##// END OF EJS Templates
upstream » kallithea
RSS

Clone from https://kallithea-scm.org/repos/kallithea

fixed default permissions population during upgrades...
marcink -
r3733:af049a95 beta
parent child Browse files
Show More
Show file before | Show file after | Hide comments
@@ -44,6 +44,7 b' from rhodecode.model.repos_group import '
44 #from rhodecode.model import meta
44 #from rhodecode.model import meta
45 from rhodecode.model.meta import Session, Base
45 from rhodecode.model.meta import Session, Base
46 from rhodecode.model.repo import RepoModel
46 from rhodecode.model.repo import RepoModel
47 from rhodecode.model.permission import PermissionModel
47
48
48
49
49 log = logging.getLogger(__name__)
50 log = logging.getLogger(__name__)
@@ -550,7 +551,7 b' class DbManage(object):'
550 u2p = UserToPerm.query()\
551 u2p = UserToPerm.query()\
551 .filter(UserToPerm.user == default_user).all()
552 .filter(UserToPerm.user == default_user).all()
552 fixed = False
553 fixed = False
553 if len(u2p) != len(User.DEFAULT_PERMISSIONS):
554 if len(u2p) != len(Permission.DEFAULT_USER_PERMISSIONS):
554 for p in u2p:
555 for p in u2p:
555 Session().delete(p)
556 Session().delete(p)
556 fixed = True
557 fixed = True
@@ -682,6 +683,9 b' class DbManage(object):'
682 firstname='Anonymous', lastname='User')
683 firstname='Anonymous', lastname='User')
683
684
684 def create_permissions(self):
685 def create_permissions(self):
686 """
687 Creates all permissions defined in the system
688 """
685 # module.(access|create|change|delete)_[name]
689 # module.(access|create|change|delete)_[name]
686 # module.(none|read|write|admin)
690 # module.(none|read|write|admin)
687
691
@@ -693,27 +697,12 b' class DbManage(object):'
693 self.sa.add(new_perm)
697 self.sa.add(new_perm)
694
698
695 def populate_default_permissions(self):
699 def populate_default_permissions(self):
700 """
701 Populate default permissions. It will create only the default
702 permissions that are missing, and not alter already defined ones
703 """
696 log.info('creating default user permissions')
704 log.info('creating default user permissions')
697
705 PermissionModel(self.sa).create_default_permissions(user=User.DEFAULT_USER)
698 default_user = User.get_by_username('default')
699
700 for def_perm in User.DEFAULT_PERMISSIONS:
701
702 perm = self.sa.query(Permission)\
703 .filter(Permission.permission_name == def_perm)\
704 .scalar()
705 if not perm:
706 raise Exception(
707 'CRITICAL: permission %s not found inside database !!'
708 % def_perm
709 )
710 if not UserToPerm.query()\
711 .filter(UserToPerm.permission == perm)\
712 .filter(UserToPerm.user == default_user).scalar():
713 reg_perm = UserToPerm()
714 reg_perm.user = default_user
715 reg_perm.permission = perm
716 self.sa.add(reg_perm)
717
706
718 @staticmethod
707 @staticmethod
719 def check_waitress():
708 def check_waitress():
Show file before | Show file after | Hide comments
@@ -320,10 +320,7 b' class User(Base, BaseModel):'
320 'mysql_charset': 'utf8'}
320 'mysql_charset': 'utf8'}
321 )
321 )
322 DEFAULT_USER = 'default'
322 DEFAULT_USER = 'default'
323 DEFAULT_PERMISSIONS = [
323
324 'hg.register.manual_activate', 'hg.create.repository',
325 'hg.fork.repository', 'repository.read', 'group.read'
326 ]
327 user_id = Column("user_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
324 user_id = Column("user_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
328 username = Column("username", String(255, convert_unicode=False, assert_unicode=None), nullable=True, unique=None, default=None)
325 username = Column("username", String(255, convert_unicode=False, assert_unicode=None), nullable=True, unique=None, default=None)
329 password = Column("password", String(255, convert_unicode=False, assert_unicode=None), nullable=True, unique=None, default=None)
326 password = Column("password", String(255, convert_unicode=False, assert_unicode=None), nullable=True, unique=None, default=None)
@@ -502,6 +499,13 b' class User(Base, BaseModel):'
502 raise Exception('Missing administrative account!')
499 raise Exception('Missing administrative account!')
503 return user
500 return user
504
501
502 @classmethod
503 def get_default_user(cls, cache=False):
504 user = User.get_by_username(User.DEFAULT_USER, cache=cache)
505 if user is None:
506 raise Exception('Missing default account!')
507 return user
508
505 def get_api_data(self):
509 def get_api_data(self):
506 """
510 """
507 Common function for generating user related data for API
511 Common function for generating user related data for API
@@ -1405,6 +1409,8 b' class Permission(Base, BaseModel):'
1405 'mysql_charset': 'utf8'},
1409 'mysql_charset': 'utf8'},
1406 )
1410 )
1407 PERMS = [
1411 PERMS = [
1412 ('hg.admin', _('RhodeCode Administrator')),
1413
1408 ('repository.none', _('Repository no access')),
1414 ('repository.none', _('Repository no access')),
1409 ('repository.read', _('Repository read access')),
1415 ('repository.read', _('Repository read access')),
1410 ('repository.write', _('Repository write access')),
1416 ('repository.write', _('Repository write access')),
@@ -1420,11 +1426,12 b' class Permission(Base, BaseModel):'
1420 ('usergroup.write', _('User group write access')),
1426 ('usergroup.write', _('User group write access')),
1421 ('usergroup.admin', _('User group admin access')),
1427 ('usergroup.admin', _('User group admin access')),
1422
1428
1423 ('hg.admin', _('RhodeCode Administrator')),
1424 ('hg.create.none', _('Repository creation disabled')),
1429 ('hg.create.none', _('Repository creation disabled')),
1425 ('hg.create.repository', _('Repository creation enabled')),
1430 ('hg.create.repository', _('Repository creation enabled')),
1431
1426 ('hg.fork.none', _('Repository forking disabled')),
1432 ('hg.fork.none', _('Repository forking disabled')),
1427 ('hg.fork.repository', _('Repository forking enabled')),
1433 ('hg.fork.repository', _('Repository forking enabled')),
1434
1428 ('hg.register.none', _('Register disabled')),
1435 ('hg.register.none', _('Register disabled')),
1429 ('hg.register.manual_activate', _('Register new user with RhodeCode '
1436 ('hg.register.manual_activate', _('Register new user with RhodeCode '
1430 'with manual activation')),
1437 'with manual activation')),
@@ -1433,6 +1440,16 b' class Permission(Base, BaseModel):'
1433 'with auto activation')),
1440 'with auto activation')),
1434 ]
1441 ]
1435
1442
1443 #definition of system default permissions for DEFAULT user
1444 DEFAULT_USER_PERMISSIONS = [
1445 'repository.read',
1446 'group.read',
1447 'usergroup.read',
1448 'hg.create.repository',
1449 'hg.fork.repository',
1450 'hg.register.manual_activate',
1451 ]
1452
1436 # defines which permissions are more important higher the more important
1453 # defines which permissions are more important higher the more important
1437 PERM_WEIGHTS = {
1454 PERM_WEIGHTS = {
1438 'repository.none': 0,
1455 'repository.none': 0,
Show file before | Show file after | Hide comments
@@ -43,11 +43,49 b' class PermissionModel(BaseModel):'
43
43
44 cls = Permission
44 cls = Permission
45
45
46 def create_default_permissions(self, user):
47 """
48 Creates only missing default permissions for user
49
50 :param user:
51 """
52 user = self._get_user(user)
53
54 def _make_perm(perm):
55 new_perm = UserToPerm()
56 new_perm.user = user
57 new_perm.permission = Permission.get_by_key(perm)
58 return new_perm
59
60 def _get_group(perm_name):
61 return '.'.join(perm_name.split('.')[:1])
62
63 perms = UserToPerm.query().filter(UserToPerm.user == user).all()
64 defined_perms_groups = map(_get_group,
65 (x.permission.permission_name for x in perms))
66 log.debug('GOT ALREADY DEFINED:%s' % perms)
67 DEFAULT_PERMS = Permission.DEFAULT_USER_PERMISSIONS
68
69 # for every default permission that needs to be created, we check if
70 # it's group is already defined, if it's not we create default perm
71 for perm_name in DEFAULT_PERMS:
72 gr = _get_group(perm_name)
73 if gr not in defined_perms_groups:
74 log.debug('GR:%s not found, creating permission %s'
75 % (gr, perm_name))
76 new_perm = _make_perm(perm_name)
77 self.sa.add(new_perm)
78
46 def update(self, form_result):
79 def update(self, form_result):
47 perm_user = User.get_by_username(username=form_result['perm_user_name'])
80 perm_user = User.get_by_username(username=form_result['perm_user_name'])
48 u2p = self.sa.query(UserToPerm).filter(UserToPerm.user == perm_user).all()
49
81
50 try:
82 try:
83 # stage 1 set anonymous access
84 if perm_user.username == 'default':
85 perm_user.active = str2bool(form_result['anonymous'])
86 self.sa.add(perm_user)
87
88 # stage 2 reset defaults and set them from form data
51 def _make_new(usr, perm_name):
89 def _make_new(usr, perm_name):
52 new = UserToPerm()
90 new = UserToPerm()
53 new.user = usr
91 new.user = usr
@@ -56,6 +94,9 b' class PermissionModel(BaseModel):'
56 # clear current entries, to make this function idempotent
94 # clear current entries, to make this function idempotent
57 # it will fix even if we define more permissions or permissions
95 # it will fix even if we define more permissions or permissions
58 # are somehow missing
96 # are somehow missing
97 u2p = self.sa.query(UserToPerm)\
98 .filter(UserToPerm.user == perm_user)\
99 .all()
59 for p in u2p:
100 for p in u2p:
60 self.sa.delete(p)
101 self.sa.delete(p)
61 #create fresh set of permissions
102 #create fresh set of permissions
@@ -65,7 +106,7 b' class PermissionModel(BaseModel):'
65 p = _make_new(perm_user, form_result[def_perm_key])
106 p = _make_new(perm_user, form_result[def_perm_key])
66 self.sa.add(p)
107 self.sa.add(p)
67
108
68 #stage 2 update all default permissions for repos if checked
109 #stage 3 update all default permissions for repos if checked
69 if form_result['overwrite_default_repo'] == True:
110 if form_result['overwrite_default_repo'] == True:
70 _def_name = form_result['default_repo_perm'].split('repository.')[-1]
111 _def_name = form_result['default_repo_perm'].split('repository.')[-1]
71 _def = Permission.get_by_key('repository.' + _def_name)
112 _def = Permission.get_by_key('repository.' + _def_name)
@@ -89,11 +130,6 b' class PermissionModel(BaseModel):'
89 g2p.permission = _def
130 g2p.permission = _def
90 self.sa.add(g2p)
131 self.sa.add(g2p)
91
132
92 # stage 3 set anonymous access
93 if perm_user.username == 'default':
94 perm_user.active = str2bool(form_result['anonymous'])
95 self.sa.add(perm_user)
96
97 self.sa.commit()
133 self.sa.commit()
98 except (DatabaseError,):
134 except (DatabaseError,):
99 log.error(traceback.format_exc())
135 log.error(traceback.format_exc())
Show file before | Show file after | Hide comments
@@ -4,12 +4,14 b' from rhodecode.tests import *'
4 from rhodecode.tests.fixture import Fixture
4 from rhodecode.tests.fixture import Fixture
5 from rhodecode.model.repos_group import ReposGroupModel
5 from rhodecode.model.repos_group import ReposGroupModel
6 from rhodecode.model.repo import RepoModel
6 from rhodecode.model.repo import RepoModel
7 from rhodecode.model.db import RepoGroup, User, UserGroupRepoGroupToPerm
7 from rhodecode.model.db import RepoGroup, User, UserGroupRepoGroupToPerm,\
8 Permission, UserToPerm
8 from rhodecode.model.user import UserModel
9 from rhodecode.model.user import UserModel
9
10
10 from rhodecode.model.meta import Session
11 from rhodecode.model.meta import Session
11 from rhodecode.model.users_group import UserGroupModel
12 from rhodecode.model.users_group import UserGroupModel
12 from rhodecode.lib.auth import AuthUser
13 from rhodecode.lib.auth import AuthUser
14 from rhodecode.model.permission import PermissionModel
13
15
14
16
15 fixture = Fixture()
17 fixture = Fixture()
@@ -101,13 +103,15 b' class TestPermissions(unittest.TestCase)'
101 u1_auth = AuthUser(user_id=self.u1.user_id)
103 u1_auth = AuthUser(user_id=self.u1.user_id)
102 perms = {
104 perms = {
103 'repositories_groups': {u'test1': 'group.read', u'test2': 'group.read'},
105 'repositories_groups': {u'test1': 'group.read', u'test2': 'group.read'},
104 'global': set([u'hg.create.repository', u'repository.read', u'hg.register.manual_activate']),
106 'global': set(Permission.DEFAULT_USER_PERMISSIONS),
105 'repositories': {u'vcs_test_hg': u'repository.read'}
107 'repositories': {u'vcs_test_hg': u'repository.read'}
106 }
108 }
107 self.assertEqual(u1_auth.permissions['repositories'][HG_REPO],
109 self.assertEqual(u1_auth.permissions['repositories'][HG_REPO],
108 perms['repositories'][HG_REPO])
110 perms['repositories'][HG_REPO])
109 self.assertEqual(u1_auth.permissions['repositories_groups'],
111 self.assertEqual(u1_auth.permissions['repositories_groups'],
110 perms['repositories_groups'])
112 perms['repositories_groups'])
113 self.assertEqual(u1_auth.permissions['global'],
114 perms['global'])
111
115
112 def test_default_admin_group_perms(self):
116 def test_default_admin_group_perms(self):
113 self.g1 = fixture.create_group('test1', skip_if_exists=True)
117 self.g1 = fixture.create_group('test1', skip_if_exists=True)
@@ -347,7 +351,8 b' class TestPermissions(unittest.TestCase)'
347 self.assertEqual(u1_auth.permissions['global'],
351 self.assertEqual(u1_auth.permissions['global'],
348 set(['hg.create.repository', 'hg.fork.repository',
352 set(['hg.create.repository', 'hg.fork.repository',
349 'hg.register.manual_activate',
353 'hg.register.manual_activate',
350 'repository.read', 'group.read']))
354 'repository.read', 'group.read',
355 'usergroup.read']))
351
356
352 def test_inherited_permissions_from_default_on_user_disabled(self):
357 def test_inherited_permissions_from_default_on_user_disabled(self):
353 user_model = UserModel()
358 user_model = UserModel()
@@ -365,7 +370,8 b' class TestPermissions(unittest.TestCase)'
365 self.assertEqual(u1_auth.permissions['global'],
370 self.assertEqual(u1_auth.permissions['global'],
366 set(['hg.create.none', 'hg.fork.none',
371 set(['hg.create.none', 'hg.fork.none',
367 'hg.register.manual_activate',
372 'hg.register.manual_activate',
368 'repository.read', 'group.read']))
373 'repository.read', 'group.read',
374 'usergroup.read']))
369
375
370 def test_non_inherited_permissions_from_default_on_user_enabled(self):
376 def test_non_inherited_permissions_from_default_on_user_enabled(self):
371 user_model = UserModel()
377 user_model = UserModel()
@@ -391,7 +397,8 b' class TestPermissions(unittest.TestCase)'
391 self.assertEqual(u1_auth.permissions['global'],
397 self.assertEqual(u1_auth.permissions['global'],
392 set(['hg.create.none', 'hg.fork.none',
398 set(['hg.create.none', 'hg.fork.none',
393 'hg.register.manual_activate',
399 'hg.register.manual_activate',
394 'repository.read', 'group.read']))
400 'repository.read', 'group.read',
401 'usergroup.read']))
395
402
396 def test_non_inherited_permissions_from_default_on_user_disabled(self):
403 def test_non_inherited_permissions_from_default_on_user_disabled(self):
397 user_model = UserModel()
404 user_model = UserModel()
@@ -417,7 +424,8 b' class TestPermissions(unittest.TestCase)'
417 self.assertEqual(u1_auth.permissions['global'],
424 self.assertEqual(u1_auth.permissions['global'],
418 set(['hg.create.repository', 'hg.fork.repository',
425 set(['hg.create.repository', 'hg.fork.repository',
419 'hg.register.manual_activate',
426 'hg.register.manual_activate',
420 'repository.read', 'group.read']))
427 'repository.read', 'group.read',
428 'usergroup.read']))
421
429
422 def test_owner_permissions_doesnot_get_overwritten_by_group(self):
430 def test_owner_permissions_doesnot_get_overwritten_by_group(self):
423 #create repo as USER,
431 #create repo as USER,
@@ -458,3 +466,60 b' class TestPermissions(unittest.TestCase)'
458 u1_auth = AuthUser(user_id=self.u1.user_id)
466 u1_auth = AuthUser(user_id=self.u1.user_id)
459 self.assertEqual(u1_auth.permissions['repositories']['myownrepo'],
467 self.assertEqual(u1_auth.permissions['repositories']['myownrepo'],
460 'repository.admin')
468 'repository.admin')
469
470 def _test_def_perm_equal(self, user, change_factor=0):
471 perms = UserToPerm.query()\
472 .filter(UserToPerm.user == user)\
473 .all()
474 self.assertEqual(len(perms),
475 len(Permission.DEFAULT_USER_PERMISSIONS,)+change_factor,
476 msg=perms)
477
478 def test_set_default_permissions(self):
479 PermissionModel().create_default_permissions(user=self.u1)
480 self._test_def_perm_equal(user=self.u1)
481
482 def test_set_default_permissions_after_one_is_missing(self):
483 PermissionModel().create_default_permissions(user=self.u1)
484 self._test_def_perm_equal(user=self.u1)
485 #now we delete one, it should be re-created after another call
486 perms = UserToPerm.query()\
487 .filter(UserToPerm.user == self.u1)\
488 .all()
489 Session().delete(perms[0])
490 Session().commit()
491
492 self._test_def_perm_equal(user=self.u1, change_factor=-1)
493
494 #create missing one !
495 PermissionModel().create_default_permissions(user=self.u1)
496 self._test_def_perm_equal(user=self.u1)
497
498 @parameterized.expand([
499 ('repository.read', 'repository.none'),
500 ('group.read', 'group.none'),
501 ('usergroup.read', 'usergroup.none'),
502 ('hg.create.repository', 'hg.create.none'),
503 ('hg.fork.repository', 'hg.fork.none'),
504 ('hg.register.manual_activate', 'hg.register.auto_activate',)
505 ])
506 def test_set_default_permissions_after_modification(self, perm, modify_to):
507 PermissionModel().create_default_permissions(user=self.u1)
508 self._test_def_perm_equal(user=self.u1)
509
510 old = Permission.get_by_key(perm)
511 new = Permission.get_by_key(modify_to)
512 self.assertNotEqual(old, None)
513 self.assertNotEqual(new, None)
514
515 #now modify permissions
516 p = UserToPerm.query()\
517 .filter(UserToPerm.user == self.u1)\
518 .filter(UserToPerm.permission == old)\
519 .one()
520 p.permission = new
521 Session().add(p)
522 Session().commit()
523
524 PermissionModel().create_default_permissions(user=self.u1)
525 self._test_def_perm_equal(user=self.u1)
General Comments 0
You need to be logged in to leave comments. Login now