# -*- coding: utf-8 -*-

# This program is free software: you can redistribute it and/or modify

# it under the terms of the GNU General Public License as published by

# the Free Software Foundation, either version 3 of the License, or

# (at your option) any later version.

#

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

# GNU General Public License for more details.

#

# You should have received a copy of the GNU General Public License

# along with this program.  If not, see <http://www.gnu.org/licenses/>.

"""

kallithea.controllers.admin.repo_groups

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Repository groups controller for Kallithea

This file was forked by the Kallithea project in July 2014.

Original author and date, and relevant copyright and licensing information is below:

:created_on: Mar 23, 2010

:author: marcink

:copyright: (c) 2013 RhodeCode GmbH, and others.

:license: GPLv3, see LICENSE.md for more details.

"""

import logging

import traceback

import formencode

from formencode import htmlfill

from tg import app_globals, request

from tg import tmpl_context as c

from tg.i18n import ugettext as _

from tg.i18n import ungettext

from webob.exc import HTTPForbidden, HTTPFound, HTTPInternalServerError, HTTPNotFound

from kallithea.controllers import base

from kallithea.lib import webutils

from kallithea.lib.auth import HasPermissionAny, HasRepoGroupPermissionLevel, HasRepoGroupPermissionLevelDecorator, LoginRequired

from kallithea.lib.utils2 import safe_int

from kallithea.lib.webutils import url

from kallithea.model import db, meta

from kallithea.model.forms import RepoGroupForm, RepoGroupPermsForm

from kallithea.model.repo import RepoModel

from kallithea.model.repo_group import RepoGroupModel

from kallithea.model.scm import AvailableRepoGroupChoices, RepoGroupList

log = logging.getLogger(__name__)

class RepoGroupsController(base.BaseController):

    @LoginRequired(allow_default_user=True)

    def _before(self, *args, **kwargs):

        super(RepoGroupsController, self)._before(*args, **kwargs)

    def __load_defaults(self, extras=(), exclude=()):

        """extras is used for keeping current parent ignoring permissions

        exclude is used for not moving group to itself TODO: also exclude descendants

        Note: only admin can create top level groups

        """

        repo_groups = AvailableRepoGroupChoices('admin', extras)

        exclude_group_ids = set(rg.group_id for rg in exclude)

        c.repo_groups = [rg for rg in repo_groups

                         if rg[0] not in exclude_group_ids]

    def __load_data(self, group_id):

        """

        Load defaults settings for edit, and update

        :param group_id:

        """

        repo_group = db.RepoGroup.get_or_404(group_id)

        data = repo_group.get_dict()

        data['group_name'] = repo_group.name

        # fill repository group users

        for p in repo_group.repo_group_to_perm:

            data.update({'u_perm_%s' % p.user.username:

                             p.permission.permission_name})

        # fill repository group groups

        for p in repo_group.users_group_to_perm:

            data.update({'g_perm_%s' % p.users_group.users_group_name:

                             p.permission.permission_name})

        return data

    def _revoke_perms_on_yourself(self, form_result):

        _up = [u for u in form_result['perms_updates'] if request.authuser.username == u[0]]

        _new = [u for u in form_result['perms_new'] if request.authuser.username == u[0]]

        if _new and _new[0][1] != 'group.admin' or _up and _up[0][1] != 'group.admin':

            return True

        return False

    def index(self, format='html'):

        _list = db.RepoGroup.query(sorted=True).all()

        group_iter = RepoGroupList(_list, perm_level='admin')

        repo_groups_data = []

        _tmpl_lookup = app_globals.mako_lookup

        template = _tmpl_lookup.get_template('data_table/_dt_elements.html')

        def repo_group_name(repo_group_name, children_groups):

            return template.get_def("repo_group_name") \

                .render_unicode(repo_group_name, children_groups, _=_, webutils=webutils, c=c)

        def repo_group_actions(repo_group_id, repo_group_name, gr_count):

            return template.get_def("repo_group_actions") \

                .render_unicode(repo_group_id, repo_group_name, gr_count, _=_, webutils=webutils, c=c,

                        ungettext=ungettext)

        for repo_gr in group_iter:

            children_groups = [g.name for g in repo_gr.parents] + [repo_gr.name]

            repo_count = repo_gr.repositories.count()

            repo_groups_data.append({

                "raw_name": webutils.escape(repo_gr.group_name),

                "group_name": repo_group_name(repo_gr.group_name, children_groups),

                "desc": webutils.escape(repo_gr.group_description),

                "repos": repo_count,

                "owner": repo_gr.owner.username,

                "action": repo_group_actions(repo_gr.group_id, repo_gr.group_name,

                                             repo_count)

            })

        c.data = {

            "sort": None,

            "dir": "asc",

            "records": repo_groups_data

        }

        return base.render('admin/repo_groups/repo_groups.html')

    def create(self):

        self.__load_defaults()

        # permissions for can create group based on parent_id are checked

        # here in the Form

        repo_group_form = RepoGroupForm(repo_groups=c.repo_groups)

        form_result = None

        try:

            form_result = repo_group_form.to_python(dict(request.POST))

            gr = RepoGroupModel().create(

                group_name=form_result['group_name'],

                group_description=form_result['group_description'],

                parent=form_result['parent_group_id'],

                copy_permissions=form_result['group_copy_permissions']

            )

            meta.Session().commit()

            # TODO: in future action_logger(, '', '', '')

        except formencode.Invalid as errors:

            return htmlfill.render(

                base.render('admin/repo_groups/repo_group_add.html'),

                defaults=errors.value,

                errors=errors.error_dict or {},

                prefix_error=False,

                encoding="UTF-8",

                force_defaults=False)

        except Exception:

            log.error(traceback.format_exc())

            webutils.flash(_('Error occurred during creation of repository group %s')

                    % request.POST.get('group_name'), category='error')

            if form_result is None:

                raise

            parent_group_id = form_result['parent_group_id']

            # TODO: maybe we should get back to the main view, not the admin one

            raise HTTPFound(location=url('repos_groups', parent_group=parent_group_id))

        webutils.flash(_('Created repository group %s') % gr.group_name,

                category='success')

        raise HTTPFound(location=url('repos_group_home', group_name=gr.group_name))

    def new(self):

        parent_group_id = safe_int(request.GET.get('parent_group') or '-1')

        if HasPermissionAny('hg.admin')('group create'):

            # we're global admin, we're ok and we can create TOP level groups

            pass

        else:

            # we pass in parent group into creation form, thus we know

            # what would be the group, we can check perms here !

            group = db.RepoGroup.get(parent_group_id) if parent_group_id else None

            group_name = group.group_name if group else None

            if HasRepoGroupPermissionLevel('admin')(group_name, 'group create'):

                pass

            else:

                raise HTTPForbidden()

        self.__load_defaults()

        return htmlfill.render(

            base.render('admin/repo_groups/repo_group_add.html'),

            defaults={'parent_group_id': parent_group_id},

            errors={},

            prefix_error=False,

            encoding="UTF-8",

            force_defaults=False)

    @HasRepoGroupPermissionLevelDecorator('admin')

    def update(self, group_name):

        c.repo_group = db.RepoGroup.guess_instance(group_name)

        self.__load_defaults(extras=[c.repo_group.parent_group],

                             exclude=[c.repo_group])

        # TODO: kill allow_empty_group - it is only used for redundant form validation!

        if HasPermissionAny('hg.admin')('group edit'):

            # we're global admin, we're ok and we can create TOP level groups

            allow_empty_group = True

        elif not c.repo_group.parent_group:

            allow_empty_group = True

        else:

            allow_empty_group = False

        repo_group_form = RepoGroupForm(

            edit=True,

            old_data=c.repo_group.get_dict(),

            repo_groups=c.repo_groups,

            can_create_in_root=allow_empty_group,

        )()

        try:

            form_result = repo_group_form.to_python(dict(request.POST))

            new_gr = RepoGroupModel().update(group_name, form_result)

            meta.Session().commit()

            webutils.flash(_('Updated repository group %s')

                    % form_result['group_name'], category='success')

            # we now have new name !

            group_name = new_gr.group_name

            # TODO: in future action_logger(, '', '', '')

        except formencode.Invalid as errors:

            c.active = 'settings'

            return htmlfill.render(

                base.render('admin/repo_groups/repo_group_edit.html'),

                defaults=errors.value,

                errors=errors.error_dict or {},

                prefix_error=False,

                encoding="UTF-8",

                force_defaults=False)

        except Exception:

            log.error(traceback.format_exc())

            webutils.flash(_('Error occurred during update of repository group %s')

                    % request.POST.get('group_name'), category='error')

        raise HTTPFound(location=url('edit_repo_group', group_name=group_name))

    @HasRepoGroupPermissionLevelDecorator('admin')

        filter_extra_fields = True

        current_password = v.ValidOldPassword(username)(not_empty=True)

        new_password = All(v.ValidPassword(), v.UnicodeString(strip=False, min=6))

        new_password_confirmation = All(v.ValidPassword(), v.UnicodeString(strip=False, min=6))

        chained_validators = [v.ValidPasswordsMatch('new_password',

                                                    'new_password_confirmation')]

    return _PasswordChangeForm

def UserForm(edit=False, old_data=None):

    old_data = old_data or {}

    class _UserForm(formencode.Schema):

        allow_extra_fields = True

        filter_extra_fields = True

        username = All(v.UnicodeString(strip=True, min=1, not_empty=True),

                       v.ValidUsername(edit, old_data))

        if edit:

            new_password = All(

                v.ValidPassword(),

                v.UnicodeString(strip=False, min=6, not_empty=False)

            )

            password_confirmation = All(

                v.ValidPassword(),

                v.UnicodeString(strip=False, min=6, not_empty=False),

            )

            admin = v.StringBoolean(if_missing=False)

            chained_validators = [v.ValidPasswordsMatch('new_password',

                                                        'password_confirmation')]

        else:

            password = All(

                v.ValidPassword(),

                v.UnicodeString(strip=False, min=6, not_empty=True)

            )

            password_confirmation = All(

                v.ValidPassword(),

                v.UnicodeString(strip=False, min=6, not_empty=False)

            )

            chained_validators = [v.ValidPasswordsMatch('password',

                                                        'password_confirmation')]

        active = v.StringBoolean(if_missing=False)

        firstname = v.UnicodeString(strip=True, min=1, not_empty=False)

        lastname = v.UnicodeString(strip=True, min=1, not_empty=False)

        email = All(v.Email(not_empty=True), v.UniqSystemEmail(old_data))

        extern_name = v.UnicodeString(strip=True, if_missing=None)

        extern_type = v.UnicodeString(strip=True, if_missing=None)

    return _UserForm

def UserGroupForm(edit=False, old_data=None, available_members=None):

    old_data = old_data or {}

    available_members = available_members or []

    class _UserGroupForm(formencode.Schema):

        allow_extra_fields = True

        filter_extra_fields = True

        users_group_name = All(

            v.UnicodeString(strip=True, min=1, not_empty=True),

            v.ValidUserGroup(edit, old_data)

        )

        user_group_description = v.UnicodeString(strip=True, min=1,

                                                 not_empty=False)

        users_group_active = v.StringBoolean(if_missing=False)

        if edit:

            users_group_members = v.OneOf(

                available_members, hideList=False, testValueList=True,

                if_missing=None, not_empty=False

            )

    return _UserGroupForm

def RepoGroupForm(edit=False, old_data=None, repo_groups=None,

                   can_create_in_root=False):

    old_data = old_data or {}

    repo_groups = repo_groups or []

    repo_group_ids = [rg[0] for rg in repo_groups]

    class _RepoGroupForm(formencode.Schema):

        allow_extra_fields = True

        filter_extra_fields = False

        group_name = All(v.UnicodeString(strip=True, min=1, not_empty=True),

                         v.SlugifyName(),

                         v.ValidRegex(msg=_('Name must not contain only digits'))(r'(?!^\d+$)^.+$'))

        group_description = v.UnicodeString(strip=True, min=1,

                                            not_empty=False)

        group_copy_permissions = v.StringBoolean(if_missing=False)

        if edit:

            # FIXME: do a special check that we cannot move a group to one of

            # its children

            pass

        parent_group_id = All(v.CanCreateGroup(can_create_in_root),

                              v.OneOf(repo_group_ids, hideList=False,

                                      testValueList=True,

                                      if_missing=None, not_empty=True),

                              v.Int(min=-1, not_empty=True))

        chained_validators = [v.ValidRepoGroup(edit, old_data)]

    return _RepoGroupForm

def RegisterForm(edit=False, old_data=None):

    class _RegisterForm(formencode.Schema):

        allow_extra_fields = True

        filter_extra_fields = True

        username = All(

            v.ValidUsername(edit, old_data),

            v.UnicodeString(strip=True, min=1, not_empty=True)

        )

        password = All(

            v.ValidPassword(),

            v.UnicodeString(strip=False, min=6, not_empty=True)

        )

        password_confirmation = All(

            v.ValidPassword(),

            v.UnicodeString(strip=False, min=6, not_empty=True)

        )

        active = v.StringBoolean(if_missing=False)

        firstname = v.UnicodeString(strip=True, min=1, not_empty=False)

        lastname = v.UnicodeString(strip=True, min=1, not_empty=False)

        email = All(v.Email(not_empty=True), v.UniqSystemEmail(old_data))

        chained_validators = [v.ValidPasswordsMatch('password',

                                                    'password_confirmation')]

    return _RegisterForm

def PasswordResetRequestForm():

    class _PasswordResetRequestForm(formencode.Schema):

        allow_extra_fields = True

        filter_extra_fields = True

        email = v.Email(not_empty=True)

    return _PasswordResetRequestForm

def PasswordResetConfirmationForm():

    class _PasswordResetConfirmationForm(formencode.Schema):

        allow_extra_fields = True

        filter_extra_fields = True

        email = v.UnicodeString(strip=True, not_empty=True)

        timestamp = v.Number(strip=True, not_empty=True)

        token = v.UnicodeString(strip=True, not_empty=True)

        password = All(v.ValidPassword(), v.UnicodeString(strip=False, min=6))

        password_confirm = All(v.ValidPassword(), v.UnicodeString(strip=False, min=6))

        chained_validators = [v.ValidPasswordsMatch('password',

                                                    'password_confirm')]

    return _PasswordResetConfirmationForm

def RepoForm(edit=False, old_data=None, supported_backends=kallithea.BACKENDS,

             repo_groups=None, landing_revs=None):

    old_data = old_data or {}

    repo_groups = repo_groups or []

    landing_revs = landing_revs or []

    repo_group_ids = [rg[0] for rg in repo_groups]

    class _RepoForm(formencode.Schema):

        allow_extra_fields = True

        filter_extra_fields = False

        repo_name = All(v.UnicodeString(strip=True, min=1, not_empty=True),

                        v.SlugifyName())

        repo_group = All(v.CanWriteGroup(old_data),

                         v.OneOf(repo_group_ids, hideList=True),

                         v.Int(min=-1, not_empty=True))

        repo_type = v.OneOf(supported_backends, required=False,

                            if_missing=old_data.get('repo_type'))

        repo_description = v.UnicodeString(strip=True, min=1, not_empty=False)

        repo_private = v.StringBoolean(if_missing=False)

        repo_landing_rev = v.OneOf(landing_revs, hideList=True)

        repo_copy_permissions = v.StringBoolean(if_missing=False)

        clone_uri = All(v.UnicodeString(strip=True, min=1, not_empty=False))

        repo_enable_statistics = v.StringBoolean(if_missing=False)

        repo_enable_downloads = v.StringBoolean(if_missing=False)

        if edit:

            owner = All(v.UnicodeString(not_empty=True), v.ValidRepoUser())

            # Not a real field - just for reference for validation:

            # clone_uri_hidden = v.UnicodeString(if_missing='')

    def _update_permissions(self, repo_group, perms_new=None,

                            perms_updates=None, recursive=None,

                            check_perms=True):

        from kallithea.lib.auth import HasUserGroupPermissionLevel

        if not perms_new:

            perms_new = []

        if not perms_updates:

            perms_updates = []

        def _set_perm_user(obj, user, perm):

            if isinstance(obj, db.RepoGroup):

                self.grant_user_permission(repo_group=obj, user=user, perm=perm)

            elif isinstance(obj, db.Repository):

                user = db.User.guess_instance(user)

                # private repos will not allow to change the default permissions

                # using recursive mode

                if obj.private and user.is_default_user:

                    return

                # we set group permission but we have to switch to repo

                # permission

                perm = perm.replace('group.', 'repository.')

                repo.RepoModel().grant_user_permission(

                    repo=obj, user=user, perm=perm

                )

        def _set_perm_group(obj, users_group, perm):

            if isinstance(obj, db.RepoGroup):

                self.grant_user_group_permission(repo_group=obj,

                                                  group_name=users_group,

                                                  perm=perm)

            elif isinstance(obj, db.Repository):

                # we set group permission but we have to switch to repo

                # permission

                perm = perm.replace('group.', 'repository.')

                repo.RepoModel().grant_user_group_permission(

                    repo=obj, group_name=users_group, perm=perm

                )

        # start updates

        updates = []

        log.debug('Now updating permissions for %s in recursive mode:%s',

                  repo_group, recursive)

        for obj in repo_group.recursive_groups_and_repos():

            # iterated obj is an instance of a repos group or repository in

            # that group, recursive option can be: none, repos, groups, all

            if recursive == 'all':

                pass

            elif recursive == 'repos':

                # skip groups, other than this one

                if isinstance(obj, db.RepoGroup) and not obj == repo_group:

                    continue

            elif recursive == 'groups':

                # skip repos

                if isinstance(obj, db.Repository):

                    continue

            else:  # recursive == 'none': # DEFAULT don't apply to iterated objects

                obj = repo_group

                # also we do a break at the end of this loop.

            # update permissions

            for member, perm, member_type in perms_updates:

                ## set for user

                if member_type == 'user':

                    # this updates also current one if found

                    _set_perm_user(obj, user=member, perm=perm)

                ## set for user group

                else:

                    # check if we have permissions to alter this usergroup's access

                    if not check_perms or HasUserGroupPermissionLevel('read')(member):

                        _set_perm_group(obj, users_group=member, perm=perm)

            # set new permissions

            for member, perm, member_type in perms_new:

                if member_type == 'user':

                    _set_perm_user(obj, user=member, perm=perm)

                else:

                    # check if we have permissions to alter this usergroup's access

                    if not check_perms or HasUserGroupPermissionLevel('read')(member):

                        _set_perm_group(obj, users_group=member, perm=perm)

            updates.append(obj)

            # if it's not recursive call for all,repos,groups

            # break the loop and don't proceed with other changes

            if recursive not in ['all', 'repos', 'groups']:

                break

        return updates

    def update(self, repo_group, repo_group_args):

        try:

            repo_group = db.RepoGroup.guess_instance(repo_group)

            old_path = repo_group.full_path

            # change properties

            if 'group_description' in repo_group_args:

                repo_group.group_description = repo_group_args['group_description']

            if 'parent_group_id' in repo_group_args:

                assert repo_group_args['parent_group_id'] != '-1', repo_group_args  # RepoGroupForm should have converted to None

                repo_group.parent_group = db.RepoGroup.get(repo_group_args['parent_group_id'])

                repo_group.group_name = repo_group.get_new_name(repo_group.name)

            if 'group_name' in repo_group_args:

                group_name = repo_group_args['group_name']

                if kallithea.lib.utils2.repo_name_slug(group_name) != group_name:

                    raise Exception('invalid repo group name %s' % group_name)

                repo_group.group_name = repo_group.get_new_name(group_name)

            new_path = repo_group.full_path

            meta.Session().add(repo_group)

            # iterate over all members of this groups and do fixes

            # if obj is a repoGroup also fix the name of the group according

            # to the parent

            # if obj is a Repo fix it's name

            # this can be potentially heavy operation

            for obj in repo_group.recursive_groups_and_repos():

                # set the value from it's parent

                if isinstance(obj, db.RepoGroup):

                    new_name = obj.get_new_name(obj.name)

                    log.debug('Fixing group %s to new name %s'

                                % (obj.group_name, new_name))

                    obj.group_name = new_name

                elif isinstance(obj, db.Repository):

                    # we need to get all repositories from this new group and

                    # rename them accordingly to new group path

                    new_name = obj.get_new_name(obj.just_name)

                    log.debug('Fixing repo %s to new name %s'

                                % (obj.repo_name, new_name))

                    obj.repo_name = new_name

            self._rename_group(old_path, new_path)

            return repo_group

        except Exception:

            log.error(traceback.format_exc())

            raise

    def delete(self, repo_group, force_delete=False):

        repo_group = db.RepoGroup.guess_instance(repo_group)

        try:

            meta.Session().delete(repo_group)

            self._delete_group(repo_group, force_delete)

        except Exception:

            log.error('Error removing repo_group %s', repo_group)

            raise

    def add_permission(self, repo_group, obj, obj_type, perm, recursive):

        repo_group = db.RepoGroup.guess_instance(repo_group)

        perm = db.Permission.guess_instance(perm)

        for el in repo_group.recursive_groups_and_repos():

            # iterated obj is an instance of a repos group or repository in

            # that group, recursive option can be: none, repos, groups, all

            if recursive == 'all':

                pass

            elif recursive == 'repos':

                # skip groups, other than this one

                if isinstance(el, db.RepoGroup) and not el == repo_group:

                    continue

            elif recursive == 'groups':

                # skip repos

                if isinstance(el, db.Repository):

                    continue

            else:  # recursive == 'none': # DEFAULT don't apply to iterated objects

                el = repo_group

                # also we do a break at the end of this loop.

            if isinstance(el, db.RepoGroup):

                if obj_type == 'user':

                    RepoGroupModel().grant_user_permission(el, user=obj, perm=perm)

                elif obj_type == 'user_group':

                    RepoGroupModel().grant_user_group_permission(el, group_name=obj, perm=perm)

                else:

                    raise Exception('undefined object type %s' % obj_type)

            elif isinstance(el, db.Repository):

                # for repos we need to hotfix the name of permission

                _perm = perm.permission_name.replace('group.', 'repository.')

                if obj_type == 'user':

                    repo.RepoModel().grant_user_permission(el, user=obj, perm=_perm)

                elif obj_type == 'user_group':

                    repo.RepoModel().grant_user_group_permission(el, group_name=obj, perm=_perm)

                else:

                    raise Exception('undefined object type %s' % obj_type)

            else:

                raise Exception('el should be instance of Repository or '

                                'RepositoryGroup got %s instead' % type(el))

            # if it's not recursive call for all,repos,groups

            # break the loop and don't proceed with other changes

            if recursive not in ['all', 'repos', 'groups']:

                break

## -*- coding: utf-8 -*-

${h.form(url('update_repos_group',group_name=c.repo_group.group_name))}

<div class="form">

        <div class="form-group">

            <label class="control-label" for="group_name">${_('Group name')}:</label>

            <div>

                ${h.text('group_name',class_='form-control')}

            </div>

        </div>

        <div class="form-group">

            <label class="control-label" for="group_description">${_('Description')}:</label>

            <div>

                ${h.textarea('group_description',cols=23,rows=5,class_='form-control')}

            </div>

        </div>

        <div class="form-group">

            <label class="control-label" for="parent_group_id">${_('Group parent')}:</label>

            <div>

                ${h.select('parent_group_id','',c.repo_groups,class_='form-control')}

            </div>

        </div>

        <div class="form-group">

            <div class="buttons">

                ${h.submit('save',_('Save'),class_="btn btn-default")}

                ${h.reset('reset',_('Reset'),class_="btn btn-default")}

            </div>

        </div>

</div>

${h.end_form()}

${h.form(url('delete_repo_group', group_name=c.repo_group.group_name))}

<div class="form">

        <div class="form-group">

            <div class="buttons">

                ${h.submit('remove_%s' % c.repo_group.group_name,_('Remove this group'),class_="btn btn-danger",onclick="return confirm('"+_('Confirm to delete this group')+"');")}

            </div>

        </div>

</div>

${h.end_form()}

<script>

    'use strict';

    $(document).ready(function(){

        $("#parent_group_id").select2({

            'dropdownAutoWidth': true

        });

    });

</script>

    @mock.patch.object(RepoModel, 'revoke_user_permission', raise_exception)

    def test_api_revoke_user_permission_exception_when_adding(self):

        id_, params = _build_data(self.apikey,

                                  'revoke_user_permission',

                                  repoid=self.REPO,

                                  userid=base.TEST_USER_ADMIN_LOGIN, )

        response = api_call(self, params)

        expected = 'failed to edit permission for user: `%s` in repo: `%s`' % (

            base.TEST_USER_ADMIN_LOGIN, self.REPO

        )

        self._compare_error(id_, expected, given=response.body)

    @base.parametrize('name,perm', [

        ('none', 'repository.none'),

        ('read', 'repository.read'),

        ('write', 'repository.write'),

        ('admin', 'repository.admin'),

    ])

    def test_api_grant_user_group_permission(self, name, perm):

        id_, params = _build_data(self.apikey,

                                  'grant_user_group_permission',

                                  repoid=self.REPO,

                                  usergroupid=TEST_USER_GROUP,

                                  perm=perm)

        response = api_call(self, params)

        ret = {

            'msg': 'Granted perm: `%s` for user group: `%s` in repo: `%s`' % (

                perm, TEST_USER_GROUP, self.REPO

            ),

            'success': True

        }

        expected = ret

        self._compare_ok(id_, expected, given=response.body)

    def test_api_grant_user_group_permission_wrong_permission(self):

        perm = 'haha.no.permission'

        id_, params = _build_data(self.apikey,

                                  'grant_user_group_permission',

                                  repoid=self.REPO,

                                  usergroupid=TEST_USER_GROUP,

                                  perm=perm)

        response = api_call(self, params)

        expected = 'permission `%s` does not exist' % perm

        self._compare_error(id_, expected, given=response.body)

    @mock.patch.object(RepoModel, 'grant_user_group_permission', raise_exception)

    def test_api_grant_user_group_permission_exception_when_adding(self):

        perm = 'repository.read'

        id_, params = _build_data(self.apikey,

                                  'grant_user_group_permission',

                                  repoid=self.REPO,

                                  usergroupid=TEST_USER_GROUP,

                                  perm=perm)

        response = api_call(self, params)

        expected = 'failed to edit permission for user group: `%s` in repo: `%s`' % (

            TEST_USER_GROUP, self.REPO

        )

        self._compare_error(id_, expected, given=response.body)

    def test_api_revoke_user_group_permission(self):

        RepoModel().grant_user_group_permission(repo=self.REPO,

                                                group_name=TEST_USER_GROUP,

                                                perm='repository.read')

        meta.Session().commit()

        id_, params = _build_data(self.apikey,

                                  'revoke_user_group_permission',

                                  repoid=self.REPO,

                                  usergroupid=TEST_USER_GROUP, )

        response = api_call(self, params)

        expected = {

            'msg': 'Revoked perm for user group: `%s` in repo: `%s`' % (

                TEST_USER_GROUP, self.REPO

            ),

            'success': True

        }

        self._compare_ok(id_, expected, given=response.body)

    @mock.patch.object(RepoModel, 'revoke_user_group_permission', raise_exception)

    def test_api_revoke_user_group_permission_exception_when_adding(self):

        id_, params = _build_data(self.apikey,

                                  'revoke_user_group_permission',

                                  repoid=self.REPO,

                                  usergroupid=TEST_USER_GROUP, )

        response = api_call(self, params)

        expected = 'failed to edit permission for user group: `%s` in repo: `%s`' % (

            TEST_USER_GROUP, self.REPO

        )

        self._compare_error(id_, expected, given=response.body)

    @base.parametrize('changing_attr,updates', [

        ('description', {'description': 'new description'}),

        ('group_name', {'group_name': 'new_repo_name'}),

        ('parent', {'parent': 'test_group_for_update'}),

    ])

    def test_api_update_repo_group(self, changing_attr, updates):

        group_name = 'lololo'

        repo_group = fixture.create_repo_group(group_name)

        new_group_name = group_name

        if changing_attr == 'group_name':

            assert repo_group.parent_group_id is None  # lazy assumption for this test

            new_group_name = updates['group_name']

        if changing_attr == 'parent':

            new_group_name = '/'.join([updates['parent'], group_name.rsplit('/', 1)[-1]])

        expected = {

            'msg': 'updated repository group ID:%s %s' % (repo_group.group_id, new_group_name),

            'repo_group': repo_group.get_api_data()

        }

        expected['repo_group'].update(updates)

        if 'description' in updates:

            expected['repo_group']['group_description'] = expected['repo_group'].pop('description')

        if changing_attr == 'parent':

            new_parent = fixture.create_repo_group(updates['parent'])

            expected['repo_group']['parent_group'] = expected['repo_group'].pop('parent')

            expected['repo_group']['group_name'] = new_group_name

        id_, params = _build_data(self.apikey, 'update_repo_group',

                                  repogroupid=group_name, **updates)

        response = api_call(self, params)

        try:

            self._compare_ok(id_, expected, given=response.body)

        finally:

            if changing_attr == 'parent':

                fixture.destroy_repo_group(new_parent.group_id)

            fixture.destroy_repo_group(new_group_name)

    @base.parametrize('name,perm,apply_to_children', [

        ('none', 'group.none', 'none'),

        ('read', 'group.read', 'none'),

        ('write', 'group.write', 'none'),

        ('admin', 'group.admin', 'none'),

        ('none', 'group.none', 'all'),

        ('read', 'group.read', 'all'),

        ('write', 'group.write', 'all'),

        ('admin', 'group.admin', 'all'),

        ('none', 'group.none', 'repos'),

        ('read', 'group.read', 'repos'),

        ('write', 'group.write', 'repos'),

        ('admin', 'group.admin', 'repos'),

        ('none', 'group.none', 'groups'),

        ('read', 'group.read', 'groups'),

        ('write', 'group.write', 'groups'),

        ('admin', 'group.admin', 'groups'),

    ])

    def test_api_grant_user_permission_to_repo_group(self, name, perm, apply_to_children):

        id_, params = _build_data(self.apikey,

                                  'grant_user_permission_to_repo_group',

                                  repogroupid=TEST_REPO_GROUP,

                                  userid=base.TEST_USER_ADMIN_LOGIN,

                                  perm=perm, apply_to_children=apply_to_children)

        response = api_call(self, params)