##// END OF EJS Templates
fixed issue #644 When a user is both in read and write group, the permission taken in account is the last saved permission...
marcink -
r3094:b70c6652 beta
parent child Browse files
Show More
@@ -0,0 +1,1 b''
1 #TODO; write tests when we activate algo for permissions. No newline at end of file
@@ -26,6 +26,8 b''
26 26 import logging
27 27 import traceback
28 28 import itertools
29 import collections
30 import functools
29 31 from pylons import url
30 32 from pylons.i18n.translation import _
31 33
@@ -379,13 +381,21 b' class UserModel(BaseModel):'
379 381
380 382 return True
381 383
382 def fill_perms(self, user):
384 def fill_perms(self, user, explicit=True, algo='higherwin'):
383 385 """
384 386 Fills user permission attribute with permissions taken from database
385 387 works for permissions given for repositories, and for permissions that
386 388 are granted to groups
387 389
388 390 :param user: user instance to fill his perms
391 :param explicit: In case there are permissions both for user and a group
392 that user is part of, explicit flag will defiine if user will
393 explicitly override permissions from group, if it's False it will
394 make decision based on the algo
395 :param algo: algorithm to decide what permission should be choose if
396 it's multiple defined, eg user in two different groups. It also
397 decides if explicit flag is turned off how to specify the permission
398 for case when user is in a group + have defined separate permission
389 399 """
390 400 RK = 'repositories'
391 401 GK = 'repositories_groups'
@@ -394,6 +404,18 b' class UserModel(BaseModel):'
394 404 user.permissions[GK] = {}
395 405 user.permissions[GLOBAL] = set()
396 406
407 def _choose_perm(new_perm, cur_perm):
408 new_perm_val = PERM_WEIGHTS[new_perm]
409 cur_perm_val = PERM_WEIGHTS[cur_perm]
410 if algo == 'higherwin':
411 if new_perm_val > cur_perm_val:
412 return new_perm
413 return cur_perm
414 elif algo == 'lowerwin':
415 if new_perm_val < cur_perm_val:
416 return new_perm
417 return cur_perm
418
397 419 #======================================================================
398 420 # fetch default permissions
399 421 #======================================================================
@@ -503,12 +525,14 b' class UserModel(BaseModel):'
503 525 user.permissions[GLOBAL].add(perm.permission.permission_name)
504 526
505 527 #======================================================================
506 # !! REPO PERMISSIONS !!
528 # !! PERMISSIONS FOR REPOSITORIES !!
507 529 #======================================================================
508 530 #======================================================================
509 531 # check if user is part of user groups for this repository and
510 # fill in (or NOT replace with higher `or 1` permissions
532 # fill in his permission from it. _choose_perm decides of which
533 # permission should be selected based on selected method
511 534 #======================================================================
535
512 536 # users group for repositories permissions
513 537 user_repo_perms_from_users_groups = \
514 538 self.sa.query(UsersGroupRepoToPerm, Permission, Repository,)\
@@ -521,20 +545,23 b' class UserModel(BaseModel):'
521 545 .filter(UsersGroupMember.user_id == uid)\
522 546 .all()
523 547
548 multiple_counter = collections.Counter()
524 549 for perm in user_repo_perms_from_users_groups:
525 550 r_k = perm.UsersGroupRepoToPerm.repository.repo_name
551 multiple_counter[r_k] += 1
526 552 p = perm.Permission.permission_name
527 553 cur_perm = user.permissions[RK][r_k]
528 # overwrite permission only if it's greater than permission
529 # given from other sources - disabled with `or 1` now
530 if PERM_WEIGHTS[p] > PERM_WEIGHTS[cur_perm] or 1: # disable check
531 if perm.Repository.user_id == uid:
532 # set admin if owner
533 p = 'repository.admin'
534 554
535 user.permissions[RK][r_k] = p
555 if perm.Repository.user_id == uid:
556 # set admin if owner
557 p = 'repository.admin'
558 else:
559 if multiple_counter[r_k] > 1:
560 p = _choose_perm(p, cur_perm)
561 user.permissions[RK][r_k] = p
536 562
537 # user explicit permissions for repositories
563 # user explicit permissions for repositories, overrides any specified
564 # by the group permission
538 565 user_repo_perms = \
539 566 self.sa.query(UserRepoToPerm, Permission, Repository)\
540 567 .join((Repository, UserRepoToPerm.repository_id ==
@@ -545,24 +572,52 b' class UserModel(BaseModel):'
545 572 .all()
546 573
547 574 for perm in user_repo_perms:
575 r_k = perm.UserRepoToPerm.repository.repo_name
576 cur_perm = user.permissions[RK][r_k]
548 577 # set admin if owner
549 r_k = perm.UserRepoToPerm.repository.repo_name
550 578 if perm.Repository.user_id == uid:
551 579 p = 'repository.admin'
552 580 else:
553 581 p = perm.Permission.permission_name
582 if not explicit:
583 p = _choose_perm(p, cur_perm)
554 584 user.permissions[RK][r_k] = p
555 585
556 # REPO GROUP
557 #==================================================================
558 # get access for this user for repos group and override defaults
559 #==================================================================
586 #======================================================================
587 # !! PERMISSIONS FOR REPOSITORIES GROUPS !!
588 #======================================================================
589 #======================================================================
590 # check if user is part of user groups for this repository groups and
591 # fill in his permission from it. _choose_perm decides of which
592 # permission should be selected based on selected method
593 #======================================================================
594 # users group for repo groups permissions
595 user_repo_group_perms_from_users_groups = \
596 self.sa.query(UsersGroupRepoGroupToPerm, Permission, RepoGroup)\
597 .join((RepoGroup, UsersGroupRepoGroupToPerm.group_id == RepoGroup.group_id))\
598 .join((Permission, UsersGroupRepoGroupToPerm.permission_id
599 == Permission.permission_id))\
600 .join((UsersGroupMember, UsersGroupRepoGroupToPerm.users_group_id
601 == UsersGroupMember.users_group_id))\
602 .filter(UsersGroupMember.user_id == uid)\
603 .all()
560 604
561 # user explicit permissions for repository
605 multiple_counter = collections.Counter()
606 for perm in user_repo_group_perms_from_users_groups:
607 g_k = perm.UsersGroupRepoGroupToPerm.group.group_name
608 multiple_counter[g_k] += 1
609 p = perm.Permission.permission_name
610 cur_perm = user.permissions[GK][g_k]
611 if multiple_counter[g_k] > 1:
612 p = _choose_perm(p, cur_perm)
613 user.permissions[GK][g_k] = p
614
615 # user explicit permissions for repository groups
562 616 user_repo_groups_perms = \
563 617 self.sa.query(UserRepoGroupToPerm, Permission, RepoGroup)\
564 618 .join((RepoGroup, UserRepoGroupToPerm.group_id == RepoGroup.group_id))\
565 .join((Permission, UserRepoGroupToPerm.permission_id == Permission.permission_id))\
619 .join((Permission, UserRepoGroupToPerm.permission_id
620 == Permission.permission_id))\
566 621 .filter(UserRepoGroupToPerm.user_id == uid)\
567 622 .all()
568 623
@@ -570,32 +625,9 b' class UserModel(BaseModel):'
570 625 rg_k = perm.UserRepoGroupToPerm.group.group_name
571 626 p = perm.Permission.permission_name
572 627 cur_perm = user.permissions[GK][rg_k]
573 if PERM_WEIGHTS[p] > PERM_WEIGHTS[cur_perm] or 1: # disable check
574 user.permissions[GK][rg_k] = p
575
576 # REPO GROUP + USER GROUP
577 #==================================================================
578 # check if user is part of user groups for this repo group and
579 # fill in (or replace with higher) permissions
580 #==================================================================
581
582 # users group for repositories permissions
583 user_repo_group_perms_from_users_groups = \
584 self.sa.query(UsersGroupRepoGroupToPerm, Permission, RepoGroup)\
585 .join((RepoGroup, UsersGroupRepoGroupToPerm.group_id == RepoGroup.group_id))\
586 .join((Permission, UsersGroupRepoGroupToPerm.permission_id == Permission.permission_id))\
587 .join((UsersGroupMember, UsersGroupRepoGroupToPerm.users_group_id == UsersGroupMember.users_group_id))\
588 .filter(UsersGroupMember.user_id == uid)\
589 .all()
590
591 for perm in user_repo_group_perms_from_users_groups:
592 g_k = perm.UsersGroupRepoGroupToPerm.group.group_name
593 p = perm.Permission.permission_name
594 cur_perm = user.permissions[GK][g_k]
595 # overwrite permission only if it's greater than permission
596 # given from other sources
597 if PERM_WEIGHTS[p] > PERM_WEIGHTS[cur_perm] or 1: # disable check
598 user.permissions[GK][g_k] = p
628 if not explicit:
629 p = _choose_perm(p, cur_perm)
630 user.permissions[GK][rg_k] = p
599 631
600 632 return user
601 633
General Comments 0
You need to be logged in to leave comments. Login now