('hg.extern_activate.auto', _('Automatic activation of external account')),

        ]

        c.repo_create_choices = [('hg.create.none', _('Disabled')),

                                 ('hg.create.repository', _('Enabled'))]

        c.user_group_create_choices = [('hg.usergroup.create.false', _('Disabled')),

                                       ('hg.usergroup.create.true', _('Enabled'))]

        c.fork_choices = [('hg.fork.none', _('Disabled')),

                          ('hg.fork.repository', _('Enabled'))]

        if request.POST:

            _form = DefaultPermissionsForm(

                [x[0] for x in c.repo_perms_choices],

                [x[0] for x in c.group_perms_choices],

                [x[0] for x in c.user_group_perms_choices],

                [x[0] for x in c.repo_create_choices],

                [x[0] for x in c.repo_group_create_choices],

                [x[0] for x in c.user_group_create_choices],

                [x[0] for x in c.fork_choices],

                [x[0] for x in c.register_choices],

                [x[0] for x in c.extern_activate_choices])()

            if p.permission.permission_name.startswith('group.'):

                defaults['default_group_perm'] = p.permission.permission_name

            if p.permission.permission_name.startswith('usergroup.'):

                defaults['default_user_group_perm'] = p.permission.permission_name

            elif p.permission.permission_name.startswith('hg.create.'):

                defaults['default_repo_create'] = p.permission.permission_name

            if p.permission.permission_name.startswith('hg.usergroup.'):

                defaults['default_user_group_create'] = p.permission.permission_name

from tg.i18n import ugettext as _

from webob.exc import HTTPForbidden, HTTPFound, HTTPInternalServerError, HTTPNotFound

import kallithea

from kallithea.config.routing import url

from kallithea.lib import helpers as h

from kallithea.lib.base import BaseRepoController, jsonify, render

from kallithea.lib.exceptions import AttachedForksError

from kallithea.lib.utils import action_logger

from kallithea.lib.utils2 import safe_int

from kallithea.lib.vcs import RepositoryError

from kallithea.model.db import RepoGroup, Repository, RepositoryField, Setting, UserFollowing

            h.not_mapped_error(c.repo_name)

            raise HTTPFound(location=url('repos'))

        return repo_obj

    def __load_defaults(self, repo=None):

        extras = [] if repo is None else [repo.group]

        c.landing_revs_choices, c.landing_revs = ScmModel().get_repo_landing_revs(repo)

    def __load_data(self):

        """

        Load defaults settings for edit, and update

from tg.i18n import ugettext as _

from webob.exc import HTTPFound

import kallithea

import kallithea.lib.helpers as h

from kallithea.config.routing import url

from kallithea.lib.base import BaseRepoController, render

from kallithea.lib.page import Page

from kallithea.lib.utils2 import safe_int

from kallithea.model.db import Repository, Ui, UserFollowing

from kallithea.model.forms import RepoForkForm

from kallithea.model.repo import RepoModel

log = logging.getLogger(__name__)

class ForksController(BaseRepoController):

    def __load_defaults(self):

        c.landing_revs_choices, c.landing_revs = ScmModel().get_repo_landing_revs()

        c.can_update = Ui.get_by_key('hooks', Ui.HOOK_UPDATE).ui_active

    def __load_data(self):

    if user_is_admin:

        #==================================================================

        # admin users have all rights;

        # based on default permissions, just set everything to admin

        #==================================================================

        permissions[GLOBAL].add('hg.admin')

        # repositories

        for perm in default_repo_perms:

            r_k = perm.repository.repo_name

            p = 'repository.admin'

            permissions[RK][r_k] = p

    for perm in user_perms:

        permissions[GLOBAL].add(perm.permission.permission_name)

    # for each kind of global permissions, only keep the one with heighest weight

    kind_max_perm = {}

        kind = perm.rsplit('.', 1)[0]

        kind_max_perm[kind] = perm

    permissions[GLOBAL] = set(kind_max_perm.values())

    ## END GLOBAL PERMISSIONS

    #======================================================================

        ('hg.usergroup.create.false', _('Only admins can create user groups')),

        ('hg.usergroup.create.true', _('Non-admins can create user groups')),

        ('hg.create.none', _('Only admins can create top level repositories')),

        ('hg.create.repository', _('Non-admins can create top level repositories')),

        ('hg.fork.none', _('Only admins can fork repositories')),

        ('hg.fork.repository', _('Non-admins can fork repositories')),

        ('hg.register.none', _('Registration disabled')),

        ('hg.register.manual_activate', _('User registration with manual account activation')),

        ('hg.register.auto_activate', _('User registration with automatic account activation')),

    # definition of system default permissions for DEFAULT user

    DEFAULT_USER_PERMISSIONS = (

        'repository.read',

        'group.read',

        'usergroup.read',

        'hg.create.repository',

        'hg.fork.repository',

        'hg.register.manual_activate',

        'hg.extern_activate.auto',

    )

    # defines which permissions are more important higher the more important

        'hg.fork.none': 0,

        'hg.fork.repository': 1,

        'hg.create.none': 0,

        'hg.create.repository': 1,

        'hg.register.none': 0,

        'hg.register.manual_activate': 1,

        'hg.register.auto_activate': 2,

        'hg.extern_activate.manual': 0,

        'hg.extern_activate.auto': 1,

    return _ApplicationUiSettingsForm

def DefaultPermissionsForm(repo_perms_choices, group_perms_choices,

                           user_group_perms_choices, create_choices,

                           user_group_create_choices, fork_choices,

                           register_choices, extern_activate_choices):

    class _DefaultPermissionsForm(formencode.Schema):

        allow_extra_fields = True

        filter_extra_fields = True

        overwrite_default_repo = v.StringBoolean(if_missing=False)

        anonymous = v.StringBoolean(if_missing=False)

        default_repo_perm = v.OneOf(repo_perms_choices)

        default_group_perm = v.OneOf(group_perms_choices)

        default_user_group_perm = v.OneOf(user_group_perms_choices)

        default_repo_create = v.OneOf(create_choices)

        default_user_group_create = v.OneOf(user_group_create_choices)

        default_fork = v.OneOf(fork_choices)

        default_register = v.OneOf(register_choices)

        default_extern_activate = v.OneOf(extern_activate_choices)

    return _DefaultPermissionsForm

                Session().delete(p)

            # create fresh set of permissions

            for def_perm_key in ['default_repo_perm',

                                 'default_group_perm',

                                 'default_user_group_perm',

                                 'default_repo_create',

                                 'default_user_group_create',

                                 'default_fork',

                                 'default_register',

                                 'default_extern_activate']:

                p = _make_new(perm_user, form_result[def_perm_key])

                Session().add(p)

        def _validate_python(self, value, state):

            gr = RepoGroup.get(value)

            gr_name = gr.group_name if gr is not None else None # None means ROOT location

            # create repositories with write permission on group is set to true

            group_admin = HasRepoGroupPermissionLevel('admin')(gr_name,

                                            'can write into group validator')

            group_write = HasRepoGroupPermissionLevel('write')(gr_name,

                                            'can write into group validator')

            can_create_repos = HasPermissionAny('hg.admin', 'hg.create.repository')

            gid = (old_data['repo_group'].get('group_id')

                   if (old_data and 'repo_group' in old_data) else None)

            value_changed = gid != value

            new = not old_data

            # do check if we changed the value, there's a case that someone got

                    ${h.select('default_repo_create','',c.repo_create_choices,class_='form-control')}

                    <span class="help-block">${_('Enable this to allow non-admins to create repositories at the top level.')}</span>

                    <span class="help-block">${_('Note: This will also give all users API access to create repositories everywhere. That might change in future versions.')}</span>

                </div>

            </div>

            <div class="form-group">

                <label class="control-label" for="default_user_group_create">${_('User group creation')}:</label>

                <div>

                    ${h.select('default_user_group_create','',c.user_group_create_choices,class_='form-control')}

                    <span class="help-block">${_('Enable this to allow non-admins to create user groups.')}</span>

                </div>

            </div>

            %if request.authuser.username != 'default':

              <div class="pull-right">

                <%

                    gr_name = c.group.group_name if c.group else None

                    # create repositories with write permission on group is set to true

                    group_admin = h.HasRepoGroupPermissionLevel('admin')(gr_name, 'can write into group index page')

                    group_write = h.HasRepoGroupPermissionLevel('write')(gr_name, 'can write into group index page')

                %>

                  %if c.group:

                        <a href="${h.url('new_repo',parent_group=c.group.group_id)}" class="btn btn-default btn-xs"><i class="icon-plus"></i>${_('Add Repository')}</a>

                        %if h.HasPermissionAny('hg.admin')() or h.HasRepoGroupPermissionLevel('admin')(c.group.group_name):

                            <a href="${h.url('new_repos_group', parent_group=c.group.group_id)}" class="btn btn-default btn-xs"><i class="icon-plus"></i>${_('Add Repository Group')}</a>

                        %endif

                  %else:

        u1_auth = AuthUser(user_id=self.u1.user_id)

        # this user will have inherited permissions from default user

        assert u1_auth.permissions['global'] == set(['hg.create.repository', 'hg.fork.repository',

                              'hg.register.manual_activate',

                              'hg.extern_activate.auto',

                              'repository.read', 'group.read',

    def test_inherit_sad_permissions_from_default_user(self):

        user_model = UserModel()

        # disable fork and create on default user

        usr = 'default'

        user_model.revoke_perm(usr, 'hg.create.repository')

        u1_auth = AuthUser(user_id=self.u1.user_id)

        # this user will have inherited permissions from default user

        assert u1_auth.permissions['global'] == set(['hg.create.none', 'hg.fork.none',

                              'hg.register.manual_activate',

                              'hg.extern_activate.auto',

                              'repository.read', 'group.read',

    def test_inherit_more_permissions_from_default_user(self):

        user_model = UserModel()

        # enable fork and create on default user

        usr = 'default'

        user_model.revoke_perm(usr, 'hg.create.none')

        assert u1_auth.permissions['global'] == set([

                              'hg.create.repository',

                              'hg.fork.repository',

                              'hg.register.manual_activate',

                              'hg.extern_activate.auto',

                              'repository.read', 'group.read',

    def test_inherit_less_permissions_from_default_user(self):

        user_model = UserModel()

        # disable fork and create on default user

        usr = 'default'

        user_model.revoke_perm(usr, 'hg.create.repository')

        assert u1_auth.permissions['global'] == set([

                              'hg.create.repository',

                              'hg.fork.repository',

                              'hg.register.manual_activate',

                              'hg.extern_activate.auto',

                              'repository.read', 'group.read',

    def test_inactive_user_group_does_not_affect_global_permissions(self):

        # Add user to inactive user group, set specific permissions on user

        # group and and verify it really is inactive.

        self.ug1 = fixture.create_user_group('G1')

        user_group_model = UserGroupModel()

        assert u1_auth.permissions['global'] == set(['hg.create.none', 'hg.fork.none',

                              'hg.register.manual_activate',

                              'hg.extern_activate.auto',

                              'repository.read', 'group.read',

                              'usergroup.read',

    def test_inactive_user_group_does_not_affect_global_permissions_inverse(self):

        # Add user to inactive user group, set specific permissions on user

        # group and and verify it really is inactive.

        self.ug1 = fixture.create_user_group('G1')

        user_group_model = UserGroupModel()

        assert u1_auth.permissions['global'] == set(['hg.create.repository', 'hg.fork.repository',

                              'hg.register.manual_activate',

                              'hg.extern_activate.auto',

                              'repository.read', 'group.read',

                              'usergroup.read',

    def test_inactive_user_group_does_not_affect_repo_permissions(self):

        self.ug1 = fixture.create_user_group('G1')

        user_group_model = UserGroupModel()

        user_group_model.add_user_to_group(self.ug1, self.u1)

        user_group_model.update(self.ug1, {'users_group_active': False})