upstream/kallithea Commit - r6471:a17c8e5f

auth: simplify repository permission checks...

Søren Løvborg -

r6471:a17c8e5f default

parent child

kallithea/controllers/admin/repos.py

0 +18 -18

             from kallithea.config.routing import url
             from kallithea.lib import helpers as h
             from kallithea.lib.auth import LoginRequired, \
-                HasRepoPermissionAnyDecorator, NotAnonymous, HasPermissionAny
+                HasRepoPermissionLevelDecorator, NotAnonymous, HasPermissionAny
             from kallithea.lib.base import BaseRepoController, render, jsonify
             from kallithea.lib.utils import action_logger
             from kallithea.lib.vcs import RepositoryError
                 def index(self, format='html'):
                     _list = Repository.query(sorted=True).all()
-                    c.repos_list = RepoList(_list, perm_set=['repository.admin'])
+                    c.repos_list = RepoList(_list, perm_level='admin')
                     repos_data = RepoModel().get_repos_as_dict(repos_list=c.repos_list,
                                                                admin=True,
                                                                super_user_actions=True)
                         return {'result': True}
                     return {'result': False}
-                @HasRepoPermissionAnyDecorator('repository.admin')
+                @HasRepoPermissionLevelDecorator('admin')
                 def update(self, repo_name):
                     c.repo_info = self._load_repo()
                     self.__load_defaults(c.repo_info)
                                 % repo_name, category='error')
                     raise HTTPFound(location=url('edit_repo', repo_name=changed_name))
-                @HasRepoPermissionAnyDecorator('repository.admin')
+                @HasRepoPermissionLevelDecorator('admin')
                 def delete(self, repo_name):
                     repo_model = RepoModel()
                     repo = repo_model.get_by_repo_name(repo_name)
                         raise HTTPFound(location=url('repos_group_home', group_name=repo.group.group_name))
                     raise HTTPFound(location=url('repos'))
-                @HasRepoPermissionAnyDecorator('repository.admin')
+                @HasRepoPermissionLevelDecorator('admin')
                 def edit(self, repo_name):
                     defaults = self.__load_data()
                     c.repo_fields = RepositoryField.query() \
                         encoding="UTF-8",
                         force_defaults=False)
-                @HasRepoPermissionAnyDecorator('repository.admin')
+                @HasRepoPermissionLevelDecorator('admin')
                 def edit_permissions(self, repo_name):
                     c.repo_info = self._load_repo()
                     repo_model = RepoModel()
                                 category='error')
                         raise HTTPInternalServerError()
-                @HasRepoPermissionAnyDecorator('repository.admin')
+                @HasRepoPermissionLevelDecorator('admin')
                 def edit_fields(self, repo_name):
                     c.repo_info = self._load_repo()
                     c.repo_fields = RepositoryField.query() \
                         raise HTTPFound(location=url('repo_edit_fields'))
                     return render('admin/repos/repo_edit.html')
-                @HasRepoPermissionAnyDecorator('repository.admin')
+                @HasRepoPermissionLevelDecorator('admin')
                 def create_repo_field(self, repo_name):
                     try:
                         form_result = RepoFieldForm()().to_python(dict(request.POST))
                         h.flash(msg, category='error')
                     raise HTTPFound(location=url('edit_repo_fields', repo_name=repo_name))
-                @HasRepoPermissionAnyDecorator('repository.admin')
+                @HasRepoPermissionLevelDecorator('admin')
                 def delete_repo_field(self, repo_name, field_id):
                     field = RepositoryField.get_or_404(field_id)
                     try:
                         h.flash(msg, category='error')
                     raise HTTPFound(location=url('edit_repo_fields', repo_name=repo_name))
-                @HasRepoPermissionAnyDecorator('repository.admin')
+                @HasRepoPermissionLevelDecorator('admin')
                 def edit_advanced(self, repo_name):
                     c.repo_info = self._load_repo()
                     c.default_user_id = User.get_default_user().user_id
                         .filter(UserFollowing.follows_repository == c.repo_info).scalar()
                     _repos = Repository.query(sorted=True).all()
-                    read_access_repos = RepoList(_repos)
+                    read_access_repos = RepoList(_repos, perm_level='read')
                     c.repos_list = [(None, _('-- Not a fork --'))]
                     c.repos_list += [(x.repo_id, x.repo_name)
                                      for x in read_access_repos
                         encoding="UTF-8",
                         force_defaults=False)
-                @HasRepoPermissionAnyDecorator('repository.admin')
+                @HasRepoPermissionLevelDecorator('admin')
                 def edit_advanced_journal(self, repo_name):
                     """
                     Sets this repository to be visible in public journal,
                     raise HTTPFound(location=url('edit_repo_advanced', repo_name=repo_name))
-                @HasRepoPermissionAnyDecorator('repository.admin')
+                @HasRepoPermissionLevelDecorator('admin')
                 def edit_advanced_fork(self, repo_name):
                     """
                     Mark given repository as a fork of another
                     raise HTTPFound(location=url('edit_repo_advanced', repo_name=repo_name))
-                @HasRepoPermissionAnyDecorator('repository.admin')
+                @HasRepoPermissionLevelDecorator('admin')
                 def edit_advanced_locking(self, repo_name):
                     """
                     Unlock repository when it is locked !
                                 category='error')
                     raise HTTPFound(location=url('edit_repo_advanced', repo_name=repo_name))
-                @HasRepoPermissionAnyDecorator('repository.write', 'repository.admin')
+                @HasRepoPermissionLevelDecorator('write')
                 def toggle_locking(self, repo_name):
                     try:
                         repo = Repository.get_by_repo_name(repo_name)
                                 category='error')
                     raise HTTPFound(location=url('summary_home', repo_name=repo_name))
-                @HasRepoPermissionAnyDecorator('repository.admin')
+                @HasRepoPermissionLevelDecorator('admin')
                 def edit_caches(self, repo_name):
                     c.repo_info = self._load_repo()
                     c.active = 'caches'
                         raise HTTPFound(location=url('edit_repo_caches', repo_name=c.repo_name))
                     return render('admin/repos/repo_edit.html')
-                @HasRepoPermissionAnyDecorator('repository.admin')
+                @HasRepoPermissionLevelDecorator('admin')
                 def edit_remote(self, repo_name):
                     c.repo_info = self._load_repo()
                     c.active = 'remote'
                         raise HTTPFound(location=url('edit_repo_remote', repo_name=c.repo_name))
                     return render('admin/repos/repo_edit.html')
-                @HasRepoPermissionAnyDecorator('repository.admin')
+                @HasRepoPermissionLevelDecorator('admin')
                 def edit_statistics(self, repo_name):
                     c.repo_info = self._load_repo()
                     repo = c.repo_info.scm_instance

kallithea/controllers/api/api.py

0 +10 -28

             from kallithea.controllers.api import JSONRPCController, JSONRPCError
             from kallithea.lib.auth import (
                 PasswordGenerator, AuthUser, HasPermissionAnyDecorator,
-                HasPermissionAnyDecorator, HasPermissionAny, HasRepoPermissionAny,
+                HasPermissionAnyDecorator, HasPermissionAny, HasRepoPermissionLevel,
                 HasRepoGroupPermissionAny, HasUserGroupPermissionAny)
             from kallithea.lib.utils import map_groups, repo2db_mapper
             from kallithea.lib.utils2 import (
                     """
                     repo = get_repo_or_error(repoid)
                     if not HasPermissionAny('hg.admin')():
-                        # check if we have admin permission for this repo !
+                        if not HasRepoPermissionLevel('write')(repo.repo_name):
-                        if not HasRepoPermissionAny('repository.admin',
-                                                    'repository.write')(
-                                repo_name=repo.repo_name):
                             raise JSONRPCError('repository `%s` does not exist' % (repoid,))
                     try:
                     repo = get_repo_or_error(repoid)
                     if HasPermissionAny('hg.admin')():
                         pass
-                    elif HasRepoPermissionAny('repository.admin',
+                    elif HasRepoPermissionLevel('write')(repo.repo_name):
-                                              'repository.write')(repo_name=repo.repo_name):
                         # make sure normal user does not pass someone else userid,
                         # he is not allowed to do that
                         if not isinstance(userid, Optional) and userid != request.authuser.user_id:
                     repo = get_repo_or_error(repoid)
                     if not HasPermissionAny('hg.admin')():
-                        # check if we have admin permission for this repo !
+                        if not HasRepoPermissionLevel('read')(repo.repo_name):
-                        perms = ('repository.admin', 'repository.write', 'repository.read')
-                        if not HasRepoPermissionAny(*perms)(repo_name=repo.repo_name):
                             raise JSONRPCError('repository `%s` does not exist' % (repoid,))
                     members = []
                     repo = get_repo_or_error(repoid)
                     if not HasPermissionAny('hg.admin')():
-                        # check if we have admin permission for this repo !
+                        if not HasRepoPermissionLevel('read')(repo.repo_name):
-                        perms = ('repository.admin', 'repository.write', 'repository.read')
-                        if not HasRepoPermissionAny(*perms)(repo_name=repo.repo_name):
                             raise JSONRPCError('repository `%s` does not exist' % (repoid,))
                     ret_type = Optional.extract(ret_type)
                     """
                     repo = get_repo_or_error(repoid)
                     if not HasPermissionAny('hg.admin')():
-                        # check if we have admin permission for this repo !
+                        if not HasRepoPermissionLevel('admin')(repo.repo_name):
-                        if not HasRepoPermissionAny('repository.admin')(repo_name=repo.repo_name):
                             raise JSONRPCError('repository `%s` does not exist' % (repoid,))
                         if (name != repo.repo_name and
                     if HasPermissionAny('hg.admin')():
                         pass
-                    elif HasRepoPermissionAny('repository.admin',
+                    elif HasRepoPermissionLevel('read')(repo.repo_name):
-                                              'repository.write',
-                                              'repository.read')(repo_name=repo.repo_name):
                         if not isinstance(owner, Optional):
                             # forbid setting owner for non-admins
                             raise JSONRPCError(
                     repo = get_repo_or_error(repoid)
                     if not HasPermissionAny('hg.admin')():
-                        # check if we have admin permission for this repo !
+                        if not HasRepoPermissionLevel('admin')(repo.repo_name):
-                        if not HasRepoPermissionAny('repository.admin')(repo_name=repo.repo_name):
                             raise JSONRPCError('repository `%s` does not exist' % (repoid,))
                     try:
                     perm = get_perm_or_error(perm)
                     user_group = get_user_group_or_error(usergroupid)
                     if not HasPermissionAny('hg.admin')():
-                        # check if we have admin permission for this repo !
+                        if not HasRepoPermissionLevel('admin')(repo.repo_name):
-                        _perms = ('repository.admin',)
-                        if not HasRepoPermissionAny(*_perms)(
-                                repo_name=repo.repo_name):
                             raise JSONRPCError('repository `%s` does not exist' % (repoid,))
                         # check if we have at least read permission for this user group !
                     repo = get_repo_or_error(repoid)
                     user_group = get_user_group_or_error(usergroupid)
                     if not HasPermissionAny('hg.admin')():
-                        # check if we have admin permission for this repo !
+                        if not HasRepoPermissionLevel('admin')(repo.repo_name):
-                        _perms = ('repository.admin',)
-                        if not HasRepoPermissionAny(*_perms)(
-                                repo_name=repo.repo_name):
                             raise JSONRPCError('repository `%s` does not exist' % (repoid,))
                         # check if we have at least read permission for this user group !

kallithea/controllers/changelog.py

0 +4 -7

             import kallithea.lib.helpers as h
             from kallithea.config.routing import url
-            from kallithea.lib.auth import LoginRequired, HasRepoPermissionAnyDecorator
+            from kallithea.lib.auth import LoginRequired, HasRepoPermissionLevelDecorator
             from kallithea.lib.base import BaseRepoController, render
             from kallithea.lib.compat import json
             from kallithea.lib.graphmod import graph_data
                     raise HTTPBadRequest()
                 @LoginRequired()
-                @HasRepoPermissionAnyDecorator('repository.read', 'repository.write',
+                @HasRepoPermissionLevelDecorator('read')
-                                               'repository.admin')
                 def index(self, repo_name, revision=None, f_path=None):
                     # Fix URL after page size form submission via GET
                     # TODO: Somehow just don't send this extra junk in the GET URL
                     return render('changelog/changelog.html')
                 @LoginRequired()
-                @HasRepoPermissionAnyDecorator('repository.read', 'repository.write',
+                @HasRepoPermissionLevelDecorator('read')
-                                               'repository.admin')
                 def changelog_details(self, cs):
                     if request.environ.get('HTTP_X_PARTIAL_XHR'):
                         c.cs = c.db_repo_scm_instance.get_changeset(cs)
                     raise HTTPNotFound()
                 @LoginRequired()
-                @HasRepoPermissionAnyDecorator('repository.read', 'repository.write',
+                @HasRepoPermissionLevelDecorator('read')
-                                               'repository.admin')
                 def changelog_summary(self, repo_name):
                     if request.environ.get('HTTP_X_PARTIAL_XHR'):
                         _load_changelog_summary()

kallithea/controllers/changeset.py

0 +11 -20

             from kallithea.lib.compat import json
             import kallithea.lib.helpers as h
-            from kallithea.lib.auth import LoginRequired, HasRepoPermissionAnyDecorator, \
+            from kallithea.lib.auth import LoginRequired, HasRepoPermissionLevelDecorator, \
                 NotAnonymous
             from kallithea.lib.base import BaseRepoController, render, jsonify
             from kallithea.lib.utils import action_logger
                             return render('changeset/changeset_range.html')
                 @LoginRequired()
-                @HasRepoPermissionAnyDecorator('repository.read', 'repository.write',
+                @HasRepoPermissionLevelDecorator('read')
-                                               'repository.admin')
                 def index(self, revision, method='show'):
                     return self._index(revision, method=method)
                 @LoginRequired()
-                @HasRepoPermissionAnyDecorator('repository.read', 'repository.write',
+                @HasRepoPermissionLevelDecorator('read')
-                                               'repository.admin')
                 def changeset_raw(self, revision):
                     return self._index(revision, method='raw')
                 @LoginRequired()
-                @HasRepoPermissionAnyDecorator('repository.read', 'repository.write',
+                @HasRepoPermissionLevelDecorator('read')
-                                               'repository.admin')
                 def changeset_patch(self, revision):
                     return self._index(revision, method='patch')
                 @LoginRequired()
-                @HasRepoPermissionAnyDecorator('repository.read', 'repository.write',
+                @HasRepoPermissionLevelDecorator('read')
-                                               'repository.admin')
                 def changeset_download(self, revision):
                     return self._index(revision, method='download')
                 @LoginRequired()
                 @NotAnonymous()
-                @HasRepoPermissionAnyDecorator('repository.read', 'repository.write',
+                @HasRepoPermissionLevelDecorator('read')
-                                               'repository.admin')
                 @jsonify
                 def comment(self, repo_name, revision):
                     assert request.environ.get('HTTP_X_PARTIAL_XHR')
                 @LoginRequired()
                 @NotAnonymous()
-                @HasRepoPermissionAnyDecorator('repository.read', 'repository.write',
+                @HasRepoPermissionLevelDecorator('read')
-                                               'repository.admin')
                 @jsonify
                 def delete_comment(self, repo_name, comment_id):
                     co = ChangesetComment.get_or_404(comment_id)
                     if co.repo.repo_name != repo_name:
                         raise HTTPNotFound()
                     owner = co.author_id == request.authuser.user_id
-                    repo_admin = h.HasRepoPermissionAny('repository.admin')(repo_name)
+                    repo_admin = h.HasRepoPermissionLevel('admin')(repo_name)
                     if h.HasPermissionAny('hg.admin')() or repo_admin or owner:
                         ChangesetCommentsModel().delete(comment=co)
                         Session().commit()
                         raise HTTPForbidden()
                 @LoginRequired()
-                @HasRepoPermissionAnyDecorator('repository.read', 'repository.write',
+                @HasRepoPermissionLevelDecorator('read')
-                                               'repository.admin')
                 @jsonify
                 def changeset_info(self, repo_name, revision):
                     if request.is_xhr:
                         raise HTTPBadRequest()
                 @LoginRequired()
-                @HasRepoPermissionAnyDecorator('repository.read', 'repository.write',
+                @HasRepoPermissionLevelDecorator('read')
-                                               'repository.admin')
                 @jsonify
                 def changeset_children(self, repo_name, revision):
                     if request.is_xhr:
                         raise HTTPBadRequest()
                 @LoginRequired()
-                @HasRepoPermissionAnyDecorator('repository.read', 'repository.write',
+                @HasRepoPermissionLevelDecorator('read')
-                                               'repository.admin')
                 @jsonify
                 def changeset_parents(self, repo_name, revision):
                     if request.is_xhr:

kallithea/controllers/compare.py

0 +3 -5

             from kallithea.lib.vcs.utils.hgcompat import unionrepo
             from kallithea.lib import helpers as h
             from kallithea.lib.base import BaseRepoController, render
-            from kallithea.lib.auth import LoginRequired, HasRepoPermissionAnyDecorator
+            from kallithea.lib.auth import LoginRequired, HasRepoPermissionLevelDecorator
             from kallithea.lib import diffs
             from kallithea.model.db import Repository
             from kallithea.lib.diffs import LimitedDiffContainer
                     return other_changesets, org_changesets, ancestors
                 @LoginRequired()
-                @HasRepoPermissionAnyDecorator('repository.read', 'repository.write',
+                @HasRepoPermissionLevelDecorator('read')
-                                               'repository.admin')
                 def index(self, repo_name):
                     c.compare_home = True
                     c.a_ref_name = c.cs_ref_name = _('Select changeset')
                     return render('compare/compare_diff.html')
                 @LoginRequired()
-                @HasRepoPermissionAnyDecorator('repository.read', 'repository.write',
+                @HasRepoPermissionLevelDecorator('read')
-                                               'repository.admin')
                 def compare(self, repo_name, org_ref_type, org_ref_name, other_ref_type, other_ref_name):
                     org_ref_name = org_ref_name.strip()
                     other_ref_name = other_ref_name.strip()

kallithea/controllers/feed.py

0 +2 -3

             from kallithea import CONFIG
             from kallithea.lib import helpers as h
-            from kallithea.lib.auth import LoginRequired, HasRepoPermissionAnyDecorator
+            from kallithea.lib.auth import LoginRequired, HasRepoPermissionLevelDecorator
             from kallithea.lib.base import BaseRepoController
             from kallithea.lib.diffs import DiffProcessor, LimitedDiffContainer
             from kallithea.model.db import CacheInvalidation
             class FeedController(BaseRepoController):
                 @LoginRequired(api_access=True)
-                @HasRepoPermissionAnyDecorator('repository.read', 'repository.write',
+                @HasRepoPermissionLevelDecorator('read')
-                                               'repository.admin')
                 def __before__(self):
                     super(FeedController, self).__before__()

kallithea/controllers/files.py

0 +13 -22

             from kallithea.lib.compat import OrderedDict
             from kallithea.lib.utils2 import convert_line_endings, detect_mode, safe_str, \
                 str2bool, safe_int
-            from kallithea.lib.auth import LoginRequired, HasRepoPermissionAnyDecorator
+            from kallithea.lib.auth import LoginRequired, HasRepoPermissionLevelDecorator
             from kallithea.lib.base import BaseRepoController, render, jsonify
             from kallithea.lib.vcs.backends.base import EmptyChangeset
             from kallithea.lib.vcs.conf import settings
                     return file_node
                 @LoginRequired()
-                @HasRepoPermissionAnyDecorator('repository.read', 'repository.write',
+                @HasRepoPermissionLevelDecorator('read')
-                                               'repository.admin')
                 def index(self, repo_name, revision, f_path, annotate=False):
                     # redirect to given revision from form if given
                     post_revision = request.POST.get('at_rev', None)
                     return render('files/files.html')
                 @LoginRequired()
-                @HasRepoPermissionAnyDecorator('repository.read', 'repository.write',
+                @HasRepoPermissionLevelDecorator('read')
-                                               'repository.admin')
                 @jsonify
                 def history(self, repo_name, revision, f_path):
                     changeset = self.__get_cs(revision)
                         return data
                 @LoginRequired()
-                @HasRepoPermissionAnyDecorator('repository.read', 'repository.write',
+                @HasRepoPermissionLevelDecorator('read')
-                                               'repository.admin')
                 def authors(self, repo_name, revision, f_path):
                     changeset = self.__get_cs(revision)
                     _file = changeset.get_node(f_path)
                         return render('files/files_history_box.html')
                 @LoginRequired()
-                @HasRepoPermissionAnyDecorator('repository.read', 'repository.write',
+                @HasRepoPermissionLevelDecorator('read')
-                                               'repository.admin')
                 def rawfile(self, repo_name, revision, f_path):
                     cs = self.__get_cs(revision)
                     file_node = self.__get_filenode(cs, f_path)
                     return file_node.content
                 @LoginRequired()
-                @HasRepoPermissionAnyDecorator('repository.read', 'repository.write',
+                @HasRepoPermissionLevelDecorator('read')
-                                               'repository.admin')
                 def raw(self, repo_name, revision, f_path):
                     cs = self.__get_cs(revision)
                     file_node = self.__get_filenode(cs, f_path)
                     return file_node.content
                 @LoginRequired()
-                @HasRepoPermissionAnyDecorator('repository.write', 'repository.admin')
+                @HasRepoPermissionLevelDecorator('write')
                 def delete(self, repo_name, revision, f_path):
                     repo = c.db_repo
                     if repo.enable_locking and repo.locked[0]:
                     return render('files/files_delete.html')
                 @LoginRequired()
-                @HasRepoPermissionAnyDecorator('repository.write', 'repository.admin')
+                @HasRepoPermissionLevelDecorator('write')
                 def edit(self, repo_name, revision, f_path):
                     repo = c.db_repo
                     if repo.enable_locking and repo.locked[0]:
                     return render('files/files_edit.html')
                 @LoginRequired()
-                @HasRepoPermissionAnyDecorator('repository.write', 'repository.admin')
+                @HasRepoPermissionLevelDecorator('write')
                 def add(self, repo_name, revision, f_path):
                     repo = c.db_repo
                     return render('files/files_add.html')
                 @LoginRequired()
-                @HasRepoPermissionAnyDecorator('repository.read', 'repository.write',
+                @HasRepoPermissionLevelDecorator('read')
-                                               'repository.admin')
                 def archivefile(self, repo_name, fname):
                     fileformat = None
                     revision = None
                     return get_chunked_archive(archive_path)
                 @LoginRequired()
-                @HasRepoPermissionAnyDecorator('repository.read', 'repository.write',
+                @HasRepoPermissionLevelDecorator('read')
-                                               'repository.admin')
                 def diff(self, repo_name, f_path):
                     ignore_whitespace = request.GET.get('ignorews') == '1'
                     line_context = safe_int(request.GET.get('context'), 3)
                         return render('files/file_diff.html')
                 @LoginRequired()
-                @HasRepoPermissionAnyDecorator('repository.read', 'repository.write',
+                @HasRepoPermissionLevelDecorator('read')
-                                               'repository.admin')
                 def diff_2way(self, repo_name, f_path):
                     diff1 = request.GET.get('diff1', '')
                     diff2 = request.GET.get('diff2', '')
                     return hist_l, changesets
                 @LoginRequired()
-                @HasRepoPermissionAnyDecorator('repository.read', 'repository.write',
+                @HasRepoPermissionLevelDecorator('read')
-                                               'repository.admin')
                 @jsonify
                 def nodelist(self, repo_name, revision, f_path):
                     if request.environ.get('HTTP_X_PARTIAL_XHR'):

kallithea/controllers/followers.py

0 +2 -3

             from pylons import tmpl_context as c, request
-            from kallithea.lib.auth import LoginRequired, HasRepoPermissionAnyDecorator
+            from kallithea.lib.auth import LoginRequired, HasRepoPermissionLevelDecorator
             from kallithea.lib.base import BaseRepoController, render
             from kallithea.lib.page import Page
             from kallithea.lib.utils2 import safe_int
                     super(FollowersController, self).__before__()
                 @LoginRequired()
-                @HasRepoPermissionAnyDecorator('repository.read', 'repository.write',
+                @HasRepoPermissionLevelDecorator('read')
-                                               'repository.admin')
                 def followers(self, repo_name):
                     p = safe_int(request.GET.get('page'), 1)
                     repo_id = c.db_repo.repo_id

kallithea/controllers/forks.py

0 +6 -11

             import kallithea.lib.helpers as h
             from kallithea.config.routing import url
-            from kallithea.lib.auth import LoginRequired, HasRepoPermissionAnyDecorator, \
+            from kallithea.lib.auth import LoginRequired, HasRepoPermissionLevelDecorator, \
-                NotAnonymous, HasRepoPermissionAny, HasPermissionAnyDecorator, HasPermissionAny
+                NotAnonymous, HasRepoPermissionLevel, HasPermissionAnyDecorator, HasPermissionAny
             from kallithea.lib.base import BaseRepoController, render
             from kallithea.lib.page import Page
             from kallithea.lib.utils2 import safe_int
                     return defaults
                 @LoginRequired()
-                @HasRepoPermissionAnyDecorator('repository.read', 'repository.write',
+                @HasRepoPermissionLevelDecorator('read')
-                                               'repository.admin')
                 def forks(self, repo_name):
                     p = safe_int(request.GET.get('page'), 1)
                     repo_id = c.db_repo.repo_id
                     d = []
                     for r in Repository.get_repo_forks(repo_id):
-                        if not HasRepoPermissionAny(
+                        if not HasRepoPermissionLevel('read')(r.repo_name, 'get forks check'):
-                            'repository.read', 'repository.write', 'repository.admin'
-                        )(r.repo_name, 'get forks check'):
                             continue
                         d.append(r)
                     c.forks_pager = Page(d, page=p, items_per_page=20)
                 @LoginRequired()
                 @NotAnonymous()
                 @HasPermissionAnyDecorator('hg.admin', 'hg.fork.repository')
-                @HasRepoPermissionAnyDecorator('repository.read', 'repository.write',
+                @HasRepoPermissionLevelDecorator('read')
-                                               'repository.admin')
                 def fork(self, repo_name):
                     c.repo_info = Repository.get_by_repo_name(repo_name)
                     if not c.repo_info:
                 @LoginRequired()
                 @NotAnonymous()
                 @HasPermissionAnyDecorator('hg.admin', 'hg.fork.repository')
-                @HasRepoPermissionAnyDecorator('repository.read', 'repository.write',
+                @HasRepoPermissionLevelDecorator('read')
-                                               'repository.admin')
                 def fork_create(self, repo_name):
                     self.__load_defaults()
                     c.repo_info = Repository.get_by_repo_name(repo_name)

kallithea/controllers/home.py

0 +2 -3

             from kallithea.lib.utils import conditional_cache
             from kallithea.lib.compat import json
-            from kallithea.lib.auth import LoginRequired, HasRepoPermissionAnyDecorator
+            from kallithea.lib.auth import LoginRequired, HasRepoPermissionLevelDecorator
             from kallithea.lib.base import BaseController, render, jsonify
             from kallithea.model.db import Repository, RepoGroup
             from kallithea.model.repo import RepoModel
                         raise HTTPBadRequest()
                 @LoginRequired()
-                @HasRepoPermissionAnyDecorator('repository.read', 'repository.write',
+                @HasRepoPermissionLevelDecorator('read')
-                                               'repository.admin')
                 @jsonify
                 def repo_refs_data(self, repo_name):
                     repo = Repository.get_by_repo_name(repo_name).scm_instance

kallithea/controllers/pullrequests.py

0 +14 -23

             from kallithea.config.routing import url
             from kallithea.lib import helpers as h
             from kallithea.lib import diffs
-            from kallithea.lib.auth import LoginRequired, HasRepoPermissionAnyDecorator, \
+            from kallithea.lib.auth import LoginRequired, HasRepoPermissionLevelDecorator, \
                 NotAnonymous
             from kallithea.lib.base import BaseRepoController, render, jsonify
             from kallithea.lib.compat import json, OrderedDict
                     return request.authuser.admin or owner or reviewer
                 @LoginRequired()
-                @HasRepoPermissionAnyDecorator('repository.read', 'repository.write',
+                @HasRepoPermissionLevelDecorator('read')
-                                               'repository.admin')
                 def show_all(self, repo_name):
                     c.from_ = request.GET.get('from_') or ''
                     c.closed = request.GET.get('closed') or ''
                 @LoginRequired()
                 @NotAnonymous()
-                @HasRepoPermissionAnyDecorator('repository.read', 'repository.write',
+                @HasRepoPermissionLevelDecorator('read')
-                                               'repository.admin')
                 def index(self):
                     org_repo = c.db_repo
                     org_scm_instance = org_repo.scm_instance
                 @LoginRequired()
                 @NotAnonymous()
-                @HasRepoPermissionAnyDecorator('repository.read', 'repository.write',
+                @HasRepoPermissionLevelDecorator('read')
-                                               'repository.admin')
                 @jsonify
                 def repo_info(self, repo_name):
                     repo = c.db_repo
                 @LoginRequired()
                 @NotAnonymous()
-                @HasRepoPermissionAnyDecorator('repository.read', 'repository.write',
+                @HasRepoPermissionLevelDecorator('read')
-                                               'repository.admin')
                 def create(self, repo_name):
                     repo = c.db_repo
                     try:
                 # pullrequest_post for PR editing
                 @LoginRequired()
                 @NotAnonymous()
-                @HasRepoPermissionAnyDecorator('repository.read', 'repository.write',
+                @HasRepoPermissionLevelDecorator('read')
-                                               'repository.admin')
                 def post(self, repo_name, pull_request_id):
                     pull_request = PullRequest.get_or_404(pull_request_id)
                     if pull_request.is_closed():
                     assert pull_request.other_repo.repo_name == repo_name
                     #only owner or admin can update it
                     owner = pull_request.owner_id == request.authuser.user_id
-                    repo_admin = h.HasRepoPermissionAny('repository.admin')(c.repo_name)
+                    repo_admin = h.HasRepoPermissionLevel('admin')(c.repo_name)
                     if not (h.HasPermissionAny('hg.admin')() or repo_admin or owner):
                         raise HTTPForbidden()
                 @LoginRequired()
                 @NotAnonymous()
-                @HasRepoPermissionAnyDecorator('repository.read', 'repository.write',
+                @HasRepoPermissionLevelDecorator('read')
-                                               'repository.admin')
                 @jsonify
                 def delete(self, repo_name, pull_request_id):
                     pull_request = PullRequest.get_or_404(pull_request_id)
                     raise HTTPForbidden()
                 @LoginRequired()
-                @HasRepoPermissionAnyDecorator('repository.read', 'repository.write',
+                @HasRepoPermissionLevelDecorator('read')
-                                               'repository.admin')
                 def show(self, repo_name, pull_request_id, extra=None):
                     repo_model = RepoModel()
                     c.users_array = repo_model.get_users_js()
                 @LoginRequired()
                 @NotAnonymous()
-                @HasRepoPermissionAnyDecorator('repository.read', 'repository.write',
+                @HasRepoPermissionLevelDecorator('read')
-                                               'repository.admin')
                 @jsonify
                 def comment(self, repo_name, pull_request_id):
                     pull_request = PullRequest.get_or_404(pull_request_id)
                     if delete == "delete":
                         if (pull_request.owner_id == request.authuser.user_id or
                             h.HasPermissionAny('hg.admin')() or
-                            h.HasRepoPermissionAny('repository.admin')(pull_request.org_repo.repo_name) or
+                            h.HasRepoPermissionLevel('admin')(pull_request.org_repo.repo_name) or
-                            h.HasRepoPermissionAny('repository.admin')(pull_request.other_repo.repo_name)
+                            h.HasRepoPermissionLevel('admin')(pull_request.other_repo.repo_name)
                             ) and not pull_request.is_closed():
                             PullRequestModel().delete(pull_request)
                             Session().commit()
                 @LoginRequired()
                 @NotAnonymous()
-                @HasRepoPermissionAnyDecorator('repository.read', 'repository.write',
+                @HasRepoPermissionLevelDecorator('read')
-                                               'repository.admin')
                 @jsonify
                 def delete_comment(self, repo_name, comment_id):
                     co = ChangesetComment.get(comment_id)
                         raise HTTPForbidden()
                     owner = co.author_id == request.authuser.user_id
-                    repo_admin = h.HasRepoPermissionAny('repository.admin')(c.repo_name)
+                    repo_admin = h.HasRepoPermissionLevel('admin')(c.repo_name)
                     if h.HasPermissionAny('hg.admin')() or repo_admin or owner:
                         ChangesetCommentsModel().delete(comment=co)
                         Session().commit()

kallithea/controllers/summary.py

0 +4 -7

             from kallithea.config.conf import ALL_READMES, ALL_EXTS, LANGUAGES_EXTENSIONS_MAP
             from kallithea.model.db import Statistics, CacheInvalidation, User
             from kallithea.lib.utils2 import safe_str
-            from kallithea.lib.auth import LoginRequired, HasRepoPermissionAnyDecorator, \
+            from kallithea.lib.auth import LoginRequired, HasRepoPermissionLevelDecorator, \
                 NotAnonymous
             from kallithea.lib.base import BaseRepoController, render, jsonify
             from kallithea.lib.vcs.backends.base import EmptyChangeset
                     return _get_readme_from_cache(repo_name, kind)
                 @LoginRequired()
-                @HasRepoPermissionAnyDecorator('repository.read', 'repository.write',
+                @HasRepoPermissionLevelDecorator('read')
-                                               'repository.admin')
                 def index(self, repo_name):
                     _load_changelog_summary()
                 @LoginRequired()
                 @NotAnonymous()
-                @HasRepoPermissionAnyDecorator('repository.read', 'repository.write',
+                @HasRepoPermissionLevelDecorator('read')
-                                               'repository.admin')
                 @jsonify
                 def repo_size(self, repo_name):
                     if request.is_xhr:
                         raise HTTPBadRequest()
                 @LoginRequired()
-                @HasRepoPermissionAnyDecorator('repository.read', 'repository.write',
+                @HasRepoPermissionLevelDecorator('read')
-                                               'repository.admin')
                 def statistics(self, repo_name):
                     if c.db_repo.enable_statistics:
                         c.show_stats = True

kallithea/lib/auth.py

0 +19 -15

                 def permissions(self):
                     return self.__get_perms(user=self, cache=False)
+                def has_repository_permission_level(self, repo_name, level, purpose=None):
+                    required_perms = {
+                        'read': ['repository.read', 'repository.write', 'repository.admin'],
+                        'write': ['repository.write', 'repository.admin'],
+                        'admin': ['repository.admin'],
+                    }[level]
+                    actual_perm = self.permissions['repositories'].get(repo_name)
+                    ok = actual_perm in required_perms
+                    log.debug('Checking if user %r can %r repo %r (%s): %s (has %r)',
+                        self.username, level, repo_name, purpose, ok, actual_perm)
+                    return ok
                 @property
                 def api_keys(self):
                     return self._get_api_keys()
                     return any(p in global_permissions for p in self.required_perms)
-            class HasRepoPermissionAnyDecorator(_PermsDecorator):
+            class HasRepoPermissionLevelDecorator(_PermsDecorator):
                 """
-                Checks the user has any of given permissions for the requested repository.
+                Checks the user has at least the specified permission level for the requested repository.
                 """
                 def check_permissions(self, user):
                     repo_name = get_repo_slug(request)
-                    try:
+                    (level,) = self.required_perms
-                        return user.permissions['repositories'][repo_name] in self.required_perms
+                    return user.has_repository_permission_level(repo_name, level)
-                    except KeyError:
-                        return False
             class HasRepoGroupPermissionAnyDecorator(_PermsDecorator):
                     return ok
-            class HasRepoPermissionAny(_PermsFunction):
+            class HasRepoPermissionLevel(_PermsFunction):
                 def __call__(self, repo_name, purpose=None):
-                    try:
+                    (level,) = self.required_perms
-                        ok = request.user.permissions['repositories'][repo_name] in self.required_perms
+                    return request.user.has_repository_permission_level(repo_name, level, purpose)
-                    except KeyError:
-                        ok = False
-                    log.debug('Check %s for %s for repo %s (%s): %s' %
-                        (request.user.username, self.required_perms, repo_name, purpose, ok))
-                    return ok
             class HasRepoGroupPermissionAny(_PermsFunction):

kallithea/lib/helpers.py

0 +1 -1

             # PERMS
             #==============================================================================
             from kallithea.lib.auth import HasPermissionAny, \
-                HasRepoPermissionAny, HasRepoGroupPermissionAny
+                HasRepoPermissionLevel, HasRepoGroupPermissionAny
             #==============================================================================

kallithea/model/repo.py

0 +2 -5

                 Statistics, UserGroup, Ui, RepoGroup, RepositoryField
             from kallithea.lib import helpers as h
-            from kallithea.lib.auth import HasRepoPermissionAny, HasUserGroupPermissionAny
+            from kallithea.lib.auth import HasRepoPermissionLevel, HasUserGroupPermissionAny
             from kallithea.lib.exceptions import AttachedForksError
             from kallithea.model.scm import UserGroupList
                     for repo in repos_list:
                         if perm_check:
                             # check permission at this level
-                            if not HasRepoPermissionAny(
+                            if not HasRepoPermissionLevel('read')(repo.repo_name, 'get_repos_as_dict check'):
-                                    'repository.read', 'repository.write',
-                                    'repository.admin'
-                            )(repo.repo_name, 'get_repos_as_dict check'):
                                 continue
                         cs_cache = repo.changeset_cache
                         row = {

kallithea/model/scm.py

0 +5 -8

             from kallithea.lib import helpers as h
             from kallithea.lib.utils2 import safe_str, safe_unicode, get_server_url, \
                 _set_extras
-            from kallithea.lib.auth import HasRepoPermissionAny, HasRepoGroupPermissionAny, \
+            from kallithea.lib.auth import HasRepoPermissionLevel, HasRepoGroupPermissionAny, \
                 HasUserGroupPermissionAny, HasPermissionAny, HasPermissionAny
             from kallithea.lib.utils import get_filesystem_repos, make_ui, \
                 action_logger
             class RepoList(_PermCheckIterator):
-                def __init__(self, db_repo_list, perm_set=None, extra_kwargs=None):
+                def __init__(self, db_repo_list, perm_level, extra_kwargs=None):
-                    if not perm_set:
-                        perm_set = ['repository.read', 'repository.write', 'repository.admin']
                     super(RepoList, self).__init__(obj_list=db_repo_list,
-                                obj_attr='repo_name', perm_set=perm_set,
+                                obj_attr='repo_name', perm_set=[perm_level],
-                                perm_checker=HasRepoPermissionAny,
+                                perm_checker=HasRepoPermissionLevel,
                                 extra_kwargs=extra_kwargs)
                 def get_repos(self, repos):
                     """Return the repos the user has access to"""
-                    return RepoList(repos)
+                    return RepoList(repos, perm_level='read')
                 def get_repo_groups(self, groups=None):
                     """Return the repo groups the user has access to

kallithea/templates/base/base.html

0 +3 -3

                       <input id="branch_switcher" name="branch_switcher" type="hidden">
                     </li>
                     <li class="${'active' if current == 'options' else ''} dropdown" data-context="options">
-                         %if h.HasRepoPermissionAny('repository.admin')(c.repo_name):
+                         %if h.HasRepoPermissionLevel('admin')(c.repo_name):
                            <a href="${h.url('edit_repo',repo_name=c.repo_name)}" class="dropdown-toggle" data-toggle="dropdown" role="button" aria-expanded="false" aria-haspopup="true"><i class="icon-wrench"></i> ${_('Options')} <i class="caret"></i></a>
                          %else:
                            <a href="#" class="dropdown-toggle" data-toggle="dropdown" role="button" aria-expanded="false" aria-haspopup="true"><i class="icon-wrench"></i> ${_('Options')} <i class="caret"></i></a>
                          %endif
                       <ul class="dropdown-menu" role="menu" aria-hidden="true">
-                         %if h.HasRepoPermissionAny('repository.admin')(c.repo_name):
+                         %if h.HasRepoPermissionLevel('admin')(c.repo_name):
                                <li><a href="${h.url('edit_repo',repo_name=c.repo_name)}"><i class="icon-gear"></i> ${_('Settings')}</a></li>
                          %endif
                           %if c.db_repo.fork:
                           <li><a href="${h.url('search_repo',repo_name=c.repo_name)}"><i class="icon-search"></i> ${_('Search')}</a></li>
-                          %if h.HasRepoPermissionAny('repository.write','repository.admin')(c.repo_name) and c.db_repo.enable_locking:
+                          %if h.HasRepoPermissionLevel('write')(c.repo_name) and c.db_repo.enable_locking:
                             %if c.db_repo.locked[0]:
                               <li><a href="${h.url('toggle_locking', repo_name=c.repo_name)}"><i class="icon-lock"></i> ${_('Unlock')}</a></li>
                             %else:

kallithea/templates/changelog/changelog_summary_data.html

0 +1 -1

             </ul>
             %else:
-            %if h.HasRepoPermissionAny('repository.write','repository.admin')(c.repo_name):
+            %if h.HasRepoPermissionLevel('write')(c.repo_name):
             <h4>${_('Add or upload files directly via Kallithea')}</h4>
             <div style="margin: 20px 30px;">
               <div id="add_node_id" class="add_node">

kallithea/templates/changeset/changeset_file_comment.html

0 +2 -2

                           <a class="permalink" href="${co.url()}">&para;</a>
                       </span>
-                      %if co.author_id == request.authuser.user_id or h.HasRepoPermissionAny('repository.admin')(c.repo_name):
+                      %if co.author_id == request.authuser.user_id or h.HasRepoPermissionLevel('admin')(c.repo_name):
                         %if co.deletable():
                           <div onClick="confirm('${_('Delete comment?')}') && deleteComment(${co.comment_id})" class="buttons delete-comment btn btn-default btn-xs" style="margin:0 5px">${_('Delete')}</div>
                         %endif
                             %endfor
                             %if c.pull_request is not None and ( \
-                                h.HasPermissionAny('hg.admin')() or h.HasRepoPermissionAny('repository.admin')(c.repo_name) \
+                                h.HasPermissionAny('hg.admin')() or h.HasRepoPermissionLevel('admin')(c.repo_name) \
                                 or c.pull_request.owner_id == request.authuser.user_id):
                             <div>
                               ${_('Finish pull request')}:

kallithea/templates/files/files_edit.html

0 +1 -1

                                   ${h.link_to(_('Show Annotation'),h.url('files_annotate_home',repo_name=c.repo_name,revision=c.cs.raw_id,f_path=c.f_path),class_="btn btn-default btn-xs")}
                                   ${h.link_to(_('Show as Raw'),h.url('files_raw_home',repo_name=c.repo_name,revision=c.cs.raw_id,f_path=c.f_path),class_="btn btn-default btn-xs")}
                                   ${h.link_to(_('Download as Raw'),h.url('files_rawfile_home',repo_name=c.repo_name,revision=c.cs.raw_id,f_path=c.f_path),class_="btn btn-default btn-xs")}
-                                  % if h.HasRepoPermissionAny('repository.write','repository.admin')(c.repo_name):
+                                  % if h.HasRepoPermissionLevel('write')(c.repo_name):
                                    % if not c.file.is_binary:
                                     ${h.link_to(_('Source'),h.url('files_home',repo_name=c.repo_name,revision=c.cs.raw_id,f_path=c.f_path),class_="btn btn-default btn-xs")}
                                    % endif

kallithea/templates/files/files_source.html

0 +1 -1

                           %endif
                           ${h.link_to(_('Show as Raw'),h.url('files_raw_home',repo_name=c.repo_name,revision=c.changeset.raw_id,f_path=c.f_path),class_="btn btn-default btn-xs")}
                           ${h.link_to(_('Download as Raw'),h.url('files_rawfile_home',repo_name=c.repo_name,revision=c.changeset.raw_id,f_path=c.f_path),class_="btn btn-default btn-xs")}
-                          %if h.HasRepoPermissionAny('repository.write','repository.admin')(c.repo_name):
+                          %if h.HasRepoPermissionLevel('write')(c.repo_name):
                            %if c.on_branch_head and not c.file.is_binary:
                             ${h.link_to(_('Edit on Branch: %s') % c.changeset.branch, h.url('files_edit_home',repo_name=c.repo_name,revision=c.changeset.raw_id,f_path=c.f_path, anchor='edit'),class_="btn btn-default btn-xs")}
                             ${h.link_to(_('Delete'), h.url('files_delete_home',repo_name=c.repo_name,revision=c.changeset.raw_id,f_path=c.f_path, anchor='edit'),class_="btn btn-danger btn-xs")}

kallithea/templates/files/files_ypjax.html

0 +1 -1

                     - ${_('annotation')}
                     %endif
                     %if c.file.is_dir():
-                      % if h.HasRepoPermissionAny('repository.write','repository.admin')(c.repo_name):
+                      % if h.HasRepoPermissionLevel('write')(c.repo_name):
                          / <span title="${_('Add New File')}">
                            <a href="${h.url('files_add_home',repo_name=c.repo_name,revision=c.changeset.raw_id,f_path=c.f_path, anchor='edit')}">
                                <i class="icon-plus-circled" style="color:#5bb75b; font-size: 16px"></i></a>

kallithea/templates/pullrequests/pullrequest_show.html

0 +1 -1

             </%block>
             <%def name="main()">
-            <% editable = not c.pull_request.is_closed() and (h.HasPermissionAny('hg.admin')() or h.HasRepoPermissionAny('repository.admin')(c.repo_name) or c.pull_request.owner_id == request.authuser.user_id) %>
+            <% editable = not c.pull_request.is_closed() and (h.HasPermissionAny('hg.admin')() or h.HasRepoPermissionLevel('admin')(c.repo_name) or c.pull_request.owner_id == request.authuser.user_id) %>
             ${self.repo_context_bar('showpullrequest')}
             <div class="panel panel-primary">
               <div class="panel-heading clearfix">

kallithea/templates/search/search_commit.html

0 +1 -1

             ##commit highlighting
             %for cnt,sr in enumerate(c.formated_results):
-                %if h.HasRepoPermissionAny('repository.write','repository.read','repository.admin')(sr['repository'],'search results check'):
+                %if h.HasRepoPermissionLevel('read')(sr['repository'],'search results check'):
                     <div id="body${cnt}" class="codeblock">
                         <div class="code-header">
                             <div class="search-path">${h.link_to(h.literal('%s &raquo; %s' % (sr['repository'],sr['raw_id'])),

kallithea/templates/search/search_content.html

0 +1 -1

             ##content highlighting
             %for cnt,sr in enumerate(c.formated_results):
-                %if h.HasRepoPermissionAny('repository.write','repository.read','repository.admin')(sr['repository'],'search results check'):
+                %if h.HasRepoPermissionLevel('read')(sr['repository'],'search results check'):
                     <div id="body${cnt}" class="codeblock">
                         <div class="code-header">
                             <div class="search-path">${h.link_to(h.literal('%s &raquo; %s' % (sr['repository'],sr['f_path'])),

kallithea/templates/search/search_path.html

0 +1 -1

             ##path search
             %for cnt,sr in enumerate(c.formated_results):
-                %if h.HasRepoPermissionAny('repository.write','repository.read','repository.admin')(sr['repository'],'search results check'):
+                %if h.HasRepoPermissionLevel('read')(sr['repository'],'search results check'):
                     <div class="panel panel-default">
                         <div class="panel-heading">
                             ${h.link_to(h.literal('%s &raquo; %s' % (sr['repository'],sr['f_path'])),

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages