Show More
@@ -0,0 +1,1 b'' | |||||
|
1 | #TODO; write tests when we activate algo for permissions. No newline at end of file |
@@ -26,6 +26,8 b'' | |||||
26 | import logging |
|
26 | import logging | |
27 | import traceback |
|
27 | import traceback | |
28 | import itertools |
|
28 | import itertools | |
|
29 | import collections | |||
|
30 | import functools | |||
29 | from pylons import url |
|
31 | from pylons import url | |
30 | from pylons.i18n.translation import _ |
|
32 | from pylons.i18n.translation import _ | |
31 |
|
33 | |||
@@ -379,13 +381,21 b' class UserModel(BaseModel):' | |||||
379 |
|
381 | |||
380 | return True |
|
382 | return True | |
381 |
|
383 | |||
382 | def fill_perms(self, user): |
|
384 | def fill_perms(self, user, explicit=True, algo='higherwin'): | |
383 | """ |
|
385 | """ | |
384 | Fills user permission attribute with permissions taken from database |
|
386 | Fills user permission attribute with permissions taken from database | |
385 | works for permissions given for repositories, and for permissions that |
|
387 | works for permissions given for repositories, and for permissions that | |
386 | are granted to groups |
|
388 | are granted to groups | |
387 |
|
389 | |||
388 | :param user: user instance to fill his perms |
|
390 | :param user: user instance to fill his perms | |
|
391 | :param explicit: In case there are permissions both for user and a group | |||
|
392 | that user is part of, explicit flag will defiine if user will | |||
|
393 | explicitly override permissions from group, if it's False it will | |||
|
394 | make decision based on the algo | |||
|
395 | :param algo: algorithm to decide what permission should be choose if | |||
|
396 | it's multiple defined, eg user in two different groups. It also | |||
|
397 | decides if explicit flag is turned off how to specify the permission | |||
|
398 | for case when user is in a group + have defined separate permission | |||
389 | """ |
|
399 | """ | |
390 | RK = 'repositories' |
|
400 | RK = 'repositories' | |
391 | GK = 'repositories_groups' |
|
401 | GK = 'repositories_groups' | |
@@ -394,6 +404,18 b' class UserModel(BaseModel):' | |||||
394 | user.permissions[GK] = {} |
|
404 | user.permissions[GK] = {} | |
395 | user.permissions[GLOBAL] = set() |
|
405 | user.permissions[GLOBAL] = set() | |
396 |
|
406 | |||
|
407 | def _choose_perm(new_perm, cur_perm): | |||
|
408 | new_perm_val = PERM_WEIGHTS[new_perm] | |||
|
409 | cur_perm_val = PERM_WEIGHTS[cur_perm] | |||
|
410 | if algo == 'higherwin': | |||
|
411 | if new_perm_val > cur_perm_val: | |||
|
412 | return new_perm | |||
|
413 | return cur_perm | |||
|
414 | elif algo == 'lowerwin': | |||
|
415 | if new_perm_val < cur_perm_val: | |||
|
416 | return new_perm | |||
|
417 | return cur_perm | |||
|
418 | ||||
397 | #====================================================================== |
|
419 | #====================================================================== | |
398 | # fetch default permissions |
|
420 | # fetch default permissions | |
399 | #====================================================================== |
|
421 | #====================================================================== | |
@@ -503,12 +525,14 b' class UserModel(BaseModel):' | |||||
503 | user.permissions[GLOBAL].add(perm.permission.permission_name) |
|
525 | user.permissions[GLOBAL].add(perm.permission.permission_name) | |
504 |
|
526 | |||
505 | #====================================================================== |
|
527 | #====================================================================== | |
506 |
# !! |
|
528 | # !! PERMISSIONS FOR REPOSITORIES !! | |
507 | #====================================================================== |
|
529 | #====================================================================== | |
508 | #====================================================================== |
|
530 | #====================================================================== | |
509 | # check if user is part of user groups for this repository and |
|
531 | # check if user is part of user groups for this repository and | |
510 | # fill in (or NOT replace with higher `or 1` permissions |
|
532 | # fill in his permission from it. _choose_perm decides of which | |
|
533 | # permission should be selected based on selected method | |||
511 | #====================================================================== |
|
534 | #====================================================================== | |
|
535 | ||||
512 | # users group for repositories permissions |
|
536 | # users group for repositories permissions | |
513 | user_repo_perms_from_users_groups = \ |
|
537 | user_repo_perms_from_users_groups = \ | |
514 | self.sa.query(UsersGroupRepoToPerm, Permission, Repository,)\ |
|
538 | self.sa.query(UsersGroupRepoToPerm, Permission, Repository,)\ | |
@@ -521,20 +545,23 b' class UserModel(BaseModel):' | |||||
521 | .filter(UsersGroupMember.user_id == uid)\ |
|
545 | .filter(UsersGroupMember.user_id == uid)\ | |
522 | .all() |
|
546 | .all() | |
523 |
|
547 | |||
|
548 | multiple_counter = collections.Counter() | |||
524 | for perm in user_repo_perms_from_users_groups: |
|
549 | for perm in user_repo_perms_from_users_groups: | |
525 | r_k = perm.UsersGroupRepoToPerm.repository.repo_name |
|
550 | r_k = perm.UsersGroupRepoToPerm.repository.repo_name | |
|
551 | multiple_counter[r_k] += 1 | |||
526 | p = perm.Permission.permission_name |
|
552 | p = perm.Permission.permission_name | |
527 | cur_perm = user.permissions[RK][r_k] |
|
553 | cur_perm = user.permissions[RK][r_k] | |
528 | # overwrite permission only if it's greater than permission |
|
|||
529 | # given from other sources - disabled with `or 1` now |
|
|||
530 | if PERM_WEIGHTS[p] > PERM_WEIGHTS[cur_perm] or 1: # disable check |
|
|||
531 | if perm.Repository.user_id == uid: |
|
|||
532 | # set admin if owner |
|
|||
533 | p = 'repository.admin' |
|
|||
534 |
|
554 | |||
535 | user.permissions[RK][r_k] = p |
|
555 | if perm.Repository.user_id == uid: | |
|
556 | # set admin if owner | |||
|
557 | p = 'repository.admin' | |||
|
558 | else: | |||
|
559 | if multiple_counter[r_k] > 1: | |||
|
560 | p = _choose_perm(p, cur_perm) | |||
|
561 | user.permissions[RK][r_k] = p | |||
536 |
|
562 | |||
537 | # user explicit permissions for repositories |
|
563 | # user explicit permissions for repositories, overrides any specified | |
|
564 | # by the group permission | |||
538 | user_repo_perms = \ |
|
565 | user_repo_perms = \ | |
539 | self.sa.query(UserRepoToPerm, Permission, Repository)\ |
|
566 | self.sa.query(UserRepoToPerm, Permission, Repository)\ | |
540 | .join((Repository, UserRepoToPerm.repository_id == |
|
567 | .join((Repository, UserRepoToPerm.repository_id == | |
@@ -545,24 +572,52 b' class UserModel(BaseModel):' | |||||
545 | .all() |
|
572 | .all() | |
546 |
|
573 | |||
547 | for perm in user_repo_perms: |
|
574 | for perm in user_repo_perms: | |
|
575 | r_k = perm.UserRepoToPerm.repository.repo_name | |||
|
576 | cur_perm = user.permissions[RK][r_k] | |||
548 | # set admin if owner |
|
577 | # set admin if owner | |
549 | r_k = perm.UserRepoToPerm.repository.repo_name |
|
|||
550 | if perm.Repository.user_id == uid: |
|
578 | if perm.Repository.user_id == uid: | |
551 | p = 'repository.admin' |
|
579 | p = 'repository.admin' | |
552 | else: |
|
580 | else: | |
553 | p = perm.Permission.permission_name |
|
581 | p = perm.Permission.permission_name | |
|
582 | if not explicit: | |||
|
583 | p = _choose_perm(p, cur_perm) | |||
554 | user.permissions[RK][r_k] = p |
|
584 | user.permissions[RK][r_k] = p | |
555 |
|
585 | |||
556 | # REPO GROUP |
|
586 | #====================================================================== | |
557 | #================================================================== |
|
587 | # !! PERMISSIONS FOR REPOSITORIES GROUPS !! | |
558 | # get access for this user for repos group and override defaults |
|
588 | #====================================================================== | |
559 | #================================================================== |
|
589 | #====================================================================== | |
|
590 | # check if user is part of user groups for this repository groups and | |||
|
591 | # fill in his permission from it. _choose_perm decides of which | |||
|
592 | # permission should be selected based on selected method | |||
|
593 | #====================================================================== | |||
|
594 | # users group for repo groups permissions | |||
|
595 | user_repo_group_perms_from_users_groups = \ | |||
|
596 | self.sa.query(UsersGroupRepoGroupToPerm, Permission, RepoGroup)\ | |||
|
597 | .join((RepoGroup, UsersGroupRepoGroupToPerm.group_id == RepoGroup.group_id))\ | |||
|
598 | .join((Permission, UsersGroupRepoGroupToPerm.permission_id | |||
|
599 | == Permission.permission_id))\ | |||
|
600 | .join((UsersGroupMember, UsersGroupRepoGroupToPerm.users_group_id | |||
|
601 | == UsersGroupMember.users_group_id))\ | |||
|
602 | .filter(UsersGroupMember.user_id == uid)\ | |||
|
603 | .all() | |||
560 |
|
604 | |||
561 | # user explicit permissions for repository |
|
605 | multiple_counter = collections.Counter() | |
|
606 | for perm in user_repo_group_perms_from_users_groups: | |||
|
607 | g_k = perm.UsersGroupRepoGroupToPerm.group.group_name | |||
|
608 | multiple_counter[g_k] += 1 | |||
|
609 | p = perm.Permission.permission_name | |||
|
610 | cur_perm = user.permissions[GK][g_k] | |||
|
611 | if multiple_counter[g_k] > 1: | |||
|
612 | p = _choose_perm(p, cur_perm) | |||
|
613 | user.permissions[GK][g_k] = p | |||
|
614 | ||||
|
615 | # user explicit permissions for repository groups | |||
562 | user_repo_groups_perms = \ |
|
616 | user_repo_groups_perms = \ | |
563 | self.sa.query(UserRepoGroupToPerm, Permission, RepoGroup)\ |
|
617 | self.sa.query(UserRepoGroupToPerm, Permission, RepoGroup)\ | |
564 | .join((RepoGroup, UserRepoGroupToPerm.group_id == RepoGroup.group_id))\ |
|
618 | .join((RepoGroup, UserRepoGroupToPerm.group_id == RepoGroup.group_id))\ | |
565 |
.join((Permission, UserRepoGroupToPerm.permission_id |
|
619 | .join((Permission, UserRepoGroupToPerm.permission_id | |
|
620 | == Permission.permission_id))\ | |||
566 | .filter(UserRepoGroupToPerm.user_id == uid)\ |
|
621 | .filter(UserRepoGroupToPerm.user_id == uid)\ | |
567 | .all() |
|
622 | .all() | |
568 |
|
623 | |||
@@ -570,32 +625,9 b' class UserModel(BaseModel):' | |||||
570 | rg_k = perm.UserRepoGroupToPerm.group.group_name |
|
625 | rg_k = perm.UserRepoGroupToPerm.group.group_name | |
571 | p = perm.Permission.permission_name |
|
626 | p = perm.Permission.permission_name | |
572 | cur_perm = user.permissions[GK][rg_k] |
|
627 | cur_perm = user.permissions[GK][rg_k] | |
573 | if PERM_WEIGHTS[p] > PERM_WEIGHTS[cur_perm] or 1: # disable check |
|
628 | if not explicit: | |
574 | user.permissions[GK][rg_k] = p |
|
629 | p = _choose_perm(p, cur_perm) | |
575 |
|
630 | user.permissions[GK][rg_k] = p | ||
576 | # REPO GROUP + USER GROUP |
|
|||
577 | #================================================================== |
|
|||
578 | # check if user is part of user groups for this repo group and |
|
|||
579 | # fill in (or replace with higher) permissions |
|
|||
580 | #================================================================== |
|
|||
581 |
|
||||
582 | # users group for repositories permissions |
|
|||
583 | user_repo_group_perms_from_users_groups = \ |
|
|||
584 | self.sa.query(UsersGroupRepoGroupToPerm, Permission, RepoGroup)\ |
|
|||
585 | .join((RepoGroup, UsersGroupRepoGroupToPerm.group_id == RepoGroup.group_id))\ |
|
|||
586 | .join((Permission, UsersGroupRepoGroupToPerm.permission_id == Permission.permission_id))\ |
|
|||
587 | .join((UsersGroupMember, UsersGroupRepoGroupToPerm.users_group_id == UsersGroupMember.users_group_id))\ |
|
|||
588 | .filter(UsersGroupMember.user_id == uid)\ |
|
|||
589 | .all() |
|
|||
590 |
|
||||
591 | for perm in user_repo_group_perms_from_users_groups: |
|
|||
592 | g_k = perm.UsersGroupRepoGroupToPerm.group.group_name |
|
|||
593 | p = perm.Permission.permission_name |
|
|||
594 | cur_perm = user.permissions[GK][g_k] |
|
|||
595 | # overwrite permission only if it's greater than permission |
|
|||
596 | # given from other sources |
|
|||
597 | if PERM_WEIGHTS[p] > PERM_WEIGHTS[cur_perm] or 1: # disable check |
|
|||
598 | user.permissions[GK][g_k] = p |
|
|||
599 |
|
631 | |||
600 | return user |
|
632 | return user | |
601 |
|
633 |
General Comments 0
You need to be logged in to leave comments.
Login now