kallithea Changeset - 2ce710e81e61

Changeset - 2ce710e81e61

Parent rev.

Child rev.

[Not reviewed]

default

0 11 0

Mads Kiilerich (mads) - 6 years ago 2020-04-11 20:18:29
mads@kiilerich.com

Grafted from: 7c0220adaae7

permissions: drop hg.create.write_on_repogroup "Repository creation with group write access" setting

Simplify permissions system and get rid of some confusing tech debt.

Before, the global 'write_on_repogroup' setting controlled what write
permission on a repo group meant.

With this change, users can create repositories in a repo group if and only if
they have write access. Write access to a repo group will now mean the
permission to create repositories in it.

Write access to repo groups must be granted explicitly. There should not be any
other reason to grant write access than to allow users to create repos. There
is thus no upgrade concerns for this change.

An admin that doesn't want users to create repos in a repogroup should just not
give them write access.

These global settings might still exist in the database, but is ignored and no
longer used and do no harm.

11 files changed with 14 insertions and 50 deletions:

kallithea/controllers/admin/permissions.py

kallithea/controllers/admin/repos.py

kallithea/controllers/forks.py

kallithea/lib/auth.py

kallithea/model/db.py

kallithea/model/forms.py

kallithea/model/permission.py

kallithea/model/validators.py

kallithea/templates/admin/permissions/permissions_globals.html

kallithea/templates/index_base.html

kallithea/tests/models/test_permissions.py

0 comments (0 inline, 0 general)

kallithea/controllers/admin/permissions.py

➞

Show inline comments

@@ @@ -89,11 +89,6 @@ class PermissionsController(BaseControll @@
         c.repo_create_choices = [('hg.create.none', _('Disabled')),
                                  ('hg.create.repository', _('Enabled'))]
         c.repo_create_on_write_choices = [
             ('hg.create.write_on_repogroup.true', _('Enabled')),
             ('hg.create.write_on_repogroup.false', _('Disabled')),
+        ]
         c.user_group_create_choices = [('hg.usergroup.create.false', _('Disabled')),
                                        ('hg.usergroup.create.true', _('Enabled'))]
@@ @@ -109,7 +104,6 @@ class PermissionsController(BaseControll @@
                 [x[0] for x in c.group_perms_choices],
                 [x[0] for x in c.user_group_perms_choices],
                 [x[0] for x in c.repo_create_choices],
                 [x[0] for x in c.repo_create_on_write_choices],
                 [x[0] for x in c.repo_group_create_choices],
                 [x[0] for x in c.user_group_create_choices],
                 [x[0] for x in c.fork_choices],
@@ @@ -154,9 +148,6 @@ class PermissionsController(BaseControll @@
             if p.permission.permission_name.startswith('usergroup.'):
                 defaults['default_user_group_perm'] = p.permission.permission_name
             if p.permission.permission_name.startswith('hg.create.write_on_repogroup.'):
                 defaults['create_on_write'] = p.permission.permission_name
             elif p.permission.permission_name.startswith('hg.create.'):
                 defaults['default_repo_create'] = p.permission.permission_name

kallithea/controllers/admin/repos.py

➞

Show inline comments

@@ @@ -39,7 +39,7 @@ from webob.exc import HTTPForbidden, HTT @@
 import kallithea
 from kallithea.config.routing import url
 from kallithea.lib import helpers as h
-from kallithea.lib.auth import HasPermissionAny, HasRepoPermissionLevelDecorator, LoginRequired, NotAnonymous
 from kallithea.lib.auth import HasRepoPermissionLevelDecorator, LoginRequired, NotAnonymous
 from kallithea.lib.base import BaseRepoController, jsonify, render
 from kallithea.lib.exceptions import AttachedForksError
 from kallithea.lib.utils import action_logger
@@ @@ -76,13 +76,9 @@ class ReposController(BaseRepoController @@
         return repo_obj
     def __load_defaults(self, repo=None):
         if HasPermissionAny('hg.create.write_on_repogroup.true')():
             repo_group_perm_level = 'write'
         else:
             repo_group_perm_level = 'admin'
         extras = [] if repo is None else [repo.group]
-        c.repo_groups = AvailableRepoGroupChoices(repo_group_perm_level, extras)
+        c.repo_groups = AvailableRepoGroupChoices('write', extras)
         c.landing_revs_choices, c.landing_revs = ScmModel().get_repo_landing_revs(repo)

kallithea/controllers/forks.py

➞

Show inline comments

@@ @@ -38,7 +38,7 @@ from webob.exc import HTTPFound @@
 import kallithea
 import kallithea.lib.helpers as h
 from kallithea.config.routing import url
-from kallithea.lib.auth import HasPermissionAny, HasPermissionAnyDecorator, HasRepoPermissionLevel, HasRepoPermissionLevelDecorator, LoginRequired
 from kallithea.lib.auth import HasPermissionAnyDecorator, HasRepoPermissionLevel, HasRepoPermissionLevelDecorator, LoginRequired
 from kallithea.lib.base import BaseRepoController, render
 from kallithea.lib.page import Page
 from kallithea.lib.utils2 import safe_int
@@ @@ -54,11 +54,7 @@ log = logging.getLogger(__name__) @@
 class ForksController(BaseRepoController):
     def __load_defaults(self):
         if HasPermissionAny('hg.create.write_on_repogroup.true')():
             repo_group_perm_level = 'write'
         else:
             repo_group_perm_level = 'admin'
         c.repo_groups = AvailableRepoGroupChoices(repo_group_perm_level)
         c.repo_groups = AvailableRepoGroupChoices('write')
         c.landing_revs_choices, c.landing_revs = ScmModel().get_repo_landing_revs()

kallithea/lib/auth.py

➞

Show inline comments

@@ @@ -149,7 +149,6 @@ def _cached_perms_data(user_id, user_is_ @@
         # based on default permissions, just set everything to admin
         #==================================================================
         permissions[GLOBAL].add('hg.admin')
         permissions[GLOBAL].add('hg.create.write_on_repogroup.true')
         # repositories
         for perm in default_repo_perms:
@@ @@ -242,7 +241,7 @@ def _cached_perms_data(user_id, user_is_ @@
     # for each kind of global permissions, only keep the one with heighest weight
     kind_max_perm = {}
-    for perm in sorted(permissions[GLOBAL], key=lambda n: PERM_WEIGHTS[n]):
+    for perm in sorted(permissions[GLOBAL], key=lambda n: PERM_WEIGHTS.get(n, -1)):
         kind = perm.rsplit('.', 1)[0]
         kind_max_perm[kind] = perm
     permissions[GLOBAL] = set(kind_max_perm.values())

kallithea/model/db.py

➞

Show inline comments

@@ @@ -1562,9 +1562,6 @@ class Permission(Base, BaseDbModel): @@
         ('hg.create.none', _('Only admins can create top level repositories')),
         ('hg.create.repository', _('Non-admins can create top level repositories')),
         ('hg.create.write_on_repogroup.true', _('Repository creation enabled with write permission to a repository group')),
         ('hg.create.write_on_repogroup.false', _('Repository creation disabled with write permission to a repository group')),
         ('hg.fork.none', _('Only admins can fork repositories')),
         ('hg.fork.repository', _('Non-admins can fork repositories')),
@@ @@ -1582,7 +1579,6 @@ class Permission(Base, BaseDbModel): @@
         'group.read',
         'usergroup.read',
         'hg.create.repository',
         'hg.create.write_on_repogroup.true',
         'hg.fork.repository',
         'hg.register.manual_activate',
         'hg.extern_activate.auto',
@@ @@ -1616,9 +1612,6 @@ class Permission(Base, BaseDbModel): @@
         'hg.create.none': 0,
         'hg.create.repository': 1,
         'hg.create.write_on_repogroup.false': 0,
         'hg.create.write_on_repogroup.true': 1,
         'hg.register.none': 0,
         'hg.register.manual_activate': 1,
         'hg.register.auto_activate': 2,

kallithea/model/forms.py

➞

Show inline comments

@@ @@ -396,7 +396,7 @@ def ApplicationUiSettingsForm(): @@
 def DefaultPermissionsForm(repo_perms_choices, group_perms_choices,
                            user_group_perms_choices, create_choices,
-                           create_on_write_choices, repo_group_create_choices,
                            repo_group_create_choices,
                            user_group_create_choices, fork_choices,
                            register_choices, extern_activate_choices):
     class _DefaultPermissionsForm(formencode.Schema):
@@ @@ -411,7 +411,6 @@ def DefaultPermissionsForm(repo_perms_ch @@
         default_user_group_perm = v.OneOf(user_group_perms_choices)
         default_repo_create = v.OneOf(create_choices)
         create_on_write = v.OneOf(create_on_write_choices)
         default_user_group_create = v.OneOf(user_group_create_choices)
         default_fork = v.OneOf(fork_choices)

kallithea/model/permission.py

➞

Show inline comments

@@ @@ -119,7 +119,6 @@ class PermissionModel(object): @@
                                  'default_group_perm',
                                  'default_user_group_perm',
                                  'default_repo_create',
                                  'create_on_write', # special case for create repos on write access to group
                                  'default_user_group_create',
                                  'default_fork',
                                  'default_register',

kallithea/model/validators.py

➞

Show inline comments

@@ @@ -456,12 +456,11 @@ def CanWriteGroup(old_data=None): @@
             gr_name = gr.group_name if gr is not None else None # None means ROOT location
             # create repositories with write permission on group is set to true
             create_on_write = HasPermissionAny('hg.create.write_on_repogroup.true')()
             group_admin = HasRepoGroupPermissionLevel('admin')(gr_name,
                                             'can write into group validator')
             group_write = HasRepoGroupPermissionLevel('write')(gr_name,
                                             'can write into group validator')
-            forbidden = not (group_admin or (group_write and create_on_write))
             forbidden = not (group_admin or group_write)
             can_create_repos = HasPermissionAny('hg.admin', 'hg.create.repository')
             gid = (old_data['repo_group'].get('group_id')
                    if (old_data and 'repo_group' in old_data) else None)

kallithea/templates/admin/permissions/permissions_globals.html

➞

Show inline comments

@@ @@ -58,13 +58,6 @@ ${h.form(url('admin_permissions'), metho @@
                 </div>
             </div>
             <div class="form-group">
                 <label class="control-label" for="create_on_write">${_('Repository creation with group write access')}:</label>
                 <div>
                     ${h.select('create_on_write','',c.repo_create_on_write_choices,class_='form-control')}
                     <span class="help-block">${_('With this, write permission to a repository group allows creating repositories inside that group. Without this, group write permissions mean nothing.')}</span>
                 </div>
             </div>
             <div class="form-group">
                 <label class="control-label" for="default_user_group_create">${_('User group creation')}:</label>
                 <div>
                     ${h.select('default_user_group_create','',c.user_group_create_choices,class_='form-control')}

kallithea/templates/index_base.html

➞

Show inline comments

@@ @@ -16,11 +16,10 @@ @@
                 <%
                     gr_name = c.group.group_name if c.group else None
                     # create repositories with write permission on group is set to true
                     create_on_write = h.HasPermissionAny('hg.create.write_on_repogroup.true')()
                     group_admin = h.HasRepoGroupPermissionLevel('admin')(gr_name, 'can write into group index page')
                     group_write = h.HasRepoGroupPermissionLevel('write')(gr_name, 'can write into group index page')
                 %>
-                %if h.HasPermissionAny('hg.admin','hg.create.repository')() or (group_admin or (group_write and create_on_write)):
                 %if h.HasPermissionAny('hg.admin','hg.create.repository')() or group_admin or group_write:
                   %if c.group:
                         <a href="${h.url('new_repo',parent_group=c.group.group_id)}" class="btn btn-default btn-xs"><i class="icon-plus"></i>${_('Add Repository')}</a>
                         %if h.HasPermissionAny('hg.admin')() or h.HasRepoGroupPermissionLevel('admin')(c.group.group_name):

kallithea/tests/models/test_permissions.py

➞

Show inline comments

@@ @@ -290,7 +290,7 @@ class TestPermissions(base.TestControlle @@
                               'hg.register.manual_activate',
                               'hg.extern_activate.auto',
                               'repository.read', 'group.read',
-                              'usergroup.read', 'hg.create.write_on_repogroup.true'])
                               'usergroup.read'])
     def test_inherit_sad_permissions_from_default_user(self):
         user_model = UserModel()
@@ @@ -307,7 +307,7 @@ class TestPermissions(base.TestControlle @@
                               'hg.register.manual_activate',
                               'hg.extern_activate.auto',
                               'repository.read', 'group.read',
-                              'usergroup.read', 'hg.create.write_on_repogroup.true'])
                               'usergroup.read'])
     def test_inherit_more_permissions_from_default_user(self):
         user_model = UserModel()
@@ @@ -333,7 +333,7 @@ class TestPermissions(base.TestControlle @@
                               'hg.register.manual_activate',
                               'hg.extern_activate.auto',
                               'repository.read', 'group.read',
-                              'usergroup.read', 'hg.create.write_on_repogroup.true'])
                               'usergroup.read'])
     def test_inherit_less_permissions_from_default_user(self):
         user_model = UserModel()
@@ @@ -359,7 +359,7 @@ class TestPermissions(base.TestControlle @@
                               'hg.register.manual_activate',
                               'hg.extern_activate.auto',
                               'repository.read', 'group.read',
-                              'usergroup.read', 'hg.create.write_on_repogroup.true'])
                               'usergroup.read'])
     def test_inactive_user_group_does_not_affect_global_permissions(self):
         # Add user to inactive user group, set specific permissions on user
@@ @@ -391,7 +391,7 @@ class TestPermissions(base.TestControlle @@
                               'hg.extern_activate.auto',
                               'repository.read', 'group.read',
                               'usergroup.read',
-                              'hg.create.write_on_repogroup.true'])
                               ])
     def test_inactive_user_group_does_not_affect_global_permissions_inverse(self):
         # Add user to inactive user group, set specific permissions on user
@@ @@ -423,7 +423,7 @@ class TestPermissions(base.TestControlle @@
                               'hg.extern_activate.auto',
                               'repository.read', 'group.read',
                               'usergroup.read',
-                              'hg.create.write_on_repogroup.true'])
                               ])
     def test_inactive_user_group_does_not_affect_repo_permissions(self):
         self.ug1 = fixture.create_user_group('G1')

0 comments (0 inline, 0 general)