kallithea Changeset - 2e1059de6751

Changeset - 2e1059de6751

Parent rev.

Child rev.

[Not reviewed]

stable

0 2 0

Mads Kiilerich (mads) - 3 years ago 2023-05-09 17:42:44
mads@kiilerich.com

repo groups: make it possible to remove own explicit permissions, now when group owners always have admin permissions

Until recently, group owners very given explicit admin permissions on repo
group, and special care was taken to make sure they didn't remove themselves.

Now we always give admin permissions to owners, and don't care about the
explicit permissions. We no longer add them when creating groups or changing
owner. There is no migration step to remove redundant permissions, but we
should allow group admins to remove them. This change will thus remove the
mechanism for preventing removal of own/owner permissions.

2 files changed with 0 insertions and 30 deletions:

kallithea/controllers/admin/repo_groups.py

kallithea/templates/admin/repo_groups/repo_group_edit_perms.html

0 comments (0 inline, 0 general)

kallithea/controllers/admin/repo_groups.py

➞

Show inline comments

@@ @@ -69,55 +69,48 @@ class RepoGroupsController(base.BaseCont @@
     def __load_data(self, group_id):
         """
         Load defaults settings for edit, and update
         :param group_id:
         """
         repo_group = db.RepoGroup.get_or_404(group_id)
         data = repo_group.get_dict()
         data['group_name'] = repo_group.name
         data['owner'] = repo_group.owner.username
         # fill repository group users
         for p in repo_group.repo_group_to_perm:
             data.update({'u_perm_%s' % p.user.username:
                              p.permission.permission_name})
         # fill repository group groups
         for p in repo_group.users_group_to_perm:
             data.update({'g_perm_%s' % p.users_group.users_group_name:
                              p.permission.permission_name})
         return data
     def _revoke_perms_on_yourself(self, form_result):
         _up = [u for u in form_result['perms_updates'] if request.authuser.username == u[0]]
         _new = [u for u in form_result['perms_new'] if request.authuser.username == u[0]]
         if _new and _new[0][1] != 'group.admin' or _up and _up[0][1] != 'group.admin':
             return True
         return False
     def index(self, format='html'):
         _list = db.RepoGroup.query(sorted=True).all()
         group_iter = RepoGroupList(_list, perm_level='admin')
         repo_groups_data = []
         _tmpl_lookup = app_globals.mako_lookup
         template = _tmpl_lookup.get_template('data_table/_dt_elements.html')
         def repo_group_name(repo_group_name, children_groups):
             return template.get_def("repo_group_name") \
                 .render_unicode(repo_group_name, children_groups, _=_, webutils=webutils, c=c)
         def repo_group_actions(repo_group_id, repo_group_name, gr_count):
             return template.get_def("repo_group_actions") \
                 .render_unicode(repo_group_id, repo_group_name, gr_count, _=_, webutils=webutils, c=c,
                         ungettext=ungettext)
         for repo_gr in group_iter:
             children_groups = [g.name for g in repo_gr.parents] + [repo_gr.name]
             repo_count = repo_gr.repositories.count()
             repo_groups_data.append({
                 "raw_name": webutils.escape(repo_gr.group_name),
                 "group_name": repo_group_name(repo_gr.group_name, children_groups),
                 "desc": webutils.escape(repo_gr.group_description),
                 "repos": repo_count,
@@ @@ -328,76 +321,66 @@ class RepoGroupsController(base.BaseCont @@
     def edit_repo_group_perms(self, group_name):
         c.active = 'perms'
         c.repo_group = db.RepoGroup.guess_instance(group_name)
         self.__load_defaults()
         defaults = self.__load_data(c.repo_group.group_id)
         return htmlfill.render(
             base.render('admin/repo_groups/repo_group_edit.html'),
             defaults=defaults,
             encoding="UTF-8",
             force_defaults=False
+        )
     @HasRepoGroupPermissionLevelDecorator('admin')
     def update_perms(self, group_name):
         """
         Update permissions for given repository group
         :param group_name:
         """
         c.repo_group = db.RepoGroup.guess_instance(group_name)
         valid_recursive_choices = ['none', 'repos', 'groups', 'all']
         form_result = RepoGroupPermsForm(valid_recursive_choices)().to_python(request.POST)
         if not request.authuser.is_admin:
             if self._revoke_perms_on_yourself(form_result):
                 msg = _('Cannot revoke permission for yourself as admin')
                 webutils.flash(msg, category='warning')
                 raise HTTPFound(location=url('edit_repo_group_perms', group_name=group_name))
         recursive = form_result['recursive']
         # iterate over all members(if in recursive mode) of this groups and
         # set the permissions !
         # this can be potentially heavy operation
         RepoGroupModel()._update_permissions(c.repo_group,
                                              form_result['perms_new'],
                                              form_result['perms_updates'],
                                              recursive)
         # TODO: implement this
         #action_logger(request.authuser, 'admin_changed_repo_permissions',
         #              repo_name, request.ip_addr)
         meta.Session().commit()
         webutils.flash(_('Repository group permissions updated'), category='success')
         raise HTTPFound(location=url('edit_repo_group_perms', group_name=group_name))
     @HasRepoGroupPermissionLevelDecorator('admin')
     def delete_perms(self, group_name):
         try:
             obj_type = request.POST.get('obj_type')
             obj_id = None
             if obj_type == 'user':
                 obj_id = safe_int(request.POST.get('user_id'))
             elif obj_type == 'user_group':
                 obj_id = safe_int(request.POST.get('user_group_id'))
             if not request.authuser.is_admin:
                 if obj_type == 'user' and request.authuser.user_id == obj_id:
                     msg = _('Cannot revoke permission for yourself as admin')
                     webutils.flash(msg, category='warning')
                     raise Exception('revoke admin permission on self')
             recursive = request.POST.get('recursive', 'none')
             if obj_type == 'user':
                 RepoGroupModel().delete_permission(repo_group=group_name,
                                                    obj=obj_id, obj_type='user',
                                                    recursive=recursive)
             elif obj_type == 'user_group':
                 RepoGroupModel().delete_permission(repo_group=group_name,
                                                    obj=obj_id,
                                                    obj_type='user_group',
                                                    recursive=recursive)
             meta.Session().commit()
         except Exception:
             log.error(traceback.format_exc())
             webutils.flash(_('An error occurred during revoking of permission'),
                     category='error')
             raise HTTPInternalServerError()

kallithea/templates/admin/repo_groups/repo_group_edit_perms.html

➞

Show inline comments

 ${h.form(url('edit_repo_group_perms', group_name=c.repo_group.group_name))}
 <div class="form">
         <div>
             <table id="permissions_manage" class="table">
                 <tr>
                     <td>${_('None')}<br />(${_('Not visible')})</td>
                     <td>${_('Read')}<br />(${_('Visible')})</td>
                     <td>${_('Write')}<br />(${_('Add repos')})</td>
                     <td>${_('Admin')}<br />(${_('Add/Edit groups')})</td>
                     <td>${_('User/User Group')}</td>
                     <td></td>
                 </tr>
                 ## USERS
                 %for r2p in c.repo_group.repo_group_to_perm:
                     ##forbid revoking permission from yourself, except if you're an super admin
                     <tr id="id${id(r2p.user.username)}">
                       %if request.authuser.user_id != r2p.user.user_id or request.authuser.is_admin:
                         <td>${h.radio('u_perm_%s' % r2p.user.username,'group.none')}</td>
                         <td>${h.radio('u_perm_%s' % r2p.user.username,'group.read')}</td>
                         <td>${h.radio('u_perm_%s' % r2p.user.username,'group.write')}</td>
                         <td>${h.radio('u_perm_%s' % r2p.user.username,'group.admin')}</td>
                         <td>
                             ${h.gravatar(r2p.user.email, cls="perm-gravatar", size=14)}
                             %if h.HasPermissionAny('hg.admin')() and r2p.user.username != 'default':
                              <a href="${h.url('edit_user',id=r2p.user.user_id)}">${r2p.user.username}</a>
                             %else:
                              ${r2p.user.username if r2p.user.username != 'default' else _('Default')}
                             %endif
                         </td>
                         <td>
                           %if r2p.user.username !='default':
                             <button type="button" class="btn btn-default btn-xs" onclick="ajaxActionRevoke(${r2p.user.user_id}, 'user', '${'id%s'%id(r2p.user.username)}', '${r2p.user.username}')">
                              <i class="icon-minus-circled"></i>${_('Revoke')}
                             </button>
                           %endif
                         </td>
                       %else:
                         <td>${h.radio('u_perm_%s' % r2p.user.username,'group.none', disabled="disabled")}</td>
                         <td>${h.radio('u_perm_%s' % r2p.user.username,'group.read', disabled="disabled")}</td>
                         <td>${h.radio('u_perm_%s' % r2p.user.username,'group.write', disabled="disabled")}</td>
                         <td>${h.radio('u_perm_%s' % r2p.user.username,'group.admin', disabled="disabled")}</td>
                         <td>
                             ${h.gravatar(r2p.user.email, cls="perm-gravatar", size=14)}
                             ${r2p.user.username if r2p.user.username != 'default' else _('Default')}
                         </td>
                         <td><i class="icon-user"></i>${_('Admin')}</td>
                       %endif
                     </tr>
                 %endfor
                 ## USER GROUPS
                 %for g2p in c.repo_group.users_group_to_perm:
                     <tr id="id${id(g2p.users_group.users_group_name)}">
                         <td>${h.radio('g_perm_%s' % g2p.users_group.users_group_name,'group.none')}</td>
                         <td>${h.radio('g_perm_%s' % g2p.users_group.users_group_name,'group.read')}</td>
                         <td>${h.radio('g_perm_%s' % g2p.users_group.users_group_name,'group.write')}</td>
                         <td>${h.radio('g_perm_%s' % g2p.users_group.users_group_name,'group.admin')}</td>
                         <td>
                             <i class="icon-users"></i>
                             %if h.HasPermissionAny('hg.admin')():
                              <a href="${h.url('edit_users_group',id=g2p.users_group.users_group_id)}">
                                  ${g2p.users_group.users_group_name}
                              </a>
                             %else:
                              ${g2p.users_group.users_group_name}
                             %endif
                         </td>
                         <td>
                             <button type="button" class="btn btn-default btn-xs" onclick="ajaxActionRevoke(${g2p.users_group.users_group_id}, 'user_group', '${'id%s'%id(g2p.users_group.users_group_name)}', '${g2p.users_group.users_group_name}')">
                             <i class="icon-minus-circled"></i>${_('Revoke')}
                             </button>

0 comments (0 inline, 0 general)