##// END OF EJS Templates
Repository groups: super admin shouldn't have the permission set...
marcink -
r3853:be2b7577 beta
parent child Browse files
Show More
@@ -1,438 +1,440 b''
1 # -*- coding: utf-8 -*-
1 # -*- coding: utf-8 -*-
2 """
2 """
3 rhodecode.model.user_group
3 rhodecode.model.user_group
4 ~~~~~~~~~~~~~~~~~~~~~~~~~~
4 ~~~~~~~~~~~~~~~~~~~~~~~~~~
5
5
6 repo group model for RhodeCode
6 repo group model for RhodeCode
7
7
8 :created_on: Jan 25, 2011
8 :created_on: Jan 25, 2011
9 :author: marcink
9 :author: marcink
10 :copyright: (C) 2011-2012 Marcin Kuzminski <marcin@python-works.com>
10 :copyright: (C) 2011-2012 Marcin Kuzminski <marcin@python-works.com>
11 :license: GPLv3, see COPYING for more details.
11 :license: GPLv3, see COPYING for more details.
12 """
12 """
13 # This program is free software: you can redistribute it and/or modify
13 # This program is free software: you can redistribute it and/or modify
14 # it under the terms of the GNU General Public License as published by
14 # it under the terms of the GNU General Public License as published by
15 # the Free Software Foundation, either version 3 of the License, or
15 # the Free Software Foundation, either version 3 of the License, or
16 # (at your option) any later version.
16 # (at your option) any later version.
17 #
17 #
18 # This program is distributed in the hope that it will be useful,
18 # This program is distributed in the hope that it will be useful,
19 # but WITHOUT ANY WARRANTY; without even the implied warranty of
19 # but WITHOUT ANY WARRANTY; without even the implied warranty of
20 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21 # GNU General Public License for more details.
21 # GNU General Public License for more details.
22 #
22 #
23 # You should have received a copy of the GNU General Public License
23 # You should have received a copy of the GNU General Public License
24 # along with this program. If not, see <http://www.gnu.org/licenses/>.
24 # along with this program. If not, see <http://www.gnu.org/licenses/>.
25
25
26 import os
26 import os
27 import logging
27 import logging
28 import traceback
28 import traceback
29 import shutil
29 import shutil
30 import datetime
30 import datetime
31
31
32 from rhodecode.lib.utils2 import LazyProperty
32 from rhodecode.lib.utils2 import LazyProperty
33
33
34 from rhodecode.model import BaseModel
34 from rhodecode.model import BaseModel
35 from rhodecode.model.db import RepoGroup, RhodeCodeUi, UserRepoGroupToPerm, \
35 from rhodecode.model.db import RepoGroup, RhodeCodeUi, UserRepoGroupToPerm, \
36 User, Permission, UserGroupRepoGroupToPerm, UserGroup, Repository
36 User, Permission, UserGroupRepoGroupToPerm, UserGroup, Repository
37
37
38 log = logging.getLogger(__name__)
38 log = logging.getLogger(__name__)
39
39
40
40
41 class ReposGroupModel(BaseModel):
41 class ReposGroupModel(BaseModel):
42
42
43 cls = RepoGroup
43 cls = RepoGroup
44
44
45 def _get_user_group(self, users_group):
45 def _get_user_group(self, users_group):
46 return self._get_instance(UserGroup, users_group,
46 return self._get_instance(UserGroup, users_group,
47 callback=UserGroup.get_by_group_name)
47 callback=UserGroup.get_by_group_name)
48
48
49 def _get_repo_group(self, repos_group):
49 def _get_repo_group(self, repos_group):
50 return self._get_instance(RepoGroup, repos_group,
50 return self._get_instance(RepoGroup, repos_group,
51 callback=RepoGroup.get_by_group_name)
51 callback=RepoGroup.get_by_group_name)
52
52
53 @LazyProperty
53 @LazyProperty
54 def repos_path(self):
54 def repos_path(self):
55 """
55 """
56 Get's the repositories root path from database
56 Get's the repositories root path from database
57 """
57 """
58
58
59 q = RhodeCodeUi.get_by_key('/')
59 q = RhodeCodeUi.get_by_key('/')
60 return q.ui_value
60 return q.ui_value
61
61
62 def _create_default_perms(self, new_group):
62 def _create_default_perms(self, new_group):
63 # create default permission
63 # create default permission
64 default_perm = 'group.read'
64 default_perm = 'group.read'
65 def_user = User.get_default_user()
65 def_user = User.get_default_user()
66 for p in def_user.user_perms:
66 for p in def_user.user_perms:
67 if p.permission.permission_name.startswith('group.'):
67 if p.permission.permission_name.startswith('group.'):
68 default_perm = p.permission.permission_name
68 default_perm = p.permission.permission_name
69 break
69 break
70
70
71 repo_group_to_perm = UserRepoGroupToPerm()
71 repo_group_to_perm = UserRepoGroupToPerm()
72 repo_group_to_perm.permission = Permission.get_by_key(default_perm)
72 repo_group_to_perm.permission = Permission.get_by_key(default_perm)
73
73
74 repo_group_to_perm.group = new_group
74 repo_group_to_perm.group = new_group
75 repo_group_to_perm.user_id = def_user.user_id
75 repo_group_to_perm.user_id = def_user.user_id
76 return repo_group_to_perm
76 return repo_group_to_perm
77
77
78 def __create_group(self, group_name):
78 def __create_group(self, group_name):
79 """
79 """
80 makes repository group on filesystem
80 makes repository group on filesystem
81
81
82 :param repo_name:
82 :param repo_name:
83 :param parent_id:
83 :param parent_id:
84 """
84 """
85
85
86 create_path = os.path.join(self.repos_path, group_name)
86 create_path = os.path.join(self.repos_path, group_name)
87 log.debug('creating new group in %s' % create_path)
87 log.debug('creating new group in %s' % create_path)
88
88
89 if os.path.isdir(create_path):
89 if os.path.isdir(create_path):
90 raise Exception('That directory already exists !')
90 raise Exception('That directory already exists !')
91
91
92 os.makedirs(create_path)
92 os.makedirs(create_path)
93
93
94 def __rename_group(self, old, new):
94 def __rename_group(self, old, new):
95 """
95 """
96 Renames a group on filesystem
96 Renames a group on filesystem
97
97
98 :param group_name:
98 :param group_name:
99 """
99 """
100
100
101 if old == new:
101 if old == new:
102 log.debug('skipping group rename')
102 log.debug('skipping group rename')
103 return
103 return
104
104
105 log.debug('renaming repository group from %s to %s' % (old, new))
105 log.debug('renaming repository group from %s to %s' % (old, new))
106
106
107 old_path = os.path.join(self.repos_path, old)
107 old_path = os.path.join(self.repos_path, old)
108 new_path = os.path.join(self.repos_path, new)
108 new_path = os.path.join(self.repos_path, new)
109
109
110 log.debug('renaming repos paths from %s to %s' % (old_path, new_path))
110 log.debug('renaming repos paths from %s to %s' % (old_path, new_path))
111
111
112 if os.path.isdir(new_path):
112 if os.path.isdir(new_path):
113 raise Exception('Was trying to rename to already '
113 raise Exception('Was trying to rename to already '
114 'existing dir %s' % new_path)
114 'existing dir %s' % new_path)
115 shutil.move(old_path, new_path)
115 shutil.move(old_path, new_path)
116
116
117 def __delete_group(self, group, force_delete=False):
117 def __delete_group(self, group, force_delete=False):
118 """
118 """
119 Deletes a group from a filesystem
119 Deletes a group from a filesystem
120
120
121 :param group: instance of group from database
121 :param group: instance of group from database
122 :param force_delete: use shutil rmtree to remove all objects
122 :param force_delete: use shutil rmtree to remove all objects
123 """
123 """
124 paths = group.full_path.split(RepoGroup.url_sep())
124 paths = group.full_path.split(RepoGroup.url_sep())
125 paths = os.sep.join(paths)
125 paths = os.sep.join(paths)
126
126
127 rm_path = os.path.join(self.repos_path, paths)
127 rm_path = os.path.join(self.repos_path, paths)
128 log.info("Removing group %s" % (rm_path))
128 log.info("Removing group %s" % (rm_path))
129 # delete only if that path really exists
129 # delete only if that path really exists
130 if os.path.isdir(rm_path):
130 if os.path.isdir(rm_path):
131 if force_delete:
131 if force_delete:
132 shutil.rmtree(rm_path)
132 shutil.rmtree(rm_path)
133 else:
133 else:
134 #archive that group`
134 #archive that group`
135 _now = datetime.datetime.now()
135 _now = datetime.datetime.now()
136 _ms = str(_now.microsecond).rjust(6, '0')
136 _ms = str(_now.microsecond).rjust(6, '0')
137 _d = 'rm__%s_GROUP_%s' % (_now.strftime('%Y%m%d_%H%M%S_' + _ms),
137 _d = 'rm__%s_GROUP_%s' % (_now.strftime('%Y%m%d_%H%M%S_' + _ms),
138 group.name)
138 group.name)
139 shutil.move(rm_path, os.path.join(self.repos_path, _d))
139 shutil.move(rm_path, os.path.join(self.repos_path, _d))
140
140
141 def create(self, group_name, group_description, owner, parent=None, just_db=False):
141 def create(self, group_name, group_description, owner, parent=None, just_db=False):
142 try:
142 try:
143 user = self._get_user(owner)
143 new_repos_group = RepoGroup()
144 new_repos_group = RepoGroup()
144 new_repos_group.user = self._get_user(owner)
145 new_repos_group.user = user
145 new_repos_group.group_description = group_description or group_name
146 new_repos_group.group_description = group_description or group_name
146 new_repos_group.parent_group = self._get_repo_group(parent)
147 new_repos_group.parent_group = self._get_repo_group(parent)
147 new_repos_group.group_name = new_repos_group.get_new_name(group_name)
148 new_repos_group.group_name = new_repos_group.get_new_name(group_name)
148
149
149 self.sa.add(new_repos_group)
150 self.sa.add(new_repos_group)
150 perm_obj = self._create_default_perms(new_repos_group)
151 perm_obj = self._create_default_perms(new_repos_group)
151 self.sa.add(perm_obj)
152 self.sa.add(perm_obj)
152
153
153 #create an ADMIN permission for owner, later owner should go into
154 #create an ADMIN permission for owner except if we're super admin,
154 #the owner field of groups
155 #later owner should go into the owner field of groups
155 self.grant_user_permission(repos_group=new_repos_group,
156 if not user.is_admin:
156 user=owner, perm='group.admin')
157 self.grant_user_permission(repos_group=new_repos_group,
158 user=owner, perm='group.admin')
157
159
158 if not just_db:
160 if not just_db:
159 # we need to flush here, in order to check if database won't
161 # we need to flush here, in order to check if database won't
160 # throw any exceptions, create filesystem dirs at the very end
162 # throw any exceptions, create filesystem dirs at the very end
161 self.sa.flush()
163 self.sa.flush()
162 self.__create_group(new_repos_group.group_name)
164 self.__create_group(new_repos_group.group_name)
163
165
164 return new_repos_group
166 return new_repos_group
165 except Exception:
167 except Exception:
166 log.error(traceback.format_exc())
168 log.error(traceback.format_exc())
167 raise
169 raise
168
170
169 def _update_permissions(self, repos_group, perms_new=None,
171 def _update_permissions(self, repos_group, perms_new=None,
170 perms_updates=None, recursive=False,
172 perms_updates=None, recursive=False,
171 check_perms=True):
173 check_perms=True):
172 from rhodecode.model.repo import RepoModel
174 from rhodecode.model.repo import RepoModel
173 from rhodecode.lib.auth import HasUserGroupPermissionAny
175 from rhodecode.lib.auth import HasUserGroupPermissionAny
174
176
175 if not perms_new:
177 if not perms_new:
176 perms_new = []
178 perms_new = []
177 if not perms_updates:
179 if not perms_updates:
178 perms_updates = []
180 perms_updates = []
179
181
180 def _set_perm_user(obj, user, perm):
182 def _set_perm_user(obj, user, perm):
181 if isinstance(obj, RepoGroup):
183 if isinstance(obj, RepoGroup):
182 self.grant_user_permission(
184 self.grant_user_permission(
183 repos_group=obj, user=user, perm=perm
185 repos_group=obj, user=user, perm=perm
184 )
186 )
185 elif isinstance(obj, Repository):
187 elif isinstance(obj, Repository):
186 #we do this ONLY IF repository is non-private
188 #we do this ONLY IF repository is non-private
187 if obj.private:
189 if obj.private:
188 return
190 return
189
191
190 # we set group permission but we have to switch to repo
192 # we set group permission but we have to switch to repo
191 # permission
193 # permission
192 perm = perm.replace('group.', 'repository.')
194 perm = perm.replace('group.', 'repository.')
193 RepoModel().grant_user_permission(
195 RepoModel().grant_user_permission(
194 repo=obj, user=user, perm=perm
196 repo=obj, user=user, perm=perm
195 )
197 )
196
198
197 def _set_perm_group(obj, users_group, perm):
199 def _set_perm_group(obj, users_group, perm):
198 if isinstance(obj, RepoGroup):
200 if isinstance(obj, RepoGroup):
199 self.grant_users_group_permission(
201 self.grant_users_group_permission(
200 repos_group=obj, group_name=users_group, perm=perm
202 repos_group=obj, group_name=users_group, perm=perm
201 )
203 )
202 elif isinstance(obj, Repository):
204 elif isinstance(obj, Repository):
203 # we set group permission but we have to switch to repo
205 # we set group permission but we have to switch to repo
204 # permission
206 # permission
205 perm = perm.replace('group.', 'repository.')
207 perm = perm.replace('group.', 'repository.')
206 RepoModel().grant_users_group_permission(
208 RepoModel().grant_users_group_permission(
207 repo=obj, group_name=users_group, perm=perm
209 repo=obj, group_name=users_group, perm=perm
208 )
210 )
209 updates = []
211 updates = []
210 log.debug('Now updating permissions for %s in recursive mode:%s'
212 log.debug('Now updating permissions for %s in recursive mode:%s'
211 % (repos_group, recursive))
213 % (repos_group, recursive))
212
214
213 for obj in repos_group.recursive_groups_and_repos():
215 for obj in repos_group.recursive_groups_and_repos():
214 #obj is an instance of a group or repositories in that group
216 #obj is an instance of a group or repositories in that group
215 if not recursive:
217 if not recursive:
216 obj = repos_group
218 obj = repos_group
217
219
218 # update permissions
220 # update permissions
219 for member, perm, member_type in perms_updates:
221 for member, perm, member_type in perms_updates:
220 ## set for user
222 ## set for user
221 if member_type == 'user':
223 if member_type == 'user':
222 # this updates also current one if found
224 # this updates also current one if found
223 _set_perm_user(obj, user=member, perm=perm)
225 _set_perm_user(obj, user=member, perm=perm)
224 ## set for user group
226 ## set for user group
225 else:
227 else:
226 #check if we have permissions to alter this usergroup
228 #check if we have permissions to alter this usergroup
227 req_perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin')
229 req_perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin')
228 if not check_perms or HasUserGroupPermissionAny(*req_perms)(member):
230 if not check_perms or HasUserGroupPermissionAny(*req_perms)(member):
229 _set_perm_group(obj, users_group=member, perm=perm)
231 _set_perm_group(obj, users_group=member, perm=perm)
230 # set new permissions
232 # set new permissions
231 for member, perm, member_type in perms_new:
233 for member, perm, member_type in perms_new:
232 if member_type == 'user':
234 if member_type == 'user':
233 _set_perm_user(obj, user=member, perm=perm)
235 _set_perm_user(obj, user=member, perm=perm)
234 else:
236 else:
235 #check if we have permissions to alter this usergroup
237 #check if we have permissions to alter this usergroup
236 req_perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin')
238 req_perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin')
237 if not check_perms or HasUserGroupPermissionAny(*req_perms)(member):
239 if not check_perms or HasUserGroupPermissionAny(*req_perms)(member):
238 _set_perm_group(obj, users_group=member, perm=perm)
240 _set_perm_group(obj, users_group=member, perm=perm)
239 updates.append(obj)
241 updates.append(obj)
240 #if it's not recursive call
242 #if it's not recursive call
241 # break the loop and don't proceed with other changes
243 # break the loop and don't proceed with other changes
242 if not recursive:
244 if not recursive:
243 break
245 break
244 return updates
246 return updates
245
247
246 def update(self, repos_group, form_data):
248 def update(self, repos_group, form_data):
247
249
248 try:
250 try:
249 repos_group = self._get_repo_group(repos_group)
251 repos_group = self._get_repo_group(repos_group)
250 old_path = repos_group.full_path
252 old_path = repos_group.full_path
251
253
252 # change properties
254 # change properties
253 repos_group.group_description = form_data['group_description']
255 repos_group.group_description = form_data['group_description']
254 repos_group.group_parent_id = form_data['group_parent_id']
256 repos_group.group_parent_id = form_data['group_parent_id']
255 repos_group.enable_locking = form_data['enable_locking']
257 repos_group.enable_locking = form_data['enable_locking']
256
258
257 repos_group.parent_group = RepoGroup.get(form_data['group_parent_id'])
259 repos_group.parent_group = RepoGroup.get(form_data['group_parent_id'])
258 repos_group.group_name = repos_group.get_new_name(form_data['group_name'])
260 repos_group.group_name = repos_group.get_new_name(form_data['group_name'])
259 new_path = repos_group.full_path
261 new_path = repos_group.full_path
260 self.sa.add(repos_group)
262 self.sa.add(repos_group)
261
263
262 # iterate over all members of this groups and do fixes
264 # iterate over all members of this groups and do fixes
263 # set locking if given
265 # set locking if given
264 # if obj is a repoGroup also fix the name of the group according
266 # if obj is a repoGroup also fix the name of the group according
265 # to the parent
267 # to the parent
266 # if obj is a Repo fix it's name
268 # if obj is a Repo fix it's name
267 # this can be potentially heavy operation
269 # this can be potentially heavy operation
268 for obj in repos_group.recursive_groups_and_repos():
270 for obj in repos_group.recursive_groups_and_repos():
269 #set the value from it's parent
271 #set the value from it's parent
270 obj.enable_locking = repos_group.enable_locking
272 obj.enable_locking = repos_group.enable_locking
271 if isinstance(obj, RepoGroup):
273 if isinstance(obj, RepoGroup):
272 new_name = obj.get_new_name(obj.name)
274 new_name = obj.get_new_name(obj.name)
273 log.debug('Fixing group %s to new name %s' \
275 log.debug('Fixing group %s to new name %s' \
274 % (obj.group_name, new_name))
276 % (obj.group_name, new_name))
275 obj.group_name = new_name
277 obj.group_name = new_name
276 elif isinstance(obj, Repository):
278 elif isinstance(obj, Repository):
277 # we need to get all repositories from this new group and
279 # we need to get all repositories from this new group and
278 # rename them accordingly to new group path
280 # rename them accordingly to new group path
279 new_name = obj.get_new_name(obj.just_name)
281 new_name = obj.get_new_name(obj.just_name)
280 log.debug('Fixing repo %s to new name %s' \
282 log.debug('Fixing repo %s to new name %s' \
281 % (obj.repo_name, new_name))
283 % (obj.repo_name, new_name))
282 obj.repo_name = new_name
284 obj.repo_name = new_name
283 self.sa.add(obj)
285 self.sa.add(obj)
284
286
285 self.__rename_group(old_path, new_path)
287 self.__rename_group(old_path, new_path)
286
288
287 return repos_group
289 return repos_group
288 except Exception:
290 except Exception:
289 log.error(traceback.format_exc())
291 log.error(traceback.format_exc())
290 raise
292 raise
291
293
292 def delete(self, repos_group, force_delete=False):
294 def delete(self, repos_group, force_delete=False):
293 repos_group = self._get_repo_group(repos_group)
295 repos_group = self._get_repo_group(repos_group)
294 try:
296 try:
295 self.sa.delete(repos_group)
297 self.sa.delete(repos_group)
296 self.__delete_group(repos_group, force_delete)
298 self.__delete_group(repos_group, force_delete)
297 except Exception:
299 except Exception:
298 log.error('Error removing repos_group %s' % repos_group)
300 log.error('Error removing repos_group %s' % repos_group)
299 raise
301 raise
300
302
301 def delete_permission(self, repos_group, obj, obj_type, recursive):
303 def delete_permission(self, repos_group, obj, obj_type, recursive):
302 """
304 """
303 Revokes permission for repos_group for given obj(user or users_group),
305 Revokes permission for repos_group for given obj(user or users_group),
304 obj_type can be user or user group
306 obj_type can be user or user group
305
307
306 :param repos_group:
308 :param repos_group:
307 :param obj: user or user group id
309 :param obj: user or user group id
308 :param obj_type: user or user group type
310 :param obj_type: user or user group type
309 :param recursive: recurse to all children of group
311 :param recursive: recurse to all children of group
310 """
312 """
311 from rhodecode.model.repo import RepoModel
313 from rhodecode.model.repo import RepoModel
312 repos_group = self._get_repo_group(repos_group)
314 repos_group = self._get_repo_group(repos_group)
313
315
314 for el in repos_group.recursive_groups_and_repos():
316 for el in repos_group.recursive_groups_and_repos():
315 if not recursive:
317 if not recursive:
316 # if we don't recurse set the permission on only the top level
318 # if we don't recurse set the permission on only the top level
317 # object
319 # object
318 el = repos_group
320 el = repos_group
319
321
320 if isinstance(el, RepoGroup):
322 if isinstance(el, RepoGroup):
321 if obj_type == 'user':
323 if obj_type == 'user':
322 ReposGroupModel().revoke_user_permission(el, user=obj)
324 ReposGroupModel().revoke_user_permission(el, user=obj)
323 elif obj_type == 'users_group':
325 elif obj_type == 'users_group':
324 ReposGroupModel().revoke_users_group_permission(el, group_name=obj)
326 ReposGroupModel().revoke_users_group_permission(el, group_name=obj)
325 else:
327 else:
326 raise Exception('undefined object type %s' % obj_type)
328 raise Exception('undefined object type %s' % obj_type)
327 elif isinstance(el, Repository):
329 elif isinstance(el, Repository):
328 if obj_type == 'user':
330 if obj_type == 'user':
329 RepoModel().revoke_user_permission(el, user=obj)
331 RepoModel().revoke_user_permission(el, user=obj)
330 elif obj_type == 'users_group':
332 elif obj_type == 'users_group':
331 RepoModel().revoke_users_group_permission(el, group_name=obj)
333 RepoModel().revoke_users_group_permission(el, group_name=obj)
332 else:
334 else:
333 raise Exception('undefined object type %s' % obj_type)
335 raise Exception('undefined object type %s' % obj_type)
334
336
335 #if it's not recursive call
337 #if it's not recursive call
336 # break the loop and don't proceed with other changes
338 # break the loop and don't proceed with other changes
337 if not recursive:
339 if not recursive:
338 break
340 break
339
341
340 def grant_user_permission(self, repos_group, user, perm):
342 def grant_user_permission(self, repos_group, user, perm):
341 """
343 """
342 Grant permission for user on given repository group, or update
344 Grant permission for user on given repository group, or update
343 existing one if found
345 existing one if found
344
346
345 :param repos_group: Instance of ReposGroup, repositories_group_id,
347 :param repos_group: Instance of ReposGroup, repositories_group_id,
346 or repositories_group name
348 or repositories_group name
347 :param user: Instance of User, user_id or username
349 :param user: Instance of User, user_id or username
348 :param perm: Instance of Permission, or permission_name
350 :param perm: Instance of Permission, or permission_name
349 """
351 """
350
352
351 repos_group = self._get_repo_group(repos_group)
353 repos_group = self._get_repo_group(repos_group)
352 user = self._get_user(user)
354 user = self._get_user(user)
353 permission = self._get_perm(perm)
355 permission = self._get_perm(perm)
354
356
355 # check if we have that permission already
357 # check if we have that permission already
356 obj = self.sa.query(UserRepoGroupToPerm)\
358 obj = self.sa.query(UserRepoGroupToPerm)\
357 .filter(UserRepoGroupToPerm.user == user)\
359 .filter(UserRepoGroupToPerm.user == user)\
358 .filter(UserRepoGroupToPerm.group == repos_group)\
360 .filter(UserRepoGroupToPerm.group == repos_group)\
359 .scalar()
361 .scalar()
360 if obj is None:
362 if obj is None:
361 # create new !
363 # create new !
362 obj = UserRepoGroupToPerm()
364 obj = UserRepoGroupToPerm()
363 obj.group = repos_group
365 obj.group = repos_group
364 obj.user = user
366 obj.user = user
365 obj.permission = permission
367 obj.permission = permission
366 self.sa.add(obj)
368 self.sa.add(obj)
367 log.debug('Granted perm %s to %s on %s' % (perm, user, repos_group))
369 log.debug('Granted perm %s to %s on %s' % (perm, user, repos_group))
368
370
369 def revoke_user_permission(self, repos_group, user):
371 def revoke_user_permission(self, repos_group, user):
370 """
372 """
371 Revoke permission for user on given repository group
373 Revoke permission for user on given repository group
372
374
373 :param repos_group: Instance of ReposGroup, repositories_group_id,
375 :param repos_group: Instance of ReposGroup, repositories_group_id,
374 or repositories_group name
376 or repositories_group name
375 :param user: Instance of User, user_id or username
377 :param user: Instance of User, user_id or username
376 """
378 """
377
379
378 repos_group = self._get_repo_group(repos_group)
380 repos_group = self._get_repo_group(repos_group)
379 user = self._get_user(user)
381 user = self._get_user(user)
380
382
381 obj = self.sa.query(UserRepoGroupToPerm)\
383 obj = self.sa.query(UserRepoGroupToPerm)\
382 .filter(UserRepoGroupToPerm.user == user)\
384 .filter(UserRepoGroupToPerm.user == user)\
383 .filter(UserRepoGroupToPerm.group == repos_group)\
385 .filter(UserRepoGroupToPerm.group == repos_group)\
384 .scalar()
386 .scalar()
385 if obj:
387 if obj:
386 self.sa.delete(obj)
388 self.sa.delete(obj)
387 log.debug('Revoked perm on %s on %s' % (repos_group, user))
389 log.debug('Revoked perm on %s on %s' % (repos_group, user))
388
390
389 def grant_users_group_permission(self, repos_group, group_name, perm):
391 def grant_users_group_permission(self, repos_group, group_name, perm):
390 """
392 """
391 Grant permission for user group on given repository group, or update
393 Grant permission for user group on given repository group, or update
392 existing one if found
394 existing one if found
393
395
394 :param repos_group: Instance of ReposGroup, repositories_group_id,
396 :param repos_group: Instance of ReposGroup, repositories_group_id,
395 or repositories_group name
397 or repositories_group name
396 :param group_name: Instance of UserGroup, users_group_id,
398 :param group_name: Instance of UserGroup, users_group_id,
397 or user group name
399 or user group name
398 :param perm: Instance of Permission, or permission_name
400 :param perm: Instance of Permission, or permission_name
399 """
401 """
400 repos_group = self._get_repo_group(repos_group)
402 repos_group = self._get_repo_group(repos_group)
401 group_name = self._get_user_group(group_name)
403 group_name = self._get_user_group(group_name)
402 permission = self._get_perm(perm)
404 permission = self._get_perm(perm)
403
405
404 # check if we have that permission already
406 # check if we have that permission already
405 obj = self.sa.query(UserGroupRepoGroupToPerm)\
407 obj = self.sa.query(UserGroupRepoGroupToPerm)\
406 .filter(UserGroupRepoGroupToPerm.group == repos_group)\
408 .filter(UserGroupRepoGroupToPerm.group == repos_group)\
407 .filter(UserGroupRepoGroupToPerm.users_group == group_name)\
409 .filter(UserGroupRepoGroupToPerm.users_group == group_name)\
408 .scalar()
410 .scalar()
409
411
410 if obj is None:
412 if obj is None:
411 # create new
413 # create new
412 obj = UserGroupRepoGroupToPerm()
414 obj = UserGroupRepoGroupToPerm()
413
415
414 obj.group = repos_group
416 obj.group = repos_group
415 obj.users_group = group_name
417 obj.users_group = group_name
416 obj.permission = permission
418 obj.permission = permission
417 self.sa.add(obj)
419 self.sa.add(obj)
418 log.debug('Granted perm %s to %s on %s' % (perm, group_name, repos_group))
420 log.debug('Granted perm %s to %s on %s' % (perm, group_name, repos_group))
419
421
420 def revoke_users_group_permission(self, repos_group, group_name):
422 def revoke_users_group_permission(self, repos_group, group_name):
421 """
423 """
422 Revoke permission for user group on given repository group
424 Revoke permission for user group on given repository group
423
425
424 :param repos_group: Instance of ReposGroup, repositories_group_id,
426 :param repos_group: Instance of ReposGroup, repositories_group_id,
425 or repositories_group name
427 or repositories_group name
426 :param group_name: Instance of UserGroup, users_group_id,
428 :param group_name: Instance of UserGroup, users_group_id,
427 or user group name
429 or user group name
428 """
430 """
429 repos_group = self._get_repo_group(repos_group)
431 repos_group = self._get_repo_group(repos_group)
430 group_name = self._get_user_group(group_name)
432 group_name = self._get_user_group(group_name)
431
433
432 obj = self.sa.query(UserGroupRepoGroupToPerm)\
434 obj = self.sa.query(UserGroupRepoGroupToPerm)\
433 .filter(UserGroupRepoGroupToPerm.group == repos_group)\
435 .filter(UserGroupRepoGroupToPerm.group == repos_group)\
434 .filter(UserGroupRepoGroupToPerm.users_group == group_name)\
436 .filter(UserGroupRepoGroupToPerm.users_group == group_name)\
435 .scalar()
437 .scalar()
436 if obj:
438 if obj:
437 self.sa.delete(obj)
439 self.sa.delete(obj)
438 log.debug('Revoked perm to %s on %s' % (repos_group, group_name))
440 log.debug('Revoked perm to %s on %s' % (repos_group, group_name))
General Comments 0
You need to be logged in to leave comments. Login now