fixed issue #644 When a user is both in read and write group, the permission taken in account is the last saved permission...
marcink -
r3094:b70c6652 beta
@@ -0,0 +1,1 b''
1 #TODO; write tests when we activate algo for permissions. No newline at end of file
@@ -26,6 +26,8 b''
26 import logging
26 import logging
27 import traceback
27 import traceback
28 import itertools
28 import itertools
29 import collections
30 import functools
29 from pylons import url
31 from pylons import url
30 from pylons.i18n.translation import _
32 from pylons.i18n.translation import _
31
33
@@ -379,13 +381,21 b' class UserModel(BaseModel):'
379
381
380 return True
382 return True
381
383
382 def fill_perms(self, user):
384 def fill_perms(self, user, explicit=True, algo='higherwin'):
383 """
385 """
384 Fills user permission attribute with permissions taken from database
386 Fills user permission attribute with permissions taken from database
385 works for permissions given for repositories, and for permissions that
387 works for permissions given for repositories, and for permissions that
386 are granted to groups
388 are granted to groups
387
389
388 :param user: user instance to fill his perms
390 :param user: user instance to fill his perms
391 :param explicit: In case there are permissions both for user and a group
392 that user is part of, explicit flag will defiine if user will
393 explicitly override permissions from group, if it's False it will
394 make decision based on the algo
395 :param algo: algorithm to decide what permission should be choose if
396 it's multiple defined, eg user in two different groups. It also
397 decides if explicit flag is turned off how to specify the permission
398 for case when user is in a group + have defined separate permission
389 """
399 """
390 RK = 'repositories'
400 RK = 'repositories'
391 GK = 'repositories_groups'
401 GK = 'repositories_groups'
@@ -394,6 +404,18 b' class UserModel(BaseModel):'
394 user.permissions[GK] = {}
404 user.permissions[GK] = {}
395 user.permissions[GLOBAL] = set()
405 user.permissions[GLOBAL] = set()
396
406
407 def _choose_perm(new_perm, cur_perm):
408 new_perm_val = PERM_WEIGHTS[new_perm]
409 cur_perm_val = PERM_WEIGHTS[cur_perm]
410 if algo == 'higherwin':
411 if new_perm_val > cur_perm_val:
412 return new_perm
413 return cur_perm
414 elif algo == 'lowerwin':
415 if new_perm_val < cur_perm_val:
416 return new_perm
417 return cur_perm
418
397 #======================================================================
419 #======================================================================
398 # fetch default permissions
420 # fetch default permissions
399 #======================================================================
421 #======================================================================
@@ -503,12 +525,14 b' class UserModel(BaseModel):'
503 user.permissions[GLOBAL].add(perm.permission.permission_name)
525 user.permissions[GLOBAL].add(perm.permission.permission_name)
504
526
505 #======================================================================
527 #======================================================================
506 # !! REPO PERMISSIONS !!
528 # !! PERMISSIONS FOR REPOSITORIES !!
507 #======================================================================
529 #======================================================================
508 #======================================================================
530 #======================================================================
509 # check if user is part of user groups for this repository and
531 # check if user is part of user groups for this repository and
510 # fill in (or NOT replace with higher `or 1` permissions
532 # fill in his permission from it. _choose_perm decides of which
533 # permission should be selected based on selected method
511 #======================================================================
534 #======================================================================
535
512 # users group for repositories permissions
536 # users group for repositories permissions
513 user_repo_perms_from_users_groups = \
537 user_repo_perms_from_users_groups = \
514 self.sa.query(UsersGroupRepoToPerm, Permission, Repository,)\
538 self.sa.query(UsersGroupRepoToPerm, Permission, Repository,)\
@@ -521,20 +545,23 b' class UserModel(BaseModel):'
521 .filter(UsersGroupMember.user_id == uid)\
545 .filter(UsersGroupMember.user_id == uid)\
522 .all()
546 .all()
523
547
548 multiple_counter = collections.Counter()
524 for perm in user_repo_perms_from_users_groups:
549 for perm in user_repo_perms_from_users_groups:
525 r_k = perm.UsersGroupRepoToPerm.repository.repo_name
550 r_k = perm.UsersGroupRepoToPerm.repository.repo_name
551 multiple_counter[r_k] += 1
526 p = perm.Permission.permission_name
552 p = perm.Permission.permission_name
527 cur_perm = user.permissions[RK][r_k]
553 cur_perm = user.permissions[RK][r_k]
528 # overwrite permission only if it's greater than permission
554
529 # given from other sources - disabled with `or 1` now
530 if PERM_WEIGHTS[p] > PERM_WEIGHTS[cur_perm] or 1: # disable check
531 if perm.Repository.user_id == uid:
555 if perm.Repository.user_id == uid:
532 # set admin if owner
556 # set admin if owner
533 p = 'repository.admin'
557 p = 'repository.admin'
534
558 else:
559 if multiple_counter[r_k] > 1:
560 p = _choose_perm(p, cur_perm)
535 user.permissions[RK][r_k] = p
561 user.permissions[RK][r_k] = p
536
562
537 # user explicit permissions for repositories
563 # user explicit permissions for repositories, overrides any specified
564 # by the group permission
538 user_repo_perms = \
565 user_repo_perms = \
539 self.sa.query(UserRepoToPerm, Permission, Repository)\
566 self.sa.query(UserRepoToPerm, Permission, Repository)\
540 .join((Repository, UserRepoToPerm.repository_id ==
567 .join((Repository, UserRepoToPerm.repository_id ==
@@ -545,24 +572,52 b' class UserModel(BaseModel):'
545 .all()
572 .all()
546
573
547 for perm in user_repo_perms:
574 for perm in user_repo_perms:
575 r_k = perm.UserRepoToPerm.repository.repo_name
576 cur_perm = user.permissions[RK][r_k]
548 # set admin if owner
577 # set admin if owner
549 r_k = perm.UserRepoToPerm.repository.repo_name
550 if perm.Repository.user_id == uid:
578 if perm.Repository.user_id == uid:
551 p = 'repository.admin'
579 p = 'repository.admin'
552 else:
580 else:
553 p = perm.Permission.permission_name
581 p = perm.Permission.permission_name
582 if not explicit:
583 p = _choose_perm(p, cur_perm)
554 user.permissions[RK][r_k] = p
584 user.permissions[RK][r_k] = p
555
585
556 # REPO GROUP
586 #======================================================================
557 #==================================================================
587 # !! PERMISSIONS FOR REPOSITORIES GROUPS !!
558 # get access for this user for repos group and override defaults
588 #======================================================================
559 #==================================================================
589 #======================================================================
590 # check if user is part of user groups for this repository groups and
591 # fill in his permission from it. _choose_perm decides of which
592 # permission should be selected based on selected method
593 #======================================================================
594 # users group for repo groups permissions
595 user_repo_group_perms_from_users_groups = \
596 self.sa.query(UsersGroupRepoGroupToPerm, Permission, RepoGroup)\
597 .join((RepoGroup, UsersGroupRepoGroupToPerm.group_id == RepoGroup.group_id))\
598 .join((Permission, UsersGroupRepoGroupToPerm.permission_id
599 == Permission.permission_id))\
600 .join((UsersGroupMember, UsersGroupRepoGroupToPerm.users_group_id
601 == UsersGroupMember.users_group_id))\
602 .filter(UsersGroupMember.user_id == uid)\
603 .all()
560
604
561 # user explicit permissions for repository
605 multiple_counter = collections.Counter()
606 for perm in user_repo_group_perms_from_users_groups:
607 g_k = perm.UsersGroupRepoGroupToPerm.group.group_name
608 multiple_counter[g_k] += 1
609 p = perm.Permission.permission_name
610 cur_perm = user.permissions[GK][g_k]
611 if multiple_counter[g_k] > 1:
612 p = _choose_perm(p, cur_perm)
613 user.permissions[GK][g_k] = p
614
615 # user explicit permissions for repository groups
562 user_repo_groups_perms = \
616 user_repo_groups_perms = \
563 self.sa.query(UserRepoGroupToPerm, Permission, RepoGroup)\
617 self.sa.query(UserRepoGroupToPerm, Permission, RepoGroup)\
564 .join((RepoGroup, UserRepoGroupToPerm.group_id == RepoGroup.group_id))\
618 .join((RepoGroup, UserRepoGroupToPerm.group_id == RepoGroup.group_id))\
565 .join((Permission, UserRepoGroupToPerm.permission_id == Permission.permission_id))\
619 .join((Permission, UserRepoGroupToPerm.permission_id
620 == Permission.permission_id))\
566 .filter(UserRepoGroupToPerm.user_id == uid)\
621 .filter(UserRepoGroupToPerm.user_id == uid)\
567 .all()
622 .all()
568
623
@@ -570,33 +625,10 b' class UserModel(BaseModel):'
570 rg_k = perm.UserRepoGroupToPerm.group.group_name
625 rg_k = perm.UserRepoGroupToPerm.group.group_name
571 p = perm.Permission.permission_name
626 p = perm.Permission.permission_name
572 cur_perm = user.permissions[GK][rg_k]
627 cur_perm = user.permissions[GK][rg_k]
573 if PERM_WEIGHTS[p] > PERM_WEIGHTS[cur_perm] or 1: # disable check
628 if not explicit:
629 p = _choose_perm(p, cur_perm)
574 user.permissions[GK][rg_k] = p
630 user.permissions[GK][rg_k] = p
575
631
576 # REPO GROUP + USER GROUP
577 #==================================================================
578 # check if user is part of user groups for this repo group and
579 # fill in (or replace with higher) permissions
580 #==================================================================
581
582 # users group for repositories permissions
583 user_repo_group_perms_from_users_groups = \
584 self.sa.query(UsersGroupRepoGroupToPerm, Permission, RepoGroup)\
585 .join((RepoGroup, UsersGroupRepoGroupToPerm.group_id == RepoGroup.group_id))\
586 .join((Permission, UsersGroupRepoGroupToPerm.permission_id == Permission.permission_id))\
587 .join((UsersGroupMember, UsersGroupRepoGroupToPerm.users_group_id == UsersGroupMember.users_group_id))\
588 .filter(UsersGroupMember.user_id == uid)\
589 .all()
590
591 for perm in user_repo_group_perms_from_users_groups:
592 g_k = perm.UsersGroupRepoGroupToPerm.group.group_name
593 p = perm.Permission.permission_name
594 cur_perm = user.permissions[GK][g_k]
595 # overwrite permission only if it's greater than permission
596 # given from other sources
597 if PERM_WEIGHTS[p] > PERM_WEIGHTS[cur_perm] or 1: # disable check
598 user.permissions[GK][g_k] = p
599
600 return user
632 return user
601
633
602 def has_perm(self, user, perm):
634 def has_perm(self, user, perm):
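Review bot: `_choose_perm` inside `fill_perms` has no branch for an `algo` value other than `'higherwin'` or `'lowerwin'`, so it falls through and returns `None`, which the callers then store in `user.permissions[RK][r_k]` and `user.permissions[GK][g_k]`. A permission resolver should fail loudly rather than leave an undefined value for later checks to interpret; end the helper with `raise ValueError('unknown permission algo: %r' % (algo,))`, or validate `algo` once at the top of `fill_perms`. With the default `'higherwin'`, a lower-weight grant from one user group is overridden by a higher-weight grant from another, so the docstring should say that group membership cannot be used to restrict access under this setting. The new test file is only a TODO, so none of these resolution paths are covered, and `fill_perms` itself starts and ends outside the hunks shown.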