auth: simplify user group permission checks...
Søren Løvborg -
r6473:ca77c6da default
@@ -45,7 +45,7 b' from kallithea.lib.exceptions import Use'
45 RepoGroupAssignmentError
45 RepoGroupAssignmentError
46 from kallithea.lib.utils2 import safe_unicode, safe_int
46 from kallithea.lib.utils2 import safe_unicode, safe_int
47 from kallithea.lib.auth import LoginRequired, \
47 from kallithea.lib.auth import LoginRequired, \
48 HasUserGroupPermissionAnyDecorator, HasPermissionAnyDecorator
48 HasUserGroupPermissionLevelDecorator, HasPermissionAnyDecorator
49 from kallithea.lib.base import BaseController, render
49 from kallithea.lib.base import BaseController, render
50 from kallithea.model.scm import UserGroupList
50 from kallithea.model.scm import UserGroupList
51 from kallithea.model.user_group import UserGroupModel
51 from kallithea.model.user_group import UserGroupModel
@@ -92,7 +92,7 b' class UserGroupsController(BaseControlle'
92 _list = UserGroup.query() \
92 _list = UserGroup.query() \
93 .order_by(func.lower(UserGroup.users_group_name)) \
93 .order_by(func.lower(UserGroup.users_group_name)) \
94 .all()
94 .all()
95 group_iter = UserGroupList(_list, perm_set=['usergroup.admin'])
95 group_iter = UserGroupList(_list, perm_level='admin')
96 user_groups_data = []
96 user_groups_data = []
97 total_records = len(group_iter)
97 total_records = len(group_iter)
98 _tmpl_lookup = kallithea.CONFIG['pylons.app_globals'].mako_lookup
98 _tmpl_lookup = kallithea.CONFIG['pylons.app_globals'].mako_lookup
@@ -165,7 +165,7 b' class UserGroupsController(BaseControlle'
165 def new(self, format='html'):
165 def new(self, format='html'):
166 return render('admin/user_groups/user_group_add.html')
166 return render('admin/user_groups/user_group_add.html')
167
167
168 @HasUserGroupPermissionAnyDecorator('usergroup.admin')
168 @HasUserGroupPermissionLevelDecorator('admin')
169 def update(self, id):
169 def update(self, id):
170 c.user_group = UserGroup.get_or_404(id)
170 c.user_group = UserGroup.get_or_404(id)
171 c.active = 'settings'
171 c.active = 'settings'
@@ -211,7 +211,7 b' class UserGroupsController(BaseControlle'
211
211
212 raise HTTPFound(location=url('edit_users_group', id=id))
212 raise HTTPFound(location=url('edit_users_group', id=id))
213
213
214 @HasUserGroupPermissionAnyDecorator('usergroup.admin')
214 @HasUserGroupPermissionLevelDecorator('admin')
215 def delete(self, id):
215 def delete(self, id):
216 usr_gr = UserGroup.get_or_404(id)
216 usr_gr = UserGroup.get_or_404(id)
217 try:
217 try:
@@ -226,7 +226,7 b' class UserGroupsController(BaseControlle'
226 category='error')
226 category='error')
227 raise HTTPFound(location=url('users_groups'))
227 raise HTTPFound(location=url('users_groups'))
228
228
229 @HasUserGroupPermissionAnyDecorator('usergroup.admin')
229 @HasUserGroupPermissionLevelDecorator('admin')
230 def edit(self, id, format='html'):
230 def edit(self, id, format='html'):
231 c.user_group = UserGroup.get_or_404(id)
231 c.user_group = UserGroup.get_or_404(id)
232 c.active = 'settings'
232 c.active = 'settings'
@@ -241,7 +241,7 b' class UserGroupsController(BaseControlle'
241 force_defaults=False
241 force_defaults=False
242 )
242 )
243
243
244 @HasUserGroupPermissionAnyDecorator('usergroup.admin')
244 @HasUserGroupPermissionLevelDecorator('admin')
245 def edit_perms(self, id):
245 def edit_perms(self, id):
246 c.user_group = UserGroup.get_or_404(id)
246 c.user_group = UserGroup.get_or_404(id)
247 c.active = 'perms'
247 c.active = 'perms'
@@ -267,7 +267,7 b' class UserGroupsController(BaseControlle'
267 force_defaults=False
267 force_defaults=False
268 )
268 )
269
269
270 @HasUserGroupPermissionAnyDecorator('usergroup.admin')
270 @HasUserGroupPermissionLevelDecorator('admin')
271 def update_perms(self, id):
271 def update_perms(self, id):
272 """
272 """
273 grant permission for given usergroup
273 grant permission for given usergroup
@@ -291,7 +291,7 b' class UserGroupsController(BaseControlle'
291 h.flash(_('User group permissions updated'), category='success')
291 h.flash(_('User group permissions updated'), category='success')
292 raise HTTPFound(location=url('edit_user_group_perms', id=id))
292 raise HTTPFound(location=url('edit_user_group_perms', id=id))
293
293
294 @HasUserGroupPermissionAnyDecorator('usergroup.admin')
294 @HasUserGroupPermissionLevelDecorator('admin')
295 def delete_perms(self, id):
295 def delete_perms(self, id):
296 try:
296 try:
297 obj_type = request.POST.get('obj_type')
297 obj_type = request.POST.get('obj_type')
@@ -319,7 +319,7 b' class UserGroupsController(BaseControlle'
319 category='error')
319 category='error')
320 raise HTTPInternalServerError()
320 raise HTTPInternalServerError()
321
321
322 @HasUserGroupPermissionAnyDecorator('usergroup.admin')
322 @HasUserGroupPermissionLevelDecorator('admin')
323 def edit_default_perms(self, id):
323 def edit_default_perms(self, id):
324 c.user_group = UserGroup.get_or_404(id)
324 c.user_group = UserGroup.get_or_404(id)
325 c.active = 'default_perms'
325 c.active = 'default_perms'
@@ -368,7 +368,7 b' class UserGroupsController(BaseControlle'
368 force_defaults=False
368 force_defaults=False
369 )
369 )
370
370
371 @HasUserGroupPermissionAnyDecorator('usergroup.admin')
371 @HasUserGroupPermissionLevelDecorator('admin')
372 def update_default_perms(self, id):
372 def update_default_perms(self, id):
373 user_group = UserGroup.get_or_404(id)
373 user_group = UserGroup.get_or_404(id)
374
374
@@ -408,7 +408,7 b' class UserGroupsController(BaseControlle'
408
408
409 raise HTTPFound(location=url('edit_user_group_default_perms', id=id))
409 raise HTTPFound(location=url('edit_user_group_default_perms', id=id))
410
410
411 @HasUserGroupPermissionAnyDecorator('usergroup.admin')
411 @HasUserGroupPermissionLevelDecorator('admin')
412 def edit_advanced(self, id):
412 def edit_advanced(self, id):
413 c.user_group = UserGroup.get_or_404(id)
413 c.user_group = UserGroup.get_or_404(id)
414 c.active = 'advanced'
414 c.active = 'advanced'
@@ -417,7 +417,7 b' class UserGroupsController(BaseControlle'
417 return render('admin/user_groups/user_group_edit.html')
417 return render('admin/user_groups/user_group_edit.html')
418
418
419
419
420 @HasUserGroupPermissionAnyDecorator('usergroup.admin')
420 @HasUserGroupPermissionLevelDecorator('admin')
421 def edit_members(self, id):
421 def edit_members(self, id):
422 c.user_group = UserGroup.get_or_404(id)
422 c.user_group = UserGroup.get_or_404(id)
423 c.active = 'members'
423 c.active = 'members'
@@ -36,7 +36,7 b' from kallithea.controllers.api import JS'
36 from kallithea.lib.auth import (
36 from kallithea.lib.auth import (
37 PasswordGenerator, AuthUser, HasPermissionAnyDecorator,
37 PasswordGenerator, AuthUser, HasPermissionAnyDecorator,
38 HasPermissionAnyDecorator, HasPermissionAny, HasRepoPermissionLevel,
38 HasPermissionAnyDecorator, HasPermissionAny, HasRepoPermissionLevel,
39 HasRepoGroupPermissionLevel, HasUserGroupPermissionAny)
39 HasRepoGroupPermissionLevel, HasUserGroupPermissionLevel)
40 from kallithea.lib.utils import map_groups, repo2db_mapper
40 from kallithea.lib.utils import map_groups, repo2db_mapper
41 from kallithea.lib.utils2 import (
41 from kallithea.lib.utils2 import (
42 str2bool, time_to_datetime, safe_int, Optional, OAttr)
42 str2bool, time_to_datetime, safe_int, Optional, OAttr)
@@ -820,10 +820,7 b' class ApiController(JSONRPCController):'
820 """
820 """
821 user_group = get_user_group_or_error(usergroupid)
821 user_group = get_user_group_or_error(usergroupid)
822 if not HasPermissionAny('hg.admin')():
822 if not HasPermissionAny('hg.admin')():
823 # check if we have at least read permission for this user group !
823 if not HasUserGroupPermissionLevel('read')(user_group.users_group_name):
824 _perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin',)
825 if not HasUserGroupPermissionAny(*_perms)(
826 user_group_name=user_group.users_group_name):
827 raise JSONRPCError('user group `%s` does not exist' % (usergroupid,))
824 raise JSONRPCError('user group `%s` does not exist' % (usergroupid,))
828
825
829 data = user_group.get_api_data()
826 data = user_group.get_api_data()
@@ -845,9 +842,7 b' class ApiController(JSONRPCController):'
845 """
842 """
846
843
847 result = []
844 result = []
848 _perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin',)
845 for user_group in UserGroupList(UserGroup.query().all(), perm_level='read'):
849 for user_group in UserGroupList(UserGroup.query().all(),
850 perm_set=_perms):
851 result.append(user_group.get_api_data())
846 result.append(user_group.get_api_data())
852 return result
847 return result
853
848
@@ -949,10 +944,7 b' class ApiController(JSONRPCController):'
949 """
944 """
950 user_group = get_user_group_or_error(usergroupid)
945 user_group = get_user_group_or_error(usergroupid)
951 if not HasPermissionAny('hg.admin')():
946 if not HasPermissionAny('hg.admin')():
952 # check if we have admin permission for this user group !
947 if not HasUserGroupPermissionLevel('admin')(user_group.users_group_name):
953 _perms = ('usergroup.admin',)
954 if not HasUserGroupPermissionAny(*_perms)(
955 user_group_name=user_group.users_group_name):
956 raise JSONRPCError('user group `%s` does not exist' % (usergroupid,))
948 raise JSONRPCError('user group `%s` does not exist' % (usergroupid,))
957
949
958 if not isinstance(owner, Optional):
950 if not isinstance(owner, Optional):
@@ -1006,10 +998,7 b' class ApiController(JSONRPCController):'
1006 """
998 """
1007 user_group = get_user_group_or_error(usergroupid)
999 user_group = get_user_group_or_error(usergroupid)
1008 if not HasPermissionAny('hg.admin')():
1000 if not HasPermissionAny('hg.admin')():
1009 # check if we have admin permission for this user group !
1001 if not HasUserGroupPermissionLevel('admin')(user_group.users_group_name):
1010 _perms = ('usergroup.admin',)
1011 if not HasUserGroupPermissionAny(*_perms)(
1012 user_group_name=user_group.users_group_name):
1013 raise JSONRPCError('user group `%s` does not exist' % (usergroupid,))
1002 raise JSONRPCError('user group `%s` does not exist' % (usergroupid,))
1014
1003
1015 try:
1004 try:
@@ -1065,10 +1054,7 b' class ApiController(JSONRPCController):'
1065 user = get_user_or_error(userid)
1054 user = get_user_or_error(userid)
1066 user_group = get_user_group_or_error(usergroupid)
1055 user_group = get_user_group_or_error(usergroupid)
1067 if not HasPermissionAny('hg.admin')():
1056 if not HasPermissionAny('hg.admin')():
1068 # check if we have admin permission for this user group !
1057 if not HasUserGroupPermissionLevel('admin')(user_group.users_group_name):
1069 _perms = ('usergroup.admin',)
1070 if not HasUserGroupPermissionAny(*_perms)(
1071 user_group_name=user_group.users_group_name):
1072 raise JSONRPCError('user group `%s` does not exist' % (usergroupid,))
1058 raise JSONRPCError('user group `%s` does not exist' % (usergroupid,))
1073
1059
1074 try:
1060 try:
@@ -1117,10 +1103,7 b' class ApiController(JSONRPCController):'
1117 user = get_user_or_error(userid)
1103 user = get_user_or_error(userid)
1118 user_group = get_user_group_or_error(usergroupid)
1104 user_group = get_user_group_or_error(usergroupid)
1119 if not HasPermissionAny('hg.admin')():
1105 if not HasPermissionAny('hg.admin')():
1120 # check if we have admin permission for this user group !
1106 if not HasUserGroupPermissionLevel('admin')(user_group.users_group_name):
1121 _perms = ('usergroup.admin',)
1122 if not HasUserGroupPermissionAny(*_perms)(
1123 user_group_name=user_group.users_group_name):
1124 raise JSONRPCError('user group `%s` does not exist' % (usergroupid,))
1107 raise JSONRPCError('user group `%s` does not exist' % (usergroupid,))
1125
1108
1126 try:
1109 try:
@@ -1812,10 +1795,7 b' class ApiController(JSONRPCController):'
1812 if not HasRepoPermissionLevel('admin')(repo.repo_name):
1795 if not HasRepoPermissionLevel('admin')(repo.repo_name):
1813 raise JSONRPCError('repository `%s` does not exist' % (repoid,))
1796 raise JSONRPCError('repository `%s` does not exist' % (repoid,))
1814
1797
1815 # check if we have at least read permission for this user group !
1798 if not HasUserGroupPermissionLevel('read')(user_group.users_group_name):
1816 _perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin',)
1817 if not HasUserGroupPermissionAny(*_perms)(
1818 user_group_name=user_group.users_group_name):
1819 raise JSONRPCError('user group `%s` does not exist' % (usergroupid,))
1799 raise JSONRPCError('user group `%s` does not exist' % (usergroupid,))
1820
1800
1821 try:
1801 try:
@@ -1865,10 +1845,7 b' class ApiController(JSONRPCController):'
1865 if not HasRepoPermissionLevel('admin')(repo.repo_name):
1845 if not HasRepoPermissionLevel('admin')(repo.repo_name):
1866 raise JSONRPCError('repository `%s` does not exist' % (repoid,))
1846 raise JSONRPCError('repository `%s` does not exist' % (repoid,))
1867
1847
1868 # check if we have at least read permission for this user group !
1848 if not HasUserGroupPermissionLevel('read')(user_group.users_group_name):
1869 _perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin',)
1870 if not HasUserGroupPermissionAny(*_perms)(
1871 user_group_name=user_group.users_group_name):
1872 raise JSONRPCError('user group `%s` does not exist' % (usergroupid,))
1849 raise JSONRPCError('user group `%s` does not exist' % (usergroupid,))
1873
1850
1874 try:
1851 try:
@@ -2245,10 +2222,7 b' class ApiController(JSONRPCController):'
2245 raise JSONRPCError(
2222 raise JSONRPCError(
2246 'repository group `%s` does not exist' % (repogroupid,))
2223 'repository group `%s` does not exist' % (repogroupid,))
2247
2224
2248 # check if we have at least read permission for this user group !
2225 if not HasUserGroupPermissionLevel('read')(user_group.users_group_name):
2249 _perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin',)
2250 if not HasUserGroupPermissionAny(*_perms)(
2251 user_group_name=user_group.users_group_name):
2252 raise JSONRPCError(
2226 raise JSONRPCError(
2253 'user group `%s` does not exist' % (usergroupid,))
2227 'user group `%s` does not exist' % (usergroupid,))
2254
2228
@@ -2318,10 +2292,7 b' class ApiController(JSONRPCController):'
2318 raise JSONRPCError(
2292 raise JSONRPCError(
2319 'repository group `%s` does not exist' % (repogroupid,))
2293 'repository group `%s` does not exist' % (repogroupid,))
2320
2294
2321 # check if we have at least read permission for this user group !
2295 if not HasUserGroupPermissionLevel('read')(user_group.users_group_name):
2322 _perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin',)
2323 if not HasUserGroupPermissionAny(*_perms)(
2324 user_group_name=user_group.users_group_name):
2325 raise JSONRPCError(
2296 raise JSONRPCError(
2326 'user group `%s` does not exist' % (usergroupid,))
2297 'user group `%s` does not exist' % (usergroupid,))
2327
2298
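Review bot: None of the rewritten checks in this file passes the optional `purpose` argument, so the `log.debug` line in `AuthUser.has_user_group_permission_level` records `(None)` for every API decision and a denial cannot be tied to the call site that made it. `HasUserGroupPermissionLevel.__call__` already accepts it, so each check could read, for example, `HasUserGroupPermissionLevel('admin')(user_group.users_group_name, purpose='api')` (the label is illustrative). The same applies to the calls in the repo, repo group and user group models. The enclosing API methods start and end outside these hunks.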
@@ -561,6 +561,18 b' class AuthUser(object):'
561 self.username, level, repo_group_name, purpose, ok, actual_perm)
561 self.username, level, repo_group_name, purpose, ok, actual_perm)
562 return ok
562 return ok
563
563
564 def has_user_group_permission_level(self, user_group_name, level, purpose=None):
565 required_perms = {
566 'read': ['usergroup.read', 'usergroup.write', 'usergroup.admin'],
567 'write': ['usergroup.write', 'usergroup.admin'],
568 'admin': ['usergroup.admin'],
569 }[level]
570 actual_perm = self.permissions['user_groups'].get(user_group_name)
571 ok = actual_perm in required_perms
572 log.debug('Checking if user %r can %r user group %r (%s): %s (has %r)',
573 self.username, level, user_group_name, purpose, ok, actual_perm)
574 return ok
575
564 @property
576 @property
565 def api_keys(self):
577 def api_keys(self):
566 return self._get_api_keys()
578 return self._get_api_keys()
@@ -882,7 +894,7 b' class HasRepoGroupPermissionLevelDecorat'
882 return user.has_repository_group_permission_level(repo_group_name, level)
894 return user.has_repository_group_permission_level(repo_group_name, level)
883
895
884
896
885 class HasUserGroupPermissionAnyDecorator(_PermsDecorator):
897 class HasUserGroupPermissionLevelDecorator(_PermsDecorator):
886 """
898 """
887 Checks for access permission for any of given predicates for specific
899 Checks for access permission for any of given predicates for specific
888 user group. In order to fulfill the request any of predicates must be meet
900 user group. In order to fulfill the request any of predicates must be meet
@@ -890,10 +902,8 b' class HasUserGroupPermissionAnyDecorator'
890
902
891 def check_permissions(self, user):
903 def check_permissions(self, user):
892 user_group_name = get_user_group_slug(request)
904 user_group_name = get_user_group_slug(request)
893 try:
905 (level,) = self.required_perms
894 return user.permissions['user_groups'][user_group_name] in self.required_perms
906 return user.has_user_group_permission_level(user_group_name, level)
895 except KeyError:
896 return False
897
907
898
908
899 #==============================================================================
909 #==============================================================================
@@ -942,17 +952,11 b' class HasRepoGroupPermissionLevel(_Perms'
942 return request.user.has_repository_group_permission_level(group_name, level, purpose)
952 return request.user.has_repository_group_permission_level(group_name, level, purpose)
943
953
944
954
945 class HasUserGroupPermissionAny(_PermsFunction):
955 class HasUserGroupPermissionLevel(_PermsFunction):
946
956
947 def __call__(self, user_group_name, purpose=None):
957 def __call__(self, user_group_name, purpose=None):
948 try:
958 (level,) = self.required_perms
949 ok = request.user.permissions['user_groups'][user_group_name] in self.required_perms
959 return request.user.has_user_group_permission_level(user_group_name, level, purpose)
950 except KeyError:
951 ok = False
952
953 log.debug('Check %s %s for user group %s (%s): %s' %
954 (request.user.username, self.required_perms, user_group_name, purpose, ok))
955 return ok
956
960
957
961
958 #==============================================================================
962 #==============================================================================
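Review bot: The docstring kept on `HasUserGroupPermissionLevelDecorator` still describes the old behaviour ("any of given predicates"), while `check_permissions` now unpacks exactly one level with `(level,) = self.required_perms` and raises ValueError for any other argument count. I would reword it to say the decorator takes a single level, `'read'`, `'write'` or `'admin'`, and that a higher level satisfies a lower one, as the table in `has_user_group_permission_level` shows. That new method has no docstring. One is worth adding to state that a group missing from `self.permissions['user_groups']` yields `False` and that an unknown level raises KeyError instead of returning `False`. `HasUserGroupPermissionLevel.__call__` uses the same single-level unpack and would benefit from the same one-line remark.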
@@ -47,7 +47,7 b' from kallithea.model.db import Repositor'
47 Statistics, UserGroup, Ui, RepoGroup, RepositoryField
47 Statistics, UserGroup, Ui, RepoGroup, RepositoryField
48
48
49 from kallithea.lib import helpers as h
49 from kallithea.lib import helpers as h
50 from kallithea.lib.auth import HasRepoPermissionLevel, HasUserGroupPermissionAny
50 from kallithea.lib.auth import HasRepoPermissionLevel, HasUserGroupPermissionLevel
51 from kallithea.lib.exceptions import AttachedForksError
51 from kallithea.lib.exceptions import AttachedForksError
52 from kallithea.model.scm import UserGroupList
52 from kallithea.model.scm import UserGroupList
53
53
@@ -144,9 +144,7 b' class RepoModel(BaseModel):'
144 .order_by(UserGroup.users_group_name) \
144 .order_by(UserGroup.users_group_name) \
145 .options(subqueryload(UserGroup.members)) \
145 .options(subqueryload(UserGroup.members)) \
146 .all()
146 .all()
147 user_groups = UserGroupList(user_groups, perm_set=['usergroup.read',
147 user_groups = UserGroupList(user_groups, perm_level='read')
148 'usergroup.write',
149 'usergroup.admin'])
150 return json.dumps([
148 return json.dumps([
151 {
149 {
152 'id': gr.users_group_id,
150 'id': gr.users_group_id,
@@ -468,11 +466,8 b' class RepoModel(BaseModel):'
468 repo=repo, user=member, perm=perm
466 repo=repo, user=member, perm=perm
469 )
467 )
470 else:
468 else:
471 #check if we have permissions to alter this usergroup
469 #check if we have permissions to alter this usergroup's access
472 req_perms = (
470 if not check_perms or HasUserGroupPermissionLevel('read')(member):
473 'usergroup.read', 'usergroup.write', 'usergroup.admin')
474 if not check_perms or HasUserGroupPermissionAny(*req_perms)(
475 member):
476 self.grant_user_group_permission(
471 self.grant_user_group_permission(
477 repo=repo, group_name=member, perm=perm
472 repo=repo, group_name=member, perm=perm
478 )
473 )
@@ -483,11 +478,8 b' class RepoModel(BaseModel):'
483 repo=repo, user=member, perm=perm
478 repo=repo, user=member, perm=perm
484 )
479 )
485 else:
480 else:
486 #check if we have permissions to alter this usergroup
481 #check if we have permissions to alter this usergroup's access
487 req_perms = (
482 if not check_perms or HasUserGroupPermissionLevel('read')(member):
488 'usergroup.read', 'usergroup.write', 'usergroup.admin')
489 if not check_perms or HasUserGroupPermissionAny(*req_perms)(
490 member):
491 self.grant_user_group_permission(
483 self.grant_user_group_permission(
492 repo=repo, group_name=member, perm=perm
484 repo=repo, group_name=member, perm=perm
493 )
485 )
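Review bot: The read-level guard `HasUserGroupPermissionLevel('read')(member)` and its comment appear twice in this file and twice each in the repo group and user group models, so the level required to grant a user group access is spelled out in six places. A single helper holding that decision would prevent a later change of the required level from missing a site. Separately, as far as these hunks show, a member that fails the check is skipped without any message. A log line at that point would make a partially applied permission update visible to whoever audits it. The enclosing method starts and ends outside the hunks, so an `else` branch may exist that is not shown.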
@@ -187,7 +187,7 b' class RepoGroupModel(BaseModel):'
187 perms_updates=None, recursive=None,
187 perms_updates=None, recursive=None,
188 check_perms=True):
188 check_perms=True):
189 from kallithea.model.repo import RepoModel
189 from kallithea.model.repo import RepoModel
190 from kallithea.lib.auth import HasUserGroupPermissionAny
190 from kallithea.lib.auth import HasUserGroupPermissionLevel
191
191
192 if not perms_new:
192 if not perms_new:
193 perms_new = []
193 perms_new = []
@@ -255,18 +255,16 b' class RepoGroupModel(BaseModel):'
255 _set_perm_user(obj, user=member, perm=perm)
255 _set_perm_user(obj, user=member, perm=perm)
256 ## set for user group
256 ## set for user group
257 else:
257 else:
258 #check if we have permissions to alter this usergroup
258 #check if we have permissions to alter this usergroup's access
259 req_perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin')
259 if not check_perms or HasUserGroupPermissionLevel('read')(member):
260 if not check_perms or HasUserGroupPermissionAny(*req_perms)(member):
261 _set_perm_group(obj, users_group=member, perm=perm)
260 _set_perm_group(obj, users_group=member, perm=perm)
262 # set new permissions
261 # set new permissions
263 for member, perm, member_type in perms_new:
262 for member, perm, member_type in perms_new:
264 if member_type == 'user':
263 if member_type == 'user':
265 _set_perm_user(obj, user=member, perm=perm)
264 _set_perm_user(obj, user=member, perm=perm)
266 else:
265 else:
267 #check if we have permissions to alter this usergroup
266 #check if we have permissions to alter this usergroup's access
268 req_perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin')
267 if not check_perms or HasUserGroupPermissionLevel('read')(member):
269 if not check_perms or HasUserGroupPermissionAny(*req_perms)(member):
270 _set_perm_group(obj, users_group=member, perm=perm)
268 _set_perm_group(obj, users_group=member, perm=perm)
271 updates.append(obj)
269 updates.append(obj)
272 # if it's not recursive call for all,repos,groups
270 # if it's not recursive call for all,repos,groups
@@ -50,7 +50,7 b' from kallithea.lib import helpers as h'
50 from kallithea.lib.utils2 import safe_str, safe_unicode, get_server_url, \
50 from kallithea.lib.utils2 import safe_str, safe_unicode, get_server_url, \
51 _set_extras
51 _set_extras
52 from kallithea.lib.auth import HasRepoPermissionLevel, HasRepoGroupPermissionLevel, \
52 from kallithea.lib.auth import HasRepoPermissionLevel, HasRepoGroupPermissionLevel, \
53 HasUserGroupPermissionAny, HasPermissionAny, HasPermissionAny
53 HasUserGroupPermissionLevel, HasPermissionAny, HasPermissionAny
54 from kallithea.lib.utils import get_filesystem_repos, make_ui, \
54 from kallithea.lib.utils import get_filesystem_repos, make_ui, \
55 action_logger
55 action_logger
56 from kallithea.model.base import BaseModel
56 from kallithea.model.base import BaseModel
@@ -132,13 +132,10 b' class RepoGroupList(_PermCheckIterator):'
132
132
133 class UserGroupList(_PermCheckIterator):
133 class UserGroupList(_PermCheckIterator):
134
134
135 def __init__(self, db_user_group_list, perm_set=None, extra_kwargs=None):
135 def __init__(self, db_user_group_list, perm_level, extra_kwargs=None):
136 if not perm_set:
137 perm_set = ['usergroup.read', 'usergroup.write', 'usergroup.admin']
138
139 super(UserGroupList, self).__init__(obj_list=db_user_group_list,
136 super(UserGroupList, self).__init__(obj_list=db_user_group_list,
140 obj_attr='users_group_name', perm_set=perm_set,
137 obj_attr='users_group_name', perm_set=[perm_level],
141 perm_checker=HasUserGroupPermissionAny,
138 perm_checker=HasUserGroupPermissionLevel,
142 extra_kwargs=extra_kwargs)
139 extra_kwargs=extra_kwargs)
143
140
144
141
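Review bot: `perm_level` has no default, whereas the old `perm_set=None` fell back to the three read-or-better permissions, so any caller outside this commit that omits the argument or still passes `perm_set=` now fails with TypeError. If that is intended, a short docstring on `__init__` should say that `perm_level` is one of `'read'`, `'write'` or `'admin'`. The line `perm_set=[perm_level]` also deserves a comment, for example `# single-element list: HasUserGroupPermissionLevel unpacks exactly one level`. I am assuming `_PermCheckIterator` hands `perm_set` on to the checker, since that class is not shown here.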
@@ -57,7 +57,7 b' class UserGroupModel(BaseModel):'
57
57
58 def _update_permissions(self, user_group, perms_new=None,
58 def _update_permissions(self, user_group, perms_new=None,
59 perms_updates=None):
59 perms_updates=None):
60 from kallithea.lib.auth import HasUserGroupPermissionAny
60 from kallithea.lib.auth import HasUserGroupPermissionLevel
61 if not perms_new:
61 if not perms_new:
62 perms_new = []
62 perms_new = []
63 if not perms_updates:
63 if not perms_updates:
@@ -71,9 +71,8 b' class UserGroupModel(BaseModel):'
71 user_group=user_group, user=member, perm=perm
71 user_group=user_group, user=member, perm=perm
72 )
72 )
73 else:
73 else:
74 #check if we have permissions to alter this usergroup
74 #check if we have permissions to alter this usergroup's access
75 if HasUserGroupPermissionAny('usergroup.read', 'usergroup.write',
75 if HasUserGroupPermissionLevel('read')(member):
76 'usergroup.admin')(member):
77 self.grant_user_group_permission(
76 self.grant_user_group_permission(
78 target_user_group=user_group, user_group=member, perm=perm
77 target_user_group=user_group, user_group=member, perm=perm
79 )
78 )
@@ -84,9 +83,8 b' class UserGroupModel(BaseModel):'
84 user_group=user_group, user=member, perm=perm
83 user_group=user_group, user=member, perm=perm
85 )
84 )
86 else:
85 else:
87 #check if we have permissions to alter this usergroup
86 #check if we have permissions to alter this usergroup's access
88 if HasUserGroupPermissionAny('usergroup.read', 'usergroup.write',
87 if HasUserGroupPermissionLevel('read')(member):
89 'usergroup.admin')(member):
90 self.grant_user_group_permission(
88 self.grant_user_group_permission(
91 target_user_group=user_group, user_group=member, perm=perm
89 target_user_group=user_group, user_group=member, perm=perm
92 )
90 )