@@ -12,16 +12,19 @@ Changelog
:branch: beta
news
++++
- #558 Added config file to hooks extra data
- bumbped mercurial version to 2.3.1
fixes
+++++
- fixed #570 explicit users group permissions can overwrite owner permissions
1.4.2 (**2012-09-12**)
----------------------
@@ -521,14 +521,18 @@ class UserModel(BaseModel):
for perm in user_repo_perms_from_users_groups:
r_k = perm.UsersGroupRepoToPerm.repository.repo_name
p = perm.Permission.permission_name
cur_perm = user.permissions[RK][r_k]
# overwrite permission only if it's greater than permission
# given from other sources
# given from other sources - disabled with `or 1` now
if PERM_WEIGHTS[p] > PERM_WEIGHTS[cur_perm] or 1: # disable check
if perm.Repository.user_id == uid:
# set admin if owner
p = 'repository.admin'
user.permissions[RK][r_k] = p
# user explicit permissions for repositories
user_repo_perms = \
self.sa.query(UserRepoToPerm, Permission, Repository)\
.join((Repository, UserRepoToPerm.repository_id ==
@@ -7,13 +7,13 @@ from rhodecode.model.repo import RepoMod
from rhodecode.model.db import RepoGroup, User, UsersGroupRepoGroupToPerm
from rhodecode.model.user import UserModel
from rhodecode.model.meta import Session
from rhodecode.model.users_group import UsersGroupModel
from rhodecode.lib.auth import AuthUser
from rhodecode.tests.api.api_base import create_repo
class TestPermissions(unittest.TestCase):
def __init__(self, methodName='runTest'):
super(TestPermissions, self).__init__(methodName=methodName)
@@ -37,12 +37,13 @@ class TestPermissions(unittest.TestCase)
)
Session().commit()
def tearDown(self):
if hasattr(self, 'test_repo'):
RepoModel().delete(repo=self.test_repo)
UserModel().delete(self.u1)
UserModel().delete(self.u2)
UserModel().delete(self.u3)
UserModel().delete(self.a1)
if hasattr(self, 'g1'):
ReposGroupModel().delete(self.g1.group_id)
@@ -422,6 +423,50 @@ class TestPermissions(unittest.TestCase)
# this user will have non inherited permissions from he's
# explicitly set permissions
self.assertEqual(u1_auth.permissions['global'],
set(['hg.create.repository', 'hg.fork.repository',
'hg.register.manual_activate',
'repository.read']))
def test_owner_permissions_doesnot_get_overwritten_by_group(self):
#create repo as USER,
self.test_repo = repo = RepoModel().create_repo(repo_name='myownrepo',
repo_type='hg',
description='desc',
owner=self.u1)
#he has permissions of admin as owner
u1_auth = AuthUser(user_id=self.u1.user_id)
self.assertEqual(u1_auth.permissions['repositories']['myownrepo'],
'repository.admin')
#set his permission as users group, he should still be admin
self.ug1 = UsersGroupModel().create('G1')
# add user to group
UsersGroupModel().add_user_to_group(self.ug1, self.u1)
RepoModel().grant_users_group_permission(repo, group_name=self.ug1,
perm='repository.none')
def test_owner_permissions_doesnot_get_overwritten_by_others(self):
#set his permission as user, he should still be admin
RepoModel().grant_user_permission(repo, user=self.u1,
Status change: