie_store
                 def __repr__(self):
                     return 'CookieStore<%s>' % (self.cookie_store)
                 def get(self, key, other=None):
                     if isinstance(self.cookie_store, dict):
                         return self.cookie_store.get(key, other)
                     elif isinstance(self.cookie_store, AuthUser):
                         return self.cookie_store.__dict__.get(key, other)
             def _cached_perms_data(user_id, user_is_admin, user_inherit_default_permissions,
                                    explicit, algo):
                 RK = 'repositories'
                 GK = 'repositories_groups'
                 UK = 'user_groups'
                 GLOBAL = 'global'
                 PERM_WEIGHTS = Permission.PERM_WEIGHTS
                 permissions = {RK: {}, GK: {}, UK: {}, GLOBAL: set()}
                 def _choose_perm(new_perm, cur_perm):
                     new_perm_val = PERM_WEIGHTS[new_perm]
                     cur_perm_val = PERM_WEIGHTS[cur_perm]
                     if algo == 'higherwin':
                         if new_perm_val > cur_perm_val:
                             return new_perm
                         return cur_perm
                     elif algo == 'lowerwin':
                         if new_perm_val < cur_perm_val:
                             return new_perm
                         return cur_perm
                 #======================================================================
                 # fetch default permissions
                 #======================================================================
                 default_user = User.get_by_username('default', cache=True)
                 default_user_id = default_user.user_id
                 default_repo_perms = Permission.get_default_perms(default_user_id)
                 default_repo_groups_perms = Permission.get_default_group_perms(default_user_id)
                 default_user_group_perms = Permission.get_default_user_group_perms(default_user_id)
                 if user_is_admin:
                     #==================================================================
                     # admin user have all default rights for repositories
                     # and groups set to admin
                     #==================================================================
                     permissions[GLOBAL].add('hg.admin')
                     permissions[GLOBAL].add('hg.create.write_on_repogroup.true')
                     # repositories
                     for perm in default_repo_perms:
                         r_k = perm.UserRepoToPerm.repository.repo_name
                         p = 'repository.admin'
                         permissions[RK][r_k] = p
                     # repository groups
                     for perm in default_repo_groups_perms:
                         rg_k = perm.UserRepoGroupToPerm.group.group_name
                         p = 'group.admin'
                         permissions[GK][rg_k] = p
                     # user groups
                     for perm in default_user_group_perms:
                         u_k = perm.UserUserGroupToPerm.user_group.users_group_name
                         p = 'usergroup.admin'
                         permissions[UK][u_k] = p
                     return permissions
                 #==================================================================
                 # SET DEFAULTS GLOBAL, REPOS, REPOSITORY GROUPS
                 #==================================================================
                 uid = user_id
                 # default global permissions taken from the default user
                 default_global_perms = UserToPerm.query()\
                     .filter(UserToPerm.user_id == default_user_id)\
                     .options(joinedload(UserToPerm.permission))
                 for perm in default_global_perms:
                     permissions[GLOBAL].add(perm.permission.permission_name)
                 # defaults for repositories, taken from default user
                 for perm in default_repo_perms:
                     r_k = perm.UserRepoToPerm.repository.repo_name
                     if perm.Repository.private and not (perm.Repository.user_id == uid):
                         # disable defaults for private repos,
                         p = 'repository.none'
                     elif perm.Repository.user_id == uid:
                         # set admin if owner
                         p = 'repository.admin'
                     else:
                         p = perm.Permission.permission_name
                     permissions[RK][r_k] = p
                 # defaults for repository groups taken from default user permission
                 # on given group
                 for perm in default_repo_groups_perms:
                     rg_k = perm.UserRepoGroupToPerm.group.group_name
                     p = perm.Permission.permission_name
                     permissions[GK][rg_k] = p
                 # defaults for user groups taken from default user permission
                 # on given user group
                 for perm in default_user_group_perms:
                     u_k = perm.UserUserGroupToPerm.user_group.users_group_name
                     p = perm.Permission.permission_name
                     permissions[UK][u_k] = p
                 #======================================================================
                 # !! OVERRIDE GLOBALS !! with user permissions if any found
                 #======================================================================
                 # those can be configured from groups or users explicitly
                 _configurable = set([
                     'hg.fork.none', 'hg.fork.repository',
                     'hg.create.none', 'hg.create.repository',
                     'hg.usergroup.create.false', 'hg.usergroup.create.true'
                 ])
                 # USER GROUPS comes first
                 # user group global permissions
                 user_perms_from_users_groups = Session().query(UserGroupToPerm)\
                     .options(joinedload(UserGroupToPerm.permission))\
                     .join((UserGroupMember, UserGroupToPerm.users_group_id ==
                            UserGroupMember.users_group_id))\
                     .filter(UserGroupMember.user_id == uid)\
                     .order_by(UserGroupToPerm.users_group_id)\
                     .all()
                 # need to group here by groups since user can be in more than
                 # one group
                 _grouped = [[x, list(y)] for x, y in
                             itertools.groupby(user_perms_from_users_groups,
                                               lambda x:x.users_group)]
                 for gr, perms in _grouped:
                     # since user can be in multiple groups iterate over them and
                     # select the lowest permissions first (more explicit)
                     ##TODO: do this^^
                     if not gr.inherit_default_permissions:
                         # NEED TO IGNORE all configurable permissions and
                         # replace them with explicitly set
                         permissions[GLOBAL] = permissions[GLOBAL]\
                                                         .difference(_configurable)
                     for perm in perms:
                         permissions[GLOBAL].add(perm.permission.permission_name)
                 # user specific global permissions
                 user_perms = Session().query(UserToPerm)\
                         .options(joinedload(UserToPerm.permission))\
                         .filter(UserToPerm.user_id == uid).all()
                 if not user_inherit_default_permissions:
                     # NEED TO IGNORE all configurable permissions and
                     # replace them with explicitly set
                     permissions[GLOBAL] = permissions[GLOBAL]\
                                                     .difference(_configurable)
                     for perm in user_perms:
                         permissions[GLOBAL].add(perm.permission.permission_name)
                 ## END GLOBAL PERMISSIONS
                 #======================================================================
                 # !! PERMISSIONS FOR REPOSITORIES !!
                 #======================================================================
                 #======================================================================
                 # check if user is part of user groups for this repository and
                 # fill in his permission from it. _choose_perm decides of which
                 # permission should be selected based on selected method
                 #======================================================================
                 # user group for repositories permissions
                 user_repo_perms_from_users_groups = \
                  Session().query(UserGroupRepoToPerm, Permission, Repository,)\
                     .join((Repository, UserGroupRepoToPerm.repository_id ==
                            Repository.repo_id))\
                     .join((Permission, UserGroupRepoToPerm.permission_id ==
                            Permission.permission_id))\
                     .join((UserGroupMember, UserGroupRepoToPerm.users_group_id ==
                            UserGroupMember.users_group_id))\
                     .filter(UserGroupMember.user_id == uid)\
                     .all()
                 multiple_counter = collections.defaultdict(int)
                 for perm in user_repo_perms_from_users_groups:
                     r_k = perm.UserGroupRepoToPerm.repository.repo_name
                     multiple_counter[r_k] += 1
                     p = perm.Permission.permission_name
                     cur_perm = permissions[RK][r_k]
                     if perm.Repository.user_id == uid:
                         # set admin if owner
                         p = 'repository.admin'
                     else:
                         if multiple_counter[r_k] > 1:
                             p = _choose_perm(p, cur_perm)
                     permissions[RK][r_k] = p
                 # user explicit permissions for repositories, overrides any specified
                 # by the group permission
                 user_repo_perms = Permission.get_default_perms(uid)
                 for perm in user_repo_perms:
                     r_k = perm.UserRepoToPerm.repository.repo_name
                     cur_perm = permissions[RK][r_k]
                     # set admin if owner
                     if perm.Repository.user_id == uid:
                         p = 'repository.admin'
                     else:
                         p = perm.Permission.permission_name
                         if not explicit:
                             p = _choose_perm(p, cur_perm)
                     permissions[RK][r_k] = p
                 #======================================================================
                 # !! PERMISSIONS FOR REPOSITORY GROUPS !!
                 #======================================================================
                 #======================================================================
                 # check if user is part of user groups for this repository groups and
                 # fill in his permission from it. _choose_perm decides of which
                 # permission should be selected based on selected method
                 #======================================================================
                 # user group for repo groups permissions
                 user_repo_group_perms_from_users_groups = \
                  Session().query(UserGroupRepoGroupToPerm, Permission, RepoGroup)\
                  .join((RepoGroup, UserGroupRepoGroupToPerm.group_id == RepoGroup.group_id))\
                  .join((Permission, UserGroupRepoGroupToPerm.permission_id
                         == Permission.permission_id))\
                  .join((UserGroupMember, UserGroupRepoGroupToPerm.users_group_id
                         == UserGroupMember.users_group_id))\
                  .filter(UserGroupMember.user_id == uid)\
                  .all()
                 multiple_counter = collections.defaultdict(int)
                 for perm in user_repo_group_perms_from_users_groups:
                     g_k = perm.UserGroupRepoGroupToPerm.group.group_name
                     multiple_counter[g_k] += 1
                     p = perm.Permission.permission_name
                     cur_perm = permissions[GK][g_k]
                     if multiple_counter[g_k] > 1:
                         p = _choose_perm(p, cur_perm)
                     permissions[GK][g_k] = p
                 # user explicit permissions for repository groups
                 user_repo_groups_perms = Permission.get_default_group_perms(uid)
                 for perm in user_repo_groups_perms:
                     rg_k = perm.UserRepoGroupToPerm.group.group_name
                     p = perm.Permission.permission_name
                     cur_perm = permissions[GK][rg_k]
                     if not explicit:
                         p = _choose_perm(p, cur_perm)
                     permissions[GK][rg_k] = p
                 #======================================================================
                 # !! PERMISSIONS FOR USER GROUPS !!
                 #======================================================================
                 # user group for user group permissions
                 user_group_user_groups_perms = \
                  Session().query(UserGroupUserGroupToPerm, Permission, UserGroup)\
                  .join((UserGroup, UserGroupUserGroupToPerm.target_user_group_id
                         == UserGroup.users_group_id))\
                  .join((Permission, UserGroupUserGroupToPerm.permission_id
                         == Permission.permission_id))\
                  .join((UserGroupMember, UserGroupUserGroupToPerm.user_group_id
                         == UserGroupMember.users_group_id))\
                  .filter(UserGroupMember.user_id == uid)\
                  .all()
                 multiple_counter = collections.defaultdict(int)
                 for perm in user_group_user_groups_perms:
                     g_k = perm.UserGroupUserGroupToPerm.target_user_group.users_group_name
                     multiple_counter[g_k] += 1
                     p = perm.Permission.permission_name
                     cur_perm = permissions[UK][g_k]
                     if multiple_counter[g_k] > 1:
                         p = _choose_perm(p, cur_perm)
                     permissions[UK][g_k] = p
                 #user explicit permission for user groups
                 user_user_groups_perms = Permission.get_default_user_group_perms(uid)
                 for perm in user_user_groups_perms:
                     u_k = perm.UserUserGroupToPerm.user_group.users_group_name
                     p = perm.Permission.permission_name
                     cur_perm = permissions[UK][u_k]
                     if not explicit:
                         p = _choose_perm(p, cur_perm)
                     permissions[UK][u_k] = p
                 return permissions
             def allowed_api_access(controller_name, whitelist=None, api_key=None):
                 """
                 Check if given controller_name is in whitelist API access
                 """
                 if not whitelist:
                     from kallithea import CONFIG
                     whitelist = aslist(CONFIG.get('api_access_controllers_whitelist'),
                                        sep=',')
                     log.debug('whitelist of API access is: %s' % (whitelist))
                 api_access_valid = controller_name in whitelist
                 if api_access_valid:
                     log.debug('controller:%s is in API whitelist' % (controller_name))
                 else:
                     msg = 'controller: %s is *NOT* in API whitelist' % (controller_name)
                     if api_key:
                         #if we use API key and don't have access it's a warning
                         log.warning(msg)
                     else:
                         log.debug(msg)
                 return api_access_valid
             class AuthUser(object):
                 """
                 A simple object that handles all attributes of user in Kallithea
                 It does lookup based on API key,given user, or user present in session
                 Then it fills all required information for such user. It also checks if
                 anonymous access is enabled and if so, it returns default user as logged in
                 """
-                def __init__(self, user_id=None, api_key=None, username=None, ip_addr=None):
+                def __init__(self, user_id=None, api_key=None, username=None):
                     self.user_id = user_id
                     self._api_key = api_key
                     self.api_key = None
                     self.username = username
-                    self.ip_addr = ip_addr
                     self.name = ''
                     self.lastname = ''
                     self.email = ''
                     self.is_authenticated = False
                     self.admin = False
                     self.inherit_default_permissions = False
                     self.propagate_data()
                     self._instance = None
                 @LazyProperty
                 def permissions(self):
                     return self.get_perms(user=self, cache=False)
                 @property
                 def api_keys(self):
                     return self.get_api_keys()
                 def propagate_data(self):
                     user_model = UserModel()
                     self.anonymous_user = User.get_default_user(cache=True)
                     is_user_loaded = False
                     # lookup by userid
                     if self.user_id is not None and self.user_id != self.anonymous_user.user_id:
                         log.debug('Auth User lookup by USER ID %s' % self.user_id)
                         is_user_loaded = user_model.fill_data(self, user_id=self.user_id)
                     # try go get user by API key
                     elif self._api_key and self._api_key != self.anonymous_user.api_key:
                         log.debug('Auth User lookup by API key %s' % self._api_key)
                         is_user_loaded = user_model.fill_data(self, api_key=self._api_key)
                     # lookup by username
                     elif self.username:
                         log.debug('Auth User lookup by USER NAME %s' % self.username)
                         is_user_loaded = user_model.fill_data(self, username=self.username)
                     else:
                         log.debug('No data in %s that could been used to log in' % self)
                     if not is_user_loaded:
                         # if we cannot authenticate user try anonymous
                         if self.anonymous_user.active:
                             user_model.fill_data(self, user_id=self.anonymous_user.user_id)
                             # then we set this user is logged in
                             self.is_authenticated = True
                         else:
                             self.user_id = None
                             self.username = None
                             self.is_authenticated = False
                     if not self.username:
                         self.username = 'None'
                     log.debug('Auth User is now %s' % self)
                 def get_perms(self, user, explicit=True, algo='higherwin', cache=False):
                     """
                     Fills user permission attribute with permissions taken from database
                     works for permissions given for repositories, and for permissions that
                     are granted to groups
                     :param user: instance of User object from database
                     :param explicit: In case there are permissions both for user and a group
                         that user is part of, explicit flag will define if user will
                         explicitly override permissions from group, if it's False it will
                         make decision based on the algo
                     :param algo: algorithm to decide what permission should be choose if
                         it's multiple defined, eg user in two different groups. It also
                         decides if explicit flag is turned off how to specify the permission
                         for case when user is in a group + have defined separate permission
                     """
                     user_id = user.user_id
                     user_is_admin = user.is_admin
                     user_inherit_default_permissions = user.inherit_default_permissions
                     log.debug('Getting PERMISSION tree')
                     compute = conditional_cache('short_term', 'cache_desc',
                                                 condition=cache, func=_cached_perms_data)
                     return compute(user_id, user_is_admin,
                                    user_inherit_default_permissions, explicit, algo)
                 def get_api_keys(self):
                     api_keys = [self.api_key]
                     for api_key in UserApiKeys.query()\
                             .filter(UserApiKeys.user_id == self.user_id)\
                             .filter(or_(UserApiKeys.expires == -1,
                                         UserApiKeys.expires >= time.time())).all():
                         api_keys.append(api_key.api_key)
                     return api_keys
                 @property
                 def is_admin(self):
                     return self.admin
                 @property
                 def repositories_admin(self):
                     """
                     Returns list of repositories you're an admin of
                     """
                     return [x[0] for x in self.permissions['repositories'].iteritems()
                             if x[1] == 'repository.admin']
                 @property
                 def repository_groups_admin(self):
                     """
                     Returns list of repository groups you're an admin of
                     """
                     return [x[0] for x in self.permissions['repositories_groups'].iteritems()
                             if x[1] == 'group.admin']
                 @property
                 def user_groups_admin(self):
                     """
                     Returns list of user groups you're an admin of
                     """
                     return [x[0] for x in self.permissions['user_groups'].iteritems()
                             if x[1] == 'usergroup.admin']
-                @property
+                def is_ip_allowed(self, ip_addr):
-                def ip_allowed(self):
                     """
-                    Checks if ip_addr used in constructor is allowed from defined list of
+                    Determine if `ip_addr` is on the list of allowed IP addresses
-                    allowed ip_addresses for user
+                    for this user.
-                    :returns: boolean, True if ip is in allowed ip range
                     """
-                    # check IP
                     inherit = self.inherit_default_permissions
-                    return AuthUser.check_ip_allowed(self.user_id, self.ip_addr,
+                    return AuthUser.check_ip_allowed(self.user_id, ip_addr,
                                                      inherit_from_default=inherit)
                 @classmethod
                 def check_ip_allowed(cls, user_id, ip_addr, inherit_from_default):
                     allowed_ips = AuthUser.get_allowed_ips(user_id, cache=True,
                                     inherit_from_default=inherit_from_default)
                     if check_ip_access(source_ip=ip_addr, allowed_ips=allowed_ips):
                         log.debug('IP:%s is in range of %s' % (ip_addr, allowed_ips))
                         return True
                     else:
                         log.info('Access for IP:%s forbidden, '
                                  'not in %s' % (ip_addr, allowed_ips))
                         return False
                 def __repr__(self):
-                    return "<AuthUser('id:%s[%s] ip:%s auth:%s')>"\
+                    return "<AuthUser('id:%s[%s] auth:%s')>"\
-                        % (self.user_id, self.username, self.ip_addr, self.is_authenticated)
+                        % (self.user_id, self.username, self.is_authenticated)
                 def set_authenticated(self, authenticated=True):
                     if self.user_id != self.anonymous_user.user_id:
                         self.is_authenticated = authenticated
                 def get_cookie_store(self):
                     return {'username': self.username,
                             'user_id': self.user_id,
                             'is_authenticated': self.is_authenticated}
                 @classmethod
                 def from_cookie_store(cls, cookie_store):
                     """
                     Creates AuthUser from a cookie store
                     :param cls:
                     :param cookie_store:
                     """
                     user_id = cookie_store.get('user_id')
                     username = cookie_store.get('username')
                     api_key = cookie_store.get('api_key')
                     return AuthUser(user_id, api_key, username)
                 @classmethod
                 def get_allowed_ips(cls, user_id, cache=False, inherit_from_default=False):
                     _set = set()
                     if inherit_from_default:
                         default_ips = UserIpMap.query().filter(UserIpMap.user ==
                                                         User.get_default_user(cache=True))
                         if cache:
                             default_ips = default_ips.options(FromCache("sql_cache_short",
                                                               "get_user_ips_default"))
                         # populate from default user
                         for ip in default_ips:
                             try:
                                 _set.add(ip.ip_addr)
                             except ObjectDeletedError:
                                 # since we use heavy caching sometimes it happens that we get
                                 # deleted objects here, we just skip them
                                 pass
                     user_ips = UserIpMap.query().filter(UserIpMap.user_id == user_id)
                     if cache:
                         user_ips = user_ips.options(FromCache("sql_cache_short",
                                                               "get_user_ips_%s" % user_id))
                     for ip in user_ips:
                         try:
                             _set.add(ip.ip_addr)
                         except ObjectDeletedError:
                             # since we use heavy caching sometimes it happens that we get
                             # deleted objects here, we just skip them
                             pass
                     return _set or set(['0.0.0.0/0', '::/0'])
             def set_available_permissions(config):
                 """
                 This function will propagate pylons globals with all available defined
                 permission given in db. We don't want to check each time from db for new
                 permissions since adding a new permission also requires application restart
                 ie. to decorate new views with the newly created permission
                 :param config: current pylons config instance
                 """
                 log.info('getting information about all available permissions')
                 try:
                     sa = meta.Session
                     all_perms = sa.query(Permission).all()
                     config['available_permissions'] = [x.permission_name for x in all_perms]
                 finally:
                     meta.Session.remove()
             #==============================================================================
             # CHECK DECORATORS
             #==============================================================================
             def redirect_to_login(message=None):
                 from kallithea.lib import helpers as h
                 p = url.current()
                 if message:
                     h.flash(h.literal(message), category='warning')
                 log.debug('Redirecting to login page, origin: %s' % p)
                 return redirect(url('login_home', came_from=p, **request.GET))
             class LoginRequired(object):
                 """
                 Must be logged in to execute this function else
                 redirect to login page
                 :param api_access: if enabled this checks only for valid auth token
                     and grants access based on valid token
                 """
                 def __init__(self, api_access=False):
                     self.api_access = api_access
                 def __call__(self, func):
                     return decorator(self.__wrapper, func)
                 def __wrapper(self, func, *fargs, **fkwargs):
-                    cls = fargs[0]
+                    controller = fargs[0]
-                    user = cls.authuser
+                    user = controller.authuser
-                    loc = "%s:%s" % (cls.__class__.__name__, func.__name__)
+                    loc = "%s:%s" % (controller.__class__.__name__, func.__name__)
                     log.debug('Checking access for user %s @ %s' % (user, loc))
                     # check if our IP is allowed
-                    if not user.ip_allowed:
+                    if not user.is_ip_allowed(controller.ip_addr):
-                        return redirect_to_login(_('IP %s not allowed' % (user.ip_addr)))
+                        return redirect_to_login(_('IP %s not allowed') % controller.ip_addr)
                     # check if we used an API key and it's a valid one
                     api_key = request.GET.get('api_key')
                     if api_key is not None:
                         # explicit controller is enabled or API is in our whitelist
                         if self.api_access or allowed_api_access(loc, api_key=api_key):
                             if api_key in user.api_keys:
                                 log.info('user %s authenticated with API key ****%s @ %s'
                                          % (user, api_key[-4:], loc))
                                 return func(*fargs, **fkwargs)
                             else:
                                 log.warning('API key ****%s is NOT valid' % api_key[-4:])
                                 return redirect_to_login(_('Invalid API key'))
                         else:
                             # controller does not allow API access
                             log.warning('API access to %s is not allowed' % loc)
                             return abort(403)
                     # CSRF protection - POSTs with session auth must contain correct token
                     if request.POST and user.is_authenticated:
                         token = request.POST.get(secure_form.token_key)
                         if not token or token != secure_form.authentication_token():
                             log.error('CSRF check failed')
                             return abort(403)
                     # regular user authentication
                     if user.is_authenticated:
                         log.info('user %s authenticated with regular auth @ %s' % (user, loc))
                         return func(*fargs, **fkwargs)
                     else:
                         log.warning('user %s NOT authenticated with regular auth @ %s' % (user, loc))
                         return redirect_to_login()
             class NotAnonymous(object):
                 """
                 Must be logged in to execute this function else
                 redirect to login page"""
                 def __call__(self, func):
                     return decorator(self.__wrapper, func)
                 def __wrapper(self, func, *fargs, **fkwargs):
                     cls = fargs[0]
                     self.user = cls.authuser
                     log.debug('Checking if user is not anonymous @%s' % cls)
                     anonymous = self.user.username == User.DEFAULT_USER
                     if anonymous:
                         return redirect_to_login(_('You need to be a registered user to '
                                 'perform this action'))
                     else:
                         return func(*fargs, **fkwargs)
             class PermsDecorator(object):
                 """Base class for controller decorators"""
                 def __init__(self, *required_perms):
                     self.required_perms = set(required_perms)
                     self.user_perms = None
                 def __call__(self, func):
                     return decorator(self.__wrapper, func)
                 def __wrapper(self, func, *fargs, **fkwargs):
                     cls = fargs[0]
                     self.user = cls.authuser
                     self.user_perms = self.user.permissions
                     log.debug('checking %s permissions %s for %s %s',
                        self.__class__.__name__, self.required_perms, cls, self.user)
                     if self.check_permissions():
                         log.debug('Permission granted for %s %s' % (cls, self.user))
                         return func(*fargs, **fkwargs)
                     else:
                         log.debug('Permission denied for %s %s' % (cls, self.user))
                         anonymous = self.user.username == User.DEFAULT_USER
                         if anonymous:
                             return redirect_to_login(_('You need to be signed in to view this page'))
                         else:
                             # redirect with forbidden ret code
                             return abort(403)
                 def check_permissions(self):
                     """Dummy function for overriding"""
                     raise Exception('You have to write this function in child class')
             class HasPermissionAllDecorator(PermsDecorator):
                 """
                 Checks for access permission for all given predicates. All of them
                 have to be meet in order to fulfill the request
                 """
                 def check_permissions(self):
                     if self.required_perms.issubset(self.user_perms.get('global')):
                         return True
                     return False
             class HasPermissionAnyDecorator(PermsDecorator):
                 """
                 Checks for access permission for any of given predicates. In order to
                 fulfill the request any of predicates must be meet
                 """
                 def check_permissions(self):
                     if self.required_perms.intersection(self.user_perms.get('global')):
                         return True
                     return False
             class HasRepoPermissionAllDecorator(PermsDecorator):
                 """
                 Checks for access permission for all given predicates for specific
                 repository. All of them have to be meet in order to fulfill the request
                 """
                 def check_permissions(self):
                     repo_name = get_repo_slug(request)
                     try:
                         user_perms = set([self.user_perms['repositories'][repo_name]])
                     except KeyError:
                         return False
                     if self.required_perms.issubset(user_perms):
                         return True
                     return False
             class HasRepoPermissionAnyDecorator(PermsDecorator):
                 """
                 Checks for access permission for any of given predicates for specific
                 repository. In order to fulfill the request any of predicates must be meet
                 """
                 def check_permissions(self):
                     repo_name = get_repo_slug(request)
                     try:
                         user_perms = set([self.user_perms['repositories'][repo_name]])
                     except KeyError:
                         return False
                     if self.required_perms.intersection(user_perms):
                         return True
                     return False
             class HasRepoGroupPermissionAllDecorator(PermsDecorator):
                 """
                 Checks for access permission for all given predicates for specific
                 repository group. All of them have to be meet in order to fulfill the request
                 """
                 def check_permissions(self):
                     group_name = get_repo_group_slug(request)
                     try:
                         user_perms = set([self.user_perms['repositories_groups'][group_name]])
                     except KeyError:
                         return False
                     if self.required_perms.issubset(user_perms):
                         return True
                     return False
             class HasRepoGroupPermissionAnyDecorator(PermsDecorator):
                 """
                 Checks for access permission for any of given predicates for specific
                 repository group. In order to fulfill the request any of predicates must be meet
                 """
                 def check_permissions(self):
                     group_name = get_repo_group_slug(request)
                     try:
                         user_perms = set([self.user_perms['repositories_groups'][group_name]])
                     except KeyError:
                         return False
                     if self.required_perms.intersection(user_perms):
                         return True
                     return False
             class HasUserGroupPermissionAllDecorator(PermsDecorator):
                 """
                 Checks for access permission for all given predicates for specific
                 user group. All of them have to be meet in order to fulfill the request
                 """
                 def check_permissions(self):
                     group_name = get_user_group_slug(request)
                     try:
                         user_perms = set([self.user_perms['user_groups'][group_name]])
                     except KeyError:
                         return False
                     if self.required_perms.issubset(user_perms):
                         return True
                     return False
             class HasUserGroupPermissionAnyDecorator(PermsDecorator):
                 """
                 Checks for access permission for any of given predicates for specific
                 user group. In order to fulfill the request any of predicates must be meet
                 """
                 def check_permissions(self):
                     group_name = get_user_group_slug(request)
                     try:
                         user_perms = set([self.user_perms['user_groups'][group_name]])
                     except KeyError:
                         return False
                     if self.required_perms.intersection(user_perms):
                         return True
                     return False
             #==============================================================================
             # CHECK FUNCTIONS
             #==============================================================================
             class PermsFunction(object):
                 """Base function for other check functions"""
                 def __init__(self, *perms):
                     self.required_perms = set(perms)
                     self.user_perms = None
                     self.repo_name = None
                     self.group_name = None
                 def __call__(self, check_location='', user=None):
                     if not user:
                         #TODO: remove this someday,put as user as attribute here
                         user = request.user
                     # init auth user if not already given
                     if not isinstance(user, AuthUser):
                         user = AuthUser(user.user_id)
                     cls_name = self.__class__.__name__
                     check_scope = {
                         'HasPermissionAll': '',
                         'HasPermissionAny': '',
                         'HasRepoPermissionAll': 'repo:%s' % self.repo_name,
                         'HasRepoPermissionAny': 'repo:%s' % self.repo_name,
                         'HasRepoGroupPermissionAll': 'group:%s' % self.group_name,
                         'HasRepoGroupPermissionAny': 'group:%s' % self.group_name,
                     }.get(cls_name, '?')
                     log.debug('checking cls:%s %s usr:%s %s @ %s', cls_name,
                               self.required_perms, user, check_scope,
                               check_location or 'unspecified location')
                     if not user:
                         log.debug('Empty request user')
                         return False
                     self.user_perms = user.permissions
                     if self.check_permissions():
                         log.debug('Permission to %s granted for user: %s @ %s'
                                   % (check_scope, user,
                                      check_location or 'unspecified location'))
                         return True
                     else:
                         log.debug('Permission to %s denied for user: %s @ %s'
                                   % (check_scope, user,
                                      check_location or 'unspecified location'))
                         return False
                 def check_permissions(self):
                     """Dummy function for overriding"""
                     raise Exception('You have to write this function in child class')
             class HasPermissionAll(PermsFunction):
                 def check_permissions(self):
                     if self.required_perms.issubset(self.user_perms.get('global')):
                         return True
                     return False
             class HasPermissionAny(PermsFunction):
                 def check_permissions(self):
                     if self.required_perms.intersection(self.user_perms.get('global')):
                         return True
                     return False
             class HasRepoPermissionAll(PermsFunction):
                 def __call__(self, repo_name=None, check_location='', user=None):
                     self.repo_name = repo_name
                     return super(HasRepoPermissionAll, self).__call__(check_location, user)
                 def check_permissions(self):
                     if not self.repo_name:
                         self.repo_name = get_repo_slug(request)
                     try:
                         self._user_perms = set(
                             [self.user_perms['repositories'][self.repo_name]]
                         )
                     except KeyError:
                         return False
                     if self.required_perms.issubset(self._user_perms):
                         return True
                     return False
             class HasRepoPermissionAny(PermsFunction):
                 def __call__(self, repo_name=None, check_location='', user=None):
                     self.repo_name = repo_name
                     return super(HasRepoPermissionAny, self).__call__(check_location, user)
                 def check_permissions(self):
                     if not self.repo_name:
                         self.repo_name = get_repo_slug(request)
                     try:
                         self._user_perms = set(
                             [self.user_perms['repositories'][self.repo_name]]
                         )
                     except KeyError:
                         return False
                     if self.required_perms.intersection(self._user_perms):
                         return True
                     return False
             class HasRepoGroupPermissionAny(PermsFunction):
                 def __call__(self, group_name=None, check_location='', user=None):
                     self.group_name = group_name
                     return super(HasRepoGroupPermissionAny, self).__call__(check_location, user)
                 def check_permissions(self):
                     try:
                         self._user_perms = set(
                             [self.user_perms['repositories_groups'][self.group_name]]
                         )
                     except KeyError:
                         return False
                     if self.required_perms.intersection(self._user_perms):
                         return True
                     return False
             class HasRepoGroupPermissionAll(PermsFunction):
                 def __call__(self, group_name=None, check_location='', user=None):
                     self.group_name = group_name
                     return super(HasRepoGroupPermissionAll, self).__call__(check_location, user)
                 def check_permissions(self):
                     try:
                         self._user_perms = set(
                             [self.user_perms['repositories_groups'][self.group_name]]
                         )
                     except KeyError:
                         return False
                     if self.required_perms.issubset(self._user_perms):
                         return True
                     return False
             class HasUserGroupPermissionAny(PermsFunction):
                 def __call__(self, user_group_name=None, check_location='', user=None):
                     self.user_group_name = user_group_name
                     return super(HasUserGroupPermissionAny, self).__call__(check_location, user)
                 def check_permissions(self):
                     try:
                         self._user_perms = set(
                             [self.user_perms['user_groups'][self.user_group_name]]
                         )
                     except KeyError:
                         return False
                     if self.required_perms.intersection(self._user_perms):
                         return True
                     return False
             class HasUserGroupPermissionAll(PermsFunction):
                 def __call__(self, user_group_name=None, check_location='', user=None):
                     self.user_group_name = user_group_name
                     return super(HasUserGroupPermissionAll, self).__call__(check_location, user)
                 def check_permissions(self):
                     try:
                         self._user_perms = set(
                             [self.user_perms['user_groups'][self.user_group_name]]
                         )
                     except KeyError:
                         return False
                     if self.required_perms.issubset(self._user_perms):
                         return True
                     return False
             #==============================================================================
             # SPECIAL VERSION TO HANDLE MIDDLEWARE AUTH
             #==============================================================================
             class HasPermissionAnyMiddleware(object):
                 def __init__(self, *perms):
                     self.required_perms = set(perms)
                 def __call__(self, user, repo_name):
                     # repo_name MUST be unicode, since we handle keys in permission
                     # dict by unicode
                     repo_name = safe_unicode(repo_name)
                     usr = AuthUser(user.user_id)
                     self.user_perms = set([usr.permissions['repositories'][repo_name]])
                     self.username = user.username
                     self.repo_name = repo_name
                     return self.check_permissions()
                 def check_permissions(self):
                     log.debug('checking VCS protocol '
                               'permissions %s for user:%s repository:%s', self.user_perms,
                                                             self.username, self.repo_name)
                     if self.required_perms.intersection(self.user_perms):
                         log.debug('Permission to repo: %s granted for user: %s @ %s'
                                   % (self.repo_name, self.username, 'PermissionMiddleware'))
                         return True
                     log.debug('Permission to repo: %s denied for user: %s @ %s'
                               % (self.repo_name, self.username, 'PermissionMiddleware'))
                     return False
             #==============================================================================
             # SPECIAL VERSION TO HANDLE API AUTH
             #==============================================================================
             class _BaseApiPerm(object):
                 def __init__(self, *perms):
                     self.required_perms = set(perms)
                 def __call__(self, check_location=None, user=None, repo_name=None,
                              group_name=None):
                     cls_name = self.__class__.__name__
                     check_scope = 'user:%s' % (user)
                     if repo_name:
                         check_scope += ', repo:%s' % (repo_name)
                     if group_name:
                         check_scope += ', repo group:%s' % (group_name)
                     log.debug('checking cls:%s %s %s @ %s'
                               % (cls_name, self.required_perms, check_scope, check_location))
                     if not user:
                         log.debug('Empty User passed into arguments')
                         return False
                     ## process user
                     if not isinstance(user, AuthUser):
                         user = AuthUser(user.user_id)
                     if not check_location:
                         check_location = 'unspecified'
                     if self.check_permissions(user.permissions, repo_name, group_name):
                         log.debug('Permission to %s granted for user: %s @ %s'
                                   % (check_scope, user, check_location))
                         return True
                     else:
                         log.debug('Permission to %s denied for user: %s @ %s'
                                   % (check_scope, user, check_location))
                         return False
                 def check_permissions(self, perm_defs, repo_name=None, group_name=None):
                     """
                     implement in child class should return True if permissions are ok,
                     False otherwise
                     :param perm_defs: dict with permission definitions
                     :param repo_name: repo name
                     """
                     raise NotImplementedError()
             class HasPermissionAllApi(_BaseApiPerm):
                 def check_permissions(self, perm_defs, repo_name=None, group_name=None):
                     if self.required_perms.issubset(perm_defs.get('global')):
                         return True
                     return False
             class HasPermissionAnyApi(_BaseApiPerm):
                 def check_permissions(self, perm_defs, repo_name=None, group_name=None):
                     if self.required_perms.intersection(perm_defs.get('global')):
                         return True
                     return False
             class HasRepoPermissionAllApi(_BaseApiPerm):
                 def check_permissions(self, perm_defs, repo_name=None, group_name=None):
                     try:
                         _user_perms = set([perm_defs['repositories'][repo_name]])
                     except KeyError:
                         log.warning(traceback.format_exc())
                         return False
                     if self.required_perms.issubset(_user_perms):
                         return True
                     return False
             class HasRepoPermissionAnyApi(_BaseApiPerm):
                 def check_permissions(self, perm_defs, repo_name=None, group_name=None):
                     try:
                         _user_perms = set([perm_defs['repositories'][repo_name]])
                     except KeyError:
                         log.warning(traceback.format_exc())
                         return False
                     if self.required_perms.intersection(_user_perms):
                         return True
                     return False
             class HasRepoGroupPermissionAnyApi(_BaseApiPerm):
                 def check_permissions(self, perm_defs, repo_name=None, group_name=None):
                     try:
                         _user_perms = set([perm_defs['repositories_groups'][group_name]])
                     except KeyError:
                         log.warning(traceback.format_exc())
                         return False
                     if self.required_perms.intersection(_user_perms):
                         return True
                     return False
             class HasRepoGroupPermissionAllApi(_BaseApiPerm):
                 def check_permissions(self, perm_defs, repo_name=None, group_name=None):
                     try:
                         _user_perms = set([perm_defs['repositories_groups'][group_name]])
                     except KeyError:
                         log.warning(traceback.format_exc())
                         return False
                     if self.required_perms.issubset(_user_perms):
                         return True
                     return False
             def check_ip_access(source_ip, allowed_ips=None):
                 """
                 Checks if source_ip is a subnet of any of allowed_ips.
                 :param source_ip:
                 :param allowed_ips: list of allowed ips together with mask
                 """
                 from kallithea.lib import ipaddr
                 log.debug('checking if ip:%s is subnet of %s' % (source_ip, allowed_ips))
                 if isinstance(allowed_ips, (tuple, list, set)):
                     for ip in allowed_ips:
                         if ipaddr.IPAddress(source_ip) in ipaddr.IPNetwork(ip):
                             log.debug('IP %s is network %s' %
                                       (ipaddr.IPAddress(source_ip), ipaddr.IPNetwork(ip)))
                             return True
                 return False

kallithea/lib/base.py

0 +4 -5

             # -*- coding: utf-8 -*-
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU General Public License as published by
             # the Free Software Foundation, either version 3 of the License, or
             # (at your option) any later version.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             """
             kallithea.lib.base
             ~~~~~~~~~~~~~~~~~~
             The base Controller API
             Provides the BaseController class for subclassing. And usage in different
             controllers
             This file was forked by the Kallithea project in July 2014.
             Original author and date, and relevant copyright and licensing information is below:
             :created_on: Oct 06, 2010
             :author: marcink
             :copyright: (c) 2013 RhodeCode GmbH, and others.
             :license: GPLv3, see LICENSE.md for more details.
             """
             import logging
             import time
             import traceback
             import webob.exc
             import paste.httpexceptions
             import paste.auth.basic
             import paste.httpheaders
             from pylons import config, tmpl_context as c, request, session, url
             from pylons.controllers import WSGIController
             from pylons.controllers.util import redirect
             from pylons.templating import render_mako as render  # don't remove this import
             from pylons.i18n.translation import _
             from kallithea import __version__, BACKENDS
             from kallithea.lib.utils2 import str2bool, safe_unicode, AttributeDict,\
                 safe_str, safe_int
             from kallithea.lib import auth_modules
             from kallithea.lib.auth import AuthUser, HasPermissionAnyMiddleware, CookieStoreWrapper
             from kallithea.lib.utils import get_repo_slug
             from kallithea.lib.exceptions import UserCreationError
             from kallithea.lib.vcs.exceptions import RepositoryError, EmptyRepositoryError, ChangesetDoesNotExistError
             from kallithea.model import meta
             from kallithea.model.db import Repository, Ui, User, Setting
             from kallithea.model.notification import NotificationModel
             from kallithea.model.scm import ScmModel
             from kallithea.model.pull_request import PullRequestModel
             log = logging.getLogger(__name__)
             def _filter_proxy(ip):
                 """
                 HEADERS can have multiple ips inside the left-most being the original
                 client, and each successive proxy that passed the request adding the IP
                 address where it received the request from.
                 :param ip:
                 """
                 if ',' in ip:
                     _ips = ip.split(',')
                     _first_ip = _ips[0].strip()
                     log.debug('Got multiple IPs %s, using %s' % (','.join(_ips), _first_ip))
                     return _first_ip
                 return ip
             def _get_ip_addr(environ):
                 proxy_key = 'HTTP_X_REAL_IP'
                 proxy_key2 = 'HTTP_X_FORWARDED_FOR'
                 def_key = 'REMOTE_ADDR'
                 ip = environ.get(proxy_key)
                 if ip:
                     return _filter_proxy(ip)
                 ip = environ.get(proxy_key2)
                 if ip:
                     return _filter_proxy(ip)
                 ip = environ.get(def_key, '0.0.0.0')
                 return _filter_proxy(ip)
             def _get_access_path(environ):
                 path = environ.get('PATH_INFO')
                 org_req = environ.get('pylons.original_request')
                 if org_req:
                     path = org_req.environ.get('PATH_INFO')
                 return path
             class BasicAuth(paste.auth.basic.AuthBasicAuthenticator):
                 def __init__(self, realm, authfunc, auth_http_code=None):
                     self.realm = realm
                     self.authfunc = authfunc
                     self._rc_auth_http_code = auth_http_code
                 def build_authentication(self):
                     head = paste.httpheaders.WWW_AUTHENTICATE.tuples('Basic realm="%s"' % self.realm)
                     if self._rc_auth_http_code and self._rc_auth_http_code == '403':
                         # return 403 if alternative http return code is specified in
                         # Kallithea config
                         return paste.httpexceptions.HTTPForbidden(headers=head)
                     return paste.httpexceptions.HTTPUnauthorized(headers=head)
                 def authenticate(self, environ):
                     authorization = paste.httpheaders.AUTHORIZATION(environ)
                     if not authorization:
                         return self.build_authentication()
                     (authmeth, auth) = authorization.split(' ', 1)
                     if 'basic' != authmeth.lower():
                         return self.build_authentication()
                     auth = auth.strip().decode('base64')
                     _parts = auth.split(':', 1)
                     if len(_parts) == 2:
                         username, password = _parts
                         if self.authfunc(username, password, environ):
                             return username
                     return self.build_authentication()
                 __call__ = authenticate
             class BaseVCSController(object):
                 def __init__(self, application, config):
                     self.application = application
                     self.config = config
                     # base path of repo locations
                     self.basepath = self.config['base_path']
                     #authenticate this VCS request using authfunc
                     self.authenticate = BasicAuth('', auth_modules.authenticate,
                                                   config.get('auth_ret_code'))
                     self.ip_addr = '0.0.0.0'
                 def _handle_request(self, environ, start_response):
                     raise NotImplementedError()
                 def _get_by_id(self, repo_name):
                     """
                     Gets a special pattern _<ID> from clone url and tries to replace it
                     with a repository_name for support of _<ID> permanent URLs
                     :param repo_name:
                     """
                     data = repo_name.split('/')
                     if len(data) >= 2:
                         from kallithea.lib.utils import get_repo_by_id
                         by_id_match = get_repo_by_id(repo_name)
                         if by_id_match:
                             data[1] = by_id_match
                     return '/'.join(data)
                 def _invalidate_cache(self, repo_name):
                     """
                     Sets cache for this repository for invalidation on next access
                     :param repo_name: full repo name, also a cache key
                     """
                     ScmModel().mark_for_invalidation(repo_name)
                 def _check_permission(self, action, user, repo_name, ip_addr=None):
                     """
                     Checks permissions using action (push/pull) user and repository
                     name
                     :param action: push or pull action
                     :param user: user instance
                     :param repo_name: repository name
                     """
                     # check IP
                     inherit = user.inherit_default_permissions
                     ip_allowed = AuthUser.check_ip_allowed(user.user_id, ip_addr,
                                                            inherit_from_default=inherit)
                     if ip_allowed:
                         log.info('Access for IP:%s allowed' % (ip_addr,))
                     else:
                         return False
                     if action == 'push':
                         if not HasPermissionAnyMiddleware('repository.write',
                                                           'repository.admin')(user,
                                                                               repo_name):
                             return False
                     else:
                         #any other action need at least read permission
                         if not HasPermissionAnyMiddleware('repository.read',
                                                           'repository.write',
                                                           'repository.admin')(user,
                                                                               repo_name):
                             return False
                     return True
                 def _get_ip_addr(self, environ):
                     return _get_ip_addr(environ)
                 def _check_ssl(self, environ):
                     """
                     Checks the SSL check flag and returns False if SSL is not present
                     and required True otherwise
                     """
                     #check if we have SSL required  ! if not it's a bad request !
                     if str2bool(Ui.get_by_key('push_ssl').ui_value):
                         org_proto = environ.get('wsgi._org_proto', environ['wsgi.url_scheme'])
                         if org_proto != 'https':
                             log.debug('proto is %s and SSL is required BAD REQUEST !'
                                       % org_proto)
                             return False
                     return True
                 def _check_locking_state(self, environ, action, repo, user_id):
                     """
                     Checks locking on this repository, if locking is enabled and lock is
                     present returns a tuple of make_lock, locked, locked_by.
                     make_lock can have 3 states None (do nothing) True, make lock
                     False release lock, This value is later propagated to hooks, which
                     do the locking. Think about this as signals passed to hooks what to do.
                     """
                     locked = False  # defines that locked error should be thrown to user
                     make_lock = None
                     repo = Repository.get_by_repo_name(repo)
                     user = User.get(user_id)
                     # this is kind of hacky, but due to how mercurial handles client-server
                     # server see all operation on changeset; bookmarks, phases and
                     # obsolescence marker in different transaction, we don't want to check
                     # locking on those
                     obsolete_call = environ['QUERY_STRING'] in ['cmd=listkeys',]
                     locked_by = repo.locked
                     if repo and repo.enable_locking and not obsolete_call:
                         if action == 'push':
                             #check if it's already locked !, if it is compare users
                             user_id, _date = repo.locked
                             if user.user_id == user_id:
                                 log.debug('Got push from user %s, now unlocking' % (user))
                                 # unlock if we have push from user who locked
                                 make_lock = False
                             else:
                                 # we're not the same user who locked, ban with 423 !
                                 locked = True
                         if action == 'pull':
                             if repo.locked[0] and repo.locked[1]:
                                 locked = True
                             else:
                                 log.debug('Setting lock on repo %s by %s' % (repo, user))
                                 make_lock = True
                     else:
                         log.debug('Repository %s do not have locking enabled' % (repo))
                     log.debug('FINAL locking values make_lock:%s,locked:%s,locked_by:%s'
                               % (make_lock, locked, locked_by))
                     return make_lock, locked, locked_by
                 def __call__(self, environ, start_response):
                     start = time.time()
                     try:
                         return self._handle_request(environ, start_response)
                     finally:
                         log = logging.getLogger('kallithea.' + self.__class__.__name__)
                         log.debug('Request time: %.3fs' % (time.time() - start))
                         meta.Session.remove()
             class BaseController(WSGIController):
                 def __before__(self):
                     """
                     __before__ is called before controller methods and after __call__
                     """
                     c.kallithea_version = __version__
                     rc_config = Setting.get_app_settings()
                     # Visual options
                     c.visual = AttributeDict({})
                     ## DB stored
                     c.visual.show_public_icon = str2bool(rc_config.get('show_public_icon'))
                     c.visual.show_private_icon = str2bool(rc_config.get('show_private_icon'))
                     c.visual.stylify_metatags = str2bool(rc_config.get('stylify_metatags'))
                     c.visual.dashboard_items = safe_int(rc_config.get('dashboard_items', 100))
                     c.visual.admin_grid_items = safe_int(rc_config.get('admin_grid_items', 100))
                     c.visual.repository_fields = str2bool(rc_config.get('repository_fields'))
                     c.visual.show_version = str2bool(rc_config.get('show_version'))
                     c.visual.use_gravatar = str2bool(rc_config.get('use_gravatar'))
                     c.visual.gravatar_url = rc_config.get('gravatar_url')
                     c.ga_code = rc_config.get('ga_code')
                     # TODO: replace undocumented backwards compatibility hack with db upgrade and rename ga_code
                     if c.ga_code and '<' not in c.ga_code:
                         c.ga_code = '''<script type="text/javascript">
                             var _gaq = _gaq || [];
                             _gaq.push(['_setAccount', '%s']);
                             _gaq.push(['_trackPageview']);
                             (function() {
                                 var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
                                 ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
                                 var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
                                 })();
                         </script>''' % c.ga_code
                     c.site_name = rc_config.get('title')
                     c.clone_uri_tmpl = rc_config.get('clone_uri_tmpl')
                     ## INI stored
                     c.visual.allow_repo_location_change = str2bool(config.get('allow_repo_location_change', True))
                     c.visual.allow_custom_hooks_settings = str2bool(config.get('allow_custom_hooks_settings', True))
                     c.instance_id = config.get('instance_id')
                     c.issues_url = config.get('bugtracker', url('issues_url'))
                     # END CONFIG VARS
                     c.repo_name = get_repo_slug(request)  # can be empty
                     c.backends = BACKENDS.keys()
                     c.unread_notifications = NotificationModel()\
                                     .get_unread_cnt_for_user(c.authuser.user_id)
                     self.cut_off_limit = safe_int(config.get('cut_off_limit'))
                     c.my_pr_count = PullRequestModel().get_pullrequest_cnt_for_user(c.authuser.user_id)
                     self.sa = meta.Session
                     self.scm_model = ScmModel(self.sa)
                 @staticmethod
-                def _determine_auth_user(ip_addr, api_key, session_authuser):
+                def _determine_auth_user(api_key, session_authuser):
                     """
                     Create an `AuthUser` object given the IP address of the request, the
                     API key (if any), and the authuser from the session.
                     """
                     if api_key:
                         # when using API_KEY we are sure user exists.
-                        auth_user = AuthUser(api_key=api_key, ip_addr=ip_addr)
+                        auth_user = AuthUser(api_key=api_key)
                         authenticated = False
                     else:
                         cookie_store = CookieStoreWrapper(session_authuser)
                         user_id = cookie_store.get('user_id')
                         try:
-                            auth_user = AuthUser(user_id=user_id, ip_addr=ip_addr)
+                            auth_user = AuthUser(user_id=user_id)
                         except UserCreationError as e:
                             # container auth or other auth functions that create users on
                             # the fly can throw UserCreationError to signal issues with
                             # user creation. Explanation should be provided in the
                             # exception object.
                             from kallithea.lib import helpers as h
                             h.flash(e, 'error')
-                            auth_user = AuthUser(ip_addr=ip_addr)
+                            auth_user = AuthUser()
                         authenticated = cookie_store.get('is_authenticated')
                     if not auth_user.is_authenticated and auth_user.user_id is not None:
                         # user is not authenticated and not empty
                         auth_user.set_authenticated(authenticated)
                     return auth_user
                 def __call__(self, environ, start_response):
                     """Invoke the Controller"""
                     # WSGIController.__call__ dispatches to the Controller method
                     # the request is routed to. This routing information is
                     # available in environ['pylons.routes_dict']
                     try:
                         self.ip_addr = _get_ip_addr(environ)
                         # make sure that we update permissions each time we call controller
                         #set globals for auth user
                         self.authuser = c.authuser = request.user = self._determine_auth_user(
-                            self.ip_addr,
                             request.GET.get('api_key'),
                             session.get('authuser'),
                         )
                         log.info('IP: %s User: %s accessed %s',
                             self.ip_addr, self.authuser,
                             safe_unicode(_get_access_path(environ)),
                         )
                         return WSGIController.__call__(self, environ, start_response)
                     finally:
                         meta.Session.remove()
             class BaseRepoController(BaseController):
                 """
                 Base class for controllers responsible for loading all needed data for
                 repository loaded items are
                 c.db_repo_scm_instance: instance of scm repository
                 c.db_repo: instance of db
                 c.repository_followers: number of followers
                 c.repository_forks: number of forks
                 c.repository_following: weather the current user is following the current repo
                 """
                 def __before__(self):
                     super(BaseRepoController, self).__before__()
                     if c.repo_name:  # extracted from routes
                         _dbr = Repository.get_by_repo_name(c.repo_name)
                         if not _dbr:
                             return
                         log.debug('Found repository in database %s with state `%s`'
                                   % (safe_unicode(_dbr), safe_unicode(_dbr.repo_state)))
                         route = getattr(request.environ.get('routes.route'), 'name', '')
                         # allow to delete repos that are somehow damages in filesystem
                         if route in ['delete_repo']:
                             return
                         if _dbr.repo_state in [Repository.STATE_PENDING]:
                             if route in ['repo_creating_home']:
                                 return
                             check_url = url('repo_creating_home', repo_name=c.repo_name)
                             return redirect(check_url)
                         dbr = c.db_repo = _dbr
                         c.db_repo_scm_instance = c.db_repo.scm_instance
                         if c.db_repo_scm_instance is None:
                             log.error('%s this repository is present in database but it '
                                       'cannot be created as an scm instance', c.repo_name)
                             from kallithea.lib import helpers as h
                             h.flash(h.literal(_('Repository not found in the filesystem')),
                                     category='error')
                             raise paste.httpexceptions.HTTPNotFound()
                         # some globals counter for menu
                         c.repository_followers = self.scm_model.get_followers(dbr)
                         c.repository_forks = self.scm_model.get_forks(dbr)
                         c.repository_pull_requests = self.scm_model.get_pull_requests(dbr)
                         c.repository_following = self.scm_model.is_following_repo(
                                                 c.repo_name, self.authuser.user_id)
                 @staticmethod
                 def _get_ref_rev(repo, ref_type, ref_name, returnempty=False):
                     """
                     Safe way to get changeset. If error occurs show error.
                     """
                     from kallithea.lib import helpers as h
                     try:
                         return repo.scm_instance.get_ref_revision(ref_type, ref_name)
                     except EmptyRepositoryError as e:
                         if returnempty:
                             return repo.scm_instance.EMPTY_CHANGESET
                         h.flash(h.literal(_('There are no changesets yet')),
                                 category='error')
                         raise webob.exc.HTTPNotFound()
                     except ChangesetDoesNotExistError as e:
                         h.flash(h.literal(_('Changeset not found')),
                                 category='error')
                         raise webob.exc.HTTPNotFound()
                     except RepositoryError as e:
                         log.error(traceback.format_exc())
                         h.flash(safe_str(e), category='error')
                         raise webob.exc.HTTPBadRequest()

kallithea/templates/admin/my_account/my_account_profile.html

0 +1 -1

             ${h.form(url('my_account'), method='post')}
                 <div class="form">
                      <div class="field">
                        <div class="gravatar_box">
                            <div class="gravatar">
                              ${h.gravatar(c.user.email)}
                            </div>
                             <p>
                             %if c.visual.use_gravatar:
                             <strong>${_('Change your avatar at')} <a href="http://gravatar.com">gravatar.com</a></strong>
                             <br/>${_('Using')} ${c.user.email}
                             %else:
                             <strong>${_('Avatars are disabled')}</strong>
                             <br/>${c.user.email or _('Missing email, please update your user email address.')}
-                                [${_('Current IP')}: ${c.perm_user.ip_addr or "?"}]
+                                [${_('Current IP')}: ${c.ip_addr}]
                             %endif
                            </p>
                        </div>
                      </div>
                     <% readonly = None %>
                     <% disabled = "" %>
                     <div class="fields">
                        %if c.extern_type != c.EXTERN_TYPE_INTERNAL:
                             <% readonly = "readonly" %>
                             <% disabled = " disabled" %>
                             <strong>${_('Your user is in an external Source of Record; some details cannot be managed here')}.</strong>
                        %endif
                          <div class="field">
                             <div class="label">
                                 <label for="username">${_('Username')}:</label>
                             </div>
                             <div class="input">
                               ${h.text('username',class_='medium%s' % disabled, readonly=readonly)}
                               ${h.hidden('extern_name', c.extern_name)}
                               ${h.hidden('extern_type', c.extern_type)}
                             </div>
                          </div>
                          <div class="field">
                             <div class="label">
                                 <label for="name">${_('First Name')}:</label>
                             </div>
                             <div class="input">
                                 ${h.text('firstname',class_="medium")}
                             </div>
                          </div>
                          <div class="field">
                             <div class="label">
                                 <label for="lastname">${_('Last Name')}:</label>
                             </div>
                             <div class="input">
                                 ${h.text('lastname',class_="medium")}
                             </div>
                          </div>
                          <div class="field">
                             <div class="label">
                                 <label for="email">${_('Email')}:</label>
                             </div>
                             <div class="input">
                                 ## we should be able to edit email !
                                 ${h.text('email',class_="medium")}
                             </div>
                          </div>
                         <div class="buttons">
                           ${h.submit('save',_('Save'),class_="btn")}
                           ${h.reset('reset',_('Reset'),class_="btn")}
                         </div>
                     </div>
                 </div>
             ${h.end_form()}

kallithea/templates/admin/users/user_edit_profile.html

0 +1 -1

             ${h.form(url('update_user', id=c.user.user_id),method='put')}
             <div class="form">
                     <div class="field">
                        <div class="gravatar_box">
                             <div class="gravatar">${h.gravatar(c.user.email)}</div>
                             <p>
                             %if c.visual.use_gravatar:
                             <strong>${_('Change avatar at')} <a href="http://gravatar.com">gravatar.com</a></strong>
                             <br/>${_('Using')} ${c.user.email}
                             %else:
                             <strong>${_('Avatars are disabled')}</strong>
                             <br/>${c.user.email or _('Missing email, please update this user email address.')}
                                     ##show current ip just if we show ourself
                                     %if c.authuser.username == c.user.username:
-                                        [${_('Current IP')}: ${c.perm_user.ip_addr or "?"}]
+                                        [${_('Current IP')}: ${c.ip_addr}]
                                     %endif
                             %endif
                        </div>
                     </div>
                     <% readonly = None %>
                     <% disabled = "" %>
                     <div class="fields">
                         %if c.extern_type != c.EXTERN_TYPE_INTERNAL:
                          <div class="field">
                            <% readonly = "readonly" %>
                            <% disabled = " disabled" %>
                            <strong>${_('This user is in an external Source of Record (%s); some details cannot be managed here.' % c.extern_type)}.</strong>
                          </div>
                         %endif
                          <div class="field">
                             <div class="label">
                                 <label for="username">${_('Username')}:</label>
                             </div>
                             <div class="input">
                               ${h.text('username',class_='medium%s' % disabled, readonly=readonly)}
                             </div>
                          </div>
                          <div class="field">
                             <div class="label">
                                 <label for="email">${_('Email')}:</label>
                             </div>
                             <div class="input">
                                 ${h.text('email',class_='medium')}
                             </div>
                          </div>
                          <div class="field">
                             <div class="label">
                                 <label for="extern_type">${_('Source of Record')}:</label>
                             </div>
                             <div class="input">
                                 ${h.text('extern_type',class_='medium disabled',readonly="readonly")}
                             </div>
                          </div>
                          <div class="field">
                             <div class="label">
                                 <label for="extern_name">${_('Name in Source of Record')}:</label>
                             </div>
                             <div class="input">
                                 ${h.text('extern_name',class_='medium disabled',readonly="readonly")}
                             </div>
                          </div>
                          <div class="field">
                             <div class="label">
                                 <label for="new_password">${_('New password')}:</label>
                             </div>
                             <div class="input">
                                 ${h.password('new_password',class_='medium%s' % disabled,readonly=readonly)}
                             </div>
                          </div>
                          <div class="field">
                             <div class="label">
                                 <label for="password_confirmation">${_('New password confirmation')}:</label>
                             </div>
                             <div class="input">
                                 ${h.password('password_confirmation',class_="medium%s" % disabled,readonly=readonly)}
                             </div>
                          </div>
                          <div class="field">
                             <div class="label">
                                 <label for="firstname">${_('First Name')}:</label>
                             </div>
                             <div class="input">
                                 ${h.text('firstname',class_='medium')}
                             </div>
                          </div>
                          <div class="field">
                             <div class="label">
                                 <label for="lastname">${_('Last Name')}:</label>
                             </div>
                             <div class="input">
                                 ${h.text('lastname',class_='medium')}
                             </div>
                          </div>
                          <div class="field">
                             <div class="label label-checkbox">
                                 <label for="active">${_('Active')}:</label>
                             </div>
                             <div class="checkboxes">
                                 ${h.checkbox('active',value=True)}
                             </div>
                          </div>
                          <div class="field">
                             <div class="label label-checkbox">
                                 <label for="admin">${_('Admin')}:</label>
                             </div>
                             <div class="checkboxes">
                                 ${h.checkbox('admin',value=True)}
                             </div>
                          </div>
                         <div class="buttons">
                           ${h.submit('save',_('Save'),class_="btn")}
                           ${h.reset('reset',_('Reset'),class_="btn")}
                         </div>
                     </div>
             </div>
             ${h.end_form()}

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages