kallithea Changeset - 5c1ad3b410e5

Changeset - 5c1ad3b410e5

Parent rev.

Child rev.

[Not reviewed]

beta

0 3 0

Marcin Kuzminski - 13 years ago 2012-09-23 13:04:53
marcin@python-works.com

fixed #570 explicit users group permissions can overwrite owner permissions
- added test for that case

3 files changed with 54 insertions and 2 deletions:

docs/changelog.rst

rhodecode/model/user.py

rhodecode/tests/models/test_permissions.py

0 comments (0 inline, 0 general)

docs/changelog.rst

➞

Show inline comments

 .. _changelog:
 =========
 Changelog
 =========
 .4.3 (**2012-XX-XX**)
 ----------------------
 :status: in-progress
 :branch: beta
 news
 ++++
 - #558 Added config file to hooks extra data
 - bumbped mercurial version to 2.3.1
 fixes
 +++++
 - fixed #570 explicit users group permissions can overwrite owner permissions
 .4.2 (**2012-09-12**)
 ----------------------
 news
 ++++
 - added option to menu to quick lock/unlock repository for users that have
   write access to
 - Implemented permissions for writing to repo
   groups. Now only write access to group allows to create a repostiory
   within that group
 - #565 Add support for {netloc} and {scheme} to alternative_gravatar_url
 - updated translation for zh_CN
 fixes
 +++++
 - fixed visual permissions check on repos groups inside groups
 - fixed issues with non-ascii search terms in search, and indexers
 - fixed parsing of page number in GET parameters
 - fixed issues with generating pull-request overview for repos with
   bookmarks and tags, also preview doesn't loose chosen revision from
   select dropdown
 .4.1 (**2012-09-07**)
 ----------------------
 news
 ++++
 - always put a comment about code-review status change even if user send
   empty data
 - modified_on column saves repository update and it's going to be used
   later for light version of main page ref #500
 - pull request notifications send much nicer emails with details about pull
   request
 - #551 show breadcrumbs in summary view for repositories inside a group
 fixes
 +++++
 - fixed migrations of permissions that can lead to inconsistency.
   Some users sent feedback that after upgrading from older versions issues
   with updating default permissions occurred. RhodeCode detects that now and
   resets default user permission to initial state if there is a need for that.
   Also forces users to set the default value for new forking permission.
 - #535 improved apache wsgi example configuration in docs
 - fixes #550 mercurial repositories comparision failed when origin repo had
   additional not-common changesets
 - fixed status of code-review in preview windows of pull request
 - git forks were not initialized at bare repos
 - fixes #555 fixes issues with comparing non-related repositories
 - fixes #557 follower counter always counts up
 - fixed issue #560 require push ssl checkbox wasn't shown when option was
   enabled
 - fixed #559
 - fixed issue #559 fixed bug in routing that mapped repo names with <name>_<num> in name as
   if it was a request to url by repository ID
 .4.0 (**2012-09-03**)
 ----------------------
 news
 ++++
 - new codereview system
 - email map, allowing users to have multiple email addresses mapped into
   their accounts
 - improved git-hook system. Now all actions for git are logged into journal
   including pushed revisions, user and IP address
 - changed setup-app into setup-rhodecode and added default options to it.
 - new git repos are created as bare now by default
 - #464 added links to groups in permission box
 - #465 mentions autocomplete inside comments boxes
 - #469 added --update-only option to whoosh to re-index only given list
   of repos in index
 - rhodecode-api CLI client
 - new git http protocol replaced buggy dulwich implementation.
   Now based on pygrack & gitweb
 - Improved RSS/ATOM feeds. Discoverable by browsers using proper headers, and
   reformated based on user suggestions. Additional rss/atom feeds for user
   journal
 - various i18n improvements
 - #478 permissions overview for admin in user edit view
 - File view now displays small gravatars off all authors of given file
 - Implemented landing revisions. Each repository will get landing_rev attribute
   that defines 'default' revision/branch for generating readme files
 - Implemented #509, RhodeCode enforces SSL for push/pulling if requested at
   earliest possible call.
 - Import remote svn repositories to mercurial using hgsubversion.
 - Fixed #508 RhodeCode now has a option to explicitly set forking permissions
 - RhodeCode can use alternative server for generating avatar icons
 - implemented repositories locking. Pull locks, push unlocks. Also can be done
   via API calls
 - #538 form for permissions can handle multiple users at once
 fixes
 +++++
 - improved translations
 - fixes issue #455 Creating an archive generates an exception on Windows
 - fixes #448 Download ZIP archive keeps file in /tmp open and results
   in out of disk space
 - fixes issue #454 Search results under Windows include proceeding
   backslash
 - fixed issue #450. Rhodecode no longer will crash when bad revision is
   present in journal data.
 - fix for issue #417, git execution was broken on windows for certain
   commands.
 - fixed #413. Don't disable .git directory for bare repos on deleting
 - fixed issue #459. Changed the way of obtaining logger in reindex task.
 - fixed #453 added ID field in whoosh SCHEMA that solves the issue of
   reindexing modified files
 - fixed #481 rhodecode emails are sent without Date header
 - fixed #458 wrong count when no repos are present
 - fixed issue #492 missing `\ No newline at end of file` test at the end of
   new chunk in html diff
 - full text search now works also for commit messages
 .3.6 (**2012-05-17**)
 ----------------------
 news
 ++++
 - chinese traditional translation
 - changed setup-app into setup-rhodecode and added arguments for auto-setup
   mode that doesn't need user interaction
 fixes
 +++++
 - fixed no scm found warning
 - fixed __future__ import error on rcextensions
 - made simplejson required lib for speedup on JSON encoding
 - fixes #449 bad regex could get more than revisions from parsing history
 - don't clear DB session when CELERY_EAGER is turned ON
 .3.5 (**2012-05-10**)
 ----------------------
 news
 ++++
 - use ext_json for json module
 - unified annotation view with file source view
 - notification improvements, better inbox + css
 - #419 don't strip passwords for login forms, make rhodecode
   more compatible with LDAP servers
 - Added HTTP_X_FORWARDED_FOR as another method of extracting
   IP for pull/push logs. - moved all to base controller
 - #415: Adding comment to changeset causes reload.
   Comments are now added via ajax and doesn't reload the page
 - #374 LDAP config is discarded when LDAP can't be activated
 - limited push/pull operations are now logged for git in the journal
 - bumped mercurial to 2.2.X series
 - added support for displaying submodules in file-browser
 - #421 added bookmarks in changelog view
 fixes
 +++++
 - fixed dev-version marker for stable when served from source codes
 - fixed missing permission checks on show forks page
 - #418 cast to unicode fixes in notification objects
 - #426 fixed mention extracting regex
 - fixed remote-pulling for git remotes remopositories
 - fixed #434: Error when accessing files or changesets of a git repository
   with submodules
 - fixed issue with empty APIKEYS for users after registration ref. #438
 - fixed issue with getting README files from git repositories
 .3.4 (**2012-03-28**)
 ----------------------
 news
 ++++
 - Whoosh logging is now controlled by the .ini files logging setup
 - added clone-url into edit form on /settings page
 - added help text into repo add/edit forms
 - created rcextensions module with additional mappings (ref #322) and
   post push/pull/create repo hooks callbacks
 - implemented #377 Users view for his own permissions on account page
 - #399 added inheritance of permissions for users group on repos groups
 - #401 repository group is automatically pre-selected when adding repos
   inside a repository group
 - added alternative HTTP 403 response when client failed to authenticate. Helps
   solving issues with Mercurial and LDAP
 - #402 removed group prefix from repository name when listing repositories
   inside a group
 - added gravatars into permission view and permissions autocomplete
 - #347 when running multiple RhodeCode instances, properly invalidates cache
   for all registered servers
 fixes
 +++++
 - fixed #390 cache invalidation problems on repos inside group
 - fixed #385 clone by ID url was loosing proxy prefix in URL
 - fixed some unicode problems with waitress
 - fixed issue with escaping < and > in changeset commits
 - fixed error occurring during recursive group creation in API
   create_repo function
 - fixed #393 py2.5 fixes for routes url generator
 - fixed #397 Private repository groups shows up before login
 - fixed #396 fixed problems with revoking users in nested groups
 - fixed mysql unicode issues + specified InnoDB as default engine with
   utf8 charset
 - #406 trim long branch/tag names in changelog to not break UI
 .3.3 (**2012-03-02**)
 ----------------------
 news
 ++++
 fixes
 +++++
 - fixed some python2.5 compatibility issues
 - fixed issues with removed repos was accidentally added as groups, after
   full rescan of paths
 - fixes #376 Cannot edit user (using container auth)
 - fixes #378 Invalid image urls on changeset screen with proxy-prefix
   configuration
 - fixed initial sorting of repos inside repo group
 - fixes issue when user tried to resubmit same permission into user/user_groups
 - bumped beaker version that fixes #375 leap error bug
 - fixed raw_changeset for git. It was generated with hg patch headers
 - fixed vcs issue with last_changeset for filenodes
 - fixed missing commit after hook delete
 - fixed #372 issues with git operation detection that caused a security issue
   for git repos
 .3.2 (**2012-02-28**)
 ----------------------
 news
 ++++
 fixes
 +++++
 - fixed git protocol issues with repos-groups
 - fixed git remote repos validator that prevented from cloning remote git repos
 - fixes #370 ending slashes fixes for repo and groups
 - fixes #368 improved git-protocol detection to handle other clients
 - fixes #366 When Setting Repository Group To Blank Repo Group Wont Be
   Moved To Root
 - fixes #371 fixed issues with beaker/sqlalchemy and non-ascii cache keys
 - fixed #373 missing cascade drop on user_group_to_perm table
 .3.1 (**2012-02-27**)
 ----------------------
 news
 ++++
 fixes
 +++++
 - redirection loop occurs when remember-me wasn't checked during login
 - fixes issues with git blob history generation
 - don't fetch branch for git in file history dropdown. Causes unneeded slowness
 .3.0 (**2012-02-26**)
 ----------------------
 news
 ++++
 - code review, inspired by github code-comments
 - #215 rst and markdown README files support
 - #252 Container-based and proxy pass-through authentication support
 - #44 branch browser. Filtering of changelog by branches
 - mercurial bookmarks support
 - new hover top menu, optimized to add maximum size for important views
 - configurable clone url template with possibility to specify  protocol like
   ssh:// or http:// and also manually alter other parts of clone_url.
 - enabled largefiles extension by default
 - optimized summary file pages and saved a lot of unused space in them
 - #239 option to manually mark repository as fork
 - #320 mapping of commit authors to RhodeCode users
 - #304 hashes are displayed using monospace font
 - diff configuration, toggle white lines and context lines
 - #307 configurable diffs, whitespace toggle, increasing context lines
 - sorting on branches, tags and bookmarks using YUI datatable
 - improved file filter on files page
 - implements #330 api method for listing nodes ar particular revision
 - #73 added linking issues in commit messages to chosen issue tracker url
   based on user defined regular expression
 - added linking of changesets in commit messages
 - new compact changelog with expandable commit messages
 - firstname and lastname are optional in user creation
 - #348 added post-create repository hook
 - #212 global encoding settings is now configurable from .ini files
 - #227 added repository groups permissions
 - markdown gets codehilite extensions
 - new API methods, delete_repositories, grante/revoke permissions for groups
   and repos
 fixes
 +++++
 - rewrote dbsession management for atomic operations, and better error handling
 - fixed sorting of repo tables
 - #326 escape of special html entities in diffs
 - normalized user_name => username in api attributes
 - fixes #298 ldap created users with mixed case emails created conflicts
   on saving a form
 - fixes issue when owner of a repo couldn't revoke permissions for users
   and groups
 - fixes #271 rare JSON serialization problem with statistics
 - fixes #337 missing validation check for conflicting names of a group with a
   repositories group
 - #340 fixed session problem for mysql and celery tasks
 - fixed #331 RhodeCode mangles repository names if the a repository group
   contains the "full path" to the repositories
 - #355 RhodeCode doesn't store encrypted LDAP passwords
 .2.5 (**2012-01-28**)
 ----------------------
 news
 ++++
 fixes
 +++++
 - #340 Celery complains about MySQL server gone away, added session cleanup
   for celery tasks
 - #341 "scanning for repositories in None" log message during Rescan was missing
   a parameter
 - fixed creating archives with subrepos. Some hooks were triggered during that
   operation leading to crash.
 - fixed missing email in account page.
 - Reverted Mercurial to 2.0.1 for windows due to bug in Mercurial that makes
   forking on windows impossible
 .2.4 (**2012-01-19**)
 ----------------------
 news
 ++++
 - RhodeCode is bundled with mercurial series 2.0.X by default, with
   full support to largefiles extension. Enabled by default in new installations
 - #329 Ability to Add/Remove Groups to/from a Repository via AP
 - added requires.txt file with requirements
 fixes
 +++++
 - fixes db session issues with celery when emailing admins
 - #331 RhodeCode mangles repository names if the a repository group
   contains the "full path" to the repositories
 - #298 Conflicting e-mail addresses for LDAP and RhodeCode users
 - DB session cleanup after hg protocol operations, fixes issues with
   `mysql has gone away` errors
 - #333 doc fixes for get_repo api function
 - #271 rare JSON serialization problem with statistics enabled
 - #337 Fixes issues with validation of repository name conflicting with
   a group name. A proper message is now displayed.
 - #292 made ldap_dn in user edit readonly, to get rid of confusion that field
   doesn't work
 - #316 fixes issues with web description in hgrc files
 .2.3 (**2011-11-02**)
 ----------------------
 news
 ++++
 - added option to manage repos group for non admin users
 - added following API methods for get_users, create_user, get_users_groups,
   get_users_group, create_users_group, add_user_to_users_groups, get_repos,
   get_repo, create_repo, add_user_to_repo
 - implements #237 added password confirmation for my account
   and admin edit user.
 - implements #291 email notification for global events are now sent to all
   administrator users, and global config email.
 fixes
 +++++
 - added option for passing auth method for smtp mailer
 - #276 issue with adding a single user with id>10 to usergroups
 - #277 fixes windows LDAP settings in which missing values breaks the ldap auth
 - #288 fixes managing of repos in a group for non admin user
 .2.2 (**2011-10-17**)
 ----------------------
 news
 ++++
 - #226 repo groups are available by path instead of numerical id
 fixes
 +++++
 - #259 Groups with the same name but with different parent group
 - #260 Put repo in group, then move group to another group -> repo becomes unavailable
 - #258 RhodeCode 1.2 assumes egg folder is writable (lockfiles problems)
 - #265 ldap save fails sometimes on converting attributes to booleans,
   added getter and setter into model that will prevent from this on db model level
 - fixed problems with timestamps issues #251 and #213
 - fixes #266 RhodeCode allows to create repo with the same name and in
   the same parent as group
 - fixes #245 Rescan of the repositories on Windows
 - fixes #248 cannot edit repos inside a group on windows
 - fixes #219 forking problems on windows
 .2.1 (**2011-10-08**)
 ----------------------
 news
 ++++
 fixes
 +++++
 - fixed problems with basic auth and push problems
 - gui fixes
 - fixed logger
 .2.0 (**2011-10-07**)
 ----------------------
 news
 ++++
 - implemented #47 repository groups
 - implemented #89 Can setup google analytics code from settings menu
 - implemented #91 added nicer looking archive urls with more download options
   like tags, branches
 - implemented #44 into file browsing, and added follow branch option
 - implemented #84 downloads can be enabled/disabled for each repository
 - anonymous repository can be cloned without having to pass default:default
   into clone url
 - fixed #90 whoosh indexer can index chooses repositories passed in command
   line
 - extended journal with day aggregates and paging
 - implemented #107 source code lines highlight ranges
 - implemented #93 customizable changelog on combined revision ranges -
   equivalent of githubs compare view
 - implemented #108 extended and more powerful LDAP configuration
 - implemented #56 users groups
 - major code rewrites optimized codes for speed and memory usage
 - raw and diff downloads are now in git format
 - setup command checks for write access to given path
 - fixed many issues with international characters and unicode. It uses utf8
   decode with replace to provide less errors even with non utf8 encoded strings
 - #125 added API KEY access to feeds
 - #109 Repository can be created from external Mercurial link (aka. remote
   repository, and manually updated (via pull) from admin panel
 - beta git support - push/pull server + basic view for git repos
 - added followers page and forks page
 - server side file creation (with binary file upload interface)
   and edition with commits powered by codemirror
 - #111 file browser file finder, quick lookup files on whole file tree
 - added quick login sliding menu into main page
 - changelog uses lazy loading of affected files details, in some scenarios
   this can improve speed of changelog page dramatically especially for
   larger repositories.
 - implements #214 added support for downloading subrepos in download menu.
 - Added basic API for direct operations on rhodecode via JSON
 - Implemented advanced hook management
 fixes
 +++++
 - fixed file browser bug, when switching into given form revision the url was
   not changing
 - fixed propagation to error controller on simplehg and simplegit middlewares
 - fixed error when trying to make a download on empty repository
 - fixed problem with '[' chars in commit messages in journal
 - fixed #99 Unicode errors, on file node paths with non utf-8 characters
 - journal fork fixes
 - removed issue with space inside renamed repository after deletion
 - fixed strange issue on formencode imports
 - fixed #126 Deleting repository on Windows, rename used incompatible chars.
 - #150 fixes for errors on repositories mapped in db but corrupted in
   filesystem
 - fixed problem with ascendant characters in realm #181
 - fixed problem with sqlite file based database connection pool
 - whoosh indexer and code stats share the same dynamic extensions map
 - fixes #188 - relationship delete of repo_to_perm entry on user removal
 - fixes issue #189 Trending source files shows "show more" when no more exist
 - fixes issue #197 Relative paths for pidlocks
 - fixes issue #198 password will require only 3 chars now for login form
 - fixes issue #199 wrong redirection for non admin users after creating a repository
 - fixes issues #202, bad db constraint made impossible to attach same group
   more than one time. Affects only mysql/postgres
 - fixes #218 os.kill patch for windows was missing sig param
 - improved rendering of dag (they are not trimmed anymore when number of
   heads exceeds 5)
 .1.8 (**2011-04-12**)
 ----------------------
 news
 ++++
 - improved windows support
 fixes
 +++++
 - fixed #140 freeze of python dateutil library, since new version is python2.x
   incompatible
 - setup-app will check for write permission in given path
 - cleaned up license info issue #149
 - fixes for issues #137,#116 and problems with unicode and accented characters.
 - fixes crashes on gravatar, when passed in email as unicode
 - fixed tooltip flickering problems
 - fixed came_from redirection on windows
 - fixed logging modules, and sql formatters
 - windows fixes for os.kill issue #133
 - fixes path splitting for windows issues #148
 - fixed issue #143 wrong import on migration to 1.1.X
 - fixed problems with displaying binary files, thanks to Thomas Waldmann
 - removed name from archive files since it's breaking ui for long repo names
 - fixed issue with archive headers sent to browser, thanks to Thomas Waldmann
 - fixed compatibility for 1024px displays, and larger dpi settings, thanks to
   Thomas Waldmann
 - fixed issue #166 summary pager was skipping 10 revisions on second page
 .1.7 (**2011-03-23**)
 ----------------------
 news
 ++++
 fixes
 +++++
 - fixed (again) #136 installation support for FreeBSD
 .1.6 (**2011-03-21**)
 ----------------------
 news
 ++++
 fixes
 +++++
 - fixed #136 installation support for FreeBSD
 - RhodeCode will check for python version during installation
 .1.5 (**2011-03-17**)
 ----------------------
 news
 ++++
 - basic windows support, by exchanging pybcrypt into sha256 for windows only
   highly inspired by idea of mantis406
 fixes
 +++++
 - fixed sorting by author in main page
 - fixed crashes with diffs on binary files
 - fixed #131 problem with boolean values for LDAP
 - fixed #122 mysql problems thanks to striker69
 - fixed problem with errors on calling raw/raw_files/annotate functions
   with unknown revisions
 - fixed returned rawfiles attachment names with international character
 - cleaned out docs, big thanks to Jason Harris
 .1.4 (**2011-02-19**)
 ----------------------
 news
 ++++
 fixes
 +++++
 - fixed formencode import problem on settings page, that caused server crash
   when that page was accessed as first after server start
 - journal fixes
 - fixed option to access repository just by entering http://server/<repo_name>
 .1.3 (**2011-02-16**)
 ----------------------
 news
 ++++
 - implemented #102 allowing the '.' character in username
 - added option to access repository just by entering http://server/<repo_name>
 - celery task ignores result for better performance
 fixes
 +++++
 - fixed ehlo command and non auth mail servers on smtp_lib. Thanks to
   apollo13 and Johan Walles
 - small fixes in journal
 - fixed problems with getting setting for celery from .ini files
 - registration, password reset and login boxes share the same title as main
   application now
 - fixed #113: to high permissions to fork repository
 - fixed problem with '[' chars in commit messages in journal
 - removed issue with space inside renamed repository after deletion
 - db transaction fixes when filesystem repository creation failed
 - fixed #106 relation issues on databases different than sqlite
 - fixed static files paths links to use of url() method
 .1.2 (**2011-01-12**)
 ----------------------
 news
 ++++
 fixes
 +++++
 - fixes #98 protection against float division of percentage stats
 - fixed graph bug
 - forced webhelpers version since it was making troubles during installation
 .1.1 (**2011-01-06**)
 ----------------------
 news
 ++++
 - added force https option into ini files for easier https usage (no need to
   set server headers with this options)
 - small css updates
 fixes
 +++++
 - fixed #96 redirect loop on files view on repositories without changesets
 - fixed #97 unicode string passed into server header in special cases (mod_wsgi)
   and server crashed with errors
 - fixed large tooltips problems on main page
 - fixed #92 whoosh indexer is more error proof
 .1.0 (**2010-12-18**)
 ----------------------
 news
 ++++
 - rewrite of internals for vcs >=0.1.10
 - uses mercurial 1.7 with dotencode disabled for maintaining compatibility
   with older clients
 - anonymous access, authentication via ldap
 - performance upgrade for cached repos list - each repository has its own
   cache that's invalidated when needed.
 - performance upgrades on repositories with large amount of commits (20K+)
 - main page quick filter for filtering repositories
 - user dashboards with ability to follow chosen repositories actions
 - sends email to admin on new user registration
 - added cache/statistics reset options into repository settings
 - more detailed action logger (based on hooks) with pushed changesets lists
   and options to disable those hooks from admin panel
 - introduced new enhanced changelog for merges that shows more accurate results
 - new improved and faster code stats (based on pygments lexers mapping tables,
   showing up to 10 trending sources for each repository. Additionally stats
   can be disabled in repository settings.
 - gui optimizations, fixed application width to 1024px
 - added cut off (for large files/changesets) limit into config files
 - whoosh, celeryd, upgrade moved to paster command
 - other than sqlite database backends can be used
 fixes
 +++++
 - fixes #61 forked repo was showing only after cache expired
 - fixes #76 no confirmation on user deletes
 - fixes #66 Name field misspelled
 - fixes #72 block user removal when he owns repositories
 - fixes #69 added password confirmation fields
 - fixes #87 RhodeCode crashes occasionally on updating repository owner
 - fixes #82 broken annotations on files with more than 1 blank line at the end
 - a lot of fixes and tweaks for file browser
 - fixed detached session issues
 - fixed when user had no repos he would see all repos listed in my account
 - fixed ui() instance bug when global hgrc settings was loaded for server
   instance and all hgrc options were merged with our db ui() object
 - numerous small bugfixes
 (special thanks for TkSoh for detailed feedback)
 .0.2 (**2010-11-12**)
 ----------------------
 news
 ++++
 - tested under python2.7
 - bumped sqlalchemy and celery versions
 fixes
 +++++
 - fixed #59 missing graph.js
 - fixed repo_size crash when repository had broken symlinks
 - fixed python2.5 crashes.
 .0.1 (**2010-11-10**)
 ----------------------
 news
 ++++
 - small css updated
 fixes
 +++++
 - fixed #53 python2.5 incompatible enumerate calls
 - fixed #52 disable mercurial extension for web
 - fixed #51 deleting repositories don't delete it's dependent objects
 .0.0 (**2010-11-02**)
 ----------------------
 - security bugfix simplehg wasn't checking for permissions on commands
   other than pull or push.
 - fixed doubled messages after push or pull in admin journal
 - templating and css corrections, fixed repo switcher on chrome, updated titles
 - admin menu accessible from options menu on repository view
 - permissions cached queries
 .0.0rc4  (**2010-10-12**)
 --------------------------
 - fixed python2.5 missing simplejson imports (thanks to Jens Bäckman)
 - removed cache_manager settings from sqlalchemy meta
 - added sqlalchemy cache settings to ini files
 - validated password length and added second try of failure on paster setup-app
 - fixed setup database destroy prompt even when there was no db
 .0.0rc3 (**2010-10-11**)
 -------------------------
 - fixed i18n during installation.
 .0.0rc2 (**2010-10-11**)
 -------------------------
 - Disabled dirsize in file browser, it's causing nasty bug when dir renames
   occure. After vcs is fixed it'll be put back again.
 - templating/css rewrites, optimized css.
@@ \ No newline at end of file @@

rhodecode/model/user.py

➞

Show inline comments

 # -*- coding: utf-8 -*-
 """
     rhodecode.model.user
     ~~~~~~~~~~~~~~~~~~~~
     users model for RhodeCode
     :created_on: Apr 9, 2010
     :author: marcink
     :copyright: (C) 2010-2012 Marcin Kuzminski <marcin@python-works.com>
     :license: GPLv3, see COPYING for more details.
 """
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
+#
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
+#
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 import logging
 import traceback
 import itertools
 from pylons import url
 from pylons.i18n.translation import _
 from sqlalchemy.exc import DatabaseError
 from sqlalchemy.orm import joinedload
 from rhodecode.lib.utils2 import safe_unicode, generate_api_key
 from rhodecode.lib.caching_query import FromCache
 from rhodecode.model import BaseModel
 from rhodecode.model.db import User, UserRepoToPerm, Repository, Permission, \
     UserToPerm, UsersGroupRepoToPerm, UsersGroupToPerm, UsersGroupMember, \
     Notification, RepoGroup, UserRepoGroupToPerm, UsersGroupRepoGroupToPerm, \
     UserEmailMap
 from rhodecode.lib.exceptions import DefaultUserException, \
     UserOwnsReposException
 log = logging.getLogger(__name__)
 PERM_WEIGHTS = Permission.PERM_WEIGHTS
 class UserModel(BaseModel):
     cls = User
     def get(self, user_id, cache=False):
         user = self.sa.query(User)
         if cache:
             user = user.options(FromCache("sql_cache_short",
                                           "get_user_%s" % user_id))
         return user.get(user_id)
     def get_user(self, user):
         return self._get_user(user)
     def get_by_username(self, username, cache=False, case_insensitive=False):
         if case_insensitive:
             user = self.sa.query(User).filter(User.username.ilike(username))
         else:
             user = self.sa.query(User)\
                 .filter(User.username == username)
         if cache:
             user = user.options(FromCache("sql_cache_short",
                                           "get_user_%s" % username))
         return user.scalar()
     def get_by_email(self, email, cache=False, case_insensitive=False):
         return User.get_by_email(email, case_insensitive, cache)
     def get_by_api_key(self, api_key, cache=False):
         return User.get_by_api_key(api_key, cache)
     def create(self, form_data):
         from rhodecode.lib.auth import get_crypt_password
         try:
             new_user = User()
             for k, v in form_data.items():
                 if k == 'password':
                     v = get_crypt_password(v)
                 if k == 'firstname':
                     k = 'name'
                 setattr(new_user, k, v)
             new_user.api_key = generate_api_key(form_data['username'])
             self.sa.add(new_user)
             return new_user
         except:
             log.error(traceback.format_exc())
             raise
     def create_or_update(self, username, password, email, firstname='',
                          lastname='', active=True, admin=False, ldap_dn=None):
         """
         Creates a new instance if not found, or updates current one
         :param username:
         :param password:
         :param email:
         :param active:
         :param firstname:
         :param lastname:
         :param active:
         :param admin:
         :param ldap_dn:
         """
         from rhodecode.lib.auth import get_crypt_password
         log.debug('Checking for %s account in RhodeCode database' % username)
         user = User.get_by_username(username, case_insensitive=True)
         if user is None:
             log.debug('creating new user %s' % username)
             new_user = User()
             edit = False
         else:
             log.debug('updating user %s' % username)
             new_user = user
             edit = True
         try:
             new_user.username = username
             new_user.admin = admin
             # set password only if creating an user or password is changed
             if edit is False or user.password != password:
                 new_user.password = get_crypt_password(password)
                 new_user.api_key = generate_api_key(username)
             new_user.email = email
             new_user.active = active
             new_user.ldap_dn = safe_unicode(ldap_dn) if ldap_dn else None
             new_user.name = firstname
             new_user.lastname = lastname
             self.sa.add(new_user)
             return new_user
         except (DatabaseError,):
             log.error(traceback.format_exc())
             raise
     def create_for_container_auth(self, username, attrs):
         """
         Creates the given user if it's not already in the database
         :param username:
         :param attrs:
         """
         if self.get_by_username(username, case_insensitive=True) is None:
             # autogenerate email for container account without one
             generate_email = lambda usr: '%s@container_auth.account' % usr
             try:
                 new_user = User()
                 new_user.username = username
                 new_user.password = None
                 new_user.api_key = generate_api_key(username)
                 new_user.email = attrs['email']
                 new_user.active = attrs.get('active', True)
                 new_user.name = attrs['name'] or generate_email(username)
                 new_user.lastname = attrs['lastname']
                 self.sa.add(new_user)
                 return new_user
             except (DatabaseError,):
                 log.error(traceback.format_exc())
                 self.sa.rollback()
                 raise
         log.debug('User %s already exists. Skipping creation of account'
                   ' for container auth.', username)
         return None
     def create_ldap(self, username, password, user_dn, attrs):
         """
         Checks if user is in database, if not creates this user marked
         as ldap user
         :param username:
         :param password:
         :param user_dn:
         :param attrs:
         """
         from rhodecode.lib.auth import get_crypt_password
         log.debug('Checking for such ldap account in RhodeCode database')
         if self.get_by_username(username, case_insensitive=True) is None:
             # autogenerate email for ldap account without one
             generate_email = lambda usr: '%s@ldap.account' % usr
             try:
                 new_user = User()
                 username = username.lower()
                 # add ldap account always lowercase
                 new_user.username = username
                 new_user.password = get_crypt_password(password)
                 new_user.api_key = generate_api_key(username)
                 new_user.email = attrs['email'] or generate_email(username)
                 new_user.active = attrs.get('active', True)
                 new_user.ldap_dn = safe_unicode(user_dn)
                 new_user.name = attrs['name']
                 new_user.lastname = attrs['lastname']
                 self.sa.add(new_user)
                 return new_user
             except (DatabaseError,):
                 log.error(traceback.format_exc())
                 self.sa.rollback()
                 raise
         log.debug('this %s user exists skipping creation of ldap account',
                   username)
         return None
     def create_registration(self, form_data):
         from rhodecode.model.notification import NotificationModel
         try:
             form_data['admin'] = False
             new_user = self.create(form_data)
             self.sa.add(new_user)
             self.sa.flush()
             # notification to admins
             subject = _('new user registration')
             body = ('New user registration\n'
                     '---------------------\n'
                     '- Username: %s\n'
                     '- Full Name: %s\n'
                     '- Email: %s\n')
             body = body % (new_user.username, new_user.full_name,
                            new_user.email)
             edit_url = url('edit_user', id=new_user.user_id, qualified=True)
             kw = {'registered_user_url': edit_url}
             NotificationModel().create(created_by=new_user, subject=subject,
                                        body=body, recipients=None,
                                        type_=Notification.TYPE_REGISTRATION,
                                        email_kwargs=kw)
         except:
             log.error(traceback.format_exc())
             raise
     def update(self, user_id, form_data):
         from rhodecode.lib.auth import get_crypt_password
         try:
             user = self.get(user_id, cache=False)
             if user.username == 'default':
                 raise DefaultUserException(
                                 _("You can't Edit this user since it's"
                                   " crucial for entire application"))
             for k, v in form_data.items():
                 if k == 'new_password' and v:
                     user.password = get_crypt_password(v)
                     user.api_key = generate_api_key(user.username)
                 else:
                     if k == 'firstname':
                         k = 'name'
                     setattr(user, k, v)
             self.sa.add(user)
         except:
             log.error(traceback.format_exc())
             raise
     def update_user(self, user, **kwargs):
         from rhodecode.lib.auth import get_crypt_password
         try:
             user = self._get_user(user)
             if user.username == 'default':
                 raise DefaultUserException(
                     _("You can't Edit this user since it's"
                       " crucial for entire application")
+                )
             for k, v in kwargs.items():
                 if k == 'password' and v:
                     v = get_crypt_password(v)
                     user.api_key = generate_api_key(user.username)
                 setattr(user, k, v)
             self.sa.add(user)
             return user
         except:
             log.error(traceback.format_exc())
             raise
     def update_my_account(self, user_id, form_data):
         from rhodecode.lib.auth import get_crypt_password
         try:
             user = self.get(user_id, cache=False)
             if user.username == 'default':
                 raise DefaultUserException(
                     _("You can't Edit this user since it's"
                       " crucial for entire application")
+                )
             for k, v in form_data.items():
                 if k == 'new_password' and v:
                     user.password = get_crypt_password(v)
                     user.api_key = generate_api_key(user.username)
                 else:
                     if k == 'firstname':
                         k = 'name'
                     if k not in ['admin', 'active']:
                         setattr(user, k, v)
             self.sa.add(user)
         except:
             log.error(traceback.format_exc())
             raise
     def delete(self, user):
         user = self._get_user(user)
         try:
             if user.username == 'default':
                 raise DefaultUserException(
                     _(u"You can't remove this user since it's"
                       " crucial for entire application")
+                )
             if user.repositories:
                 repos = [x.repo_name for x in user.repositories]
                 raise UserOwnsReposException(
                     _(u'user "%s" still owns %s repositories and cannot be '
                       'removed. Switch owners or remove those repositories. %s')
                     % (user.username, len(repos), ', '.join(repos))
+                )
             self.sa.delete(user)
         except:
             log.error(traceback.format_exc())
             raise
     def reset_password_link(self, data):
         from rhodecode.lib.celerylib import tasks, run_task
         run_task(tasks.send_password_link, data['email'])
     def reset_password(self, data):
         from rhodecode.lib.celerylib import tasks, run_task
         run_task(tasks.reset_user_password, data['email'])
     def fill_data(self, auth_user, user_id=None, api_key=None):
         """
         Fetches auth_user by user_id,or api_key if present.
         Fills auth_user attributes with those taken from database.
         Additionally set's is_authenitated if lookup fails
         present in database
         :param auth_user: instance of user to set attributes
         :param user_id: user id to fetch by
         :param api_key: api key to fetch by
         """
         if user_id is None and api_key is None:
             raise Exception('You need to pass user_id or api_key')
         try:
             if api_key:
                 dbuser = self.get_by_api_key(api_key)
             else:
                 dbuser = self.get(user_id)
             if dbuser is not None and dbuser.active:
                 log.debug('filling %s data' % dbuser)
                 for k, v in dbuser.get_dict().items():
                     setattr(auth_user, k, v)
             else:
                 return False
         except:
             log.error(traceback.format_exc())
             auth_user.is_authenticated = False
             return False
         return True
     def fill_perms(self, user):
         """
         Fills user permission attribute with permissions taken from database
         works for permissions given for repositories, and for permissions that
         are granted to groups
         :param user: user instance to fill his perms
         """
         RK = 'repositories'
         GK = 'repositories_groups'
         GLOBAL = 'global'
         user.permissions[RK] = {}
         user.permissions[GK] = {}
         user.permissions[GLOBAL] = set()
         #======================================================================
         # fetch default permissions
         #======================================================================
         default_user = User.get_by_username('default', cache=True)
         default_user_id = default_user.user_id
         default_repo_perms = Permission.get_default_perms(default_user_id)
         default_repo_groups_perms = Permission.get_default_group_perms(default_user_id)
         if user.is_admin:
             #==================================================================
             # admin user have all default rights for repositories
             # and groups set to admin
             #==================================================================
             user.permissions[GLOBAL].add('hg.admin')
             # repositories
             for perm in default_repo_perms:
                 r_k = perm.UserRepoToPerm.repository.repo_name
                 p = 'repository.admin'
                 user.permissions[RK][r_k] = p
             # repositories groups
             for perm in default_repo_groups_perms:
                 rg_k = perm.UserRepoGroupToPerm.group.group_name
                 p = 'group.admin'
                 user.permissions[GK][rg_k] = p
             return user
         #==================================================================
         # SET DEFAULTS GLOBAL, REPOS, REPOS GROUPS
         #==================================================================
         uid = user.user_id
         # default global permissions taken fron the default user
         default_global_perms = self.sa.query(UserToPerm)\
             .filter(UserToPerm.user_id == default_user_id)
         for perm in default_global_perms:
             user.permissions[GLOBAL].add(perm.permission.permission_name)
         # defaults for repositories, taken from default user
         for perm in default_repo_perms:
             r_k = perm.UserRepoToPerm.repository.repo_name
             if perm.Repository.private and not (perm.Repository.user_id == uid):
                 # disable defaults for private repos,
                 p = 'repository.none'
             elif perm.Repository.user_id == uid:
                 # set admin if owner
                 p = 'repository.admin'
             else:
                 p = perm.Permission.permission_name
             user.permissions[RK][r_k] = p
         # defaults for repositories groups taken from default user permission
         # on given group
         for perm in default_repo_groups_perms:
             rg_k = perm.UserRepoGroupToPerm.group.group_name
             p = perm.Permission.permission_name
             user.permissions[GK][rg_k] = p
         #======================================================================
         # !! OVERRIDE GLOBALS !! with user permissions if any found
         #======================================================================
         # those can be configured from groups or users explicitly
         _configurable = set(['hg.fork.none', 'hg.fork.repository',
                              'hg.create.none', 'hg.create.repository'])
         # USER GROUPS comes first
         # users group global permissions
         user_perms_from_users_groups = self.sa.query(UsersGroupToPerm)\
             .options(joinedload(UsersGroupToPerm.permission))\
             .join((UsersGroupMember, UsersGroupToPerm.users_group_id ==
                    UsersGroupMember.users_group_id))\
             .filter(UsersGroupMember.user_id == uid)\
             .order_by(UsersGroupToPerm.users_group_id)\
             .all()
         #need to group here by groups since user can be in more than one group
         _grouped = [[x, list(y)] for x, y in
                     itertools.groupby(user_perms_from_users_groups,
                                       lambda x:x.users_group)]
         for gr, perms in _grouped:
             # since user can be in multiple groups iterate over them and
             # select the lowest permissions first (more explicit)
             ##TODO: do this^^
             if not gr.inherit_default_permissions:
                 # NEED TO IGNORE all configurable permissions and
                 # replace them with explicitly set
                 user.permissions[GLOBAL] = user.permissions[GLOBAL]\
                                                 .difference(_configurable)
             for perm in perms:
                 user.permissions[GLOBAL].add(perm.permission.permission_name)
         # user specific global permissions
         user_perms = self.sa.query(UserToPerm)\
                 .options(joinedload(UserToPerm.permission))\
                 .filter(UserToPerm.user_id == uid).all()
         if not user.inherit_default_permissions:
             # NEED TO IGNORE all configurable permissions and
             # replace them with explicitly set
             user.permissions[GLOBAL] = user.permissions[GLOBAL]\
                                             .difference(_configurable)
             for perm in user_perms:
                 user.permissions[GLOBAL].add(perm.permission.permission_name)
         #======================================================================
         # !! REPO PERMISSIONS !!
         #======================================================================
         #======================================================================
         # check if user is part of user groups for this repository and
         # fill in (or NOT replace with higher `or 1` permissions
         #======================================================================
         # users group for repositories permissions
         user_repo_perms_from_users_groups = \
          self.sa.query(UsersGroupRepoToPerm, Permission, Repository,)\
             .join((Repository, UsersGroupRepoToPerm.repository_id ==
                    Repository.repo_id))\
             .join((Permission, UsersGroupRepoToPerm.permission_id ==
                    Permission.permission_id))\
             .join((UsersGroupMember, UsersGroupRepoToPerm.users_group_id ==
                    UsersGroupMember.users_group_id))\
             .filter(UsersGroupMember.user_id == uid)\
             .all()
         for perm in user_repo_perms_from_users_groups:
             r_k = perm.UsersGroupRepoToPerm.repository.repo_name
             p = perm.Permission.permission_name
             cur_perm = user.permissions[RK][r_k]
             # overwrite permission only if it's greater than permission
             # given from other sources
+            # given from other sources - disabled with `or 1` now
             if PERM_WEIGHTS[p] > PERM_WEIGHTS[cur_perm] or 1:  # disable check
                 if perm.Repository.user_id == uid:
                     # set admin if owner
                     p = 'repository.admin'
                 user.permissions[RK][r_k] = p
         # user explicit permissions for repositories
         user_repo_perms = \
          self.sa.query(UserRepoToPerm, Permission, Repository)\
             .join((Repository, UserRepoToPerm.repository_id ==
                    Repository.repo_id))\
             .join((Permission, UserRepoToPerm.permission_id ==
                    Permission.permission_id))\
             .filter(UserRepoToPerm.user_id == uid)\
             .all()
         for perm in user_repo_perms:
             # set admin if owner
             r_k = perm.UserRepoToPerm.repository.repo_name
             if perm.Repository.user_id == uid:
                 p = 'repository.admin'
             else:
                 p = perm.Permission.permission_name
             user.permissions[RK][r_k] = p
         # REPO GROUP
         #==================================================================
         # get access for this user for repos group and override defaults
         #==================================================================
         # user explicit permissions for repository
         user_repo_groups_perms = \
          self.sa.query(UserRepoGroupToPerm, Permission, RepoGroup)\
          .join((RepoGroup, UserRepoGroupToPerm.group_id == RepoGroup.group_id))\
          .join((Permission, UserRepoGroupToPerm.permission_id == Permission.permission_id))\
          .filter(UserRepoGroupToPerm.user_id == uid)\
          .all()
         for perm in user_repo_groups_perms:
             rg_k = perm.UserRepoGroupToPerm.group.group_name
             p = perm.Permission.permission_name
             cur_perm = user.permissions[GK][rg_k]
             if PERM_WEIGHTS[p] > PERM_WEIGHTS[cur_perm] or 1:  # disable check
                 user.permissions[GK][rg_k] = p
         # REPO GROUP + USER GROUP
         #==================================================================
         # check if user is part of user groups for this repo group and
         # fill in (or replace with higher) permissions
         #==================================================================
         # users group for repositories permissions
         user_repo_group_perms_from_users_groups = \
          self.sa.query(UsersGroupRepoGroupToPerm, Permission, RepoGroup)\
          .join((RepoGroup, UsersGroupRepoGroupToPerm.group_id == RepoGroup.group_id))\
          .join((Permission, UsersGroupRepoGroupToPerm.permission_id == Permission.permission_id))\
          .join((UsersGroupMember, UsersGroupRepoGroupToPerm.users_group_id == UsersGroupMember.users_group_id))\
          .filter(UsersGroupMember.user_id == uid)\
          .all()
         for perm in user_repo_group_perms_from_users_groups:
             g_k = perm.UsersGroupRepoGroupToPerm.group.group_name
             p = perm.Permission.permission_name
             cur_perm = user.permissions[GK][g_k]
             # overwrite permission only if it's greater than permission
             # given from other sources
             if PERM_WEIGHTS[p] > PERM_WEIGHTS[cur_perm] or 1:  # disable check
                 user.permissions[GK][g_k] = p
         return user
     def has_perm(self, user, perm):
         perm = self._get_perm(perm)
         user = self._get_user(user)
         return UserToPerm.query().filter(UserToPerm.user == user)\
             .filter(UserToPerm.permission == perm).scalar() is not None
     def grant_perm(self, user, perm):
         """
         Grant user global permissions
         :param user:
         :param perm:
         """
         user = self._get_user(user)
         perm = self._get_perm(perm)
         # if this permission is already granted skip it
         _perm = UserToPerm.query()\
             .filter(UserToPerm.user == user)\
             .filter(UserToPerm.permission == perm)\
             .scalar()
         if _perm:
             return
         new = UserToPerm()
         new.user = user
         new.permission = perm
         self.sa.add(new)
     def revoke_perm(self, user, perm):
         """
         Revoke users global permissions
         :param user:
         :param perm:
         """
         user = self._get_user(user)
         perm = self._get_perm(perm)
         obj = UserToPerm.query()\
                 .filter(UserToPerm.user == user)\
                 .filter(UserToPerm.permission == perm)\
                 .scalar()
         if obj:
             self.sa.delete(obj)
     def add_extra_email(self, user, email):
         """
         Adds email address to UserEmailMap
         :param user:
         :param email:
         """
         from rhodecode.model import forms
         form = forms.UserExtraEmailForm()()
         data = form.to_python(dict(email=email))
         user = self._get_user(user)
         obj = UserEmailMap()
         obj.user = user
         obj.email = data['email']
         self.sa.add(obj)
         return obj
     def delete_extra_email(self, user, email_id):
         """
         Removes email address from UserEmailMap
         :param user:
         :param email_id:
         """
         user = self._get_user(user)
         obj = UserEmailMap.query().get(email_id)
         if obj:
             self.sa.delete(obj)

rhodecode/tests/models/test_permissions.py

➞

Show inline comments

 import os
 import unittest
 from rhodecode.tests import *
 from rhodecode.tests.models.common import _make_group
 from rhodecode.model.repos_group import ReposGroupModel
 from rhodecode.model.repo import RepoModel
 from rhodecode.model.db import RepoGroup, User, UsersGroupRepoGroupToPerm
 from rhodecode.model.user import UserModel
 from rhodecode.model.meta import Session
 from rhodecode.model.users_group import UsersGroupModel
 from rhodecode.lib.auth import AuthUser
+from rhodecode.tests.api.api_base import create_repo
 class TestPermissions(unittest.TestCase):
     def __init__(self, methodName='runTest'):
         super(TestPermissions, self).__init__(methodName=methodName)
     def setUp(self):
         self.u1 = UserModel().create_or_update(
             username=u'u1', password=u'qweqwe',
             email=u'u1@rhodecode.org', firstname=u'u1', lastname=u'u1'
+        )
         self.u2 = UserModel().create_or_update(
             username=u'u2', password=u'qweqwe',
             email=u'u2@rhodecode.org', firstname=u'u2', lastname=u'u2'
+        )
         self.u3 = UserModel().create_or_update(
             username=u'u3', password=u'qweqwe',
             email=u'u3@rhodecode.org', firstname=u'u3', lastname=u'u3'
+        )
         self.anon = User.get_by_username('default')
         self.a1 = UserModel().create_or_update(
             username=u'a1', password=u'qweqwe',
             email=u'a1@rhodecode.org', firstname=u'a1', lastname=u'a1', admin=True
+        )
         Session().commit()
     def tearDown(self):
         if hasattr(self, 'test_repo'):
             RepoModel().delete(repo=self.test_repo)
         UserModel().delete(self.u1)
         UserModel().delete(self.u2)
         UserModel().delete(self.u3)
         UserModel().delete(self.a1)
         if hasattr(self, 'g1'):
             ReposGroupModel().delete(self.g1.group_id)
         if hasattr(self, 'g2'):
             ReposGroupModel().delete(self.g2.group_id)
         if hasattr(self, 'ug1'):
             UsersGroupModel().delete(self.ug1, force=True)
         Session().commit()
     def test_default_perms_set(self):
         u1_auth = AuthUser(user_id=self.u1.user_id)
         perms = {
             'repositories_groups': {},
             'global': set([u'hg.create.repository', u'repository.read',
                            u'hg.register.manual_activate']),
             'repositories': {u'vcs_test_hg': u'repository.read'}
+        }
         self.assertEqual(u1_auth.permissions['repositories'][HG_REPO],
                          perms['repositories'][HG_REPO])
         new_perm = 'repository.write'
         RepoModel().grant_user_permission(repo=HG_REPO, user=self.u1,
                                           perm=new_perm)
         Session().commit()
         u1_auth = AuthUser(user_id=self.u1.user_id)
         self.assertEqual(u1_auth.permissions['repositories'][HG_REPO],
                          new_perm)
     def test_default_admin_perms_set(self):
         a1_auth = AuthUser(user_id=self.a1.user_id)
         perms = {
             'repositories_groups': {},
             'global': set([u'hg.admin']),
             'repositories': {u'vcs_test_hg': u'repository.admin'}
+        }
         self.assertEqual(a1_auth.permissions['repositories'][HG_REPO],
                          perms['repositories'][HG_REPO])
         new_perm = 'repository.write'
         RepoModel().grant_user_permission(repo=HG_REPO, user=self.a1,
                                           perm=new_perm)
         Session().commit()
         # cannot really downgrade admins permissions !? they still get's set as
         # admin !
         u1_auth = AuthUser(user_id=self.a1.user_id)
         self.assertEqual(u1_auth.permissions['repositories'][HG_REPO],
                          perms['repositories'][HG_REPO])
     def test_default_group_perms(self):
         self.g1 = _make_group('test1', skip_if_exists=True)
         self.g2 = _make_group('test2', skip_if_exists=True)
         u1_auth = AuthUser(user_id=self.u1.user_id)
         perms = {
             'repositories_groups': {u'test1': 'group.read', u'test2': 'group.read'},
             'global': set([u'hg.create.repository', u'repository.read', u'hg.register.manual_activate']),
             'repositories': {u'vcs_test_hg': u'repository.read'}
+        }
         self.assertEqual(u1_auth.permissions['repositories'][HG_REPO],
                          perms['repositories'][HG_REPO])
         self.assertEqual(u1_auth.permissions['repositories_groups'],
                          perms['repositories_groups'])
     def test_default_admin_group_perms(self):
         self.g1 = _make_group('test1', skip_if_exists=True)
         self.g2 = _make_group('test2', skip_if_exists=True)
         a1_auth = AuthUser(user_id=self.a1.user_id)
         perms = {
             'repositories_groups': {u'test1': 'group.admin', u'test2': 'group.admin'},
             'global': set(['hg.admin']),
             'repositories': {u'vcs_test_hg': 'repository.admin'}
+        }
         self.assertEqual(a1_auth.permissions['repositories'][HG_REPO],
                          perms['repositories'][HG_REPO])
         self.assertEqual(a1_auth.permissions['repositories_groups'],
                          perms['repositories_groups'])
     def test_propagated_permission_from_users_group_by_explicit_perms_exist(self):
         # make group
         self.ug1 = UsersGroupModel().create('G1')
         # add user to group
         UsersGroupModel().add_user_to_group(self.ug1, self.u1)
         # set permission to lower
         new_perm = 'repository.none'
         RepoModel().grant_user_permission(repo=HG_REPO, user=self.u1, perm=new_perm)
         Session().commit()
         u1_auth = AuthUser(user_id=self.u1.user_id)
         self.assertEqual(u1_auth.permissions['repositories'][HG_REPO],
                          new_perm)
         # grant perm for group this should not override permission from user
         # since it has explicitly set
         new_perm_gr = 'repository.write'
         RepoModel().grant_users_group_permission(repo=HG_REPO,
                                                  group_name=self.ug1,
                                                  perm=new_perm_gr)
         # check perms
         u1_auth = AuthUser(user_id=self.u1.user_id)
         perms = {
             'repositories_groups': {},
             'global': set([u'hg.create.repository', u'repository.read',
                            u'hg.register.manual_activate']),
             'repositories': {u'vcs_test_hg': u'repository.read'}
+        }
         self.assertEqual(u1_auth.permissions['repositories'][HG_REPO],
                          new_perm)
         self.assertEqual(u1_auth.permissions['repositories_groups'],
                          perms['repositories_groups'])
     def test_propagated_permission_from_users_group(self):
         # make group
         self.ug1 = UsersGroupModel().create('G1')
         # add user to group
         UsersGroupModel().add_user_to_group(self.ug1, self.u3)
         # grant perm for group this should override default permission from user
         new_perm_gr = 'repository.write'
         RepoModel().grant_users_group_permission(repo=HG_REPO,
                                                  group_name=self.ug1,
                                                  perm=new_perm_gr)
         # check perms
         u3_auth = AuthUser(user_id=self.u3.user_id)
         perms = {
             'repositories_groups': {},
             'global': set([u'hg.create.repository', u'repository.read',
                            u'hg.register.manual_activate']),
             'repositories': {u'vcs_test_hg': u'repository.read'}
+        }
         self.assertEqual(u3_auth.permissions['repositories'][HG_REPO],
                          new_perm_gr)
         self.assertEqual(u3_auth.permissions['repositories_groups'],
                          perms['repositories_groups'])
     def test_propagated_permission_from_users_group_lower_weight(self):
         # make group
         self.ug1 = UsersGroupModel().create('G1')
         # add user to group
         UsersGroupModel().add_user_to_group(self.ug1, self.u1)
         # set permission to lower
         new_perm_h = 'repository.write'
         RepoModel().grant_user_permission(repo=HG_REPO, user=self.u1,
                                           perm=new_perm_h)
         Session().commit()
         u1_auth = AuthUser(user_id=self.u1.user_id)
         self.assertEqual(u1_auth.permissions['repositories'][HG_REPO],
                          new_perm_h)
         # grant perm for group this should NOT override permission from user
         # since it's lower than granted
         new_perm_l = 'repository.read'
         RepoModel().grant_users_group_permission(repo=HG_REPO,
                                                  group_name=self.ug1,
                                                  perm=new_perm_l)
         # check perms
         u1_auth = AuthUser(user_id=self.u1.user_id)
         perms = {
             'repositories_groups': {},
             'global': set([u'hg.create.repository', u'repository.read',
                            u'hg.register.manual_activate']),
             'repositories': {u'vcs_test_hg': u'repository.write'}
+        }
         self.assertEqual(u1_auth.permissions['repositories'][HG_REPO],
                          new_perm_h)
         self.assertEqual(u1_auth.permissions['repositories_groups'],
                          perms['repositories_groups'])
     def test_repo_in_group_permissions(self):
         self.g1 = _make_group('group1', skip_if_exists=True)
         self.g2 = _make_group('group2', skip_if_exists=True)
         Session().commit()
         # both perms should be read !
         u1_auth = AuthUser(user_id=self.u1.user_id)
         self.assertEqual(u1_auth.permissions['repositories_groups'],
                          {u'group1': u'group.read', u'group2': u'group.read'})
         a1_auth = AuthUser(user_id=self.anon.user_id)
         self.assertEqual(a1_auth.permissions['repositories_groups'],
                  {u'group1': u'group.read', u'group2': u'group.read'})
         #Change perms to none for both groups
         ReposGroupModel().grant_user_permission(repos_group=self.g1,
                                                 user=self.anon,
                                                 perm='group.none')
         ReposGroupModel().grant_user_permission(repos_group=self.g2,
                                                 user=self.anon,
                                                 perm='group.none')
         u1_auth = AuthUser(user_id=self.u1.user_id)
         self.assertEqual(u1_auth.permissions['repositories_groups'],
                  {u'group1': u'group.none', u'group2': u'group.none'})
         a1_auth = AuthUser(user_id=self.anon.user_id)
         self.assertEqual(a1_auth.permissions['repositories_groups'],
                  {u'group1': u'group.none', u'group2': u'group.none'})
         # add repo to group
         name = RepoGroup.url_sep().join([self.g1.group_name, 'test_perm'])
         self.test_repo = RepoModel().create_repo(
             repo_name=name,
             repo_type='hg',
             description='',
             repos_group=self.g1,
             owner=self.u1,
+        )
         Session().commit()
         u1_auth = AuthUser(user_id=self.u1.user_id)
         self.assertEqual(u1_auth.permissions['repositories_groups'],
                  {u'group1': u'group.none', u'group2': u'group.none'})
         a1_auth = AuthUser(user_id=self.anon.user_id)
         self.assertEqual(a1_auth.permissions['repositories_groups'],
                  {u'group1': u'group.none', u'group2': u'group.none'})
         #grant permission for u2 !
         ReposGroupModel().grant_user_permission(repos_group=self.g1,
                                                 user=self.u2,
                                                 perm='group.read')
         ReposGroupModel().grant_user_permission(repos_group=self.g2,
                                                 user=self.u2,
                                                 perm='group.read')
         Session().commit()
         self.assertNotEqual(self.u1, self.u2)
         #u1 and anon should have not change perms while u2 should !
         u1_auth = AuthUser(user_id=self.u1.user_id)
         self.assertEqual(u1_auth.permissions['repositories_groups'],
                  {u'group1': u'group.none', u'group2': u'group.none'})
         u2_auth = AuthUser(user_id=self.u2.user_id)
         self.assertEqual(u2_auth.permissions['repositories_groups'],
                  {u'group1': u'group.read', u'group2': u'group.read'})
         a1_auth = AuthUser(user_id=self.anon.user_id)
         self.assertEqual(a1_auth.permissions['repositories_groups'],
                  {u'group1': u'group.none', u'group2': u'group.none'})
     def test_repo_group_user_as_user_group_member(self):
         # create Group1
         self.g1 = _make_group('group1', skip_if_exists=True)
         Session().commit()
         a1_auth = AuthUser(user_id=self.anon.user_id)
         self.assertEqual(a1_auth.permissions['repositories_groups'],
                          {u'group1': u'group.read'})
         # set default permission to none
         ReposGroupModel().grant_user_permission(repos_group=self.g1,
                                                 user=self.anon,
                                                 perm='group.none')
         # make group
         self.ug1 = UsersGroupModel().create('G1')
         # add user to group
         UsersGroupModel().add_user_to_group(self.ug1, self.u1)
         Session().commit()
         # check if user is in the group
         membrs = [x.user_id for x in UsersGroupModel().get(self.ug1.users_group_id).members]
         self.assertEqual(membrs, [self.u1.user_id])
         # add some user to that group
         # check his permissions
         a1_auth = AuthUser(user_id=self.anon.user_id)
         self.assertEqual(a1_auth.permissions['repositories_groups'],
                          {u'group1': u'group.none'})
         u1_auth = AuthUser(user_id=self.u1.user_id)
         self.assertEqual(u1_auth.permissions['repositories_groups'],
                          {u'group1': u'group.none'})
         # grant ug1 read permissions for
         ReposGroupModel().grant_users_group_permission(repos_group=self.g1,
                                                        group_name=self.ug1,
                                                        perm='group.read')
         Session().commit()
         # check if the
         obj = Session().query(UsersGroupRepoGroupToPerm)\
             .filter(UsersGroupRepoGroupToPerm.group == self.g1)\
             .filter(UsersGroupRepoGroupToPerm.users_group == self.ug1)\
             .scalar()
         self.assertEqual(obj.permission.permission_name, 'group.read')
         a1_auth = AuthUser(user_id=self.anon.user_id)
         self.assertEqual(a1_auth.permissions['repositories_groups'],
                          {u'group1': u'group.none'})
         u1_auth = AuthUser(user_id=self.u1.user_id)
         self.assertEqual(u1_auth.permissions['repositories_groups'],
                          {u'group1': u'group.read'})
     def test_inherited_permissions_from_default_on_user_enabled(self):
         user_model = UserModel()
         # enable fork and create on default user
         usr = 'default'
         user_model.revoke_perm(usr, 'hg.create.none')
         user_model.grant_perm(usr, 'hg.create.repository')
         user_model.revoke_perm(usr, 'hg.fork.none')
         user_model.grant_perm(usr, 'hg.fork.repository')
         # make sure inherit flag is turned on
         self.u1.inherit_default_permissions = True
         Session().commit()
         u1_auth = AuthUser(user_id=self.u1.user_id)
         # this user will have inherited permissions from default user
         self.assertEqual(u1_auth.permissions['global'],
                          set(['hg.create.repository', 'hg.fork.repository',
                               'hg.register.manual_activate',
                               'repository.read']))
     def test_inherited_permissions_from_default_on_user_disabled(self):
         user_model = UserModel()
         # disable fork and create on default user
         usr = 'default'
         user_model.revoke_perm(usr, 'hg.create.repository')
         user_model.grant_perm(usr, 'hg.create.none')
         user_model.revoke_perm(usr, 'hg.fork.repository')
         user_model.grant_perm(usr, 'hg.fork.none')
         # make sure inherit flag is turned on
         self.u1.inherit_default_permissions = True
         Session().commit()
         u1_auth = AuthUser(user_id=self.u1.user_id)
         # this user will have inherited permissions from default user
         self.assertEqual(u1_auth.permissions['global'],
                          set(['hg.create.none', 'hg.fork.none',
                               'hg.register.manual_activate',
                               'repository.read']))
     def test_non_inherited_permissions_from_default_on_user_enabled(self):
         user_model = UserModel()
         # enable fork and create on default user
         usr = 'default'
         user_model.revoke_perm(usr, 'hg.create.none')
         user_model.grant_perm(usr, 'hg.create.repository')
         user_model.revoke_perm(usr, 'hg.fork.none')
         user_model.grant_perm(usr, 'hg.fork.repository')
         #disable global perms on specific user
         user_model.revoke_perm(self.u1, 'hg.create.repository')
         user_model.grant_perm(self.u1, 'hg.create.none')
         user_model.revoke_perm(self.u1, 'hg.fork.repository')
         user_model.grant_perm(self.u1, 'hg.fork.none')
         # make sure inherit flag is turned off
         self.u1.inherit_default_permissions = False
         Session().commit()
         u1_auth = AuthUser(user_id=self.u1.user_id)
         # this user will have non inherited permissions from he's
         # explicitly set permissions
         self.assertEqual(u1_auth.permissions['global'],
                          set(['hg.create.none', 'hg.fork.none',
                               'hg.register.manual_activate',
                               'repository.read']))
     def test_non_inherited_permissions_from_default_on_user_disabled(self):
         user_model = UserModel()
         # disable fork and create on default user
         usr = 'default'
         user_model.revoke_perm(usr, 'hg.create.repository')
         user_model.grant_perm(usr, 'hg.create.none')
         user_model.revoke_perm(usr, 'hg.fork.repository')
         user_model.grant_perm(usr, 'hg.fork.none')
         #enable global perms on specific user
         user_model.revoke_perm(self.u1, 'hg.create.none')
         user_model.grant_perm(self.u1, 'hg.create.repository')
         user_model.revoke_perm(self.u1, 'hg.fork.none')
         user_model.grant_perm(self.u1, 'hg.fork.repository')
         # make sure inherit flag is turned off
         self.u1.inherit_default_permissions = False
         Session().commit()
         u1_auth = AuthUser(user_id=self.u1.user_id)
         # this user will have non inherited permissions from he's
         # explicitly set permissions
         self.assertEqual(u1_auth.permissions['global'],
                          set(['hg.create.repository', 'hg.fork.repository',
                               'hg.register.manual_activate',
                               'repository.read']))
     def test_owner_permissions_doesnot_get_overwritten_by_group(self):
         #create repo as USER,
         self.test_repo = repo = RepoModel().create_repo(repo_name='myownrepo',
                                 repo_type='hg',
                                 description='desc',
                                 owner=self.u1)
         Session().commit()
         #he has permissions of admin as owner
         u1_auth = AuthUser(user_id=self.u1.user_id)
         self.assertEqual(u1_auth.permissions['repositories']['myownrepo'],
                          'repository.admin')
         #set his permission as users group, he should still be admin
         self.ug1 = UsersGroupModel().create('G1')
         # add user to group
         UsersGroupModel().add_user_to_group(self.ug1, self.u1)
         RepoModel().grant_users_group_permission(repo, group_name=self.ug1,
                                                  perm='repository.none')
         Session().commit()
         u1_auth = AuthUser(user_id=self.u1.user_id)
         self.assertEqual(u1_auth.permissions['repositories']['myownrepo'],
                          'repository.admin')
     def test_owner_permissions_doesnot_get_overwritten_by_others(self):
         #create repo as USER,
         self.test_repo = repo = RepoModel().create_repo(repo_name='myownrepo',
                                 repo_type='hg',
                                 description='desc',
                                 owner=self.u1)
         Session().commit()
         #he has permissions of admin as owner
         u1_auth = AuthUser(user_id=self.u1.user_id)
         self.assertEqual(u1_auth.permissions['repositories']['myownrepo'],
                          'repository.admin')
         #set his permission as user, he should still be admin
         RepoModel().grant_user_permission(repo, user=self.u1,
                                           perm='repository.none')
         Session().commit()
         u1_auth = AuthUser(user_id=self.u1.user_id)
         self.assertEqual(u1_auth.permissions['repositories']['myownrepo'],
                          'repository.admin')

0 comments (0 inline, 0 general)